How To Install Tcpreplay On Windows

There's PReplay for Windows, tcpreplay and capedit for Linux/UNIX, and then a bunch of specialized tools for replaying specific types of traffic, usually related to. Hi, Is there a windows equivalent of TCP Replay, preferably freeware. Using which it is possible to replay the snooped pcap files. There is an unofficial port of tcpreplay to Windows which you can try (personally I haven't tried it so I don't know if it's good or not).

You use the Advanced Packaging Tool (apt) to manage additional applications (in the form of packages) and to install the latest updates.

Before running any apt-get commands or after changing the /etc/apt/sources.list file, you need to run apt-get update.

Network Disruptions When Updating/Upgrading

The apt-get upgrade and apt-get install commands cause disruptions to network services:

  • The apt-get upgrade command might result in services being restarted or stopped as part of the upgrade process.
  • The apt-get install command might disrupt core services by changing core service dependency packages.

In some cases, installing new packages with apt-get install might also upgrade additional existing packages due to dependencies. To view the additional packages that will be installed and/or upgraded before installing, run apt-get install --dry-run.

If services are stopped, you might need to reboot the switch for those services to restart.

Updating the Package Cache

To work properly, APT relies on a local cache of the available packages. You must populate the cache initially, and then periodically update it with apt-get update:

Cumulus Networks recommends you use the -E option with sudo whenever you run any apt-get command. This option preserves your environment variables (such as HTTP proxies) before you install new packages or upgrade your distribution.

Listing Available Packages

After the cache is populated, use the apt-cache command to search the cache to find the packages in which you are interested or to get information about an available package. Here are examples of the search and show sub-commands:

The search commands look for the search terms not only in the package name but in other parts of the package information; the search matches on more packages than you might expect.

Adding a Package

To add a new package, first ensure the package is not already installed on the system:

If the package is installed already, ensure it is the version you need. If the package is an older version, update the package from the Cumulus Linux repository:

If the package is not already on the system, add it by running apt-get install. This retrieves the package from the Cumulus Linux repository and installs it on your system together with any other packages on which this package might depend.

For example, the following adds the package tcpreplay to the system:

Listing Installed Packages

The APT cache contains information about all the packages available on the repository. To see which packages are actually installed on your system, use dpkg. The following example lists all the package names on the system that contain tcp:

Upgrading to Newer Versions of Installed Packages

Upgrading a Single Package

You can upgrade a single package by running apt-get install. Perform an update first so that the APT cache is populated with the latest package information.

To see if a package needs to be upgraded, run the apt-cache show <pkgname> command to show the latest version number of the package. Use dpkg -l <pkgname> to show the version number of the installed package.

Upgrading All Packages

You can update all packages on the system by running apt-get update, then apt-get upgrade. This upgrades all installed versions with their latest versions but does not install any new packages.

Adding Packages from Another Repository

As shipped, Cumulus Linux searches the Cumulus Linux repository for available packages. You can add additional repositories to search by adding them to the list of sources that apt-get consults. See man sources.list for more information.

Cumulus Networks has added features or made bug fixes to certain packages; you must not replace these packages with versions from other repositories. Cumulus Linux is configured to ensure that the packages from the Cumulus Linux repository are always preferred over packages from other repositories.

If you want to install packages that are not in the Cumulus Linux repository, the procedure is the same as above, but with one additional step.

Packages that are not part of the Cumulus Linux Repository are not typically tested and might not be supported by Cumulus Linux Technical Support.

Installing packages outside of the Cumulus Linux repository requires the use of apt-get; however, depending on the package, you can use easy-install and other commands.

To install a new package, complete the following steps:

  1. Run the dpkg command to ensure that the package is not already installed on the system:

  2. If the package is installed already, ensure it is the version you need. If it is an older version, update the package from the Cumulus Linux repository:

  3. If the package is not on the system, the package source location is most likely not in the /etc/apt/sources.list file. If the source for the new package is not in sources.list, edit and add the appropriate source to the file. For example, add the following if you want a package from the Debian repository that is not in the Cumulus Linux repository:

    Otherwise, the repository might be listed in /etc/apt/sources.list but is commented out, as can be the case with the early-access repository:

    To uncomment the repository, remove the # at the start of the line, then save the file:

  4. Run apt-get update then install the package and upgrade:

Cumulus Supplemental Repository

Cumulus Networks provides a Supplemental Repository that contains third party applications commonly installed on switches.

The repository is provided for convenience only. You can download and use these applications; however, the applications in this repository are not tested, developed, certified, or supported by Cumulus Networks.

Below is a non-exhaustive list of some of the packages present in the repository:

  • htop lets you view CPU, memory, and process information.
  • scamper is an ECMP traceroute utility.
  • mtr is an ECMP traceroute utility.
  • dhcpdump is similar to TCPdump but focused only on DHCP traffic.
  • vim is a text editor.
  • fping provides a list of targets through textfile to check reachability.
  • scapy is a custom packet generator for testing.
  • bwm-ng is a real-time bandwidth monitor.
  • iftop is a real-time traffic monitor.
  • tshark is a CLI version of wireshark.
  • nmap is a network scanning utility.
  • minicom is a USB/Serial console utility that turns your switch into a terminal server (useful for out of band management switches to provide a console on the dataplane switches in the rack).
  • apt-cacher-ng caches packages for mirroring purposes.
  • iptraf is a ncurses-based traffic visualization utility.
  • swatch monitors system activity. It reads a configuration file that contains patterns for which to search and actions to perform when each pattern is found.
  • dos2unix converts line endings from Windows to Unix.
  • fail2ban monitors log files (such as /var/log/auth.log and /var/log/apache/access.log) and temporarily or persistently bans the login of failure-prone IP addresses by updating existing firewall rules. This utility is not hardware accelerated on a Cumulus Linux switch, so only affects the control plane.

To enable the Supplemental Repository:

  1. In a file editor, open the /etc/apt/sources.list file.

  2. Uncomment the following lines:

  3. Update the list of software packages:

  4. Install the software in which you are interested:

Related Information

  • man pages for apt-get, dpkg, sources.list, apt_preferences

tool to replay and work with pcap and smcap (smithproxy capture) files

Project description

Support

For comments, feedback or new feature discussion, feel free to drop a message to the pplay-users@googlegroups.com mailing list. If you can make use of a .deb package, visit the download section of this site.

History

Recently I’ve been in the need of reproducing some issue with DLP, while I was provided with pcap when DLP was not involved in the traffic flow and everything was working. Originally I was trying to utilize netcat, however I’ve always ended up with some (my) mistake, or simply I just sent CR when it should have been CRLF… Reproduction was frankly a tedious task.

Then I gave up on manual work, and tried tcpreplay. This is a really fantastic tool in case you want to replay exactly what you have in pcap. However I quickly realized that DLP is changing sequential numbers of inspected TCP traffic, so it couldn’t have been used either!! Looking around the net, I decided to write something myself which will help me now and next time it can help others too.

Quick start

PPlay is a tool to replay/resend application data; it doesn’t care about transport-layer parameters (which is what we want, for the reasons described above). It grabs only the payload from the connection you explicitly specify, makes a new connection and plays the content in the right order. Of course, you will need to run pplay on both the server and the client, with the same pcap file parameter and also with other quite important arguments.

All data about to be sent will be printed out to be confirmed by you. When receiving data, it will tell you if they differ from what we expect and how much; there are 3 levels, OK, modified, different. If they differ significantly (marked as different), they will not be considered as the part of the expected data, so in most cases the logic of packet ordering will stay stable.

Output is colored: RED means anything related to received data, GREEN is data to be sent, and YELLOW is the command line and other data eligible to be sent in the future but not now. WHITE is usually program notifications. At first sight pplay’s output might look a bit messy, but the colors really help.
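The replay and comparison described above, as a minimal sketch added here (not pplay's own code): each side sends only its own payloads over a brand-new loopback connection and grades what it receives as OK, modified or different. The sample script, the function names, the 0.6 similarity floor and the client_rewrite hook (which stands in for an inline device altering data) are all assumptions made for illustration.

```python
import difflib
import socket
import threading

# Constructed sample "capture": application payloads only, in original order.
# "C" = sent by the original client, "S" = sent by the original server.
SCRIPT = [
    ("C", b"GET /index.html HTTP/1.1\r\nHost: lab.example\r\n\r\n"),
    ("S", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
]

def classify(expected, received, modified_floor=0.6):
    """Grade received bytes as 'OK', 'modified' or 'different'.
    The 0.6 similarity floor is an assumption, not pplay's value."""
    if received == expected:
        return "OK"
    ratio = difflib.SequenceMatcher(None, expected, received).ratio()
    return "modified" if ratio >= modified_floor else "different"

def replay(sock, role, script, rewrite=None):
    """Send this role's payloads on a fresh connection and grade the peer's."""
    sock.settimeout(5)
    verdicts = []
    for origin, payload in script:
        if origin == role:
            sock.sendall(rewrite(payload) if rewrite else payload)
        else:
            # Simplification: one recv() per message is enough on loopback.
            verdicts.append(classify(payload, sock.recv(65535)))
    return verdicts

def run_pair(script, client_rewrite=None):
    """Replay both sides over loopback; return (server, client) verdicts."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # new ephemeral port, original IPs ignored
    listener.listen(1)
    result = {}

    def serve():
        conn, _ = listener.accept()
        with conn:
            result["server"] = replay(conn, "S", script)

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        result["client"] = replay(client, "C", script, client_rewrite)
    worker.join()
    listener.close()
    return result["server"], result["client"]

if __name__ == "__main__":
    print(run_pair(SCRIPT))
    print(run_pair(SCRIPT, lambda p: p.replace(b"lab.example", b"dlp.rewrote")))
```

Because sequence numbers and addresses are never replayed, a device that rewrites TCP state in the path does not break the exchange; only payload changes show up in the verdicts.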

Replaying PCAP

Run server side pplay instance

Replaying SMCAP (smithproxy captures)

Run client pplay instance

Replaying PPlayScript

pplay also knows how to export data to a “script”. This is extremely convenient if you are repeating the same test again and again and need to change parts of the payload dynamically. The output script is in fact a Python class that also contains all necessary data, so no --pcap or --smcap arguments are needed anymore.

You can produce a script with --export <scriptname> (the filename will be scriptname.py). You can then use it with --script scriptname (instead of the --pcap or --smcap arguments). For example:

You can use the “script” as the sniff file (NOTE: missing .py in the --script argument)

Its main purpose is dynamic modification of the payload, or other “smart” stuff that cannot be predicted and programmed for you in pplay directly.

Simplistic script example:

As you might see, this puts in your hands the power to export an existing payload with --export and modify it on the fly as you want. You can make string templates from it and just paste values as desired, or you can even write quite complex code around it!

Creating and using self-contained package

This feature is extremely useful for automation. You can take an SMCAP, PCAP or pplayscript, embed it into pplay itself, and use this self-contained pplay version by executing it over SSH (or some other way; SSH is just the most obvious).

The rest is just the same normal pplay. Please note that pplay over ssh needs a bit different approach, so we execute it with:

Launch embedded server

Pack smcap file into pplay, resulting file in /tmp/smbla.py – smbla.py will contain pplay and also data from provided smcap file and launch server (on r32 host, options suitable for automation), using packed pplay:

Launch embedded client

Please note that you need to have installed python-scapy on both remote servers. Of course, SSH needs to be reachable (i.e. you need to create firewall pin-holes for it). Also, for (and only for) the automation you might want to create an ssh key without the passphrase.

More details

PPlay forgets everything about the original IP addresses, because you will be testing in your lab testbed. The only thing it remembers is the destination port, which matters for server-side pplay: it is the port where it should listen for incoming connections. But that’s really it.

Client-side pplay will connect to the server side. Once connected, you will see green hex data on one side and yellow hex data on the other. For HTTP, the client side would typically be green, since HTTP starts with the request. On the line above the green hex data you will also see e.g. “[1/2] (in sync) offer to send –>”. “In sync” is important here: those data should be sent now according to the pcap. If you see yellow data, it is not that side’s turn, and you will not see “(in sync)” above them either.

Yellow or green, pplay will by default act on your behalf after 5 seconds => green data will be sent. Hint: you can set the --noauto or --auto <big_seconds> program argument to change the autosend feature. This feature can also be toggled on/off during operation with the “i” command shortcut.

Launch on remote SSH server

New in version 1.7.0. You have learned so far how to “pack” data inside pplay. It’s pretty useful, but you always need to --pack, create a file, send it to the other side, and execute it there. Even though the previous examples mentioned how to send the packed file over ssh stdin, you still need the Linux command-line ssh. Since version 1.7.0 you can use the --remote-ssh parameter, and pplay will send itself over ssh!

Example

The nice thing about this is that you don’t need anything on the remote servers, just pure Python. Nothing else is needed.

Limitation: since Python on the remote server receives pplay from stdin, which must be closed to actually launch it, commands from standard input are not supported and --nostdin is automatically added to the remote command line. Running with --exitoneot and --auto is recommended.

Connect client using SOCKS

Another useful feature might be to use a proxy for the client’s outgoing connection (perhaps you are testing such a proxy, like I am). To do so, use the --socks parameter, which takes an IP address optionally suffixed with a port, i.e. 10.0.0.1:1080

Commands

Below the hex data (green or yellow), there is some contextual help for you: pplay is waiting for you to override its default action, autosend. At the time being, you can enter:

Data sources

PPlay also supports smithproxy output; just use the --smcap option instead of --pcap. You can wrap the traffic into SSL with the --ssl option. Together with smithproxy, pplay makes quite a powerful pair of tools: you can easily replay a “decrypted” smcap file from smithproxy and wrap it again into SSL for further testing.

Hint: Smithproxy is an SSL MITM proxy written by me in C/C++, faking the certificate subject. It utilizes the iptables TPROXY target. SSL traffic is signed by a local CA and plaintext is logged into files.

Requirements

The tool doesn’t have too many requirements. You have to have the scapy and colorama Python packages installed.

Scapy is used to parse pcaps and to have scapy available for future features - runs on Linux, Mac and Windows (see instructions how to install scapy on windows here). It’s known to not work in Cygwin.

Note: I am deciding to drop scapy in the future.

Colorama is responsible for multiplatform coloring. On windows, unpack zip-file, run cmd and run python setup.py install. That should make it.

I would recommend to run pplay in linux, I haven’t tested it on Windows yet.

SMCAP2PCAP tool

This tool is a bit of a hack. Basically it replays the smcap file while using tcpdump to sniff the traffic. There are dozens of reasons why you would want to convert an smcap file to pcap. This is the tool for that purpose.

Also, this tool is very basic. It takes only one argument: the smcap file. The name and location of the converted pcap will be printed out.
