Introduction to Tcpreplay
In simple terms, tcpreplay is a pcap replay tool for network packets. It can replay packets captured with tools like Ethereal or Wireshark, either in their original form or after modifications. You can adjust packet headers, mainly at layers 2, 3, and 4, and control the replay speed of the packets. As a result, tcpreplay is useful for replicating packet capture scenarios to help locate bugs or for high-speed replay in stress testing.
Tcpreplay includes several auxiliary tools:
tcpprep: Splits traffic into client and server sides, so that client packets can be sent from one network interface and server packets from another;
tcprewrite: Modifies layer 2, 3, and 4 headers in packets;
tcpreplay: Actually sends the packets, with options to choose the primary network interface, the secondary interface, the sending rate, and so on.
The following examples use a capture file named mysql.pcap.
tcpprep
The tcpprep tool generates a cache file.
tcpprep Help Documentation
tcpprep (tcpprep) - Create a TCPReplay cache cache file from a pcap file.
Usage: tcpprep [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
-a, --auto=str Auto-split mode
-c, --cidr=str CIDR-split mode
-r, --regex=str Regex-split mode
-p, --port Port-split mode
-e, --mac=str Source MAC split mode
--reverse Matches to be client instead of server
-C, --comment=str Embedded cache file comment
--no-arg-comment Do not embed any cache file comment
-x, --include=str Include only packets matching rule
-X, --exclude=str Exclude any packet matching this rule
-o, --cachefile=str Output cache file
-i, --pcap=str Input pcap file to process
-P, --print-comment=str Print embedded comment in the specified cache file
-I, --print-info=str Print basic info from the specified cache file
-S, --print-stats=str Print statistical information about the specified cache file
-s, --services=str Load services file for server ports
-N, --nonip Send non-IP traffic out server interface
-R, --ratio=str Ratio of client to server packets
-m, --minmask=num Minimum network mask length in auto mode
-M, --maxmask=num Maximum network mask length in auto mode
-v, --verbose Print decoded packets via tcpdump to STDOUT
-A, --decode=str Arguments passed to tcpdump decoder
-V, --version Print version information
-h, --less-help Display less usage information and exit
-H, --help display extended usage information and exit
-!, --more-help extended usage information passed thru pager
--save-opts[=arg] save the option state to a config file
--load-opts=str load options from a config file
Options are specified by doubled hyphens and their name or by a single hyphen and the flag character.
tcpprep is a pcap(3) file pre-processor which creates a cache file that provides "rules" for tcprewrite(1) and tcpreplay(1) on how to process and send packets.
tcpprep Example
Based on Source IP, Example One:
Treat the packets whose source address falls in 10.5.8.244/24 in mysql.pcap as the client side, and everything else as the server side.
Automatic Mode, Example Two:
The above command uses automatic/client mode for splitting. Here's my understanding of automatic mode:
In automatic mode, tcpprep considers the following IP behaviors as client:
1. The party that sends TCP SYN packets;
2. The party that sends DNS packets;
3. The party receiving ICMP-Port Unreachable.
The following behaviors are considered as server:
1. The party that sends TCP Syn/Ack;
2. The party that sends DNS responses;
3. The party that sends ICMP-Port Unreachable.
Packets identified as server-side are sent from the primary network interface, and those identified as client-side from the secondary interface. The automatic/client mode categorizes unrecognized packets as client, while automatic/server mode categorizes them as server. This approach seems less effective than classification by IP address.
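To make the two split modes concrete, here is an added example that models them in Python; it is not tcpprep's own code and does not read real cache files. The `Pkt` record, the sample packets and the `cidr_split`/`auto_split` helpers are constructed for this illustration; the classification rules are exactly the six behaviours listed above, and unrecognised hosts fall back to the side chosen by the mode, as the text describes.

```python
"""Added example (not tcpprep's code): a toy model of the CIDR and automatic
split modes, returning the side ("client"/"server") of each packet's sender."""
import ipaddress
from dataclasses import dataclass

CLIENT, SERVER = "client", "server"


@dataclass(frozen=True)
class Pkt:
    """Constructed packet summary: only the fields the split rules look at."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    icmp_port_unreach: bool = False  # ICMP destination unreachable / port unreachable


def cidr_split(pkt, client_nets):
    """CIDR-split mode (--cidr): the sender is the client when its source
    address lies inside one of the given networks, otherwise the server."""
    src = ipaddress.ip_address(pkt.src)
    return CLIENT if any(src in net for net in client_nets) else SERVER


def learn_roles(packets):
    """First pass of automatic mode: assign a role to each IP from the
    behaviours the text lists. The first observation of a host wins."""
    roles = {}
    for p in packets:
        if p.proto == "tcp" and p.syn and not p.ack:        # sends SYN -> client
            roles.setdefault(p.src, CLIENT); roles.setdefault(p.dst, SERVER)
        elif p.proto == "tcp" and p.syn and p.ack:          # sends SYN/ACK -> server
            roles.setdefault(p.src, SERVER); roles.setdefault(p.dst, CLIENT)
        elif p.proto == "udp" and p.dport == 53:            # sends DNS query -> client
            roles.setdefault(p.src, CLIENT); roles.setdefault(p.dst, SERVER)
        elif p.proto == "udp" and p.sport == 53:            # sends DNS response -> server
            roles.setdefault(p.src, SERVER); roles.setdefault(p.dst, CLIENT)
        elif p.proto == "icmp" and p.icmp_port_unreach:     # sends port unreachable -> server,
            roles.setdefault(p.src, SERVER); roles.setdefault(p.dst, CLIENT)  # receiver -> client
    return roles


def auto_split(packets, default=CLIENT):
    """Automatic mode: --auto=client treats unknown hosts as client (default
    here), --auto=server treats them as server."""
    roles = learn_roles(packets)
    return [roles.get(p.src, default) for p in packets]


# Constructed sample traffic: a MySQL handshake, a DNS lookup, an ICMP error
# and one bare ACK from a host whose role can never be learned.
SAMPLE_PACKETS = [
    Pkt("10.5.8.244", "10.5.8.10", "tcp", 51000, 3306, syn=True),
    Pkt("10.5.8.10", "10.5.8.244", "tcp", 3306, 51000, syn=True, ack=True),
    Pkt("10.5.8.244", "10.5.8.10", "tcp", 51000, 3306, ack=True),
    Pkt("192.168.1.5", "192.168.1.1", "udp", 40000, 53),
    Pkt("192.168.1.1", "192.168.1.5", "udp", 53, 40000),
    Pkt("172.16.0.9", "172.16.0.20", "icmp", icmp_port_unreach=True),
    Pkt("10.9.9.9", "10.5.8.10", "tcp", 40001, 3306, ack=True),
]
CLIENT_NETS = [ipaddress.ip_network("10.5.8.244/24", strict=False)]

if __name__ == "__main__":
    for p, side in zip(SAMPLE_PACKETS, auto_split(SAMPLE_PACKETS)):
        print(f"auto/client: {p.src:>12} -> {p.dst:<12} {side}")
    for p in SAMPLE_PACKETS:
        print(f"cidr:        {p.src:>12} {cidr_split(p, CLIENT_NETS)}")
```

The last sample packet shows why the author prefers CIDR mode: a host that only ever sends mid-stream ACKs is never learned, so automatic mode can only fall back to the mode's default side.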
tcprewrite
Simply put, tcprewrite modifies the packet headers in pcap files at layers 2, 3 and 4, and to a limited extent layers 5-7. Since version 3.0, all packet header modification functionality has moved from tcpreplay to tcprewrite. There are two ways to modify packets with tcprewrite. The first is to modify one item at a time, writing a new file at each step and using it as the input for the next, until all modifications are complete;
The second is to apply all options in one go, in a single command:
Both methods work, each with its pros and cons. The first is clear but laborious; the second is shorter but harder to read. My suggestion is to experiment with the first method, because it is easy to debug, and then consolidate the options into a single command for real use. Below is an example that shows how tcprewrite modifies headers. The basic format of tcprewrite is as follows (note that the real command has no line breaks; they are added here for readability). Use `tcprewrite --help` to explore the options in more detail.
Here's an explanation of the command's parameters:
The command's input files are input.pcap and input.cach, and the result is saved as out.pcap. It changes the host packets' source MAC, destination MAC, and destination IP to host_src_mac, host_dst_mac, and host_dst_ip, and the client packets' source MAC, destination MAC, and destination IP to client_src_mac, client_dst_mac, and client_dst_ip. It also remaps port old_port1 to new_port1 and old_port2 to new_port2.
Example of tcprewrite: pcap replay tool
Modifying Source IP, Destination IP, Source MAC, and Destination MAC in Packets
After execution, there's a new out.pcap file in the directory.
Modifying Layer 2 Header
Modifying MAC Address
If no cache file is specified, the source and destination MAC addresses of all packets are rewritten to 12:23:34:45:56:67 and 66:66:66:66:66:66 respectively.
Here's what the newly opened mysql_mac.pcap looks like:
Or
Specifying Cache File
With the cache file specified, the server packets' destination/source MAC addresses change to 00:44:66:FC:29:AF/00:66:AA:D1:32:C2, and the clients' to 00:55:22:AF:C6:37/00:22:55:AC:DE:AC; in the option value the server addresses are listed first.
Modifying 802.1q VLAN
Customer-captured packets often carry 802.1Q VLAN headers, which will not replay on your switch unless the VLAN header is removed or adjusted with tcprewrite:
Adding a VLAN tag is straightforward; the following command sets the VLAN ID to 40, CFI to 1, and VLAN priority to 4.
Removing the VLAN tag is equally simple:
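The following added example shows what these two operations do to the frame bytes; it is not tcprewrite's code. An 802.1Q tag is four bytes inserted between the source MAC and the EtherType: the TPID 0x8100 followed by the 16-bit TCI, which packs the 3-bit priority (PCP), the 1-bit CFI and the 12-bit VLAN ID. The sample frame is constructed here, reusing the MAC addresses from the cache-file example above.

```python
"""Added example (not tcprewrite's code): add, replace and strip an 802.1Q
tag on a raw Ethernet frame."""
import struct

TPID_8021Q = 0x8100


def build_tci(vlan_id, priority=0, cfi=0):
    """Tag Control Information: PCP (3 bits) | CFI (1 bit) | VID (12 bits)."""
    if not (0 <= vlan_id < 4096 and 0 <= priority < 8 and cfi in (0, 1)):
        raise ValueError("802.1Q field out of range")
    return (priority << 13) | (cfi << 12) | vlan_id


def parse_tci(tci):
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF}


def is_tagged(frame):
    return len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def remove_vlan(frame):
    """Strip the 4-byte tag; an untagged frame is returned unchanged."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame


def add_vlan(frame, vlan_id, priority=0, cfi=0):
    """Insert a tag after the source MAC. A frame that already carries a tag
    has that tag replaced, so the result never ends up double-tagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    frame = remove_vlan(frame)
    tag = struct.pack("!HH", TPID_8021Q, build_tci(vlan_id, priority, cfi))
    return frame[:12] + tag + frame[12:]


def vlan_info(frame):
    """Parsed tag of a frame, or None when the frame is untagged."""
    if not is_tagged(frame):
        return None
    return parse_tci(struct.unpack("!H", frame[14:16])[0])


# Constructed untagged frame: dst MAC, src MAC, EtherType IPv4, 4 dummy payload bytes
UNTAGGED = bytes.fromhex("004466fc29af" "0066aad132c2" "0800" "deadbeef")

if __name__ == "__main__":
    tagged = add_vlan(UNTAGGED, 40, priority=4, cfi=1)   # VLAN 40, CFI 1, priority 4
    print("tagged  :", tagged.hex(), vlan_info(tagged))
    print("stripped:", remove_vlan(tagged).hex(), vlan_info(remove_vlan(tagged)))
```

With VLAN 40, CFI 1 and priority 4 the TCI is (4 << 13) | (1 << 12) | 40 = 0x9028, so the inserted bytes are 81 00 90 28; stripping the tag returns the original frame byte for byte.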
Modifying Layer 3 Header
Modifying Destination IP
According to the cache file tags, change the server IP to 10.10.1.1 and the client IP to 10.10.1.2:
Modifying IP Network Part
IP addresses consist of a network part and a host part; the following command changes addresses in the 10.0.0.0/8 network into the corresponding addresses in 172.0.0.0/8, keeping the host part.
Modifying Other IP Header Parts
Modify the IPv4 header TOS to 50
Change the Traffic Class in IPv6 headers to 33
Modify the Flow Label field
Modifying Layer 4 Header
As with the IP header, when layer 4 headers are modified tcprewrite recomputes the checksum automatically, so there's no need to worry about it.
Modifying Port Numbers
Change port number 80 to 8080, 22 to 8022
Force Calculation of Transport Layer Checksum:
Some applications (and capture setups using checksum offload) do not fill in the transport layer checksum; tcprewrite can force it to be calculated:
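The layer 2 to layer 4 rewrites described in this section (MAC addresses chosen by cache-file side, the network part of an IP address, the port map) all end with the same step: the IPv4 header checksum and the TCP checksum must be recomputed, and the TCP one covers a pseudo-header built from the new addresses. The following added example carries one constructed Ethernet/IPv4/TCP frame through those rewrites and the checksum fix-up in Python; it is not tcprewrite's code and its function names, the `macs`/`ip_nets`/`port_map` arguments and the sample frame are assumptions made here, with the MAC, network and port values taken from the examples above.

```python
"""Added example (not tcprewrite's code): rewrite MACs, IP network part and
ports of an Ethernet/IPv4/TCP frame, then recompute both checksums."""
import ipaddress
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def fix_checksums(frame: bytes) -> bytes:
    """Zero and recompute the IPv4 header checksum and the TCP checksum. The TCP
    checksum covers the pseudo-header (src IP, dst IP, 0, proto 6, TCP length)."""
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = bytearray(frame[14:14 + ihl])
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", internet_checksum(bytes(ip_hdr)))
    tcp = bytearray(frame[14 + ihl:])
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", internet_checksum(pseudo + bytes(tcp)))
    return frame[:14] + bytes(ip_hdr) + bytes(tcp)


def checksums_ok(frame: bytes) -> bool:
    """Both checksums verify when the sum over the covered bytes folds to zero."""
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return internet_checksum(ip_hdr) == 0 and internet_checksum(pseudo + tcp) == 0


def rewrite(frame, side, macs, ip_nets=None, port_map=None):
    """side: the cache-file verdict for this packet ("client"/"server").
    macs: side -> (src_mac, dst_mac). ip_nets: (old_net, new_net), the host
    part is kept. port_map: old_port -> new_port, applied to both TCP ports."""
    f = bytearray(frame)
    smac, dmac = macs[side]
    f[0:6], f[6:12] = mac(dmac), mac(smac)
    ihl = (f[14] & 0x0F) * 4
    if ip_nets:
        old, new = ip_nets
        for off in (26, 30):                     # IPv4 src / dst address offsets
            addr = ipaddress.ip_address(bytes(f[off:off + 4]))
            if addr in old:
                host_bits = int(addr) & ~int(old.netmask)
                f[off:off + 4] = (int(new.network_address) | host_bits).to_bytes(4, "big")
    if port_map:
        tcp = 14 + ihl
        for off in (tcp, tcp + 2):               # TCP source / destination port
            port = struct.unpack("!H", f[off:off + 2])[0]
            f[off:off + 2] = struct.pack("!H", port_map.get(port, port))
    return fix_checksums(bytes(f))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed sample: Ethernet + minimal IPv4 + TCP (ACK) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x10, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return fix_checksums(mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp)


def summary(frame):
    ihl = (frame[14] & 0x0F) * 4
    t = 14 + ihl
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "src_ip": str(ipaddress.ip_address(frame[26:30])),
            "dst_ip": str(ipaddress.ip_address(frame[30:34])),
            "sport": struct.unpack("!H", frame[t:t + 2])[0],
            "dport": struct.unpack("!H", frame[t + 2:t + 4])[0]}


# Values from the examples above: server addresses first, then client.
MACS = {"server": ("00:66:aa:d1:32:c2", "00:44:66:fc:29:af"),
        "client": ("00:22:55:ac:de:ac", "00:55:22:af:c6:37")}
NETS = (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.0.0.0/8"))
PORTS = {80: 8080, 22: 8022}
SAMPLE_FRAME = build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                           "10.5.8.244", "192.168.1.10", 51000, 80, b"GET /")

if __name__ == "__main__":
    out = rewrite(SAMPLE_FRAME, "client", MACS, NETS, PORTS)
    print(summary(out), "checksums ok:", checksums_ok(out))
```

Because the TCP pseudo-header includes both IP addresses, changing only the network part of an address without recomputing the transport checksum would leave every rewritten packet with a bad checksum, which is why the tool recomputes it after any layer 3 or layer 4 change, and why a forced recalculation is needed for captures whose original checksums were never filled in.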
Modifying Layers 5-7 Data
tcprewrite has limited modification capability for layers 5-7, mainly just padding missing data with zeros, modifying TCP/UDP length bytes, or discarding the packet.