程式扎記 (Programming Notes): [Linux article collection] How to capture and replay network traffic on Linux

Wednesday, May 13, 2015

[Linux article collection] How to capture and replay network traffic on Linux

Source From Here 
Preface
When you are testing or debugging middlebox hardware such as routers, switches, or IDS/IPS, it is extremely useful to perform the testing with reproducible network traffic. Using repeatable traffic minimizes uncertainty in the testing environment, thereby making test results easier to interpret and analyze. In Linux, there is a suite of command-line utilities called tcpreplay which can replay captured network traffic.

In this tutorial, I will show you how to capture live network traffic, and replay the captured network traffic elsewhere by using tcpreplay, tcpdump and tcprewrite.

Capture Live Network Traffic
First, install tcpreplay and tcpdump on Linux. To install tcpreplay, follow the instructions here.

The next step is to capture live network traffic, and dump it to a pcap file. To do so, run tcpdump command as follows. I assume that eth0 is the sniffing interface which is set to promiscuous mode:
# tcpdump -w dump.pcap -i eth0


Rewrite Packets in Traffic Dump
Next, rewrite the packets captured in the pcap file, so that we can replay them between any two arbitrary hosts (different from the original traffic source and sink). Run the following series of commands to perform such packet rewriting.

1. Rewrite any destination IP address and MAC address in traffic dump to 192.168.1.20 and E0:DB:55:CC:13:F1, respectively:
# tcprewrite --infile=dump.pcap --outfile=temp1.pcap --dstipmap=0.0.0.0/0:192.168.1.20 --enet-dmac=E0:DB:55:CC:13:F1

2. Rewrite any source IP address and MAC address in traffic dump to 192.168.1.10 and 84:A5:C8:BB:58:1A, respectively:
# tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap=0.0.0.0/0:192.168.1.10 --enet-smac=84:A5:C8:BB:58:1A

3. Update the checksum of every packet:
# tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum

After you are done with packet rewriting, you can go ahead and replay the finalized packet dump as follows.
# tcpreplay --intf1=eth0 final.pcap
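
The three tcprewrite steps above, carried out on a constructed one-packet capture in Python as an added example (not the article's or tcpreplay's own code): it replaces source/destination MAC and IPv4 addresses for every frame (the 0.0.0.0/0 mapping) and recomputes the IPv4 header checksum. It assumes a little-endian classic pcap of Ethernet frames; the sample hosts 10.0.0.1/10.0.0.2 and their MACs are constructed.

```python
# Added example, not tcprewrite's own code: mirrors the three tcprewrite steps above on a pcap.
import struct
from ipaddress import IPv4Address

PCAP_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC_LE, LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 0xA1B2C3D4, 1, b"\x08\x00"
def mac(s: str) -> bytes: return bytes.fromhex(s.replace(":", ""))

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_frame(frame: bytes, src_ip: str, src_mac: str, dst_ip: str, dst_mac: str) -> bytes:
    """--enet-smac/--enet-dmac, --srcipmap/--dstipmap=0.0.0.0/0:addr and --fixcsum (IPv4 header)."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return frame  # not IPv4 over Ethernet (e.g. ARP): leave untouched
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    ip[12:16], ip[16:20] = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    ip[10:12] = b"\x00\x00"  # checksum field counts as zero while summing (RFC 791)
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    # Caveat: a non-zero TCP/UDP checksum also covers the addresses (pseudo-header); tcprewrite --fixcsum redoes it, this does not.
    return mac(dst_mac) + mac(src_mac) + frame[12:14] + bytes(ip) + frame[14 + ihl:]

def rewrite_pcap(data: bytes, **addrs: str) -> bytes:
    """Walk every record of a little-endian classic pcap and rewrite its frame."""
    magic, *_, linktype = PCAP_HDR.unpack_from(data)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expects little-endian classic pcap with Ethernet frames")
    out, off = bytearray(data[:PCAP_HDR.size]), PCAP_HDR.size
    while off < len(data):
        ts_sec, ts_usec, incl, orig = REC_HDR.unpack_from(data, off)
        new = rewrite_frame(data[off + REC_HDR.size:off + REC_HDR.size + incl], **addrs)
        out += REC_HDR.pack(ts_sec, ts_usec, len(new), orig) + new
        off += REC_HDR.size + incl
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed one-packet capture (not from the article): 10.0.0.1 -> 10.0.0.2 UDP/53, UDP checksum 0 (none)."""
    udp = struct.pack("!HHHH", 53, 53, 12, 0) + b"test"
    ip = bytearray(struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0)
                   + IPv4Address("10.0.0.1").packed + IPv4Address("10.0.0.2").packed)
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    frame = mac("00:11:22:33:44:55") + mac("66:77:88:99:aa:bb") + ETHERTYPE_IPV4 + bytes(ip) + udp
    return (PCAP_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
            + REC_HDR.pack(1431500000, 0, len(frame), len(frame)) + frame)
```

Calling rewrite_pcap(sample_pcap(), src_ip="192.168.1.10", src_mac="84:A5:C8:BB:58:1A", dst_ip="192.168.1.20", dst_mac="E0:DB:55:CC:13:F1") yields the same result as the three-command pipeline for this frame, and ip_checksum() over the rewritten IPv4 header returns 0, which is how a replay target verifies the header.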

Customize Traffic Replay Settings
The tcpreplay command offers various options to customize replay settings (e.g., speed, duration, performance).

1. To loop through a pcap file 100 times:
# tcpreplay --loop=100 --intf1=eth0 final.pcap

2. To cache a pcap file in RAM after the first time, so that subsequent loops do not incur disk I/O latency:
# tcpreplay --loop=100 --enable-file-cache --intf1=eth0 final.pcap

3. To replay traffic five times as fast as the original traffic was captured:
# tcpreplay --multiplier=5.0 --intf1=eth0 final.pcap

4. To replay traffic at a rate of 10Mbps:
# tcpreplay --mbps=10.0 --intf1=eth0 final.pcap

5. To replay traffic at 100 packets per second:
# tcpreplay --pps=100 --intf1=eth0 final.pcap

6. To replay traffic in infinite loops or until CTRL-C is pressed:
# tcpreplay --loop=0 --intf1=eth0 final.pcap

7. To replay traffic as quickly as possible:
# tcpreplay --topspeed --intf1=eth0 final.pcap

Summary
In this tutorial, I demonstrated how to modify packet traces in a systematic way using tcprewrite, and inject them onto the network with tcpreplay. Combined with other pcap manipulation tools, they give you an effective means of doing various kinds of network testing and troubleshooting in a more controlled environment.

Supplement
Tcpdump Commands – A Network Sniffer Tool
