
There is a bug in my web application which I cannot reproduce. All the logs look ok, or at least I cannot see anything unusual. But it happens. So I thought I could record all the traffic to/from my web site while waiting for the bug to happen and, having that, replay it somehow in my testing environment. And it did happen! So I have the data captured by this:

tcpdump -s 1514 -X -Z root -C 20 -W 1000 -w capture.cap 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

and I don't know what I can do with it. I have a virtual machine running the same version of the web app and I'd like to replay the recorded data in it. How should I approach this?

[EDIT]

I tried doing this with tcpreplay following this example but my web server has not logged any traffic.

My testing machine (Fedora 8) runs in VMware Player. Assuming that the IP of the machine is 192.168.41.128 and it has one network interface, eth0 (except loopback), how should steps #2 and #3 from the example look in my case? Should I run it on the same machine or from another one?

tomazy

3 Answers


You have a few options, all of them cool and none of them drop-in products. Some assembly required.

What you will likely want to do is forget the logs you've already inspected, or at least abandon any desire to replay those files. Set up one of these systems and use it in a controlled manner to test out your traffic.

Wesley
  • Thanks for the reply, however I'd like to use the dump I already have, as the customer is pissed off and I cannot wait for the next occurrence of the bug. Do you have any experience with _tcpreplay_? I tried to use it according to the docs but without success. Can I run it on the machine being tested or from another one? It would be great if you could drop any snippet of code I could start with. – tomazy Aug 12 '11 at 06:38
  • I haven't used TCPReplay. I think it has to be used from a "transparent inline device" and not the machine being tested on though. – Wesley Aug 12 '11 at 07:34

You can use tcptrace to convert the pcap file into separate requests which can then be replayed using netcat. Here is an example:

tcpdump -s 0 port http -i en0 -w dump.pcap
tcptrace -e dump.pcap
cat *.dat | nc -v <IP_OF_YOUR_TEST_HOST> 80

The second step might create too many files for * to work correctly. In this case, use a for loop for the third command:

for file in $(ls | grep '\.dat$'); do cat "$file" | nc -v <IP_OF_YOUR_TEST_HOST> 80; done

Note that this might be slower than your original traffic.

jotrocken
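The same extract-and-replay idea done in pure Python, as an added example that is not part of the answer above and does not use tcptrace or nc: it reads a libpcap file, keeps only the client-to-server payload of each connection to port 80 (so server replies recorded in the capture are never sent to the test host), reassembles segments by sequence number, and opens one connection per recorded request. The capture bytes, addresses, ports and the HTTP request are constructed test data; the test host passed to replay() is whatever the reader supplies.

```python
import socket
import struct

def extract_requests(pcap_bytes, server_port=80):
    """One bytes object per TCP connection to server_port: the client->server payload, reassembled."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # magic number fixes byte order
    l2len = 14 if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] == 1 else 0  # 1 = Ethernet
    streams = {}  # (client ip, client port, server ip) -> {seq: payload}
    off = 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from(endian + "IIII", pcap_bytes, off)[2]
        ip = pcap_bytes[off + 16 + l2len:off + 16 + caplen]
        off += 16 + caplen
        if len(ip) < 40 or ip[0] >> 4 != 4 or ip[9] != 6:  # IPv4 carrying TCP only
            continue
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]  # slice to the IP length so Ethernet padding never becomes payload
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dport == server_port and payload:  # client->server data only; bare ACKs carry nothing
            streams.setdefault((ip[12:16], sport, ip[16:20]), {})[seq] = payload  # retransmits overwrite
    return [b"".join(segs[s] for s in sorted(segs)) for segs in streams.values()]

def replay(requests, host, port=80, timeout=5.0):
    replies = []  # one connection per recorded request, mirroring the original client
    for req in requests:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(req)
            sock.shutdown(socket.SHUT_WR)  # half-close so a Connection: close reply ends cleanly
            replies.append(b"".join(iter(lambda: sock.recv(65536), b"")))
    return replies

def _frame(src, sport, dst, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return bytes(12) + b"\x08\x00" + ip

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file with linktype 1 (Ethernet)."""
    records = (struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)

SAMPLE_PCAP = build_pcap([  # constructed: a request split over two segments, logged out of order
    _frame("10.0.0.5", 40000, "10.0.0.1", 80, 28, b"Host: shop.example\r\n\r\n"),
    _frame("10.0.0.1", 80, "10.0.0.5", 40000, 1, b"HTTP/1.1 500 Internal Server Error\r\n\r\n"),
    _frame("10.0.0.5", 40000, "10.0.0.1", 80, 1, b"GET /orders?id=7 HTTP/1.1\r\n"),
])
```

Against a real capture, pass the file contents (open("capture.cap", "rb").read()) to extract_requests() and the resulting list to replay() with the test VM's address; timing between requests is not preserved, so like the nc approach it replays slower or faster than the original traffic.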

GoReplay is designed for capturing production traffic and replaying that in test environments. See https://goreplay.org/ or https://github.com/buger/goreplay/wiki for more information.

Lari Hotari