The Tcpreplay suite includes the following tools:
- tcpprep - multi-pass pcap file pre-processor which determines packets as client or server and creates cache files used by tcpreplay and tcprewrite
- tcprewrite - pcap file editor which rewrites TCP/IP and Layer 2 packet headers
- tcpreplay - replays pcap files at arbitrary speeds onto the network
- tcpliveplay - replays network traffic stored in a pcap file on live networks using new TCP connections
- tcpreplay-edit - replays & edits pcap files at arbitrary speeds onto the network
- tcpbridge - bridge two network segments with the power of tcprewrite
- tcpcapinfo - raw pcap file decoder and debugger
Use the following specific syntax to replay a TCP capture:
# tcpliveplay <device> <file.pcap> <Destination IP> <Destination MAC> <Source Port>
Device: The device the packets will be sent out on, such as eth0 or eth1.
file.pcap: The “*.pcap” packet capture you desire to replay. Note that all non-TCP packets will be filtered out and ignored. Only replay captures that contain one TCP flow.
Destination IP: The destination IP string of the remote host you wish to replay the captures against.
Destination MAC: The destination MAC address of the NIC directly connected to your replay station.
Source Port: The TCP source port. If you do not want a specific port, you may instead type “random”, which selects a random port at runtime and uses it as the source port. The generated numbers will be in the private ports range of 49152 to 65535.
Due to the nature of the replay, you must suppress the kernel's RST packets: the replay injects packets through the replay station's NIC, so the kernel has no socket for that connection and would otherwise reset it. Issue the following:
# sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -s <your ip> -d <dst ip> --dport <dst port, example 80 or 23 etc.> -j DROP
Example of the suppression command:
# sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -s 10.0.2.15 -d 192.168.1.10 --dport 80 -j DROP
Here are examples of running tcpliveplay:
# tcpliveplay eth0 sample1.pcap 192.168.1.5 52:51:01:12:38:02 random
# tcpliveplay eth0 sample2.pcap 192.168.1.5 52:51:01:12:38:02 52178
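As an added wrapper around the steps above (example script, not part of the Tcpreplay suite), the following POSIX shell functions validate the arguments, install the RST-suppressing rule, run tcpliveplay, and delete the rule afterwards so it does not linger on the replay station. It assumes tcpliveplay and iptables are on PATH; the IPs, MAC and file name in the usage comment are constructed.

```shell
#!/bin/sh
# Added wrapper (not part of the Tcpreplay suite): replay one TCP flow with
# tcpliveplay while the kernel's RST replies are suppressed, then remove the
# iptables rule again. Assumes tcpliveplay and iptables are on PATH.

# Arguments of the rule from the text: drop the RSTs our kernel would send for
# the injected connection (it has no socket for it and would reset it).
rst_rule() {
    # $1 = replay station IP, $2 = destination IP, $3 = destination TCP port
    echo "OUTPUT -p tcp --tcp-flags RST RST -s $1 -d $2 --dport $3 -j DROP"
}

# Source port must be "random" or a decimal number in 1..65535.
valid_src_port() {
    case "$1" in
        random) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Destination MAC must look like 52:51:01:12:38:02.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# replay_flow DEV PCAP LOCAL_IP DST_IP DST_PORT DST_MAC SRC_PORT
replay_flow() {
    valid_src_port "$7" || { echo "bad source port: $7" >&2; return 2; }
    valid_mac "$6"      || { echo "bad MAC address: $6" >&2; return 2; }
    [ -r "$2" ]         || { echo "cannot read pcap: $2" >&2; return 2; }
    rule=$(rst_rule "$3" "$4" "$5")
    # Word splitting of $rule is intentional: it is a list of iptables args.
    sudo iptables -A $rule || return 1
    # Remove the rule even if tcpliveplay is interrupted with Ctrl-C.
    trap 'sudo iptables -D $rule; exit 130' INT TERM
    tcpliveplay "$1" "$2" "$4" "$6" "$7"
    rc=$?
    trap - INT TERM
    sudo iptables -D $rule
    return $rc
}

# Only replay when all seven arguments are given (constructed example call:
# replay_flow eth0 sample1.pcap 10.0.2.15 192.168.1.10 80 52:51:01:12:38:02 random).
if [ $# -eq 7 ]; then
    replay_flow "$@"
fi
```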
Types of Packet Captures
This tool can only replay TCP packet captures that contain one TCP flow. Future improvements will allow users to replay captures that contain multiple TCP connections at the same time.
Apart from tcpliveplay, the other tools only send the packets as they are; they neither establish TCP connections nor maintain SEQ/ACK. I tried tcpliveplay as well and it did not succeed either?
tcpliveplay eth0 52716.pcap 10.125.52.26 fa:16:3e:f1:5c:28 random
tcpreplay --intf1=eth0 52716.pcap
Reference links: