lost and found ( for me ? )


tcpreplay, tcprewrite ( rewrite MAC and IP addresses for your network environment and replay the captured data )

Here is how to use tcpreplay / tcprewrite.

With tcprewrite, you can edit capture data to fit your network environment (for example the source MAC, destination MAC and destination IP), and then replay the edited capture with tcpreplay.

# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"

# apt-get install tcpreplay -y


Extract the packets sent to UDP port 53 (DNS queries) into a new capture file:
tcpdump -r dns.cap -n udp dst port 53 -w a_dns.cap

Rewrite the source MAC, destination MAC and destination IP, and recompute the checksums so the rewritten packets are still valid:
# tcprewrite --infile=a_dns.cap --outfile=c_dns.cap --dstipmap=0.0.0.0/0:192.168.11.20/32 --enet-dmac=08:00:27:27:c5:f1 --enet-smac=08:00:27:1b:09:e4 --fixcsum

Replay the rewritten capture at 100 packets per second:
# tcpreplay --intf1=eth0 --pps=100 c_dns.cap

Capture the traffic on the target device (the DNS server at 192.168.11.20):
# tcpdump -i eth0 port 53 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:31:07.452087 IP 192.168.170.8.32795 > 192.168.11.20.53: 4146+ TXT? google.com. (28)
21:31:07.452610 IP 192.168.11.20.37474 > 192.168.11.1.53: 48231+% [1au] TXT? google.com. (39)
21:31:07.461590 IP 192.168.170.8.32795 > 192.168.11.20.53: 63343+ MX? google.com. (28)
21:31:07.461881 IP 192.168.11.20.57190 > 192.168.11.1.53: 61338+% [1au] MX? google.com. (39)

The resolver's query log on the target (unbound):
Feb  1 21:31:07 ubuntu-vm2 unbound: [2853:0] info: 192.168.170.8 google.com. TXT IN
Feb  1 21:31:07 ubuntu-vm2 unbound: [2853:0] info: 192.168.170.8 google.com. MX IN
Feb  1 21:31:07 ubuntu-vm2 unbound: [2853:0] info: 192.168.170.8 google.com. LOC IN
Feb  1 21:31:07 ubuntu-vm2 unbound: [2853:0] info: 192.168.170.8 104.9.192.66.in-addr.arpa. PTR IN

tcprewrite and tcpreplay : rewrite a cap file and replay UDP traffic

Here is how to rewrite a capture file and replay it with tcprewrite and tcpreplay.

root@ubuntu:~:# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 13.10"

root@ubuntu:~:# apt-get install tcpreplay

root@ubuntu:~:# dpkg -l tcpreplay
+++-==============-============-============-=================================
ii  tcpreplay      3.4.4-2      amd64        Tool to replay saved tcpdump file


my_dns_query.cap is a DNS capture file collected with tcpdump.
Rewrite the destination IP address to 192.168.11.1:

# tcprewrite --infile=my_dns_query.cap --outfile=new.cap --dstipmap=0.0.0.0/0:192.168.11.1/32

Original: destination IP 8.8.8.8

root@ubuntu:~:# tcpdump -r my_dns_query.cap -n | head -1
reading from file my_dns_query.cap, link-type EN10MB (Ethernet)
00:13:52.094051 IP 192.168.11.100.14751 > 8.8.8.8.53: 65266+ A? ocsp.verisign.com. (35)

After rewriting: destination IP 192.168.11.1

root@ubuntu:~:# tcpdump -r new.cap -n | head -1
reading from file new.cap, link-type EN10MB (Ethernet)
00:13:52.094051 IP 192.168.11.100.14751 > 192.168.11.1.53: 65266+ A? ocsp.verisign.com. (35)
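The rewrite shown above, together with the --fixcsum step from the first post, in a few lines of Python: an added example, not the page's own code and not part of tcpreplay. It maps every IPv4 destination to one address the way --dstipmap=0.0.0.0/0:X/32 does and recomputes the IPv4 header and UDP checksums, both of which cover the destination address, so a rewrite without --fixcsum leaves packets a receiving stack will discard. The sample frame is constructed (the MAC addresses are the ones from the first post); only Ethernet/IPv4/UDP frames are handled.

```python
import struct, ipaddress

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    s = sum(struct.unpack("!%dH" % ((len(data) + 1) // 2), data + b"\x00" * (len(data) % 2)))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def _split(frame: bytes):  # Ethernet header, IPv4 header, rest (UDP header + data)
    ihl = (frame[14] & 0x0F) * 4
    return bytes(frame[:14]), bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:])

def _udp_pseudo(ip: bytearray, ulen: int) -> bytes:
    # pseudo-header includes src/dst IP, so an IP rewrite invalidates the UDP checksum too
    return bytes(ip[12:20]) + b"\x00\x11" + struct.pack("!H", ulen)

def checksums_ok(frame: bytes) -> bool:
    """Verify the IPv4 header checksum and, for UDP, the UDP checksum."""
    eth, ip, rest = _split(frame)
    ulen = struct.unpack("!H", rest[4:6])[0]
    udp_ok = ip[9] != 17 or csum(_udp_pseudo(ip, ulen) + bytes(rest[:ulen])) == 0
    return csum(bytes(ip)) == 0 and udp_ok

def fix_checksums(frame: bytes) -> bytes:
    """Recompute the IPv4 and UDP checksums, i.e. what tcprewrite --fixcsum does."""
    eth, ip, rest = _split(frame)
    ip[10:12] = struct.pack("!H", csum(bytes(ip[:10]) + b"\x00\x00" + bytes(ip[12:])))
    if ip[9] == 17:  # UDP: checksum pseudo-header + datagram with the field zeroed
        ulen = struct.unpack("!H", rest[4:6])[0]
        rest[6:8] = b"\x00\x00"
        rest[6:8] = struct.pack("!H", csum(_udp_pseudo(ip, ulen) + bytes(rest[:ulen])) or 0xFFFF)
    return eth + bytes(ip) + bytes(rest)

def rewrite_dst_ip(frame: bytes, new_dst: str, fixcsum: bool = True) -> bytes:
    """Map every IPv4 destination to new_dst, like --dstipmap=0.0.0.0/0:new_dst/32."""
    if frame[12:14] != b"\x08\x00":
        return frame  # ARP, IPv6 etc. pass through unchanged
    eth, ip, rest = _split(frame)
    ip[16:20] = ipaddress.IPv4Address(new_dst).packed
    out = eth + bytes(ip) + bytes(rest)
    return fix_checksums(out) if fixcsum else out

def sample_dns_query() -> bytes:
    """Constructed sample: DNS A query for google.com, 192.168.11.100:14751 -> 8.8.8.8:53."""
    qname = b"".join(bytes([len(p)]) + p for p in b"google.com".split(b".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0xFEEE, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 14751, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0x4000, 64, 17, 0,
                     bytes([192, 168, 11, 100]), bytes([8, 8, 8, 8]))
    return fix_checksums(bytes.fromhex("08002727c5f10800271b09e40800") + ip + udp)
```

Running rewrite_dst_ip(frame, "192.168.11.1", fixcsum=False) on the sample and checking it with checksums_ok shows why the first post passes --fixcsum: the destination changes but both checksums are now wrong.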

Replay the packets:

# tcpreplay -i br0 new.cap --pps=10
sending out br0
processing file: new.cap

okay.

root@ubuntu:~:# tcpreplay --pps=100 --intf1=br0 new.cap
sending out br0
processing file: new.cap
Actual: 722 packets (57514 bytes) sent in 7.28 seconds. Rated: 7900.3 bps, 0.06 Mbps, 99.18 pps
Statistics for network device: br0
Attempted packets:         722
Successful packets:        722

root@ubuntu:~:# tcpdump -r new.cap | wc -l
reading from file new.cap, link-type EN10MB (Ethernet)
722


root@ubuntu:~:# tcpdump -i br0 udp dst port 53 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:54:00.827695 IP 192.168.11.100.28689 > 192.168.11.1.53: 17014+ A? workplace.stackexchange.com. (45)
01:54:00.837693 IP 192.168.11.100.5017 > 192.168.11.1.53: 64629+ A? apple.stackexchange.com. (41)