These programs were written in the hopes that a more precise and repeatable testing methodology might be applied to the area of network intrusion detection, which is still a black art at best.
- tcpprep - multi-pass pcap file pre-processor which determines packets as client or server and creates cache files used by tcpreplay and tcprewrite
- tcprewrite - pcap file editor which rewrites TCP/IP and Layer 2 packet headers
- tcpreplay - replays pcap files at arbitrary speeds onto the network
- flowreplay - emulates a network client using a pcap file as the basis of a TCP or UDP connection (currently in alpha)
Generally speaking, most people would first run tcpprep against a pcap file to create a cache file which splits traffic between client and server if they are testing an inline device like a firewall or IPS. Then depending on their network setup and where the pcap was captured, they would use tcprewrite to edit the packets so that the device under test will examine them properly. Finally, tcpreplay is used to replay the pcap onto the network to do the test.
- Latest development release: tcpreplay-3.0.beta1.tar.gz
- Latest stable release: tcpreplay-2.3.3.tar.gz (release notes)
- Last release supporting Libnet 1.0.x: tcpreplay-1.3.3.tar.gz (release notes)
Source via Subversion:
svn co https://www.synfin.net:444/svn/tcpreplay/trunk tcpreplay-trunk
or view it online using
the web interface
Packages:
- Apple OS X users can try Darian Lanx's Fink package: fink install tcpreplay
- Debian users can try Noel Koethe's APT package: apt-get install tcpreplay
- Win32 users can try this UNOFFICAL and UNSUPPORTED port. Note: anyone interested in helping with an offical Win32 port of tcpreplay should contact me.
| 3.x Docs: 3.x Man Pages: | 2.x Docs: |
Please note that tcpreplay has a lot of documentation. Please read the documentation before asking for help.
You may also be interested in checking out tcpreplay's SourceForge project page.