tcpreplay | Pcap editing and replay tools | Networking library
kandi X-RAY | tcpreplay Summary
kandi X-RAY | tcpreplay Summary
Tcpreplay is a suite of [GPLv3] licensed utilities for UNIX (and Win32 under [Cygwin]) operating systems for editing and replaying network traffic which was previously captured by tools like [tcpdump] and [Wireshark]. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 packets and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS’s. Tcpreplay supports both single and dual NIC modes for testing both sniffing and in-line devices. Tcpreplay is used by numerous firewall, IDS, IPS, NetFlow and other networking vendors, enterprises, universities, labs and open source projects. If your organization uses Tcpreplay, please let us know who you are and what you use it for so that I can continue to add features which are useful. Tcpreplay is designed to work with network hardware and normally does not penetrate deeper than Layer 2. Yazan Siam with sponsorship from [Cisco] developed tcpliveplay to replay TCP pcap files directly to servers. Use this utility if you want to test the entire network stack and into the application.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of tcpreplay
tcpreplay Key Features
tcpreplay Examples and Code Snippets
Community Discussions
Trending Discussions on tcpreplay
QUESTION
I'm using PF_RING and PCAP++ to capture and analyze net traffic.
Sometimes usefull to use lo
interface (loopback): for tests and regression analyze.
By the way, there is constant silence in the loopback until you break it by your command.
PF_RING may give me loopback traffic.
...ANSWER
Answered 2021-Aug-21 at 18:40It seems that PF_RING doesn't support lo
, please see this GitHub issue: https://github.com/ntop/PF_RING/issues/221
I tested it also and lo
isn't recognized by PF_RING.
However, as suggested in the issue, you can set up a dummy interface which PF_RING can see:
QUESTION
I have a pcap file that I modified with tcprewrite to set source and destination IP = 127.0.0.1, while the port numbers are different. I also set both mac addresses to 00:00:00:00:00:00 as I understand that comms over localhost ignore MAC. I made sure checksum was fixed.
When I run tcpreplay -i lo test-lo.pcap
in one shell, and tcpdump -i lo -p udp port 50001
in another, I see the traffic. Yet, when I try to view the traffic with netcat -l -u 50001
, it sees nothing. Wireshark is capturing the traffic correctly.
Side note: I'm seeing the following warning when running tcpreplay on localhost:
Warning: Unsupported physical layer type 0x0304 on lo. Maybe it works, maybe it won't. See tickets #123/318
That seems worrisome.
I'm asking because my own UDP listener code is also having the same problem as netcat and thought that maybe I'm missing something. Why would traffic be seen by tcpdump and wireshark, and not by netcat?
...ANSWER
Answered 2021-Apr-08 at 20:35I'm asking because my own UDP listener code is also having the same problem as netcat and thought that maybe I'm missing something. Why would traffic be seen by tcpdump and wireshark, and not by netcat?
Look at this image of the kernel packet flow from wikipedia:
As you can see, there are different places along the path where packets can be accessed. Wireshark uses libpcap
, which uses an AF_PACKET
socket to see packets. Your UDP listener, like netcat, uses regular user-space sockets. Let's highlight both on this image. Wireshark obtains packets via the red path, netcat via the purple one:
As you can see, there is a whole sequence of steps packets have to go through in the kernel to get to a local process socket. These steps include bridging, routing, filtering etc. Which step drops your packets? I don't know. You can try tweaking the packets and maybe you'll get lucky.
If you want a more systematic approach, use a tool like dropwatch. It hooks into the kernel and shows you counters of where the kernel drops packets.
QUESTION
I have to implement an RTSP Client which connects to an existing RTSP session without being able to send commands to the RTSP Server (recvonly).
To simulate such an environment, I have recorded a RTSP/RTP stream between testH264VideoStreamer and testRTSPClient examples from Live555 with Wireshark, and played it back using tcpreplay while trying to receive stream data with a modified version of testRTSPClient.
I've also stored the SDP information provided by the testH264VideoStreamer as an SDP file.
...ANSWER
Answered 2020-Nov-27 at 16:12I've found out that although wireshark was showing me the incoming packets with valid checksums, udp port received no packets.
I've tried following commands (as sudo) to avoid kernel discarding the packets but they simply don't help on Debian Buster.
QUESTION
I want to deploy an Azure Ubuntu 18.04-LTS VM with a custom data file during an automation test, using tmplate.json and parameters.json files.
Although, the VM was deployed successfully, It seem that the custom data execution have failed and I do not understand why...
According to this link, cloud-init is available in the image that I use.
My template.json file contain:
...ANSWER
Answered 2020-Nov-09 at 08:13According to my experience, the problem is that the value for the custom data is not right. I check the VM that the cloud-init provision successfully, the code does not match yours. You can check the file /var/lib/waagent/ovf-env.xml
yourself. Do not change the text yourself into a string. You can encode the text online.
QUESTION
I am quite unfamiliar with the way tcpreplay works and I just started using it.
I am feeding a pcap of vxlan packets to an ethernet interface that has vxlan configured on top of it. Can we see the decapsulated packets on the vxlan interface? Do I need to tweak the ip/mac? Is it even possible or am I trying something weird?
Is there any other way to achieve what I am trying to do? Basically receive vxlan pcap, decapsulate the vxlan headers and send it to an interface. Any help is much appreciated.
...ANSWER
Answered 2020-Mar-05 at 00:17No, you can't send the vxlan packets on an interface and see the decapsulated frames on the sub-interface on the same host... at least on Linux because the frame is immediately sent out and won't be seen as an inbound packet.
You'd need to sniff the packets on another host/NIC and set the IP/MAC to that remote host.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install tcpreplay
This feature will detect [netmap](http://info.iet.unipi.it/~luigi/netmap/) capable network drivers on Linux and BSD systems. If detected, the network driver is bypassed for the execution duration of tcpreplay and tcpreplay-edit, and network buffers will be written to directly. This will allow you to achieve full line rates on commodity network adapters, similar to rates achieved by commercial network traffic generators. Note that bypassing the network driver will disrupt other applications connected through the test interface. Don’t test on the same interface you ssh’ed into.
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page