Adding Timestamps to Packet Payload with Tcpreplay

That kind of editing isn't supported by tcpreplay/tcprewrite, so you'd have to write the code yourself. If you don't mind corrupting your packet data (which it sounds like you're ok with), then it should be pretty easy by editing tcpedit.c.

tcpreplay and timestamps

If you sniff traffic at the same time with tcpdump or Wireshark, it will timestamp each packet on the way out and the replies.

Just a warning though, tcpreplay generally doesn't support replaying TCP streams to servers since it doesn't track state of the TCP stream. Generally all you'll get are Reset packets in reply. UDP should generally be ok. ICMP often works. If you want more information, be sure to check out the Tcpreplay FAQ:

http://tcpreplay.synfin.net/wiki/FAQ#Doestcpreplaysupportsendingtraffictoaserver

How to modify the timestamp range of a .pcap file?

This can be accomplished with Wireshark using its "Time Shift" feature.

Assuming the timestamp for packet 1 is 2017-08-17 12:00:00.000000, select packet 1 then choose "Edit -> Time Shift..." and set the time for packet 1 to 2017-08-17 12:00:00.000000 (i.e., don't change this one). Click the box next to "...then set packet" and enter 2 for the packet number and 2017-08-17 12:04:00.000000 as the timestamp. You'll notice that it also indicates, "and extrapolate the time for all other packets", which is what you want. Hit Apply.

At this point, the timestamps should be adjusted to what you want, although the sub-second component might not end up being exactly the same for all packets and for some reason even packet 1's sub-second component is not exactly what was originally specified. If you really want to retain the original sub-second component, then you'll have to adjust one packet at a time. Considering that there are only 4 packets to adjust, this should be feasible. I might suggest filing a Wireshark bug report for the erroneous sub-second adjustment though.
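The same shift can be done outside Wireshark with a short script, which also makes the sub-second behaviour visible. The Python below is an added example, not code from the answer above or from the Wireshark project: it reads and writes the classic libpcap file layout (global header, then per-record ts_sec/ts_frac/incl_len/orig_len) with nothing but the struct module, and does the arithmetic in exact rationals so the only rounding is to the file's own resolution. With two anchor packets it applies a linear map through both points and extrapolates to every other packet, which is my reading of what Wireshark's "...then set packet N" does; with one anchor it adds a constant offset, which is the mode that keeps every packet's original sub-second part when the offset is a whole number of seconds. The four-packet capture at the bottom is constructed for the demonstration.

```python
import struct
from fractions import Fraction

# Constructed example; the layout below is the libpcap file format, not code from the posts.
MAGIC_USEC = 0xA1B2C3D4   # classic pcap: timestamps in seconds + microseconds
MAGIC_NSEC = 0xA1B23C4D   # variant: seconds + nanoseconds
GLOBAL_HDR_LEN = 24       # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16       # ts_sec, ts_frac, incl_len, orig_len


def parse_pcap(data):
    """Return (endian, ticks_per_second, global_header_bytes, records).

    Each record is [ts_sec, ts_frac, orig_len, packet_bytes]. Timestamps stay
    as the raw integer fields so no precision is lost through a float.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (unknown magic number)")
    ticks = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    records, off = [], GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append([ts_sec, ts_frac, orig_len, pkt])
    return endian, ticks, data[:GLOBAL_HDR_LEN], records


def build_pcap(endian, global_header, records):
    """Serialise records back into a pcap with the same global header and byte order."""
    out = [global_header]
    for ts_sec, ts_frac, orig_len, pkt in records:
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(pkt), orig_len))
        out.append(pkt)
    return b"".join(out)


def shift_timestamps(data, anchors):
    """Re-time every packet in a pcap.

    anchors maps 1-based packet numbers to new absolute times in seconds
    (int, Fraction or decimal string). One anchor: constant offset, so a
    whole-second offset leaves every sub-second part untouched. Two anchors:
    linear map through both points, extrapolated to all other packets; the
    sub-second parts are scaled by the same factor, which is why they change.
    """
    endian, ticks, ghdr, records = parse_pcap(data)
    old = [Fraction(s) + Fraction(f, ticks) for s, f, _, _ in records]
    anchors = {n: Fraction(t) for n, t in anchors.items()}
    if len(anchors) == 1:
        (n, t_new), = anchors.items()
        delta = t_new - old[n - 1]

        def remap(t):
            return t + delta
    elif len(anchors) == 2:
        (n1, t1), (n2, t2) = sorted(anchors.items())
        o1, o2 = old[n1 - 1], old[n2 - 1]
        if o1 == o2:
            raise ValueError("anchor packets share a timestamp; cannot extrapolate")
        scale = (t2 - t1) / (o2 - o1)

        def remap(t):
            return t1 + (t - o1) * scale
    else:
        raise ValueError("give one anchor (offset) or two (extrapolate)")
    for rec, t in zip(records, old):
        t_new = remap(t)
        if t_new < 0:
            raise ValueError("shift would make a timestamp negative")
        rec[0], rec[1] = divmod(round(t_new * ticks), ticks)  # round to file resolution
    return build_pcap(endian, ghdr, records)


def timestamps(data):
    """(ts_sec, ts_frac) of every packet, for checking a result."""
    return [(s, f) for s, f, _, _ in parse_pcap(data)[3]]


def make_sample_pcap():
    """Constructed 4-packet capture: 10 s apart, packets 3 and 4 a few microseconds off."""
    hdr = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    recs = [[1000, 0, 14, b"\x00" * 14], [1010, 0, 14, b"\x00" * 14],
            [1020, 1, 14, b"\x00" * 14], [1030, 3, 14, b"\x00" * 14]]
    return build_pcap("<", hdr, recs)


if __name__ == "__main__":
    sample = make_sample_pcap()
    # Keep packet 1, move packet 2 four minutes later, extrapolate packets 3 and 4.
    for sec, usec in timestamps(shift_timestamps(sample, {1: 1000, 2: 1240})):
        print("%d.%06d" % (sec, usec))
```

Running the sample with anchors {1: 1000, 2: 1240} scales the 10 s gap to 240 s, so packet 3's 1 microsecond becomes 24 and packet 4's 3 become 72; running it with the single anchor {1: 1240} moves everything by 240 s and leaves the 1 and 3 microseconds exactly as they were, which is the behaviour the answer above wanted from Wireshark.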

TCPReplay - Time Interval between loops

simple little shell script:

#!/bin/bash
# Replay Sample.pcap ten times at 3200 packets/s, pausing 20 s between loops.
i=0
while [ $i -lt 10 ]; do
    tcpreplay -i eth1 --pktlen -p 3200 Sample.pcap
    i=$(($i + 1))
    sleep 20
done

Modify a PCAP file using Perl with checksum update

You could use Net::Pcap to parse such files: http://search.cpan.org/~kcarnut/Net-Pcap-0.05/Pcap.pm

Here is an example: http://hype-free.blogspot.co.uk/2010/03/parsing-pcap-files-with-perl.html

use strict;
use warnings;
use Net::TcpDumpLog;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;

my $log = Net::TcpDumpLog->new();
$log->read("foo.pcap");

foreach my $index ($log->indexes) {
    # Record header: original length, captured length, drops, seconds and the
    # sub-second field (microseconds in a standard pcap, despite the variable name).
    my ($length_orig, $length_incl, $drops, $secs, $msecs) = $log->header($index);
    my $data = $log->data($index);

    my $eth_obj = NetPacket::Ethernet->decode($data);
    next unless $eth_obj->{type} == NetPacket::Ethernet::ETH_TYPE_IP;

    my $ip_obj = NetPacket::IP->decode($eth_obj->{data});
    next unless $ip_obj->{proto} == NetPacket::IP::IP_PROTO_TCP;

    my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});

    # localtime() ignores fractional seconds and returns a 0-based month.
    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime($secs);
    printf("%02d-%02d %02d:%02d:%02d.%06d %s -> %s\n",
        $mon + 1, $mday, $hour, $min, $sec, $msecs,
        $eth_obj->{src_mac}, $eth_obj->{dest_mac});
    printf("\t%s:%d -> %s:%d\n",
        $ip_obj->{src_ip}, $tcp_obj->{src_port},
        $ip_obj->{dest_ip}, $tcp_obj->{dest_port});
}
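The script above only reads the capture; the "checksum update" half of the question is what bites once you start editing fields, because the IPv4 header checksum covers the addresses and the TCP checksum covers them again through its pseudo-header, so a capture with a patched address and untouched checksums is exactly what tcprewrite's -C option exists to repair. The following is an added example in Python rather than Perl (it is not code from the answer above or from the blog it links, and it uses only the standard library): it decodes an Ethernet/IPv4/TCP frame into the same fields the Perl script prints, verifies both checksums, then rewrites the source address and recomputes them. The SYN frame is constructed for the demonstration; the checksum rules are the ones from RFC 791 and RFC 793.

```python
import socket
import struct

# Constructed example; frame layout and checksum rules follow RFC 791 / RFC 793.
ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header):
    """Checksum of an IPv4 header, computed with its checksum field zeroed."""
    return (~ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over pseudo-header + segment. Because the pseudo-header holds
    the IP addresses, changing an address invalidates this checksum too."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return (~ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])) & 0xFFFF


def decode_frame(frame):
    """Ethernet -> IPv4 -> TCP; returns the fields the Perl script prints plus
    whether each checksum verifies (a valid one sums to 0xFFFF)."""
    dst_mac, src_mac, etype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if etype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    ip_hdr, tcp = ip[:ihl], ip[ihl:total_len]     # total_len drops any Ethernet padding
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(ip_hdr[12:16]), "dst_ip": socket.inet_ntoa(ip_hdr[16:20]),
        "ttl": ip_hdr[8], "src_port": src_port, "dst_port": dst_port, "flags": tcp[13],
        "ip_csum_ok": ones_complement_sum(ip_hdr) == 0xFFFF,
        "tcp_csum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
    }


def rewrite_src_ip(frame, new_ip):
    """Replace the IPv4 source address and refresh both checksums, which is the
    repair tcprewrite -C performs after an edit."""
    out = bytearray(frame)
    ihl = (out[ETH_LEN] & 0x0F) * 4
    ip_start, tcp_start = ETH_LEN, ETH_LEN + ihl
    total_len = struct.unpack("!H", out[ip_start + 2:ip_start + 4])[0]
    out[ip_start + 12:ip_start + 16] = socket.inet_aton(new_ip)
    ip_hdr = bytes(out[ip_start:tcp_start])
    out[ip_start + 10:ip_start + 12] = struct.pack("!H", ipv4_checksum(ip_hdr))
    tcp = bytes(out[tcp_start:ip_start + total_len])
    out[tcp_start + 16:tcp_start + 18] = struct.pack(
        "!H", tcp_checksum(ip_hdr[12:16], ip_hdr[16:20], tcp))
    return bytes(out)


def build_sample_syn():
    """Constructed SYN 10.0.0.1:12345 -> 10.0.0.2:80 with valid checksums."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    tcp = bytearray(struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 0x50, 0x02, 65535, 0, 0))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                               64, IPPROTO_TCP, 0,
                               socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    tcp[16:18] = struct.pack("!H", tcp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), bytes(tcp)))
    return bytes(eth + ip + tcp)


if __name__ == "__main__":
    frame = build_sample_syn()
    print(decode_frame(frame))
    print(decode_frame(rewrite_src_ip(frame, "192.168.1.1")))
```

Patching the four address bytes in the sample without calling rewrite_src_ip makes decode_frame report both ip_csum_ok and tcp_csum_ok as False, which is the state a capture is left in after a raw edit and the reason tcprewrite has to recompute checksums afterwards.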

TcpDump: showing the absolute timestamp (date + time) of pcap file

You can use the -tttt option:

$ tcpdump -tttt -nr tmp.pcap 
reading from file tmp.pcap, link-type EN10MB (Ethernet)
2018-01-19 17:50:43.275918 IP 172.24.0.97.45386 > 93.153.221.29.80: Flags [.], ack 3335572340, win 251, options [nop,nop,TS val 98777655 ecr 230462279], length 0
2018-01-19 17:50:43.287273 IP 93.153.221.29.80 > 172.24.0.97.45386: Flags [.], ack 1, win 285, options [nop,nop,TS val 230464839 ecr 98706059], length 0
2018-01-19 17:50:44.138480 ARP, Request who-has 172.24.0.73 tell 172.24.0.78, length 46
2018-01-19 17:50:45.162482 ARP, Request who-has 172.24.0.73 tell 172.24.0.78, length 46

tcpreplay: -T option

Yes, it was separated into tcprewrite (which transforms capture files) and then the options were merged back in the command tcpreplay-edit.

The FAQ shows tcpreplay-edit --mtu-trunc is now the equivalent of the previous -T option and should imply -C to correct the checksum, but you may need --mtu=n if you aren't dealing with a standard 1500 or need -F if part of the problem is inconsistent header and real length at collection time.
