How to use Tcpreplay tool with practical examples

Leave a Comment / Linux Networking, Networking / By

Table of Contents

Introduction

Wondering how to produce a pattern of the traffic flow in your test network just like how it is in your production site ?

 We can leverage the tcpreplay tool to replay the same packets from the production network on a test network for analysis.  For example , If we are testing a switch or an intermediate device for its behavior on a particular traffic pattern which is very hard to recreate using other packet generation techniques. We can perform the capture of the production traffic through the tcpdump or other mechanisms and save it as a .pcap file. Now using the tcpreplay tool we can replay the packet part of the .pcap file captured to the test network for our analysis. 

Understanding the working of Tcpreplay tool

 Lets use the example packet capture .pcap file so that we can use that to demonstrate the working of the tcpreplay in detail

In the Above network , we were performing the ping originating from the 192.168.94.200 destined to the 192.168.94.100 and we used tcpdump to capture 5 icmp echo request alone from 192.168.94.200 towards 192.168.94.100.

You can use tcpdump with read option ( -r) to view the .pcap file we are going to use 

[root@discoveringsystems-centos /]# tcpdump -nevvr discovering-systems.pcap
reading from file discovering-systems.pcap, link-type EN10MB (Ethernet)
23:59:21.756673 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58743, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.756289 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59332, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.754849 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60333, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.753171 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60431, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.751693 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64

With tcpreplay we are going to replay these packets to get the response from the 192.168.94.100 .Let’s get started with the important option , Option ‘-i ‘ is used to reference the interface through which are looking to send the packets out , followed by the Actual pcap file. Following command example will replay all the 5 packets present on the discovering-systems.pcap file out of the ens33 interface in the speed at which the packets are recorded in the original pcap. After replaying the packets ,  it will also print statistics . 

[root@discoveringsystems-centos /]# tcpreplay -i ens33 discovering-systems.pcap
Actual: 5 packets (490 bytes) sent in 3.99 seconds
Rated: 122.6 Bps, 0.000 Mbps, 1.25 pps
Flows: 1 flows, 0.25 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

While the replay is performed , we also performed the capture on the receiving device for the icmp packets and we were able to see the replayed packets and also the responses generated for the replayed packets 

root@DiscoveringSystems-ubuntu:/# tcpdump -nevvi ens38 icmp
tcpdump: listening on ens38, link-type EN10MB (Ethernet), snapshot length 262144 bytes
04:05:17.685114 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58743, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
04:05:17.685139 00:0a:0a:0a:0a:0a > 00:0b:0b:0b:0b:0b, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 4917, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.94.100 > 192.168.94.200: ICMP echo reply, id 38769, seq 1, length 64
04:05:18.683274 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59332, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
04:05:18.683302 00:0a:0a:0a:0a:0a > 00:0b:0b:0b:0b:0b, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 5052, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.94.100 > 192.168.94.200: ICMP echo reply, id 38769, seq 2, length 64
04:05:19.680273 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60333, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
04:05:19.680303 00:0a:0a:0a:0a:0a > 00:0b:0b:0b:0b:0b, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 5211, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.94.100 > 192.168.94.200: ICMP echo reply, id 38769, seq 3, length 64
04:05:20.677003 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60431, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
04:05:20.677028 00:0a:0a:0a:0a:0a > 00:0b:0b:0b:0b:0b, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 5357, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.94.100 > 192.168.94.200: ICMP echo reply, id 38769, seq 4, length 64
04:05:21.673867 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
04:05:21.673899 00:0a:0a:0a:0a:0a > 00:0b:0b:0b:0b:0b, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 5558, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.94.100 > 192.168.94.200: ICMP echo reply, id 38769, seq 5, length 64

How to use Tcpreplay with help option(-h)

To view all the options available for use with the tcpreplay tool you can use the help option 

[root@discoveringsystems-centos /]# tcpreplay --help
tcpreplay (tcpreplay) - Replay network traffic stored in pcap files
Usage:  tcpreplay [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \
                <pcap_file(s)> | <pcap_dir(s)>
.
.
.

How to use Tcpreplay with topspeed option (-t)

Sometimes we might have requirements to replay the pcap at top speed instead of replaying at the same speed at which it is recorded. Tcpreplay with  topspeed option can help you with this  

Here it took only 221 microseconds to send the packets . Option “-t “ means topspeed 

[root@discoveringsystems-centos /]# tcpreplay -t -i ens33 discovering-systems.pcap
Actual: 5 packets (490 bytes) sent in 0.000221 seconds
Rated: 2217194.5 Bps, 17.73 Mbps, 22624.43 pps
Flows: 1 flows, 4524.88 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay with Bit rate or packets per second option 

Instead of using the Top speed , we were trying to take a larger control on the rate at which the packets are getting replayed. 

How to use Tcpreplay with Per Second option ( –pps) 

In the following example we have asked the tool to send 4 packets per second out of the ens33 interface 

[root@discoveringsystems-centos /]# tcpreplay --pps=4 -i ens33 discovering-systems.pcap
Actual: 5 packets (490 bytes) sent in 1.00 seconds
Rated: 489.9 Bps, 0.003 Mbps, 4.99 pps
Flows: 1 flows, 0.99 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay with Bit rate option ( –mpbs)

In the following example we have asked the tool to replay the packets out of ens33  in the speed of 100 mbps

[root@discoveringsystems-centos /]# tcpreplay --mbps=100 -i ens33 discovering-systems.pcap
Actual: 5 packets (490 bytes) sent in 0.000257 seconds
Rated: 1906614.7 Bps, 15.25 Mbps, 19455.25 pps
Flows: 1 flows, 3891.05 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay  with Multiplier option (  –multiplier )

We can use the Multiplier option to replay  the packets at a speed which they recorded * multiplier. In the following example , we were able to see that every packet is now delayed twice. Per the .pcap file each icmp echo request needs to be sent every 1 second , now after using the multiplier option to influence it with 0.5 speed of the original is now delayed twice 

[root@discoveringsystems-centos /]# tcpreplay --multiplier=0.5 -i ens33 discovering-systems.pcap
Actual: 5 packets (490 bytes) sent in 7.99 seconds
Rated: 61.3 Bps, 0.000 Mbps, 0.62 pps
Flows: 1 flows, 0.12 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0



05:37:43.042417 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58743, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64

05:37:45.037723 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59332, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64

05:37:47.031040 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60333, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64

05:37:49.038174 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60431, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64

05:37:51.042230 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64

How to use Tcpreplay with verbose option ( -v)

Apart from replaying the packets out of the desired interface , using the verbose option also prints the packets being sent out via the tcpdump as Stdout. In the following example we can see the packets are both printed in the stdout and also replayed by the tcpreplay 

[root@discoveringsystems-centos /]# tcpreplay  -v -i ens33 discovering-systems.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
Actual: 5 packets (490 bytes) sent in 4.01 seconds
Rated: 121.9 Bps, 0.000 Mbps, 1.24 pps
Flows: 1 flows, 0.24 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay with decode option (-A)

There is a another option called Decode which we can club with the Verbose option to use tcpdump command like extra options for showing the ethernet header , printing the entire packets , etc 

In this example while replaying the packet , we are asking tcpreplay tool to show the packets using the verbose option(-v) and  also to show it  with more verbosity (-vvv) ,  with the ethernet header (-e). These extra tcpdump type options were possible because of using the decode option (-A)  

[root@discoveringsystems-centos /]# tcpreplay -A "-evvv" -v  -i ens33 discovering-systems.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58743, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59332, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60333, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60431, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
Actual: 5 packets (490 bytes) sent in 4.02 seconds
Rated: 121.8 Bps, 0.000 Mbps, 1.24 pps
Flows: 1 flows, 0.24 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay  with “one at a time” option ( -o)

With One at a time option , tcpreplay replays the first packet , then prompts the user to check how many to send next and after sending the requested number , again it prompts to get user inputs on how many more we are planning to send out.

 In the following example we were able to see it sent out one packet and mentioned that the next packet waiting to be sent out is packet number 2 and in the user input we mentioned 3. It sent out 3 packets based on our inputs and again was waiting for user inputs to start with packet number 5  

[root@discoveringsystems-centos /]# tcpreplay -o  -i ens33 discovering-systems.pcap
**** Next packet #2 out ens33.  How many packets do you wish to send? 3
Sending packet 2 out: ens33
**** Next packet #5 out ens33.  How many packets do you wish to send? 5
Sending packet 5 out: ens33
Actual: 5 packets (490 bytes) sent in 4.44 seconds
Rated: 110.3 Bps, 0.000 Mbps, 1.12 pps
Flows: 1 flows, 0.22 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

I have added  verbose option (-v) along with one at a time option (-o) to understand this behavior better

[root@discoveringsystems-centos /]# tcpreplay -o -v  -i ens33 discovering-systems.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
**** Next packet #2 out ens33.  How many packets do you wish to send? 3
Sending packet 2 out: ens33
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
**** Next packet #5 out ens33.  How many packets do you wish to send? 5
Sending packet 5 out: ens33
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
Actual: 5 packets (490 bytes) sent in 4.33 seconds
Rated: 113.0 Bps, 0.000 Mbps, 1.15 pps
Flows: 1 flows, 0.23 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay with Limit option (-L)

We  can limit the number of packets being sent out using the “limit “ option with tcpreplay . we know that there are 5 packets in pcap file , however I am sending only 2 out of them using the limit option in the following example 


[root@discoveringsystems-centos /]# tcpreplay -L 2 -v  -i ens33 discovering-systems.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
Actual: 2 packets (196 bytes) sent in 1.01 seconds
Rated: 192.4 Bps, 0.001 Mbps, 1.96 pps
Flows: 1 flows, 0.98 fps, 2 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        2
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay with Duration option (–duration )

We can use the duration option with tcpreplay  to send the packets as per the duration mentioned in seconds , in the below example I am sending the packets from the pcap for 2 seconds. Note that without the top speed option it replays the packets from the pcap file in the rate at which they are recorded. So for a 2 second duration it was able to send only 3 packets from the 5 packet  pcap file. I also used verbose option along with duration option to visualize this more easily 

[root@discoveringsystems-centos /]# tcpreplay --duration=2 -v  -i ens33 discovering-systems.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
Actual: 3 packets (294 bytes) sent in 2.01 seconds
Rated: 145.6 Bps, 0.001 Mbps, 1.48 pps
Flows: 1 flows, 0.49 fps, 3 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        3
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay with loop option ( –loop)

Tcpreplay by default will replay the packets from the pcap file and stops after it has no more packets to replay from the pcap. With the loop option we can ask the tcpreplay to loop again after replaying all the packets from the pcap file. In the following example we were able to see that , it is a infinite loop , when the –loop=0 and the tcpreplay sends the packets from the pcap file again and again until we stop using the “ctrl + c” key interrupt 

[root@discoveringsystems-centos /]# tcpreplay --loop=0 -v  -i ens33 discovering-systems.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
^C User interrupt...
sendpacket_abort
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64

Actual: 18 packets (1764 bytes) sent in 14.03 seconds
Rated: 125.7 Bps, 0.001 Mbps, 1.28 pps
Flows: 1 flows, 0.07 fps, 72 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        17
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

If you want to automatically stop after several times using the loop count ,In the following example we asked tcpreplay to loop for two times , as we used loop count as 2 

[root@discoveringsystems-centos /]# tcpreplay --loop=2 -v  -i ens33 discovering-systems.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
Actual: 10 packets (980 bytes) sent in 8.03 seconds
Rated: 121.9 Bps, 0.000 Mbps, 1.24 pps
Flows: 1 flows, 0.12 fps, 20 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        10
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay loop option along with  loopdelay-ms option ( –loop , –loopdelay-ms)

We can also set how much time to wait between loop iterations , here using the  option  –loopdelay-ms  along with the loop option I was able to set 5 seconds of delay ( 5000 ms ) between loop iterations

[root@discoveringsystems-centos /]# tcpreplay --loop=2 --loopdelay-ms=5000 -v  -i ens33 discovering-systems.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
Actual: 10 packets (980 bytes) sent in 13.03 seconds
Rated: 75.1 Bps, 0.000 Mbps, 0.76 pps
Flows: 1 flows, 0.07 fps, 20 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        10
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay with Unique-ip option along with loop option (–loop, –unique-ip)

TCP replay has a feature called unique-ip to be used along with a loop option to change the Ips of the replayed packets after the loop iteration. This unique-ip option needs the loop option to work . Here only the Ips will be modified , but not the mac address.

In the following example we have asked tcpreplay to replay the packets in pcap for times using loop option and also used unique-ip option along with that to change the ips every iteration .TO visualize this we also used verbose option. , those remains the same 

[root@discoveringsystems-centos /]# tcpreplay  --unique-ip  --loop=3 -v  -i ens33 discovering-systems.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 5, length 64
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.202 > 192.168.94.98: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.202 > 192.168.94.98: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.202 > 192.168.94.98: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.202 > 192.168.94.98: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.202 > 192.168.94.98: ICMP echo request, id 38769, seq 5, length 64
Actual: 15 packets (1470 bytes) sent in 12.06 seconds
Rated: 121.8 Bps, 0.000 Mbps, 1.24 pps
Flows: 3 flows, 0.24 fps, 45 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        15
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

We can add another option called  –unique-ip-loops along with –unique-ip option  and make it even more customized , where instead of changing the Unique IPs for every loop , we are asking tcpreplay  to change after some number of loops . This –unique-ip-loop option requires the –unique-ip option to work and the –unique-ip option needs the –loop option to work 

In the below example , we can see that for the two loops the Ips remained the same as it is seen on the pcap file used . Then after two loops we started to change the Ips used . this –unique-ip-loops=”num” option requires the –unique-ip option to work and the –unique-ip option needs the –loop option to work 

[root@discoveringsystems-centos /]# tcpreplay  --unique-ip --unique-ip-loops=2  --loop=3 -v  -i ens33 discovering-system
s.pcap
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64
reading from file -, link-type EN10MB (Ethernet)
23:59:21.1659585561 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 1, length 64
23:59:22.1659585562 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 2, length 64
23:59:23.1659585563 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 3, length 64
23:59:24.1659585564 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 4, length 64
23:59:25.1659585565 IP 192.168.94.201 > 192.168.94.99: ICMP echo request, id 38769, seq 5, length 64
Actual: 15 packets (1470 bytes) sent in 12.05 seconds
Rated: 121.9 Bps, 0.000 Mbps, 1.24 pps
Flows: 2 flows, 0.16 fps, 45 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        15
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay with maxsleep option (–maxsleep)

We can set an interval in ms  between replaying two packets from the pcap file by using the -maxsleep option. In the following example , we were able to replay the packets with 500 ms interval between them 

[root@discoveringsystems-centos /]# tcpreplay   --maxsleep=500   -i ens33 discovering-systems.pcap
Actual: 5 packets (490 bytes) sent in 2.00 seconds
Rated: 244.9 Bps, 0.001 Mbps, 2.49 pps
Flows: 1 flows, 0.49 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0


root@DiscoveringSystems-ubuntu:/# tcpdump -nevvi ens38 icmp
tcpdump: listening on ens38, link-type EN10MB (Ethernet), snapshot length 262144 bytes

05:59:06.844450 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58743, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64

05:59:07.344529 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59332, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64

05:59:07.844545 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60333, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64

05:59:08.344470 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60431, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64

05:59:08.844411 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64

In the following example ,  even though I set maxsleep interval to be 10 seconds ,  the tcpreplay  sends the packet with the same timer as its recorded ( 1 sec each ). So the maxsleep needs to be lesser than the actual recorded time interval in the pcap file. In my case the pcap file has 1 packet every 1 second as the recorded time 

[root@discoveringsystems-centos /]# tcpreplay   --maxsleep=10000   -i ens33 discovering-systems.pcap
Actual: 5 packets (490 bytes) sent in 3.99 seconds
Rated: 122.6 Bps, 0.000 Mbps, 1.25 pps
Flows: 1 flows, 0.25 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0


root@DiscoveringSystems-ubuntu:/# tcpdump -nevvi ens38 icmp
tcpdump: listening on ens38, link-type EN10MB (Ethernet), snapshot length 262144 bytes

06:00:35.336253 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58743, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 1, length 64

06:00:36.339581 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 59332, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 2, length 64

06:00:37.341102 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60333, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 3, length 64

06:00:38.341750 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60431, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 4, length 64

06:00:39.342094 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.94.200 > 192.168.94.100: ICMP echo request, id 38769, seq 5, length 64

How to use Tcpreplay with print pid option (-P)

We have an option on the tcpreplay to print the PID while starting to  replay  the packets . This is useful to kill the process if the CLI is timed out after sometime. 

[root@discoveringsystems-centos /]# tcpreplay  -P   -i ens33 discovering-systems.pcap
PID: 2629
Actual: 5 packets (490 bytes) sent in 3.99 seconds
Rated: 122.6 Bps, 0.000 Mbps, 1.25 pps
Flows: 1 flows, 0.25 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

How to use Tcpreplay with print statistics option (–stats)

Using the print statistics option with tcpreplay  we can print the statistics of the packet sent out every few seconds . In the following example , I asked the tcpreplay  to print packet sent statistics every two seconds and also the one which prints finally after all the packets are sent. This helps in situation if we have thousands of packets to replay and you want a statistics to get printed to track the number of packets sent so far 

[root@discoveringsystems-centos /]# tcpreplay   --stats=2 -i ens33 discovering-systems.pcap

Test start: 2022-08-06 02:18:47.953631 ...
Actual: 4 packets (392 bytes) sent in 2.99 seconds
Rated: 130.7 Bps, 0.001 Mbps, 1.33 pps
Test complete: 2022-08-06 02:18:51.949830
Actual: 5 packets (490 bytes) sent in 3.99 seconds
Rated: 122.6 Bps, 0.000 Mbps, 1.25 pps

Flows: 1 flows, 0.25 fps, 5 flow packets, 0 non-flow
Statistics for network device: ens33
        Successful packets:        5
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Subscribe
Subscribe