Adding Timestamps To Packet Payload with TCPREPLAY
That kind of editing isn't supported by tcpreplay/tcprewrite, so you'd have to write the code yourself. If you don't mind corrupting your packet data (which it sounds like you're OK with), then it should be pretty easy by editing tcpedit.c.
tcpreplay and timestamps
If you sniff traffic at the same time with tcpdump or Wireshark, it will timestamp each packet on the way out and the replies.
Just a warning though, tcpreplay generally doesn't support replaying TCP streams to servers since it doesn't track state of the TCP stream. Generally all you'll get are Reset packets in reply. UDP should generally be ok. ICMP often works. If you want more information, be sure to check out the Tcpreplay FAQ:
http://tcpreplay.synfin.net/wiki/FAQ#Doestcpreplaysupportsendingtraffictoaserver
How to modify the timestamp range of a .pcap file?
This can be accomplished with Wireshark using its "Time Shift" feature.
Assuming the timestamp for packet 1 is 2017-08-17 12:00:00.000000, select packet 1 then choose "Edit -> Time Shift..." and set the time for packet 1 to 2017-08-17 12:00:00.000000 (i.e., don't change this one). Click the box next to "...then set packet" and enter 2 for the packet number and 2017-08-17 12:04:00.000000 as the timestamp. You'll notice that it also indicates, "and extrapolate the time for all other packets", which is what you want. Hit Apply.
At this point, the timestamps should be adjusted to what you want, although the sub-second component might not end up being exactly the same for all packets and for some reason even packet 1's sub-second component is not exactly what was originally specified. If you really want to retain the original sub-second component, then you'll have to adjust one packet at a time. Considering that there are only 4 packets to adjust, this should be feasible. I might suggest filing a Wireshark bug report for the erroneous sub-second adjustment though.
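The two-packet "Time Shift" described above (pin packet 1, pin packet 2, extrapolate the rest) is a linear rescaling of every timestamp in the file. The following is an added example, not code from the answer or from Wireshark: a dependency-free Python script that applies the same rescaling directly to a pcap file using exact rational arithmetic, so the pinned packets come out with precisely the sub-second value requested (the rounding the answer complains about does not occur). The pcap layout (24-byte global header, 16-byte record headers, microsecond or nanosecond magic numbers) is the standard libpcap format; the sample capture built by build_pcap() is constructed for the demonstration and the date strings are taken as UTC.

```python
import calendar
import math
import struct
from datetime import datetime, timezone
from fractions import Fraction

# pcap magic (read little-endian from the first 4 bytes) -> (struct byte order, ticks per second)
_LAYOUTS = {
    0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),  # microsecond-resolution pcap
    0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9),  # nanosecond-resolution pcap
}


def wireshark_time(text):
    """'2017-08-17 12:00:00.000000' (taken as UTC) -> exact epoch seconds as a Fraction."""
    whole, _, frac = text.partition(".")
    secs = calendar.timegm(datetime.strptime(whole, "%Y-%m-%d %H:%M:%S").timetuple())
    return Fraction(secs) + (Fraction(int(frac), 10 ** len(frac)) if frac else 0)


def read_pcap(data):
    """Split a pcap file into (global header, byte order, ticks per second, records);
    each record is (ts_sec, ts_frac, incl_len, orig_len, packet bytes)."""
    order, tps = _LAYOUTS[struct.unpack("<I", data[:4])[0]]
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        records.append((sec, frac, incl, orig, data[off:off + incl]))
        off += incl
    return data[:24], order, tps, records


def timestamps(data):
    """Exact packet timestamps (epoch seconds as Fractions), in file order."""
    _, _, tps, recs = read_pcap(data)
    return [Fraction(sec) + Fraction(frac, tps) for sec, frac, _, _, _ in recs]


def time_shift(data, pkt_a, ts_a, pkt_b, ts_b):
    """Pin packet pkt_a (1-based, as Wireshark numbers packets) to ts_a and packet pkt_b
    to ts_b, then rescale every other packet linearly between/beyond them, i.e. the
    dialog's '...then set packet N ... and extrapolate the time for all other packets'.
    Everything is a Fraction, so the pinned packets land exactly on the requested
    sub-second value and nothing is lost to floating point."""
    header, order, tps, recs = read_pcap(data)
    old = timestamps(data)
    old_a, old_b = old[pkt_a - 1], old[pkt_b - 1]
    if old_a == old_b:
        raise ValueError("reference packets carry the same timestamp; nothing to scale")
    scale = (Fraction(ts_b) - Fraction(ts_a)) / (old_b - old_a)
    out = bytearray(header)
    for (sec, frac, incl, orig, pkt), t in zip(recs, old):
        new = Fraction(ts_a) + (t - old_a) * scale
        new_sec = math.floor(new)
        new_frac = int((new - new_sec) * tps)  # truncate to the file's own resolution
        out += struct.pack(order + "IIII", new_sec, new_frac, incl, orig) + pkt
    return bytes(out)


def build_pcap(times, tps=10**6):
    """Constructed sample capture (not real traffic): a little-endian microsecond pcap
    whose records are 20 dummy bytes each, carrying the given epoch timestamps."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for t in map(Fraction, times):
        sec = math.floor(t)
        out += struct.pack("<IIII", sec, int((t - sec) * tps), 20, 20) + b"\xaa" * 20
    return bytes(out)


if __name__ == "__main__":
    cap = build_pcap([1000, "1000.5", "1001.25", 1003])
    shifted = time_shift(cap, 1, wireshark_time("2017-08-17 12:00:00.000000"),
                         2, wireshark_time("2017-08-17 12:04:00.000000"))
    for t in timestamps(shifted):
        print(datetime.fromtimestamp(math.floor(t), timezone.utc), "+", t - math.floor(t))
```

Run against a real file by replacing build_pcap() with open("in.pcap", "rb").read() and writing the returned bytes to a new file; the packet data and the global header (including the link type) are copied through untouched, only the record timestamps change. Because the scaling is linear, stretching 0.5 s of original spacing into 4 minutes also stretches every other gap by the same factor, which is exactly what Wireshark's extrapolation does.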
TCPReplay - Time Interval between loops
simple little shell script:
#!/bin/bash
# Replay Sample.pcap ten times, pausing 20 seconds between runs.
#   -i eth1   interface to send on
#   --pktlen  use the packet-length field rather than the captured length
#   -p 3200   send at 3200 packets per second
i=0
while [ $i -lt 10 ]; do
    tcpreplay -i eth1 --pktlen -p 3200 Sample.pcap
    i=$(($i + 1))
    sleep 20
done
Modify a PCAP file using Perl with checksum update
You could use Net::PCap to parse such files: http://search.cpan.org/~kcarnut/Net-Pcap-0.05/Pcap.pm
Here is an example: http://hype-free.blogspot.co.uk/2010/03/parsing-pcap-files-with-perl.html
use strict;
use warnings;
use Net::TcpDumpLog;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;

my $log = Net::TcpDumpLog->new();
$log->read("foo.pcap");

foreach my $index ($log->indexes) {
    # header() returns the raw pcap record header; the last field is the
    # sub-second part of the timestamp, which is microseconds in a standard pcap
    my ($length_orig, $length_incl, $drops, $secs, $usecs) = $log->header($index);
    my $data = $log->data($index);

    my $eth_obj = NetPacket::Ethernet->decode($data);
    next unless $eth_obj->{type} == NetPacket::Ethernet::ETH_TYPE_IP;
    my $ip_obj = NetPacket::IP->decode($eth_obj->{data});
    next unless $ip_obj->{proto} == NetPacket::IP::IP_PROTO_TCP;
    my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});

    # localtime() takes whole seconds and returns a 0-based month, hence the +1
    my ($sec, $min, $hour, $mday, $mon) = localtime($secs);
    printf("%02d-%02d %02d:%02d:%02d.%06d %s -> %s\n",
           $mon + 1, $mday, $hour, $min, $sec, $usecs,
           $eth_obj->{src_mac}, $eth_obj->{dest_mac});
    printf("\t%s:%d -> %s:%d\n",
           $ip_obj->{src_ip}, $tcp_obj->{src_port},
           $ip_obj->{dest_ip}, $tcp_obj->{dest_port});
}
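The Perl snippet above only reads packets; it does not change anything, so it never has to touch a checksum. The first answer on this page (writing a timestamp into the packet payload and accepting the corruption) is exactly the case where a checksum update becomes necessary, because any byte changed under the UDP header invalidates the UDP checksum and tcpreplay will send it as-is unless told to fix it. The following is an added example, written in Python rather than Perl and not taken from either answer: it overwrites the first 8 bytes of an IPv4/UDP payload with the capture timestamp and recomputes both the IPv4 header checksum and the UDP checksum (RFC 1071 one's-complement sum, pseudo-header included). The sample frame built by build_udp_frame() is constructed for the demonstration; the addresses and ports in it are arbitrary.

```python
import struct


def ones_complement_sum(data):
    """RFC 1071 Internet checksum of data (zero-padded to an even length)."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def stamp_udp_payload(frame, ts_sec, ts_usec):
    """Overwrite the first 8 bytes of the UDP payload of an Ethernet/IPv4/UDP frame with
    the capture timestamp (big-endian seconds, microseconds) and recompute the IPv4
    header and UDP checksums. Returns None when the frame is not IPv4/UDP or has no
    room for the stamp, so a caller can write such packets through unchanged."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 over Ethernet
    ip_off, ihl = 14, (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or frame[ip_off + 9] != 17:
        return None  # not IPv4, or not UDP
    udp_off = ip_off + ihl
    udp_len = struct.unpack("!H", frame[udp_off + 4:udp_off + 6])[0]
    if udp_len < 16 or udp_off + udp_len > len(frame):
        return None  # payload shorter than the 8-byte stamp, or a truncated (snaplen) capture
    out = bytearray(frame)
    out[udp_off + 8:udp_off + 16] = struct.pack("!II", ts_sec, ts_usec)
    # IPv4 header checksum covers the header only: zero the field, then recompute
    out[ip_off + 10:ip_off + 12] = b"\x00\x00"
    out[ip_off + 10:ip_off + 12] = struct.pack("!H", ones_complement_sum(out[ip_off:udp_off]))
    # UDP checksum covers pseudo-header + UDP header + payload; a computed 0 is sent as 0xFFFF
    out[udp_off + 6:udp_off + 8] = b"\x00\x00"
    pseudo = out[ip_off + 12:ip_off + 20] + b"\x00\x11" + struct.pack("!H", udp_len)
    csum = ones_complement_sum(pseudo + out[udp_off:udp_off + udp_len]) or 0xFFFF
    out[udp_off + 6:udp_off + 8] = struct.pack("!H", csum)
    return bytes(out)


def checksums_valid(frame):
    """(ipv4_header_ok, udp_ok) for an Ethernet/IPv4/UDP frame: the sum over a region
    that includes its correct checksum field comes out as 0. A UDP checksum field of 0
    means 'no checksum' and is reported as not ok here."""
    udp_off = 14 + (frame[14] & 0x0F) * 4
    udp_len = struct.unpack("!H", frame[udp_off + 4:udp_off + 6])[0]
    pseudo = frame[26:34] + b"\x00\x11" + struct.pack("!H", udp_len)
    return (ones_complement_sum(frame[14:udp_off]) == 0,
            ones_complement_sum(pseudo + frame[udp_off:udp_off + udp_len]) == 0)


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed sample frame (not captured traffic): Ethernet/IPv4/UDP with valid checksums."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src + dst + b"\x00\x11" + struct.pack("!H", udp_len)
    udp = udp[:6] + struct.pack("!H", ones_complement_sum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    eth = bytes.fromhex("00112233445566778899aabb0800")  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + udp


if __name__ == "__main__":
    frame = build_udp_frame("10.0.0.1", "10.0.0.2", 40000, 514, b"<34>sample syslog line\n")
    stamped = stamp_udp_payload(frame, 1502971200, 123456)
    print(checksums_valid(frame), checksums_valid(stamped))
    print(stamped[42:50].hex(), stamped[50:])
```

Feeding the output of stamp_udp_payload() back into a pcap writer gives a file tcpreplay will send without the receiver's stack discarding it for a bad UDP checksum; if you only patch the payload and skip the recompute, the -C/--fixcsum option of tcpreplay-edit does the same repair at replay time. The IPv4 header checksum is recomputed for completeness and does not change here, since only bytes beyond the IP header are edited; TCP would need the same pseudo-header treatment with protocol 6 and the TCP length.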
TcpDump: showing the absolute timestamp (date + time) of pcap file
You can use the -tttt option:
$ tcpdump -tttt -nr tmp.pcap
reading from file tmp.pcap, link-type EN10MB (Ethernet)
2018-01-19 17:50:43.275918 IP 172.24.0.97.45386 > 93.153.221.29.80: Flags [.], ack 3335572340, win 251, options [nop,nop,TS val 98777655 ecr 230462279], length 0
2018-01-19 17:50:43.287273 IP 93.153.221.29.80 > 172.24.0.97.45386: Flags [.], ack 1, win 285, options [nop,nop,TS val 230464839 ecr 98706059], length 0
2018-01-19 17:50:44.138480 ARP, Request who-has 172.24.0.73 tell 172.24.0.78, length 46
2018-01-19 17:50:45.162482 ARP, Request who-has 172.24.0.73 tell 172.24.0.78, length 46
tcpreplay: -T option
Yes, it was separated into tcprewrite (which transforms capture files) and then the options were merged back in the command tcpreplay-edit.
The FAQ shows tcpreplay-edit --mtu-trunc is now the equivalent of the previous -T option and should imply -C to correct the checksum, but you may need --mtu=n if you aren't dealing with a standard 1500 or need -F if part of the problem is inconsistent header and real length at collection time.