Fos-R, the synthetic network traffic generator

Table of contents

Fos-R is a high-quality and high-throughput network traffic generator based on AI models. Fos-R can be used for:

creating in a few minutes network datasets lasting for weeks, for example to learn AI models or to evaluate intrusion detection systems;
generating background traffic in cyber ranges so the exercise is more realistic and attacks are more difficult to detect;
generating background traffic in low- or high-interactivity honeypots to deceive attackers.

Get Fos-R

The sources are available on the GitLab repository or the GitHub mirror.

Cargo features

Fos-R make use of Cargo features for conditional compilation. The available features:

iptables: a method for network injection (Linux only)
ebpf: a method for network injection (Windows and Linux) [default]

If you do not enable iptables or ebpf, Fos-R won’t be able to inject traffic on the network. Generation is always available.

Stable binaries

The binaries of the last stable versions are stored on GitHub.

Experimental binaries

Build version db85fb87, compiled on 2025-12-15 (changelog).

Linux

Target	Binary file	.deb package
x86 (32 bits)	link	link
x86 (64 bits)	link	link
ARM (32 bits)	link	link
ARM (64 bits)	link	link

Windows

Windows builds can only generate data but cannot inject data into the network.

Target	Iptables	eBPF	Binary file
x86 (64 bits)			link
x86 (32 bits)			link

How to use

Fos-R contains several subcommands.

Pcap creation

Check the “Configuration file” section for more information on how to customize the generation.

If you want to generate a large pcap file, you may not have enough RAM to fit the entire dataset. In that case, use the -p efficient --no-order-pcap to generate an out-of-order pcap, and then use a tool like reordercap to reorder the pcap file. The RAM usage is minimal and is constant relative to the output pcap with these options.

Create a pcap file. If you require deterministic generation, you must specify -d, -t, --tz and --seed

Usage: fosr create-pcap [OPTIONS] <--duration <DURATION>|--packets-count <PACKETS_COUNT>>

Options:
  -o, --outfile <OUTFILE>
          Output pcap file for synthetic network packets [default: output.pcap]
      --taint
          Taint the packets
  -p, --profile <PROFILE>
          The generation profile to use. Either "fast" that optimizes CPU use but the entire dataset must fit in RAM, or "efficient" that requires less RAM but is slower [default: efficient] [possible values: fast, efficient]
  -c, --config <CONFIG>
          Path to the configuration file
  -n, --packets-count <PACKETS_COUNT>
          Minimum number of packets to generate
  -d, --duration <DURATION>
          Minimum pcap traffic duration described in human-friendly time, such as "15days 30min 5s"
  -t, --start-time <START_TIME>
          Beginning time of the pcap in RFC3339 style ("2025-05-01 10:28:07") or a Unix timestamp. By default, use the current time. Date time is considered to be in the timezone specified with --tz
  -f, --flow-per-day <FLOW_PER_DAY>
          Average number of flows to generate per day. Actual number of generated flows can be lower or higher
  -j, --jobs <JOBS>
          Number of generation jobs. By default, use half the available cores.
  -s, --seed <SEED>
          Seed for random number generation
      --default-models <DEFAULT_MODELS>
          Use a default model [default: legacy] [possible values: legacy]
      --custom-models <CUSTOM_MODELS>
          Use a custom model
      --tz <TZ>
          Timezone of the generated, used for realistic work hours. By default, local timezone is used. Use a IANA time zone (like Europe/Paris) or an abbreviation (like CET). The offset is assumed constant during the generation time range
      --no-order-pcap
          Disable the temporal sorting of the generated pcap. Reduce significantly the RAM usage with "--profile efficient"
  -h, --help
          Print help

Example: fosr create-pcap -o example.pcap -d 1day --order-pcap.

Untaint pcap file

Remove the Fos-R taint from a pcap file

Usage: fosr untaint --input <INPUT> --output <OUTPUT>

Options:
  -i, --input <INPUT>    Pcap file to untaint
  -o, --output <OUTPUT>  Pcap file output
  -h, --help             Print help

Configuration file

By default, Fos-R generates traffic that is similar to its learning data. The main way to customize the generated data is through a configuration file. This configuration file allows to describe the hosts of a network.

Here is a minimal configuration file with a user (IP address: 192.168.0.9) and a server (IP address: 192.168.0.8) which provides two services: an SSH server (on port 2222) and an HTTPS server.

metadata:
  title: Sample configuration
hosts:
  - interfaces:
      - ip_addr: 192.168.0.8
        services:
          - https
          - ssh:2222
  - interfaces:
      - ip_addr: 192.168.0.9

Besides metadata, a configuration file consists of a list of hosts, which contain a list of interfaces. For the moment, Fos-R cannot properly simulate the routing of packets, so the IP addresses should be the same subnet.

The next example showcases the different available fields:

metadata:
  title: Sample configuration # Mandatory. The title of the configuration file.
  desc: A sample configuration file to show all the different available fields # Optional. A description of the configuration file.
  author: Jane Doe # Optional. Author of the file.
  date: 2025/11/05 # Optional. Last modification date.
  version: 0.1.0 # Optional. The version number of this configuration file. Format is free.
  format: 1 # Reserved for now. The version will be bumped when the format changes.

hosts:
  - hostname: host1 # Optional. The hostname of the host.
    os: Linux # Optional (default value: Linux). The OS of the host
    usage: 0.8 # Optional (default value: 1.0). The usage intensity of the host. 1 is the baseline, < 1 means less usage than usual, and > 1 means higher usage
    type: server  # Optional (default value: "server" if there is at least one service, "user" otherwise). Whether this host is used by a user and is a server. Can be either "server" or "user"
    client: # Optional (default value: all available services if type is "user", none otherwise). Specify what services the host is a client of. The protocols must be written in lowercase.
        - http
        - https
        - ssh
    interfaces:
      - mac_addr: 00:14:2A:3F:47:D8 # Optional. The MAC address of that interface
        services: # Optional (default value: empty list). The list of available services
          - http:8080 # an HTTP server on port 8080
          - https     # an HTTPS server
          - ssh       # an SSH server
        ip_addr: 192.168.0.8 # Mandatory. The IP address of this interface.
      - ip_addr: 192.168.0.9 # This host has another interface that does not provide any service
  - interfaces:
      - ip_addr: 192.168.0.11 # Another host with a single interface

You can also use a JSON file with a similar structure.

This format is still experimental and we are willing to extend it to handle more use cases.

Fos-R & other software

Feel free to contact us if you would like some help integrating Fos-R in your tool!

Wireshark

To visualize easily the taint on packets generated by Fos-R on Wireshark, right click on any column name > Column Preferences... > +. Set the fields of the new column as follow:

Title: Fos-R
Type: Custom
Custom Expression: ip.flags&4>0
Field occurrence: 0.

Finally, consider moving the column up in the columns list.

Alternatively, you can modify the configuration file of Wireshark and add the line "Fos-R", "%Cus:ip.flags&4>0:0:R" in the gui.column.format list.

How it works

Fos-R generates data with a four-staged generation, as indicated in the schema below.

If you want to know more about the science behind Fos-R, check the publications.

Fos-R library

Fos-R also includes a Rust library that exposes the main parts of the software. Its documentation is here. You can add the stable version of Fos-R to a Rust project with:

cargo add fosr-lib

For the experimental version:

cargo add --git https://gitlab.inria.fr/pirat-public/Fos-R.git fosr-lib.

The Fos-R library is licensed under GPL-3.0.

Roadmap

Fos-R is currently at v0.1. The following roadmap is indicative. Priorities may change over time.

v1.0 - generation

Goal: reproducible and evaluated generation

An enhanced stage 0 with temporal profiles
A new stage 1 based on Bayesian networks
An automated and deterministic build and evaluation

v2.0 - portability

Goal: a documented Fos-R library, a GUI and more generation portability

A GUI for Fos-R
Cross-compilation (generation only) for most platforms (Linux, Windows, macOS, BSD)
A WASM version for in-browser generation
A well-documented library

v3.0 - net injection

Goal: High-throughput network injection

A new network enabler for reliable and high-throughput network injection
Injection mode on Windows
New injection modes
New taint options

Real-world uses

BreizhCTF 2025

Fos-R created background network traffic for the Pirhack challenge during the BreizhCTF 2025 hacking competition for about 600 participants. During that competition, Fos-R was deployed on 750 virtual machines for a total of 23,000 cumulated hours.

Education

Fos-R was also used for smaller CTF competitions used for education, such as TCE CTF and RESSI CTF.

Sample synthetic data analysis

Download here the sample data that has been generated by Fos-R with the following command line: fosr create-pcap -o sample.pcap -s 0 -d 1min -t 0 --tz CET. All the analyses pertain to this pcap file. They have been automatically computed by the CI pipeline to ensure reproducibility.

Limitations

While Fos-R aims to produce high-quality generation, it still relies on some assumptions and is not suitable for all use cases. Here is what Fos-R should not be used for:

works relying on deep packet inspection (DPI). The payloads generated by Fos-R are replayed and may be semantically incorrect.
works for advanced networking analysis. Fos-R does not simulate caching or routing. Besides, it simulates an omniscient sensor that would magically capture all emitted packets.
anonymizing a dataset. Fos-R has no guarantee about the privacy protection of the training data.

If you are a researcher interested in helping us lift some of the assumptions Fos-R relies on, please contact us!

Publications

Synthetic Network Traffic Generation for Intrusion Detection Systems: a Systematic Literature Review
- Published in ESORICS 2025 International Workshops, 2025
- Authors: Pierre-François Gimenez (Inria)
TADAM: Learning Timed Automata From Noisy Observations
- Published in SIAM International Conference on Data Mining (SDM25), 2025
- Authors: Lénaïg Cornanguer (CISPA), Pierre-François Gimenez (Inria)
FlowChronicle: Synthetic Network Flow Generation through Pattern Set Mining
- Published in 20th International Conference on emerging Networking EXperiments and Technologies (CoNEXT), 2024
- Authors: Joscha Cüppers (CISPA), Adrien Schoen (Inria), Gregory Blanc (Télécom SudParis), Pierre-Francois Gimenez (Inria)
A Tale of Two Methods: Unveiling the limitations of GAN and the Rise of Bayesian Networks for Synthetic Network Traffic Generation
- Published in 9th International Workshop on Traffic Measurements for Cybersecurity (WTMC 2024), 2024
- Authors: Adrien Schoen (Inria), Gregory Blanc (Télécom SudParis), Pierre-François Gimenez (CentraleSupélec), Yufei Han (Inria), Frédéric Majorczyk (DGA-MI), Ludovic Mé (Inria)

The following software have been created for Fos-R:

TADAM, an automata learner
FlowChronicle, a pattern miner

Contributors

Inria: Pierre-François Gimenez, Adrien Schoen
CISPA: Lénaïg Cornanguer, Joscha Cüppers
CentraleSupélec: Dorian Bachelot, Evan Morin, Florentin Labelle, Samuel Cordon, Quentin Blin

Contact

You can contact the maintainer at pierre-francois.gimenez@inria.fr.