The Tcpreplay suite includes the following tools:

  • tcpprep - multi-pass pcap file pre-processor which determines packets as client or server and creates cache files used by tcpreplay and tcprewrite
  • tcprewrite - pcap file editor which rewrites TCP/IP and Layer 2 packet headers
  • tcpreplay - replays pcap files at arbitrary speeds onto the network
  • tcpliveplay - Replays network traffic stored in a pcap file on live networks using new TCP connections
  • tcpreplay-edit - replays & edits pcap files at arbitrary speeds onto the network
  • tcpbridge - bridge two network segments with the power of tcprewrite
  • tcpcapinfo - raw pcap file decoder and debugger

Use the following specific syntax to replay a TCP capture:

# tcpliveplay <device> <file.pcap> <Destination IP> <Destination MAC> <Source Port>

Device: The device the packets will be sent out on, such as eth0 or eth1.

file.pcap: The “*.pcap” packet capture you desire to replay. Note that all non-TCP packets will be filtered out and ignored. Only replay captures that contain one TCP flow.

Destination IP: The destination IP string of the remote host you wish to replay the captures against.

Destination MAC: The destination MAC address of the NIC directly connected to your replay station.

Source Port: The TCP source port. If the user does not desire a specific port, they may instead type “random”, which will determine a random number at runtime and use that for the source port. The generated numbers will be in the private ports range of 49152 to 65535.

Due to the nature of the replay, you must suppress the kernel RST flags because the replay is injecting packets into the replay station’s NIC. Issue the following:

# sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -s <your ip> -d <dst ip> --dport <dst port, example 80 or 23 etc.> -j DROP

Example of suppress command:

# sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -s -d --dport 80 -j DROP

Here are examples of running tcpliveplay:

# tcpliveplay eth0 sample1.pcap 52:51:01:12:38:02 random
# tcpliveplay eth0 sample2.pcap 52:51:01:12:38:02 52178

Types of Packet Captures

This tool can only replay TCP packet captures that contain one TCP flow. Future improvements will allow users to replay captures that contain multiple TCP connections at the same time.
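The replay procedure above (the tcpliveplay argument order, the RST-suppressing iptables rule and its source-port rule) as an added wrapper script; this is example code written for this page, not part of Tcpreplay or the original post. It assumes tcpliveplay and iptables are on PATH and takes the destination port explicitly, because the iptables rule needs it and the tcpliveplay command line does not carry it.

```shell
#!/bin/sh
# Added example: run tcpliveplay with the kernel-RST drop rule inserted first
# and removed again afterwards. Assumes tcpliveplay and iptables are installed.

# Accept "random" or an explicit port in the private range 49152-65535,
# matching what the page says "random" will generate.
valid_source_port() {
    [ "$1" = "random" ] && return 0
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# Sanity check on the MAC of the NIC directly connected to the replay station.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Build the iptables rule from the page. $1 is -A (add) or -D (delete),
# so the same function yields the matching cleanup rule.
rst_rule() {
    echo "iptables $1 OUTPUT -p tcp --tcp-flags RST RST -s $2 -d $3 --dport $4 -j DROP"
}

# Build the tcpliveplay invocation: device, pcap, dst IP, dst MAC, src port.
replay_cmd() {
    echo "tcpliveplay $1 $2 $3 $4 $5"
}

# main <device> <file.pcap> <src ip> <dst ip> <dst mac> <dst port> <src port|random>
main() {
    [ $# -eq 7 ] || { echo "usage: $0 dev pcap src_ip dst_ip dst_mac dst_port src_port" >&2; return 2; }
    valid_mac "$5" || { echo "bad MAC: $5" >&2; return 2; }
    valid_source_port "$7" || { echo "source port must be random or 49152-65535" >&2; return 2; }
    add=$(rst_rule -A "$3" "$4" "$6")
    del=$(rst_rule -D "$3" "$4" "$6")
    # Remove the RST-drop rule when the replay ends, so the host is not left
    # silently dropping its own RSTs to this destination after the test.
    trap 'sudo $del' EXIT
    sudo $add
    sudo $(replay_cmd "$1" "$2" "$4" "$5" "$7")
}

# Only run when explicitly requested, so the functions can be sourced.
if [ "${TCPLIVEPLAY_RUN:-0}" = "1" ]; then main "$@"; fi
```

Invoke as `TCPLIVEPLAY_RUN=1 sh replay.sh eth0 sample2.pcap <your ip> <dst ip> 52:51:01:12:38:02 80 52178`; the pcap must still contain a single TCP flow, as the page states.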



tcpliveplay eth0 52716.pcap fa:16:3e:f1:5c:28 random

tcpreplay --intf1=eth0 52716.pcap


Replaying packets with tcpreplay

Why packets sent by tcpreplay don't appear on server?

posted @ 2019-07-09 16:36  JustDoBetter  views (1023)  comments (0)