Using packet capture softwares or “sniffers” can be often useful to debug network issues or for educational purposes (they can also be used to perform malicious activities but let’s stay on the visible side of the iceberg ;-)). Well known softwares are tcpdump on UNIX and Wireshark on Windows platforms (non exhaustive list of course). All of them are based on the same API: pcap (libpcap or winpcap).
For a few months, there is a free repository of packet captures available on the Net where administrators or security guys can exchange traces. Sometimes, you would like to share data but stay anonymous. How to post-process your capture files?
tcpreplay is the solution! It’s a package of free tools which help you to manipulate files created by a libpcap compatible software. From this toolbox, tcprewrite is a “re-writer”. Basically, it takes an input pcap file, apply changes and save the output to a new file. What “changes” are supported?
- Add or remove VLAN tags (layer 2)
- Change the MAC addresses (layer2)
- Change source and destination IP addresses or randomize them (layer3)
- Remap ports (layer 4)
- Packets padding (layer 5-7)
The following example will rewrite the sessions with respectively source and destination IP as 10.0.0.1 and 192.168.0.1:
$ tcprewrite --endpoints=10.0.0.1:192.168.0.1 \ --cachefile=input.cache \ --infile=input.pcap \ --outfile=output.pcap \ --skipbroadcast
Note that in this example, you need a “cache” file. This file is first generated by tcpprep. The third interesting tool is tcpreplay. As the name suggests it, it allows you to re-inject data traffic from a pcap file to a specific interface:
# tcpreplay --pps=25 --intf1=eth0 sample.pcap
The example below will replay the content of sample.pcap via eth0 at a rate of 25 packets/sec. Very very interesting to test an IDS/IPS or to generate network traffic to test a new server. Happy anonymizing!