Packet Feeder is a PCAP-based traffic replay platform designed for security research and IDS/NDR testing.
It combines a CLI and a web-based GUI to inspect, rewrite, and replay network traffic, supporting multiple replay modes, MITRE ATT&CK-based attack simulations, and realistic lab environments.
- Browse, upload, and delete PCAP files
- Inspect packet metadata and payload-related data
- Generate and upload rewritten PCAP copies with modified network fields (IPs, MACs, ports, DNS)
- Select, upload, and delete PCAP files
- Global traffic overview (IPs, TCP/UDP ports, DNS)
- On-the-fly traffic rewriting (IPs, ports, DNS)
- Packet and payload inspection
Replay modes:
- Real-time (timestamps respected)
- Faster (no timestamps, live progress)
- Fastest (full injection, tcpreplay-like)
- Step-by-step (packet-by-packet)
- PCAP-based techniques aligned with the MITRE ATT&CK matrix
- Replay predefined attack patterns for security testing
- Designed to simulate simple and repeatable attack techniques
- Real traffic exchange between multiple systems
- Advanced lab-oriented IDS/NDR testing
Packet Feeder follows a modular client-server architecture designed to support both interactive and automated workflows.
- Frontend (GUI): a web-based interface built with React, providing PCAP management, traffic inspection, replay control, and live status updates.
- CLI: a command-line interface for automation, scripting, and headless execution of replays and MITRE techniques.
- Backend API: a Python backend based on Flask, exposing REST endpoints for PCAP management and control operations.
- Replay Engine: a Scapy-based packet injection engine responsible for replaying and rewriting traffic on a real network interface.
- Real-Time Communication: WebSocket (Socket.IO) channels used to stream replay progress, status, and control events between the backend and the GUI.
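What the Replay Engine's rewrite step has to get right, shown as an added example in stdlib Python (this is not Packet Feeder's Scapy code; Scapy recomputes checksums when the chksum fields are deleted, which this version makes explicit): changing IPs, MACs or ports in a captured frame invalidates the IPv4 header checksum and the TCP/UDP checksum, whose pseudo-header covers the addresses. A replay with stale checksums is traffic an IDS may discard or flag as crafted, which defeats the test. The function names and the sample frame are assumptions of this example.

```python
"""Rewrite addressing in a captured Ethernet/IPv4/{TCP,UDP} frame and fix the checksums.

Added example, not Packet Feeder code: the project rewrites with Scapy; this stdlib
version shows the checksum work that a rewrite must do. The sample frame is constructed.
"""
import ipaddress
import struct

ETH_HLEN, ETHERTYPE_IPV4 = 14, 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def _ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data whose checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def rewrite_frame(frame: bytes, src_mac=None, dst_mac=None, src_ip=None, dst_ip=None,
                  sport=None, dport=None) -> bytes:
    """Return a copy of `frame` with the requested fields replaced and both the IPv4 header
    checksum and the TCP/UDP checksum (pseudo-header included) recomputed. None keeps a field."""
    b = bytearray(frame)
    if struct.unpack("!H", b[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("only untagged IPv4 frames are handled")
    if dst_mac:
        b[0:6] = _mac(dst_mac)
    if src_mac:
        b[6:12] = _mac(src_mac)
    ihl = (b[ETH_HLEN] & 0x0F) * 4
    l4_off = ETH_HLEN + ihl
    total_len = struct.unpack("!H", b[16:18])[0]
    l4_end = ETH_HLEN + total_len          # excludes any Ethernet trailer/padding
    proto = b[23]
    if src_ip:
        b[26:30] = ipaddress.IPv4Address(src_ip).packed
    if dst_ip:
        b[30:34] = ipaddress.IPv4Address(dst_ip).packed
    b[24:26] = b"\x00\x00"                 # IPv4 checksum covers the header only
    b[24:26] = struct.pack("!H", _ones_complement_checksum(bytes(b[ETH_HLEN:l4_off])))
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if sport:
            b[l4_off:l4_off + 2] = struct.pack("!H", sport)
        if dport:
            b[l4_off + 2:l4_off + 4] = struct.pack("!H", dport)
        ck_off = l4_off + (16 if proto == IPPROTO_TCP else 6)
        b[ck_off:ck_off + 2] = b"\x00\x00"
        # L4 checksum covers the pseudo-header (src, dst, zero, proto, length) plus the segment,
        # so it is wrong as soon as either address changes
        pseudo = bytes(b[26:34]) + struct.pack("!BBH", 0, proto, l4_end - l4_off)
        ck = _ones_complement_checksum(pseudo + bytes(b[l4_off:l4_end]))
        if proto == IPPROTO_UDP and ck == 0:
            ck = 0xFFFF                    # 0 in UDP means "no checksum"
        b[ck_off:ck_off + 2] = struct.pack("!H", ck)
    return bytes(b)

def naive_rewrite_ips(frame: bytes, src_ip: str, dst_ip: str) -> bytes:
    """The mistake this example warns about: splice new addresses in, leave checksums alone."""
    b = bytearray(frame)
    b[26:30] = ipaddress.IPv4Address(src_ip).packed
    b[30:34] = ipaddress.IPv4Address(dst_ip).packed
    return bytes(b)

def checksums_ok(frame: bytes) -> tuple:
    """(ipv4_header_ok, l4_ok): what a sensor verifies before trusting the packet."""
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    l4_off = ETH_HLEN + ihl
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    l4 = frame[l4_off:ETH_HLEN + total_len]
    pseudo = frame[26:34] + struct.pack("!BBH", 0, proto, len(l4))
    return (_ones_complement_checksum(frame[ETH_HLEN:l4_off]) == 0,
            _ones_complement_checksum(pseudo + l4) == 0)

def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed sample frame (not captured traffic); rewrite_frame() fills in the checksums."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    return rewrite_frame(_mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + udp)

if __name__ == "__main__":
    original = build_udp_frame("52:54:00:aa:bb:01", "52:54:00:aa:bb:02",
                               "192.168.1.50", "192.168.1.1", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
    moved = rewrite_frame(original, src_ip="10.10.10.10", dst_ip="10.10.10.30")
    print("rewritten:", checksums_ok(moved), "naive:", checksums_ok(naive_rewrite_ips(original, "10.10.10.10", "10.10.10.30")))
```

The UDP length in the pseudo-header is taken from the IPv4 total length rather than the frame length on purpose: captured frames often carry Ethernet padding after the IP datagram, and including it silently corrupts the checksum.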
Packet Feeder is composed of a Python backend and a web-based frontend.

Backend:

```bash
# Create virtual environment
# --copies puts a real copy of the interpreter in venv/bin (not a symlink), so the file
# capability granted below is attached to the venv's python3 and not to the system-wide one
python3 -m venv venv --copies
source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
# Allow raw packet injection without running as root
sudo setcap cap_net_raw,cap_net_admin=eip ./venv/bin/python3
```

Frontend:

```bash
npm install
npm run dev
```

The capability is granted to everything that executes ./venv/bin/python3, including any package pip installs into that venv, and it lives on that one file: recreating the venv or upgrading its interpreter replaces the file and drops it, so set it again afterwards (getcap ./venv/bin/python3 shows whether it is still present).

This lab generates/replays traffic on an isolated network (lab-ovs) and captures it via a dedicated broker (a plain capture host with no IDS engine installed). Traffic is copied with a persistent OVS mirror from lab-ovs to ids-ovs (via patch ports), then duplicated to the broker and ClearNDR using OpenFlow fan-out on ids-ovs, with anti-return drop rules so that nothing a sensor emits is reinjected into the lab.
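A check for the setcap step in the install section, added here as an example (not part of Packet Feeder): it decodes the security.capability extended attribute that setcap writes, the same data getcap reports, and flags the two things that go wrong in practice, namely the interpreter being a symlink (without --copies the capability lands on the system python) and the file carrying more than cap_net_raw and cap_net_admin. The sample xattr bytes are constructed; the function names are assumptions of this example.

```python
"""Check that the venv interpreter carries exactly the file capabilities the setcap step grants.

Added example, not part of Packet Feeder. It reads the security.capability xattr directly
(the same data `getcap` prints) so the decoding can be verified on constructed bytes.
"""
import os
import struct

# Linux vfs_cap_data layout (include/uapi/linux/capability.h):
#   u32 magic_etc   revision in the top byte, VFS_CAP_FLAGS_EFFECTIVE in bit 0
#   u32 permitted[0], u32 inheritable[0], u32 permitted[1], u32 inheritable[1]
#   u32 rootid      revision 3 only (user-namespace root id)
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_2, VFS_CAP_REVISION_3 = 0x02000000, 0x03000000
CAP_NET_ADMIN, CAP_NET_RAW = 12, 13
REQUIRED = {CAP_NET_ADMIN, CAP_NET_RAW}          # what `setcap cap_net_raw,cap_net_admin=eip` grants

def parse_vfs_caps(xattr: bytes) -> dict:
    """Decode a raw security.capability value into permitted/inheritable capability sets."""
    magic = struct.unpack("<I", xattr[:4])[0]
    rev = magic & 0xFF000000
    if rev == VFS_CAP_REVISION_2 and len(xattr) == 20:
        rootid = None
    elif rev == VFS_CAP_REVISION_3 and len(xattr) == 24:
        rootid = struct.unpack("<I", xattr[20:24])[0]
    else:
        raise ValueError("unsupported security.capability revision or length")
    p_lo, i_lo, p_hi, i_hi = struct.unpack("<IIII", xattr[4:20])
    permitted = (p_hi << 32) | p_lo
    inheritable = (i_hi << 32) | i_lo
    return {
        "permitted": {n for n in range(64) if permitted >> n & 1},
        "inheritable": {n for n in range(64) if inheritable >> n & 1},
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }

def assess(xattr: bytes, is_symlink: bool = False) -> list:
    """Policy checks on the decoded capability set; an empty list means the file looks right."""
    findings = []
    if is_symlink:
        # setcap follows symlinks, so without `venv --copies` the capability lands on the
        # system interpreter and every user's python gets raw sockets
        findings.append("interpreter is a symlink; capability would apply to its target")
    caps = parse_vfs_caps(xattr)
    if not caps["effective"]:
        findings.append("effective bit not set: python will not gain the caps without cap-aware code")
    missing = REQUIRED - caps["permitted"]
    if missing:
        findings.append(f"missing capabilities: {sorted(missing)}")
    extra = caps["permitted"] - REQUIRED
    if extra:
        findings.append(f"unexpected extra capabilities: {sorted(extra)}")
    return findings

def check_interpreter(path: str) -> list:
    """Run assess() against a real file, e.g. check_interpreter('./venv/bin/python3')."""
    try:
        raw = os.getxattr(path, "security.capability")
    except (OSError, AttributeError):
        return ["no file capabilities set on " + path]
    return assess(raw, is_symlink=os.path.islink(path))

# Constructed sample: what the kernel stores after `setcap cap_net_raw,cap_net_admin=eip`
SAMPLE_EIP = (struct.pack("<I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE)
              + struct.pack("<IIII", 1 << 12 | 1 << 13, 1 << 12 | 1 << 13, 0, 0))

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_EIP) or "ok")
    print("venv:", check_interpreter("./venv/bin/python3"))
```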
- Debian host: KVM/libvirt + Open vSwitch.
- Bridges:
  - br0: MGMT/Internet (home LAN 192.168.1.0/24, gateway 192.168.1.254)
  - lab-ovs: LAB network (attack traffic, 10.10.10.0/24)
  - wan-ovs: EXTERNAL network (simulated attacker subnet, 172.16.10.0/24)
  - ids-ovs: IDS feed network (mirrored lab traffic distribution to sensors/engines)
- pfSense
  - WAN: br0
  - LAN: lab-ovs (10.10.10.1/24)
  - OPT1 (External): wan-ovs (172.16.10.1/24)
- attacker-ext (simulated external attacker)
  - MGMT: br0
  - EXTERNAL: wan-ovs (DHCP reservation 172.16.10.40/24)
- attacker
  - MGMT: br0
  - LAB: lab-ovs (DHCP reservation 10.10.10.10)
- debian-ssh
  - LAB: lab-ovs (DHCP reservation 10.10.10.20)
- debian-web
  - LAB: lab-ovs (DHCP reservation 10.10.10.40)
- winsrv
  - LAB: lab-ovs (Windows Server 2025 target host / Domain Controller / DHCP reservation 10.10.10.30)
- win11
  - LAB: lab-ovs (Windows 11 target host / DHCP reservation 10.10.10.50)
- broker
  - MGMT: br0
  - CAPTURE: ids-ovs (tap-bkr-ids, UP + PROMISC, no IP) -> PCAP capture interface (receives mirrored lab traffic via the patch-ids2lab fan-out)
- clearndr
  - MGMT: br0
  - SENSOR: ids-ovs (tap-clear-ids, UP + PROMISC, no IP) -> NDR engine (receives mirrored lab traffic via fan-out)
- snort
  - MGMT: br0
  - SENSOR: ids-ovs (tap-snort-ids, UP + PROMISC, no IP) -> Snort 3 IDS engine (receives mirrored lab traffic via fan-out, 4875 rules loaded)
- Lab domain: packetfeeder.lab
  - DNS is provided by pfSense (Unbound) with DHCP lease registration.
  - Examples: attacker.packetfeeder.lab -> 10.10.10.10, debian-ssh.packetfeeder.lab -> 10.10.10.20
- lab-ovs uses an OVS Mirror to copy lab traffic to the IDS bus:
  - Mirror name: mir-lab-to-ids
  - select_all=true (mirrors all traffic on lab-ovs)
  - output-port: the lab-ovs patch interface toward ids-ovs (e.g., patch-lab2ids)
- The copied stream crosses the patch pair: patch-lab2ids (on lab-ovs) <=> patch-ids2lab (on ids-ovs)
- ids-ovs does explicit fan-out using OpenFlow (no generic FLOOD):
  - in_port=patch-ids2lab -> output:tap-bkr-ids,output:tap-clear-ids
  - in_port=tap-bkr-ids -> drop (anti-injection)
  - in_port=tap-clear-ids -> drop (anti-injection)
  - default -> drop (fail-closed)
- Note: tap-snort-ids (the snort VM's sensor port on ids-ovs) is not in the fan-out above. It only receives traffic once it is added to the output list, and it then needs its own in_port=tap-snort-ids -> drop rule so that sensor can never talk back onto the bus either.
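The fan-out above as code, added here as an example (not part of the lab's own scripts; port names are the ones from the description, the ovs-ofctl/ovs-vsctl command shapes are standard OVS syntax): render_flows() emits the ovs-ofctl add-flow bodies for the policy, and audit() parses a real ovs-ofctl dump-flows ids-ovs dump and reports anything that breaks the bus contract, namely a NORMAL/FLOOD action, a missing anti-injection drop, a fan-out that does not go to exactly the sensor ports, or a catch-all that is not drop. The two flow dumps are constructed samples.

```python
"""Render the ids-ovs fan-out flows and audit a live flow table against that policy.

Added example, not part of Packet Feeder or the lab scripts. Mirror and patch ports live in
OVSDB and persist; OpenFlow rules added with ovs-ofctl do not survive an ovs-vswitchd restart.

  ovs-vsctl add-port lab-ovs patch-lab2ids -- set interface patch-lab2ids type=patch options:peer=patch-ids2lab
  ovs-vsctl add-port ids-ovs patch-ids2lab -- set interface patch-ids2lab type=patch options:peer=patch-lab2ids
  ovs-vsctl -- set bridge lab-ovs mirrors=@m -- --id=@p get port patch-lab2ids \\
            -- --id=@m create mirror name=mir-lab-to-ids select_all=true output_port=@p
  ovs-ofctl del-flows ids-ovs
  ovs-ofctl add-flow ids-ovs "<each line printed by render_flows()>"
"""

PATCH_IN = "patch-ids2lab"
SENSOR_PORTS = ("tap-bkr-ids", "tap-clear-ids")
FORBIDDEN_ACTIONS = {"NORMAL", "FLOOD", "ALL"}   # MAC learning / flooding must never run on the IDS bus

def render_flows(patch_in=PATCH_IN, sensors=SENSOR_PORTS):
    """Flow bodies for `ovs-ofctl add-flow ids-ovs <flow>`: explicit fan-out, one anti-injection
    drop per sensor, and a priority-0 catch-all drop so the bus fails closed."""
    fanout = ",".join(f"output:{p}" for p in sensors)
    flows = [f"priority=100,in_port={patch_in},actions={fanout}"]
    flows += [f"priority=100,in_port={p},actions=drop" for p in sensors]
    flows.append("priority=0,actions=drop")
    return flows

def parse_dump_flows(text):
    """Parse `ovs-ofctl dump-flows ids-ovs` output (port names quoted or numeric) into dicts
    with priority, in_port (None for a catch-all rule) and the action list."""
    rules = []
    for line in text.splitlines():
        if " actions=" not in line:
            continue                                   # NXST_FLOW / OFPST_FLOW header line
        match_part, actions_part = line.split(" actions=", 1)
        fields = {}
        for kv in match_part.split(","):
            key, _, value = kv.strip().partition("=")
            fields[key] = value.replace('"', "")
        rules.append({
            "priority": int(fields.get("priority", 32768)),   # OpenFlow default when omitted
            "in_port": fields.get("in_port") or None,
            "actions": [a.strip() for a in actions_part.replace('"', "").split(",")],
        })
    return rules

def audit(dump_text, patch_in=PATCH_IN, sensors=SENSOR_PORTS):
    """Return policy violations found in a flow dump; an empty list means the bus is as intended."""
    rules = parse_dump_flows(dump_text)
    findings = []
    for r in rules:
        bad = FORBIDDEN_ACTIONS.intersection(r["actions"])
        if bad:
            findings.append(f"rule in_port={r['in_port']} uses {sorted(bad)}: can leak or loop traffic")
    fanout = [r for r in rules if r["in_port"] == patch_in]
    expected = {f"output:{p}" for p in sensors}
    if not fanout:
        findings.append(f"no fan-out rule for in_port={patch_in}")
    elif set(fanout[0]["actions"]) != expected:
        findings.append(f"fan-out mismatch: expected {sorted(expected)}, got {sorted(fanout[0]['actions'])}")
    for p in sensors:
        if not any(r["in_port"] == p and r["actions"] == ["drop"] for r in rules):
            findings.append(f"sensor port {p} lacks an anti-injection drop rule")
    catch_all = [r for r in rules if r["in_port"] is None]
    if not catch_all or any(r["actions"] != ["drop"] for r in catch_all):
        findings.append("no fail-closed default: every rule without in_port must be actions=drop")
    return findings

# Constructed sample dumps in ovs-ofctl's output format
GOOD_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=100,in_port="patch-ids2lab" actions=output:"tap-bkr-ids",output:"tap-clear-ids"
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=100,in_port="tap-bkr-ids" actions=drop
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=100,in_port="tap-clear-ids" actions=drop
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=0 actions=drop
"""
# Drift: the tap-clear-ids drop is gone and the catch-all is NORMAL (MAC learning), which would
# forward anything a sensor emits back through the patch port into lab-ovs
DRIFTED_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=100,in_port="patch-ids2lab" actions=output:"tap-bkr-ids",output:"tap-clear-ids"
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=100,in_port="tap-bkr-ids" actions=drop
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=0 actions=NORMAL
"""

if __name__ == "__main__":
    print("\n".join(render_flows()))
    print("good:", audit(GOOD_DUMP) or "compliant")
    print("drifted:", audit(DRIFTED_DUMP))
```

Two operational points follow from this, both recommendations of this example rather than something the lab description states: because ovs-ofctl flows are not stored in OVSDB, re-apply them at boot (a systemd unit that runs the add-flow lines) and run audit() over a fresh dump from the broker before each replay; and set the bridge to `ovs-vsctl set-fail-mode ids-ovs secure`, so that a bridge with an empty table never falls back to the learning-switch NORMAL behaviour that the drifted sample shows. Adding tap-snort-ids is a matter of extending SENSOR_PORTS, which grows both the output list and the drop rules together.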
```text
┌──────────────────────────────────────────────────────────────────────┐
│ MGMT / HOME LAN (192.168.1.0/24)          GW/Internet: 192.168.1.254 │
└──────────────────────────────────────────────────────────────────────┘
=============================================================== br0 (MGMT bridge) ===============================================================
            │                           │                           │                           │                           │                           │
┌───────────┴────────────┐  ┌───────────┴────────────┐  ┌───────────┴────────────┐  ┌───────────┴────────────┐  ┌───────────┴────────────┐  ┌───────────┴────────────┐
│ pfSense VM             │  │ attacker VM            │  │ broker VM              │  │ attacker-ext VM        │  │ ClearNDR VM            │  │ Snort VM               │
│------------------------│  │------------------------│  │------------------------│  │------------------------│  │------------------------│  │------------------------│
│ WAN NIC (br0): DHCP    │  │ MGMT NIC (br0): DHCP   │  │ MGMT NIC (br0): DHCP   │  │ MGMT NIC (br0): DHCP   │  │ MGMT NIC (br0): DHCP   │  │ MGMT NIC (br0): DHCP   │
└────────────────────────┘  └────────────────────────┘  └────────────────────────┘  └────────────────────────┘  └────────────────────────┘  └────────────────────────┘
=================== wan-ovs (EXTERNAL bridge) ===================
            │                           │
┌───────────┴────────────┐  ┌───────────┴────────────┐
│ pfSense VM             │  │ attacker-ext VM        │
│------------------------│  │------------------------│
│ OPT1 (wan-ovs):        │  │ EXTERNAL (wan-ovs):    │
│ 172.16.10.1/24         │  │ 172.16.10.40/24        │
└────────────────────────┘  └────────────────────────┘
=============================================================== lab-ovs (LAB bridge) ================================================================
            │                           │                           │                           │                           │                           │
┌───────────┴────────────┐  ┌───────────┴────────────┐  ┌───────────┴────────────┐  ┌───────────┴────────────┐  ┌───────────┴────────────┐  ┌───────────┴────────────┐
│ pfSense VM             │  │ attacker VM            │  │ debian-ssh VM          │  │ debian-web VM          │  │ winsrv VM (DC)         │  │ win11 VM               │
│------------------------│  │------------------------│  │------------------------│  │------------------------│  │------------------------│  │------------------------│
│ LAN NIC (lab-ovs):     │  │ LAB NIC (lab-ovs):     │  │ LAB NIC (lab-ovs):     │  │ LAB NIC (lab-ovs):     │  │ LAB NIC (lab-ovs):     │  │ LAB NIC (lab-ovs):     │
│ 10.10.10.1/24          │  │ 10.10.10.10/24         │  │ 10.10.10.20/24         │  │ 10.10.10.40/24         │  │ 10.10.10.30/24         │  │ 10.10.10.50/24         │
└────────────────────────┘  └────────────────────────┘  └────────────────────────┘  └────────────────────────┘  └────────────────────────┘  └────────────────────────┘
============================== ids-ovs (IDS FEED BUS) ==============================
            │                           │                           │
┌───────────┴────────────┐  ┌───────────┴────────────┐  ┌───────────┴────────────┐
│ broker VM              │  │ ClearNDR VM            │  │ Snort VM               │
│------------------------│  │------------------------│  │------------------------│
│ SENSOR NIC (ids-ovs):  │  │ SENSOR NIC (ids-ovs):  │  │ SENSOR NIC (ids-ovs):  │
│ tap-bkr-ids            │  │ tap-clear-ids          │  │ tap-snort-ids          │
│ NO IP / promisc / PCAP │  │ NO IP / promisc        │  │ NO IP / promisc        │
└────────────────────────┘  └────────────────────────┘  └────────────────────────┘
```
- KVM/libvirt + Open vSwitch host (bridges: lab-ovs, ids-ovs)
- pfSense routing/NAT on lab-ovs (10.10.10.1/24)
- DHCP/DNS on pfSense (packetfeeder.lab) with reservations
- Broker VM up
- Selective OVS mirroring on lab-ovs (attacker/victims -> broker CAPTURE)
- Add more victims/workloads and expand mirror selection
- IDS engines on ids-ovs:
  - ClearNDR
  - Snort
  - Zeek
- PCAP upload, listing, and deletion
- PCAP inspection and metadata extraction
- Generation of rewritten PCAP copies
- Traffic field rewriting (IPs, MACs, ports, DNS)
- PCAP replay through real network interfaces
- Multiple replay modes:
- real-time (timestamps respected)
- accelerated replay (with progress)
- full-speed injection
- step-by-step execution
- Replay progress tracking and status reporting
- PCAP-based technique definitions
- Frontend MITRE mode
- MITRE ATT&CK-aligned attack techniques
- Reconnaissance (TA0043)
  - T1595 - Active Scanning (parent: external IP block scanning)
  - T1595.002 - Active Scanning: Vulnerability Scanning
  - T1595.003 - Active Scanning: Wordlist Scanning
- Discovery (TA0007)
  - T1018 - Remote System Discovery
  - T1046 - Network Service Discovery
  - T1069.002 - Permission Groups Discovery: Domain Groups
  - T1083 - File and Directory Discovery
  - T1087.002 - Account Discovery: Domain Account
  - T1135 - Network Share Discovery
  - T1201 - Password Policy Discovery
- Credential Access (TA0006)
  - T1003 - OS Credential Dumping
  - T1003.001 - OS Credential Dumping: LSASS Memory
  - T1003.003 - OS Credential Dumping: NTDS
  - T1110.001 - Brute Force: Password Guessing
  - T1110.003 - Brute Force: Password Spraying
  - T1110.004 - Brute Force: Credential Stuffing
  - T1187 - Forced Authentication
  - T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning
  - T1557.002 - Adversary-in-the-Middle: ARP Cache Poisoning
  - T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  - T1558.004 - Steal or Forge Kerberos Tickets: AS-REP Roasting
- Defense Evasion (TA0005)
  - T1550.002 - Use Alternate Authentication Material: Pass the Hash
  - T1550.003 - Use Alternate Authentication Material: Pass the Ticket
- Lateral Movement (TA0008)
  - T1021.001 - Remote Services: Remote Desktop Protocol
  - T1021.002 - Remote Services: SMB/Windows Admin Shares
  - T1021.003 - Remote Services: Distributed Component Object Model
  - T1021.004 - Remote Services: SSH
  - T1021.006 - Remote Services: Windows Remote Management
  - T1210 - Exploitation of Remote Services
- Collection (TA0009)
  - T1039 - Data from Network Shared Drive
- Execution (TA0002)
  - T1053.005 - Scheduled Task/Job: Scheduled Task
- Persistence (TA0003)
  - T1505.003 - Server Software Component: Web Shell
  - T1136.002 - Create Account: Domain Account
- Exfiltration (TA0010)
  - T1048.001 - Exfiltration Over Alternative Protoc
- Compose attack scenarios from event PCAPs
- Reorder / duplicate / remove steps
- Basic pacing (delays between steps)
- Build a single PCAP (merged timeline)
- Export scenario config
- Simple builder UI (timeline / drag-and-drop)
- Real traffic exchange between multiple systems
- Hybrid replay and live traffic execution
- Advanced lab-oriented workflows
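The "build a single PCAP (merged timeline)" step of the scenario builder, as an added example (stdlib Python for the classic libpcap format only, not pcapng; this is not Packet Feeder's Scapy-based implementation): every event keeps its internal packet spacing and is shifted to start the configured delay after the previous event's last packet, so a real-time replay of the merged file reproduces the pacing, and reordering, duplicating or dropping entries in the step list is all the editing the builder needs. The event captures are constructed placeholders; function names are assumptions of this example.

```python
"""Merge event PCAPs into one scenario PCAP with a single, paced timeline.

Added example, not Packet Feeder code (the project uses Scapy; this is a stdlib reader/writer
for the classic libpcap format, not pcapng). The sample captures are constructed inline.
"""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4    # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D    # nanosecond timestamps
LINKTYPE_ETHERNET = 1

def read_pcap(data: bytes):
    """Return (linktype, [(timestamp_us, frame), ...]); handles both byte orders and the ns magic."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a libpcap file")
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        ts_us = ts_sec * 1_000_000 + (ts_frac // 1000 if magic == PCAP_MAGIC_NS else ts_frac)
        packets.append((ts_us, frame))
    return linktype, packets

def write_pcap(linktype: int, packets) -> bytes:
    """Serialise (timestamp_us, frame) pairs as a little-endian, microsecond pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype)]
    for ts_us, frame in packets:
        out.append(struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def build_scenario(steps, start_us: int = 0) -> bytes:
    """steps: [(event_pcap_bytes, delay_us), ...] in replay order. Each event keeps its internal
    spacing and is shifted so its first packet lands delay_us after the previous event's last
    packet; the resulting timeline is monotonic whatever order the events came from."""
    merged, cursor, linktype = [], start_us, None
    for pcap_bytes, delay_us in steps:
        lt, packets = read_pcap(pcap_bytes)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("all events must share one link type")
        if not packets:
            continue
        packets.sort(key=lambda p: p[0])
        base = packets[0][0]
        cursor += delay_us
        merged.extend((cursor + ts - base, frame) for ts, frame in packets)
        cursor = merged[-1][0]
    return write_pcap(linktype if linktype is not None else LINKTYPE_ETHERNET, merged)

def timeline_us(pcap_bytes: bytes):
    """Timestamps of a pcap in microseconds, relative to its first packet."""
    _, packets = read_pcap(pcap_bytes)
    return [ts - packets[0][0] for ts, _ in packets] if packets else []

# Constructed events with placeholder 60-byte frames (real events would be e.g. a scan
# capture and a brute-force capture); absolute timestamps are deliberately far apart
EVENT_RECON = write_pcap(LINKTYPE_ETHERNET, [(100_000_000, b"\x01" * 60), (100_500_000, b"\x02" * 60)])
EVENT_BRUTE = write_pcap(LINKTYPE_ETHERNET, [(200_000_000, b"\x03" * 60)])

if __name__ == "__main__":
    # recon, then 2 s later the brute force, then the recon again 1 s after that
    scenario = build_scenario([(EVENT_RECON, 0), (EVENT_BRUTE, 2_000_000), (EVENT_RECON, 1_000_000)])
    print(timeline_us(scenario))
```

The merged file carries timestamps only, so the pacing is honoured by the real-time replay mode and ignored by the faster modes, exactly as for any other PCAP; exporting the step list itself is the "scenario config" the builder keeps alongside the merged capture.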
