Category: Sniffing & Spoofing | Tags: traffic, replay, pcap, nids, network testing, tcpdump

tcpreplay

Tcpreplay replays saved tcpdump files at arbitrary speeds to test NIDS performance by replicating real network traffic. It allows control over replay speed and supports editing packets for comprehensive network device testing.

Description

Tcpreplay is designed for testing the performance of Network Intrusion Detection Systems (NIDS) by replaying real background network traffic to hide attacks. Unlike artificial traffic generators, tcpreplay uses actual tcpdump traces which exercise application/protocol inspection and reproduce real-world network anomalies such as asymmetric routes, traffic bursts, fragmentation, and retransmissions.

The suite includes multiple executables: tcpreplay for replaying traffic, tcpprep for creating cache files with processing rules, tcprewrite for rewriting packets in pcap files, tcpreplay-edit for endpoint modifications, tcpbridge for bridging traffic across interfaces, tcpcapinfo for pcap file dissection, and tcpliveplay for replaying with new TCP connections. This enables exact replication of production network traffic for testing firewalls, NIDS, and other network devices.

Traffic can be split between two interfaces, written to files, filtered, and edited according to specific needs. The tools support various DLT types and provide extensive packet modification capabilities including IP/port rewriting, checksum recalculation, fuzzing, and VLAN tagging.

How It Works

Tcpreplay reads pcap files containing captured network traffic and replays packets out specified network interfaces at controlled speeds (pps, mbps, topspeed, or one-at-a-time). It uses tcpprep cache files to determine client/server traffic direction for dual-interface replay. Packets can be pre-processed with tcprewrite to modify headers (IP addresses, ports, MAC, TTL, TOS), recalculate checksums, apply fuzzing, or simulate fragmentation. Tcpbridge enables selective bridging with packet editing between two interfaces. Tcpliveplay rewrites captured TCP sessions to use new connections against live targets while maintaining protocol SEQ/ACK expectations.
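To make the timing and direction logic above concrete, here is an added example (not code from the tcpreplay project): it builds a small, entirely constructed pcap in memory, parses it back the way a replay tool must, derives the send schedule that tcpreplay's -x (multiplier), -p (pps) and -t (topspeed) modes imply, and applies a simplified version of tcpprep's port-based client/server split. The addresses, ports and timestamps are made up, and the "well-known port below 1024 means server" rule is an assumption standing in for tcpprep's use of /etc/services.

```python
import struct

# Added illustration, not tcpreplay's own code. Every address, port and
# timestamp below is constructed; the port heuristic is an assumption.
PCAP_MAGIC_US = 0xA1B2C3D4      # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1           # DLT_EN10MB


def ip_checksum(header):
    """RFC 1071 one's-complement sum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, sport, dst_ip, dport, payload):
    """Minimal Ethernet/IPv4/UDP frame with a valid IP checksum (UDP checksum 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + udp


def write_pcap(packets):
    """Serialize [(sec, usec, frame), ...] into little-endian pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Parse pcap bytes into (linktype, [(timestamp_seconds, frame), ...]).
    Handles both byte orders and both micro- and nanosecond magic numbers."""
    magic = struct.unpack_from("<I", data, 0)[0]
    table = {0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),
             0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}
    if magic not in table:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    endian, divisor = table[magic]
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, frac, caplen, _wirelen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated packet record at offset %d" % off)
        off += caplen
        packets.append((sec + frac / divisor, frame))
    return linktype, packets


def replay_schedule(timestamps, mode, value=None):
    """Seconds after the first send at which each packet goes out, for tcpreplay's
    timing modes: 'multiplier' (-x N), 'pps' (-p N) and 'topspeed' (-t)."""
    if not timestamps:
        return []
    if mode == "topspeed":
        return [0.0] * len(timestamps)                 # no pacing at all
    if mode == "pps":
        return [i / value for i in range(len(timestamps))]
    if mode == "multiplier":
        t0 = timestamps[0]
        return [(t - t0) / value for t in timestamps]  # original gaps divided by N
    raise ValueError("unknown mode %r" % mode)


def classify_port_mode(frame, server_ports=frozenset(range(1, 1024))):
    """Simplified stand-in for tcpprep --auto=port (assumption: the real tool
    consults /etc/services). A packet whose destination is a server port is
    client->server and goes out --intf1; anything else goes out --intf2."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                    # not IPv4, no opinion
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] not in (6, 17):                       # TCP or UDP only
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return "intf1" if dport in server_ports else "intf2"


def make_sample_pcap():
    """Constructed DNS-like UDP exchange spanning 2.5 s of capture time."""
    q = build_udp_frame("10.0.0.5", 40000, "10.0.0.9", 53, b"query-1")
    r = build_udp_frame("10.0.0.9", 53, "10.0.0.5", 40000, b"answer-1")
    return write_pcap([(1, 0, q), (1, 500000, r), (2, 0, q), (3, 500000, r)])


if __name__ == "__main__":
    _, pkts = read_pcap(make_sample_pcap())
    ts = [t for t, _ in pkts]
    print("capture span: %.3fs" % (ts[-1] - ts[0]))
    for mode, value in (("multiplier", 10.0), ("pps", 1000), ("topspeed", None)):
        print(mode, ["%.4f" % o for o in replay_schedule(ts, mode, value)])
    print("interface per packet:", [classify_port_mode(f) for _, f in pkts])
```

Writing the bytes from make_sample_pcap() to a file gives a capture you can feed to the tcpreplay commands listed later on this page; the schedule function shows why -x 10 compresses a 2.5 s capture into 0.25 s while -p 1000 ignores the original timestamps entirely and spaces packets 1 ms apart.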

Installation

```bash
sudo apt install tcpreplay
```

Flags

-i, --intf1=str      Client to server/RX/primary traffic output interface
-I, --intf2=str      Server to client/TX/secondary traffic output interface
-x, --multiplier=str Modify replay speed to a given multiple (prohibits pps, mbps, oneatatime, topspeed)
-l, --loop=num       Loop through the capture file X times
-c, --cachefile=str  Split traffic via a tcpprep cache file (requires intf2, prohibits dualfile)
-t, --topspeed       Replay packets as fast as possible
-p, --pps=str        Replay packets at a given packets/sec
--unique-ip          Modify IP addresses each loop iteration to generate unique flows

Examples

Replay pcap traffic out eth0 interface at original speed:

```bash
tcpreplay --intf1=eth0 capture.pcap
```

Split replay traffic across two interfaces using tcpprep cache:

```bash
tcpreplay --intf1=eth0 --intf2=eth1 --cachefile=cache.cache capture.pcap
```

Replay traffic as fast as hardware allows:

```bash
tcpreplay --topspeed capture.pcap
```

Replay traffic at 10x original speed:

```bash
tcpreplay --multiplier=10x capture.pcap
```

Replay at 1000 packets per second:

```bash
tcpreplay --pps=1000 capture.pcap
```

Create cache file using port-based auto-split mode:

```bash
tcpprep --auto=port -i input.pcap -o cache.cache
```

Bridge traffic between eth0 and eth1 interfaces:

```bash
tcpbridge --intf1=eth0 --intf2=eth1
```
Updated 2026-04-16. Source: kali.org ↗