PCAP Lab Generator is a specialized tool designed to bridge the gap between synthetic packet crafting and manual browsing. It generates deterministic HTTP traffic that blends realistic user behavior with sophisticated web attacks, outputting industry-standard PCAP files ready for deep packet inspection (DPI) and security analysis.
Unlike traditional random traffic generators, this tool ensures 100% reproducibility by using a seed-based approach. This makes it the ideal companion for cybersecurity educators building labs, and security engineers validating WAF (Web Application Firewall) rules, IDS/IPS signatures, or ModSecurity CRS configurations.
- 🎯 Deterministic Traffic: Uses a `STUDENT_ID` seed to guarantee identical attack sequences and payloads for every run—perfect for consistent grading and benchmarking.
- 🧱 Realistic Simulation: Emulates diverse User-Agents, varied HTTP headers, and normal navigation patterns to hide malicious signatures in noise.
- 🧪 Multi-Vector Attack Library: Built-in modules for SQL Injection (SQLi), XSS, RCE, LFI, IDOR, CSRF, and Command Injection.
- ✅ Automated Ground Truth: Generates a detailed `answer_key.json` mapping every attack to its exact timestamp and payload for automated validation.
- 📦 Modern CLI: A unified Python interface built with `Click` for seamless generation, replay, and testing workflows.
```bash
# Clone the repository
git clone https://github.com/agugliotta/pcap-lab.git
cd pcap-lab

# Setup virtual environment
python3 -m venv .venv
source .venv/bin/activate  # Windows: .venv\Scripts\activate
pip install -r requirements.txt
```

> [!IMPORTANT]
> Packet capture (tcpdump) and traffic replay (tcpreplay) require root privileges. Always run generation and replay commands with `sudo`.
Generate a unique trace for a student named `agustin` on the loopback interface:

```bash
# Generate deterministic traffic
sudo .venv/bin/python main.py generate agustin lo
```

The artifacts will be generated in `output/agustin/`:

- `traffic.pcap`: The full raw network capture.
- `answer_key.json`: The "ground truth" metadata for automated grading or verification.
This tool facilitates a complete Attack-Detection-Defense cycle:

- Offense (Generate): Fire the generator to create a trace containing a mix of malicious and normal traffic.
- Analysis (Detect): Students use Wireshark or TShark to identify attack signatures based on the `answer_key.json`.
- Defense (Mitigate): Write and apply defensive rules (e.g., ModSecurity CRS) to block the identified vectors.
- Validation (Replay): Use the `replay` command to fire the exact same traffic against the protected target to verify mitigation success.
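To make the two ideas behind this cycle concrete, that one seed yields an identical trace every run and that the resulting key lets detections be scored mechanically, here is an added illustration. It is example code written for this page, not pcap-lab's own implementation: the request catalogue, the key's field names (`ts`, `vector`, `payload`), the seed derivation and the grading policy are all assumptions, and the payloads are placeholders rather than the generator's real ones.

```python
"""Added example, not pcap-lab's own code: a seed-driven request plan that
emits a ground-truth key, plus a grader that scores student detections
against that key. The request catalogue, the key's field names (ts, vector,
payload) and the grading policy are assumptions made for this example;
payloads are placeholders, not the generator's real ones."""
import hashlib
import json
import random

# Attack vectors named in the README's attack library.
VECTORS = ["sqli", "xss", "rce", "lfi", "idor", "csrf", "cmdi"]
# Constructed benign navigation paths.
BENIGN_PATHS = ["/", "/index.html", "/about", "/products?page=1", "/contact"]


def seed_from_student_id(student_id: str) -> int:
    """Derive a stable integer seed from a student id (hypothetical scheme).

    hashlib is used instead of hash(): Python salts str hashes per process,
    so hash() would not be reproducible between runs.
    """
    digest = hashlib.sha256(student_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def plan_traffic(student_id, requests=20, attack_ratio=0.2, attacks=None):
    """Return (plan, answer_key): every request, and the malicious subset."""
    rng = random.Random(seed_from_student_id(student_id))
    vectors = list(attacks) if attacks else list(VECTORS)
    n_attacks = min(requests, round(requests * attack_ratio))
    attack_slots = set(rng.sample(range(requests), n_attacks))
    plan, key = [], []
    t = 0.0
    for i in range(requests):
        t = round(t + rng.uniform(0.2, 1.5), 3)  # simulated inter-request delay
        if i in attack_slots:
            vector = rng.choice(vectors)
            req = {"ts": t, "path": f"/vuln/{vector}",
                   "payload": f"<{vector} payload placeholder>"}
            key.append({"ts": t, "vector": vector, "payload": req["payload"]})
        else:
            req = {"ts": t, "path": rng.choice(BENIGN_PATHS), "payload": None}
        plan.append(req)
    return plan, key


def grade(answer_key, detections, tolerance=0.5):
    """Score detections ([{'ts', 'vector'}, ...]) against the answer key.

    A detection is a true positive if an unclaimed key entry with the same
    vector lies within `tolerance` seconds of it; each key entry can be
    claimed once, so duplicate reports of one attack count as false positives.
    """
    unmatched = list(answer_key)
    tp = 0
    for det in detections:
        for entry in unmatched:
            if entry["vector"] == det["vector"] and abs(entry["ts"] - det["ts"]) <= tolerance:
                unmatched.remove(entry)
                tp += 1
                break
    fp = len(detections) - tp
    fn = len(unmatched)
    precision = tp / len(detections) if detections else 0.0
    recall = tp / len(answer_key) if answer_key else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 3), "recall": round(recall, 3)}


if __name__ == "__main__":
    args = dict(requests=20, attack_ratio=0.2, attacks=["rce", "sqli"])
    plan, key = plan_traffic("agustin", **args)
    assert plan == plan_traffic("agustin", **args)[0]  # same seed, identical trace
    print(json.dumps(key, indent=2))
    # A student who found all but the last attack and raised one false alarm.
    found = [{"ts": e["ts"], "vector": e["vector"]} for e in key[:-1]]
    found.append({"ts": 999.0, "vector": "xss"})
    print(grade(key, found))
```

The seed is derived with SHA-256 rather than Python's built-in `hash()` because string hashing is salted per interpreter process, which would silently break reproducibility between runs. The tolerance window in `grade` exists because a student reading timestamps off Wireshark will rarely report the exact microsecond recorded in the key.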
Focus your lab on specific vulnerabilities or control the "noise" ratio:

```bash
# Focus only on Remote Code Execution and SQLi
sudo .venv/bin/python main.py generate test lo --attacks rce,sqli

# Set exact attack volume (e.g., 20% malicious traffic)
sudo .venv/bin/python main.py generate test lo --requests 100 --attack-ratio 0.2
```

Replay captured traffic against an external WAF or a Docker container:
```bash
# Rewrite destination IP and Port on the fly
sudo .venv/bin/python main.py replay lo output/agustin/traffic.pcap --target-ip 172.17.0.2 --target-port 80
```

We use pytest to ensure everything is working correctly:

```bash
.venv/bin/python main.py test
```

Validate your rules against deterministic payloads. Here are some typical rules to detect the attacks generated by this lab:
```apache
SecRule ARGS "@detectSQLi" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,block,msg:'SQL Injection Detected'"

SecRule ARGS "@pm system exec passthru shell_exec" \
    "id:1002,phase:2,t:none,t:lowercase,block,msg:'Potential RCE detected'"

SecRule ARGS "@rx [;&|`\$]" \
    "id:1003,phase:2,t:none,block,msg:'Command Injection Characters Detected'"

SecRule ARGS "@rx \.\./\.\./" \
    "id:1004,phase:2,t:none,t:urlDecodeUni,block,msg:'Path Traversal Attempt'"
```
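To see what these patterns actually match before they are deployed, here is an added example that is not part of pcap-lab and not a ModSecurity engine: it re-implements the operators and transformations of rules 1002-1004 with Python's `re` module and runs them over constructed ARGS values, including benign ones that trip the rules. It assumes each value is examined as ModSecurity holds it in `ARGS` (already URL-decoded once by the engine) and approximates `t:urlDecodeUni` with `urllib.parse.unquote`.

```python
"""Added example (not pcap-lab code and not a ModSecurity engine): the
matching logic of the README's sample rules 1002-1004 re-implemented with
Python's re module, so their hit and false-positive behaviour can be checked
against constructed ARGS values before they are deployed.

Rule 1001 (@detectSQLi) is backed by libinjection and is not reproduced.
Assumptions: a value is examined as ModSecurity would hold it in ARGS (already
URL-decoded once by the engine); t:urlDecodeUni is approximated with
urllib.parse.unquote, which does not handle %uXXXX sequences.
"""
import re
from urllib.parse import unquote


def t_lowercase(value: str) -> str:
    return value.lower()


def t_urldecodeuni(value: str) -> str:
    # Approximation of ModSecurity's urlDecodeUni (assumption: no %uXXXX support).
    return unquote(value)


def pm_1002(value: str) -> bool:
    # @pm is a phrase (substring) match; t:lowercase makes it case-insensitive.
    return any(p in value for p in ("system", "exec", "passthru", "shell_exec"))


# @rx patterns copied verbatim from the README rules.
RX_1003 = re.compile(r"[;&|`\$]")
RX_1004 = re.compile(r"\.\./\.\./")

# (id, transformations applied in order, operator, msg) for each rule.
RULES = [
    (1002, [t_lowercase], pm_1002, "Potential RCE detected"),
    (1003, [], lambda v: RX_1003.search(v) is not None, "Command Injection Characters Detected"),
    (1004, [t_urldecodeuni], lambda v: RX_1004.search(v) is not None, "Path Traversal Attempt"),
]


def evaluate(value: str) -> list[int]:
    """Return the ids of the rules whose operator matches this ARGS value."""
    hits = []
    for rule_id, transforms, operator, _msg in RULES:
        v = value
        for t in transforms:
            v = t(v)
        if operator(v):
            hits.append(rule_id)
    return hits


# Constructed ARGS values: expected detections and benign look-alikes.
SAMPLES = {
    "report.txt; id": "command injection: shell metacharacter",
    "..%2F..%2Fsecret.txt": "traversal: second encoding layer, caught only via t:urlDecodeUni",
    "shell_EXEC": "RCE keyword in mixed case, caught via t:lowercase",
    "R&D budget is $500": "benign: ampersand and dollar sign trip rule 1003",
    "ecosystem report": "benign: 'system' as a substring trips rule 1002",
    "hello world": "benign: no hit",
}


def run_samples() -> dict[str, list[int]]:
    """Evaluate every constructed sample and return value -> matching rule ids."""
    return {value: evaluate(value) for value in SAMPLES}


if __name__ == "__main__":
    for value, hits in run_samples().items():
        print(f"{value!r:28} -> {hits or 'pass'}  ({SAMPLES[value]})")
```

The two benign hits are the point of the exercise: `@pm system` matches any value containing that substring, and the metacharacter class in rule 1003 flags ordinary text that contains `&` or `$`. The generator's normal-navigation noise is what surfaces this kind of false positive in the lab rather than in production, which is the case for tightening the phrases (for instance matching `system(` rather than `system`) before a WAF goes live.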