Network
tcpreplay
Replay network traffic from pcap files.
Additional Notes
tcpreplay is a suite of tools for replaying network traffic captured in pcap format. It can reconstruct captured packets and send them back onto a live network, allowing administrators to test network devices, intrusion detection systems (IDS), firewalls, and other network equipment with real traffic patterns.
The tcpreplay suite includes several utilities: tcpreplay (replay packets), tcprewrite (rewrite packet headers for different networks), tcpcapinfo (pcap file information), tcpliveplay (replay with TCP connection tracking), and others. These tools allow modifying source/destination MACs, IPs, and ports to adapt captured traffic to the test network topology.
Syntax
tcpreplay [options] pcap_file [pcap_file...]
Parameters
pcap_file: One or more pcap files containing captured packets.
Common Options
-i interface,--intf1=interface: Specify the output interface for sending packets.-I interface2: Specify a second interface (for dual-port replay).-l count,--loop=count: Loop the replaycounttimes (0 = infinite).-t,--topspeed: Replay packets as fast as possible (no timing delay).-M mbps,--mbps=mbps: Replay at a specific bitrate in Mbps.-p pps,--pps=pps: Replay at a specific rate in packets per second.-x multiplier,--multiplier=multiplier: Speed up replay by a multiplier (e.g.,-x 2.0for double speed).-c duration,--duration=duration: Replay for a specified duration in seconds.-L limit,--limit=limit: Replay only the firstlimitpackets.-s skip,--skip=skip: Skip the firstskippackets.-v,--verbose: Show verbose statistics after replay.-V,--version: Show version information.-q,--quiet: Suppress normal output.-o,--no-flow-stat: Do not print flow statistics.--stats: Print statistics at the end of each loop.
tcprewrite Options
--dstipmap=old:new: Rewrite destination IP addresses.--srcipmap=old:new: Rewrite source IP addresses.--enet-dmac=mac: Rewrite destination MAC address.--enet-smac=mac: Rewrite source MAC address.--portmap=old:new: Rewrite TCP/UDP ports.--seed=num: Randomize IP addresses with a given seed.-i input.pcap: Input pcap file.-o output.pcap: Output pcap file.
Examples
tcpreplay -i eth0 capture.pcap
Replay packets from capture.pcap on interface eth0 at original timing.
tcpreplay -i eth0 -t capture.pcap
Replay packets as fast as possible (stress test).
tcpreplay -i eth0 -M 100 capture.pcap
Replay at a target rate of 100 Mbps.
tcpreplay -i eth0 -l 5 capture.pcap
Loop the replay 5 times.
tcprewrite --dstipmap=192.168.1.0/24:10.0.0.0/24 -i original.pcap -o rewritten.pcap
Rewrite destination IPs from the 192.168.1.x range to 10.0.0.x range, saving to a new file.
tcpreplay -i eth0 -x 2.0 capture.pcap
Replay at double the original speed.
tcpreplay -i eth0 --pps=1000 capture.pcap
Replay at 1000 packets per second.
Practical Notes
tcpreplaysends packets at the data-link layer, bypassing the kernel's network stack.- Use
tcprewriteto adapt captured traffic to your test network's IP addressing. - For testing firewalls/IDS, rewrite MAC addresses to match your test equipment.
- The original packet timing is preserved by default unless
-tor-Mis used. - High-speed replay may saturate the network interface; monitor interface counters.
tcpreplaycan craft packets with original checksums; disable checksum offloading on the NIC for accuracy.- The
-t(topspeed) mode is useful for performance testing and stress testing. - Pcap files recorded with snaplen smaller than the packet will be truncated and may not replay correctly.