About

Tcpreplay is a suite of BSD licensed tools written by Aaron Turner for *NIX operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices.  It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 headers and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS's. Voted as one of the top 75 security tools, tcpreplay is used by numerous firewall, IDS, IPS and other networking vendors, enterprises, universities, and open source projects. If your organization uses tcpreplay, please let me know who you are and what you use it for so that I can continue to add features which are useful.

Details

Tcpreplay includes the following tools: tcpprep - multi-pass pcap file pre-processor which determines packets as client or server and creates cache files used by tcpreplay and tcprewrite tcprewrite - pcap file editor which rewrites TCP/IP and Layer 2 packet headers tcpreplay - replays pcap files at arbitrary speeds onto the network tcpbridge - bridge two network segments with the power of tcprewrite flowreplay - emulates a network client using a pcap file as the basis of a TCP or UDP connection (currently in alpha) Generally speaking, most people would first run tcpprep against a pcap file to create a cache file which splits traffic between client and server if they are testing an inline device like a firewall or IPS.  Then depending on their network setup and where the pcap was captured, they would use tcprewrite to edit the packets so that the device under test will examine them properly.  Finally, tcpreplay is used to replay the pcap onto the network to do the test.

News

2005-08-07 Tcpreplay 3.0.beta7 is relased which merges the tcpprep fixes from 2.3.5 and incorprates an important flowreplay fix for UDP flows. Still looking for a tech writer who can spend a few hours a week on the documentation. 2005-07-03 Tcpreplay 2.3.5 is released which fixes a long standing bug in tcpprep with auto/router mode. Note that *all* tcpprep releases up to now in all three branches of code (1.x, 2.x and 3.x) have this bug. 3.0.beta7 will have the fix, but 1.x is EOL. 2005-06-29 Many thanks to Dorr Clark of Santa Clara University who provided me a really nice doxygen file for documenting the 3.0 source code. 2005-06-28 Beta6 is out. Fixes a number of user reported bugs. Thanks to all the beta testers who have been giving me such great feedback. Keep it comming! 2005-06-14 Well I got a lot of good feedback on the beta4 release, so beta5 fixes a number of key bugs and adds a few enhancements which should help people out. Let me know... 2005-06-05 Released 3.0.beta4 and 2.3.4. Both fix problems compiling under OpenBSD and add support for libpcap 0.5 although some features may be disabled. 3.0.beta4 also fixes a number of bugs during both compile and runtime... check the changelog for details. 2005-05-28 Ugh. libnids is so close and yet so far away. It handles the basic functionality of doing IP defragmentation and TCP stream reassembly which I need for flowreplay, but yet misses the boat on a number of key requirements... the biggest of which are no multi-thread support or proper handling of multiple pcap files. Unfortunately, doing proper multi-thread support would require an API change... something that the libnids author is unwilling to do. The only option seems to be a fork of the code, but that's plain ugly... Suggestions? 2005-05-12 Oops. I thought I fixed a compile problem with dlt2desc in 3.0.beta3, but apparently I goofed. If you get an error complaining about multiple definitions, then go into src/edit_packet.c and delete the line: #include "dlt_names.h" 2005-03-09 Just re-posted a job posting for a technical writer/editor to help me with the tcpreplay documentation. If you are interested in getting some good tech writing experiance in the networking/security space, then this might just be the opportunity for you!

Get It

Releases: Latest development release: tcpreplay-3.0.beta7.tar.gz (Changelog) Latest stable release: tcpreplay-2.3.5.tar.gz (release notes) Last release supporting Libnet 1.0.x: tcpreplay-1.3.3.tar.gz (release notes) Note that the 1.x series is EOL. Past releases Source via Subversion: svn co https://www.synfin.net/svn/tcpreplay/trunk tcpreplay-trunk or view it online using the web interface Packages: Apple OS X users can try Darian Lanx's Fink package: fink install tcpreplay Debian users can try Noel Koethe's APT package: apt-get install tcpreplay Win32 users can try this UNOFFICAL and UNSUPPORTED port.  Note: anyone interested in helping with an offical Win32 port of tcpreplay should contact me.

Documentation

3.x Docs: Manual Frequently Asked Questions Source code documentation via Doxygen 3.x Man Pages: tcpreplay tcpprep tcprewrite flowreplay tcpbridge Other: 3.x TODO list 2.x Docs: Frequently Asked Questions

Support

Sourceforge has a support, bug and patch ticket tracking system which I do not use.  So if you submit a ticket into any of those systems, it will likely be ignored for a few months, if not longer.  Hence, you should be using the tcpreplay-users mailing list for support. (Due to spam, the tcpreplay-users list is a closed list, so you will need to subscribe in order to post.) Please note that tcpreplay has a lot of documentation.  Please read the documentation before asking for help. You may also be interested in checking out tcpreplay's SourceForge project page.