Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 packets and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS’s. Tcpreplay supports both single and dual NIC modes for testing both sniffing and in-line devices.
Tcpreplay is used by numerous firewall, IDS, IPS, NetFlow and other networking vendors, enterprises, universities, labs and open source projects. If your organization uses Tcpreplay, please let us know who you are and what you use it for so that I can continue to add features which are useful.
Tcpreplay is designed to work with network hardware and normally does not penetrate deeper than Layer 2. Yazan Siam with sponsorship from Cisco developed tcpliveplay to replay TCP pcap files directly to servers. Use this utility if you want to test the entire network stack and into the application.
As of version 4.0, Tcpreplay has been enhanced to address the complexities of testing and tuning IP Flow/NetFlow hardware. Enhancements include:
  • Support for netmap modified network drivers for 10GigE wire-speed performance
  • Increased accuracy for playback speed
  • Increased accuracy of results reporting
  • Flow statistics including Flows Per Second (fps)
  • Flow analysis for analysis and fine tuning of flow expiry timeouts
  • Hundreds of thousands of flows per second (dependent flow sizes in pcap file)

On the online manual, it was mentioned that to install tcpreplay on Windows, I will 'need to install Winpcap the port of libpcap for Windows. For whatever reason, it seems important that you install the Winpcap files in the Cygwin root directory (/Wpdpack).' What is meant by installing the winpcap files in the Cygwin root directory?

  1. Hi, On the online manual, it was mentioned that to install tcpreplay on Windows, I will 'need to install Winpcap the port of libpcap for Windows. For whatever reason, it seems important that you install the Winpcap files in the Cygwin root directory (/Wpdpack).' What is meant by installing the winpcap files in the Cygwin root directory?
  2. Note: The same steps apply for Windows/Linux running VirtualBox. As I already mentioned, you can have either Windows or Linux installed as your host. But, in this case, I have Windows 10 installed (don’t hate me!) where I try to install Kali Linux in VirtualBox step by step.
Version 4.0 is the first version delivered by Fred Klassen and sponsored by AppNeta. Many thanks to the author of Tcpreplay, Aaron Turner who has supplied the world with a a solid and full-featured test product thus far. The new author strives to take Tcprelay performance to levels normally only seen in commercial network test equipment.
The Tcpreplay suite includes the following tools:

Network playback products:

  • tcpreplay – replays pcap files at arbitrary speeds onto the network with an option to replay with random IP addresses
  • tcpreplay-edit – replays pcap files at arbitrary speeds onto the network with numerous options to modify packets packets on the fly
  • tcpliveplay – replays TCP network traffic stored in a pcap file on live networks in a manner that a remote server will respond to

Pcap file editors and utilities:

  • tcpprep – multi-pass pcap file pre-processor which determines packets as client or server and splits them into creates output files for use by tcpreplay and tcprewrite
  • tcprewrite – pcap file editor which rewrites TCP/IP and Layer 2 packet headers
  • tcpbridge – bridge two network segments with the power of tcprewrite
  • tcpcapinfo – raw pcap file decoder and debugger

Install package
Please visit our downloads page on our wiki for detailed download and installation instructions.

Simple directions for Unix users:

Build netmap feature
This feature will detect netmap capable network drivers on Linux and BSD systems. If detected, the network driver is bypassed for the execution duration of tcpreplay and tcpreplay-edit, and network buffers will be written to directly. This will allow you to achieve full line rates on commodity network adapters, similar to rates achieved by commercial network traffic generators.
Note that bypassing the network driver will disrupt other applications connected through the test interface. Don’t test on the same interface you ssh’ed into.
Download latest and install netmap from http://info.iet.unipi.it/~luigi/netmap/ If you extracted netmap into /usr/src/ or /usr/local/src you can build normally. Otherwise you will have to specify the netmap source directory, for example:

Your upper arms should be parallel to the floor and palms facing forward.Then, push the weights up over your head, bringing your arms almost into full extension over your shoulders. Overhead Press. Ndt training schools. ©iStock.com/gpointstudioWith your weights in hand, goalpost your arms out so that your elbows are bent at 90 degrees.

You can also find netmap source here.
Detailed installation instructions are available in the INSTALL document in the tar ball.

Install Tcpreplay from source code
Download the tar ball or zip file. Optionally clone the git repository:

Support
If you have a question or think you are experiencing a bug, submit them here. It is important that you provide enough information for us to help you.
If your problem has to do with COMPILING tcpreplay:

  • Version of tcpreplay you are trying to compile
  • Platform (Red Hat Linux 9 on x86, Solaris 7 on SPARC, OS X on PPC, etc)
  • Contents of config.status
  • Output from configure and make
  • Any additional information you think that would be useful.

If your problem has to do with RUNNING tcpreplay or one of the sub-tools:

  • Version information (output of -V)
  • Command line used (options and arguments)
  • Platform (Red Hat Linux 9 on Intel, Solaris 7 on SPARC, etc)
  • Make & model of the network card(s) and driver(s) version
  • Error message (if available) and/or description of problem
  • If possible, attach the pcap file used (compressed with bzip2 or gzip preferred)
  • The core dump or backtrace if available
  • Detailed description of your problem or what you are trying to accomplish

Note: The author of tcpreplay primarily uses OS X and Linux; hence, if you’re reporting an issue on another platform, it is important that you give very detailed information as I may not be able to reproduce your issue.
You are also strongly encouraged to read the extensive documentation (man pages, FAQ, documents in /docs and email list archives) BEFORE posting to the tcpreplay-users email list:
http://lists.sourceforge.net/lists/listinfo/tcpreplay-users
If you have a bug to report you can submit it here:
https://github.com/appneta/tcpreplay/issues
If you want to help with development, visit our developers wiki:
https://github.com/appneta/tcpreplay/wiki
Lastly, please don’t email the authors directly with your questions. Doing so prevents others from potentially helping you and your question/answer from showing up in the list archives.

Authors and Contributors
Tcpreplay is authored by Aaron Turner. In 2013 Fred Klassen, Founder and VP Network Technology, AppNeta added performance features and enhancements, and ultimately took over the maintenance of Tcpreplay.
The source code repository has moved to GitHub. You can get a working copy of the repository by installing git and executing:

How To Contribute
It’s easy. Basically you…

How
  • Edit (we create a branch per issue)

Details:
You will find that you will not be able to contribute to the Tcpreplay project directly if you use clone the appneta/tcpreplay repo. If you believe that you may someday contribute to the repository, GitHub provides an innovative approach. Forking the @appneta/tcpreplay repository allows you to work on your own copy of the repository and submit code changes without first asking permission from the authors. Forking is also considered to be a compliment so fork away:

  • if you haven’t already done so, get yourself a free GitHub ID and visit @appneta/tcpreplay
  • click the Fork button to get your own private copy of the repository
  • on your build system clone your private repository:
Windows
  • we like to keep the master branch available for projection ready code so we recommend that you make a branch for each feature or bug fix
  • when you are happy with your work, push it to your GitHub repository
  • on your GitHub repository select your new branch and submit a Pull Request to master
  • optionally monitor the status of your submission here

We will review and possibly discuss the changes with you through GitHub services. If we accept the submission, it will instantly be applied to the production master branch.

Additional Information
Please visit our wiki.
or visit our developers wiki

Latest version

Released:

tool to replay and work with pcap and smcap (smithproxy capture) files

Project description

Support

For comments, feedback or new feature discussion feel free to drop a message to pplay-users@googlegroups.com mailing list.If you can make use of .deb package, visit download section of this site.

History

recently I’ve been in the need of reproducing some issue with DLP, while I was provided with pcap when DLP was not involved in the traffic flow and everything was working.Originally I was trying to utilize netcat, however I’ve always ended up with some (my) mistake, or simply I just sent CR when it should have been CRLF… Reproduction was frankly tedious task.

Then I gave up on manual work, and tried tcpreplay. This is really fantastic tool in case you want to replay exactly what you have in pcap. However I quickly realized that DLP is changing sequential numbers of inspected TCP traffic, so it couldn’t have been used it too!! Looking around the net, I decided to write something myself which will help me now and next time it can help others too.

Quick start

PPlay is tool to replay/resend application data, it doesn’t care of transport layer parameters (which we want, reasons described above). It will grab only the payload from connection you explicitly specify and will make new connection and plays the content in the right order. Of course, you will need to run pplay on server and on client too, with the same pcap file parameter and also with other quite important arguments.

All data about to be sent will be printed out to be confirmed by you. When receiving data, it will tell you if they differ from what we expect and how much; there are 3 levels, OK, modified, different. If they differ significantly (marked as different), they will not be considered as the part of the expected data, so in most cases the logic of packet ordering will stay stable.

Output is colored; RED means anything related to received stuff, GREEN everything to data to be sent, or YELLOW for command line and other data eligible to be sent in the future but not now. WHITE is usually program notifications. At the first sight pplay’s output might look bit a messy, but colors really help.

Replaying PCAP

Run server side pplay instance

Replaying SMCAP (smithproxy captures)

Run client pplay instance

Replaying PPlayScript

pplay also knows how to export data to a “script”. This is extremely convenient to do if you are repeating the same test again and again, needing to change parts of the payload dynamically. Output script is in fact a python class, containing also all necessary data, no –pcap or –smcap arguments are needed anymore.

You can produce script with –export <scriptname> (filename will be scriptname.py). You can then use it by –script scriptname (instead of –pcap or –smcap arguments).For example:

You can use “script” as the sniff file (NOTE: missing .py in –script argument)

Main purpose of it is the need of dynamic modification of the payload, or other “smart” stuff, that cannot be predicted and programmed for you in pplay directly.

Simplistic script example:

As you might see this gives to your hands power to export existing payload with –export and modify it on the fly as you want. You can make a string templates from it and just paste values as desired, or you can write even quite complex code around!

Creating and using self-contained package

This feature is extremely useful for automation. You can use SMCAP, PCAP or pplayscript, embed it into pplay itself,and use this self-contained pplay version by executing it over the SSH (or the other way, SSH is just the most obvious).

The rest is just the same normal pplay. Please note that pplay over ssh needs a bit different approach, so we execute it with:

Launch embedded server

Pack smcap file into pplay, resulting file in /tmp/smbla.py – smbla.py will contain pplay and also data from provided smcap file and launch server (on r32 host, options suitable for automation), using packed pplay:

Launch embbedded client

Please note that you need to have installed python-scapy on both remote servers. Of course, SSH needs to be reachable (i.e. you need to create firewall pin-holes for it).Also for (and only for) the automation you might want to create ssh key without the passphrase.

More details

PPlay forgets everything about original IP addresses. It’s because you will be testing it in your lab testbed. Only thing it will remember is the the destination port, for server side pplay it’s important, meaning the port where it should listen for incoming connections. But that’s really it.

Client-side pplay will connect to the server-side. Once connected, you will see on one side green hex data and on the other yellow hex data. For HTTP, the client-side would be typically green, since HTTP comes with the request first. On the line above green hex data you will also see e.g. “[1/2] (in sync) offer to send –>”. In sync is important here. Those data should be sent now according to pcap.If you see yellow data, that side is not on it’s turn, and you will not see also “(in sync)” above them.

Yellow or green, pplay will act on behalf of you by default in 5 seconds => green data will be sent.Hint: you can set –noauto, or –auto <big_seconds> program argument to change autosend feature. This feature could be also toggled on/off during the operation with “i” command shortcut.

Launch on remote SSH server

new in version 1.7.0You have learned so far how to “pack” data inside pplay. It’s pretty useful, but you need to always –pack, create a file, send it to the other side, and execute there.Even though in previous examples we mentioned how to send packed over ssh stdin, you still need linux command-line ssh.Since version 1.7.0 you can actually utilize –remote-ssh parameter, and pplay will send over ssh itself!

Nice on this is you don’t need anything on remote servers, just pure python. Nothing else is needed.

Limitation: since python on remote server receives pplay from stdin which must be closed to actually launch it, commands from standard input are not supported and –nostdin is automatically added to remote command line. Recommended running with --exitoneot and --auto.

Tcpreplay usage

Connect client using SOCKS

Another useful feature might be to use proxy for client outgoing connection (perhaps you are testing such a proxy, like I am).To do so, use –socks parameter, taking IP address optionally suffixed with a port, ie. 10.0.0.1:1080

Commands

Below hex data (green or yellow), there is some contextual help for you: pplay is waiting for your override action to it’s default – autosend. At the time being, you can enter:

Data sources

PPlay also supports smithproxy output, just use –smcap instead of –pcap argument option.You can wrap the traffic into SSL, just use –ssl option. With smithproxy together, pplay is quite powerful pair of tools: you can easily replay “decrypted” smcap file from smithproxy and wrap it again into SSL to further test.

Hint: Smithproxy it’s SSL mitm proxy written by me in C/C++, faking certificate subject. It utilizes iptables TPROXY target. SSL traffic is signed by local CA and plaintext is logged into files.

Requirements

Tool doesn’t have too requirements. You have to have installed scapy and colorama python packages.

Scapy is used to parse pcaps and to have scapy available for future features - runs on Linux, Mac and Windows (see instructions how to install scapy on windows here). It’s known to not work in Cygwin.

Note: I am deciding to drop scapy in the future.Colorama is responsible for multiplatform coloring. On windows, unpack zip-file, run cmd and run python setup.py install. That should make it.

I would recommend to run pplay in linux, I haven’t tested it on Windows yet.

SMCAP2PCAP tool

This tool is a bit hack. Basically it replays smcap file, while using tcpdump to sniff the traffic. There are dozens of reasons why you would like to convert smcap file to pcap. This is the tool for that purpose.

Also, this tools is very basic. There is only argument it takes: smcap file. Name and location of the converted pcap will be printed out.

Release historyRelease notifications | RSS feed

2.0.5.post3

2.0.5.post2

2.0.5.post1

Tcpreplay example

2.0.5 Vfr 400 nc30 workshop manual.

2.0.4

How To Install Tcpreplay On Windows 10

2.0.2

2.0.1

2.0.0.post6

2.0.0.post5

2.0.0.post1

1.7.4.post1

1.7.3.post5

1.7.3.post4

1.7.3.post3

How To Install Tcpreplay On Windows

1.7.3.post2

1.7.3.post1

1.7.3

Get sqlcmd for mac torrent. For SQL Server 2014 and lower, see sqlcmd Utility. For using sqlcmd on Linux, see Install sqlcmd and bcp on Linux. The sqlcmd utility lets you enter Transact-SQL statements, system procedures, and script files through a variety of available modes: Download Microsoft Command Line Utilities 15 for SQL. Apr 03, 2017 We are excited to announce the availability of the preview for SQL Server Command Line Tools (sqlcmd and bcp) on Mac OS. The sqlcmd utility is a command-line tool that lets you submit T-SQL statements or batches to local and remote instances of SQL Server. The utility is extremely useful for repetitive database tasks such as batch processing.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for pplay, version 2.0.5.post3
Filename, sizeFile typePython versionUpload dateHashes
Filename, size pplay-2.0.5.post3-py3-none-any.whl (34.7 kB) File type Wheel Python version py3 Upload dateHashes
Filename, size pplay-2.0.5.post3.tar.gz (36.3 kB) File type Source Python version None Upload dateHashes
Close

Hashes for pplay-2.0.5.post3-py3-none-any.whl

Hashes for pplay-2.0.5.post3-py3-none-any.whl
AlgorithmHash digest
SHA25696b5186d555ab10711dce65b33150bcbfca0cf131a48bcf02a19f58e925e62f9
MD56f9fbdc7220fc1da4391347156226cb5
BLAKE2-256a471a8af768ba41a7eb65df4f1f423ad747ca10efac482df5b278bb8895f7399
Close

Tcpreplay Example

Hashes for pplay-2.0.5.post3.tar.gz

How Tcpreplay Work

Hashes for pplay-2.0.5.post3.tar.gz
AlgorithmHash digest
SHA256afdf511e1ba80114bbbdb67f674b738f8d6d298f9234b6b49aa3bba2a21ce7b0
MD542b72bd80c64a3ddb4df12367500baf4
BLAKE2-256e0a9fd7bfd9fcee757f8336576f809f0bf4e9d823d9284dbc3f731aab6a1d533