How to Forward Captured PCAP Packets to a New Destination Using tcpreplay and Scapy


3 views

When working with network analysis or penetration testing, you might need to resend captured traffic to different endpoints. The key tools for this are:

  • tcpreplay (for high-performance replay)
  • Scapy (for packet manipulation)
  • tcprewrite (for packet modification)

The most efficient way to resend packets while maintaining original timing:


# Install tcpreplay
sudo apt-get install tcpreplay

# Basic packet replay (maintains original MAC addresses)
tcpreplay -i eth0 captured.pcap

# Rewrite layer 2/3 headers before sending
tcprewrite --dstipmap=192.168.1.0/24:10.0.0.0/24 --infile=captured.pcap --outfile=rewritten.pcap
tcpreplay -i eth0 rewritten.pcap

For more control over individual packets:


from scapy.all import *
packets = rdpcap("captured.pcap")

def forward_packet(pkt):
    # Modify destination IP
    if IP in pkt:
        pkt[IP].dst = "192.168.1.100"
        del pkt[IP].chksum  # Force checksum recalculation
    
    # Send with custom interface
    sendp(pkt, iface="eth0", verbose=0)

# Forward all packets with 1 second interval
for pkt in packets:
    forward_packet(pkt)
    time.sleep(1)

For complex scenarios:

  • Use tcprewrite --pnat for port and address translation
  • Combine with iptables for NAT operations
  • Implement rate limiting with tcpreplay --mbps=10

Always monitor the receiving end with:


tcpdump -ni eth0 host 192.168.1.100 -w received.pcap

When working with network packet analysis, we often capture traffic using tools like tcpdump/Wireshark and store it in PCAP format. The real engineering challenge emerges when we need to redirect these captured packets to alternative endpoints for testing, analysis, or simulation purposes.

Three robust approaches exist for resending captured packets:

1. tcpreplay - Fast binary-level replay
2. Scapy/Python - Programmatic control
3. Custom socket programming

The most efficient method for production environments:

# Basic packet replay
tcpreplay -i eth0 captured.pcap

# Advanced options
tcpreplay --topspeed --loop=5 --intf1=eth0 --intf2=eth1 capture.pcap

# Rate-limited replay
tcpreplay --mbps=10.0 --stats=5 capture.pcap

For precise packet manipulation and redirection:

from scapy.all import *

def redirect_pcap(input_file, new_dst_ip):
    packets = rdpcap(input_file)
    modified = []
    
    for pkt in packets:
        if IP in pkt:
            pkt[IP].dst = new_dst_ip
            # Recalculate checksum
            del pkt[IP].chksum
            modified.append(pkt)
    
    sendp(modified, iface="eth0")

redirect_pcap("capture.pcap", "192.168.1.100")

When dealing with complex scenarios:

# Rewrite both source and destination
tcprewrite --infile=input.pcap --outfile=output.pcap \
           --dstipmap=0.0.0.0/0:10.0.0.1 \
           --srcipmap=192.168.1.0/24:172.16.0.0/24

For high-throughput requirements, consider these optimizations:

  • Use tcpreplay's --enable-file-cache for large PCAPs
  • Implement packet batching in Scapy with sendpfast()
  • Consider kernel bypass techniques like DPDK for 10G+ networks

Key problems and solutions:

# Problem: ARP resolution failures
tcpreplay --enet-smac=00:de:ad:be:ef:00 --enet-dmac=00:12:34:56:78:90

# Problem: Timing inconsistencies
tcpreplay --timer=nano --preload-pcap