Tcpreplay: Pcap editing and replay tools for *NIX


About
Tcpreplay is a suite of BSD licensed tools written by Aaron Turner for *NIX operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices.  It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 headers and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPSes.

These programs were written in the hopes that a more precise and repeatable testing methodology might be applied to the area of network intrusion detection, which is still a black art at best.

Details
Tcpreplay includes the following tools:
  • tcpprep - multi-pass pcap file pre-processor which classifies packets as client or server and creates cache files used by tcpreplay and tcprewrite
  • tcprewrite - pcap file editor which rewrites TCP/IP and Layer 2 packet headers
  • tcpreplay - replays pcap files at arbitrary speeds onto the network
  • tcpbridge - bridge two network segments with the power of tcprewrite
  • flowreplay - emulates a network client using a pcap file as the basis of a TCP or UDP connection (currently in alpha)

Generally speaking, if they are testing an inline device like a firewall or IPS, most people would first run tcpprep against a pcap file to create a cache file which splits the traffic between client and server.  Then, depending on their network setup and where the pcap was captured, they would use tcprewrite to edit the packets so that the device under test will examine them properly.  Finally, tcpreplay is used to replay the pcap onto the network to do the test.
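The client/server split that tcpprep performs, shown as an added Python example (not tcpreplay's own code, and a simplified two-pass heuristic rather than tcpprep's actual algorithm): it parses a libpcap file constructed inline and labels every packet by whether its source is a host that opened a connection. The IP addresses and ports are made up for the demonstration.

```python
import struct

SYN, ACK = 0x02, 0x10          # TCP flag bits

def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame, no payload, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (LINKTYPE_ETHERNET = 1)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))

def iter_pcap(data):
    """Yield raw frames from a libpcap file, honouring its byte order."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_fields(frame):
    """Return (src_ip_bytes, tcp_flags) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:     # not IPv4 / not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    return frame[26:30], frame[14 + ihl + 13]

def classify(data):
    """Pass 1 collects IPs that send a SYN without ACK (connection openers);
    pass 2 labels each packet by its source. With no SYN in the capture, the
    first packet's source is taken as the client. Non-TCP frames go server-side."""
    parsed = [tcp_fields(f) for f in iter_pcap(data)]
    clients = {src for src, fl in filter(None, parsed) if fl & (SYN | ACK) == SYN}
    if not clients:
        clients = {next((p[0] for p in parsed if p), None)}
    return ["client" if p and p[0] in clients else "server" for p in parsed]

if __name__ == "__main__":
    pcap = build_pcap([build_packet("10.0.0.5", "10.0.0.80", 40000, 80, SYN),
                       build_packet("10.0.0.80", "10.0.0.5", 80, 40000, SYN | ACK),
                       build_packet("10.0.0.5", "10.0.0.80", 40000, 80, ACK)])
    print(classify(pcap))  # ['client', 'server', 'client']
```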

News
2005-04-20
Just released tcpreplay 3.0.beta2! A metric ton of bug fixes and some new features as well. First release with "tcpbridge" which re-introduces the network bridge functionality originally added to the 2.x tree.

2005-03-09
Just re-posted a job posting for a technical writer/editor to help me with the tcpreplay documentation. If you are interested in getting some good tech writing experience in the networking/security space, then this might just be the opportunity for you!

2005-02-28
New website design. Not nearly as ugly as the last one.

2005-02-27
First 3.0 BETA released!

2003-05-??
Tcpreplay was rated as one of the top 75 security tools by the nmap-hackers mailing list!

Get It
Releases:

Source via Subversion:
svn co https://www.synfin.net:444/svn/tcpreplay/trunk tcpreplay-trunk
or view it online using the web interface

Packages:

  • Apple OS X users can try Darian Lanx's Fink package: fink install tcpreplay
  • Debian users can try Noel Koethe's APT package: apt-get install tcpreplay
  • Win32 users can try this UNOFFICIAL and UNSUPPORTED port.  Note: anyone interested in helping with an official Win32 port of tcpreplay should contact me.
 
Documentation
3.x Docs:
3.x Man Pages:
2.x Docs:
 
Support
Sourceforge has a support, bug and patch ticket tracking system which we do not use.  So if you submit a ticket into any of those systems, it will likely be ignored for a few months, if not longer.  Hence, you should be using the tcpreplay-users mailing list for support. (Note, due to spam, the tcpreplay-users list is a closed list, so you will need to subscribe in order to post.)

Please note that tcpreplay has a lot of documentation.  Please read the documentation before asking for help.

You may also be interested in checking out tcpreplay's SourceForge project page.
