We capture many pcap files every day on many different multicast groups. For the purposes of testing & benchmarking, we wish to replay these files in an isolated environment and in a controlled way. These pcap files are captured simultaneously, but on different multicast groups & ports.
I want to replay these files back on to the network (possibly with ttl=0 or 1) in the order in which the packets were recorded, and on different (and specifyable) multicast groups. This ordering must be synchronized accross all of the files being played back.
For example, suppose we have two capture files, foo.pcap and bar.pcap. We want to replay foo.pcap packets on mcast group 239.255.0.1:30001, and the bar.pcap packets should be replayed on 239.255.0.2:30002.
foo.pcap has packets recorded at time offsets 0, 1, and 5. bar.pcap has packets recorded at time offsets (relative to foo.pcap) 3, 4, and 5.
So what I'm looking for is a way to replay these packets in an order synchronized accross both foo.pcap and bar.pcap. In other words, the first 2 packets from foo.pcap should go out on to 239.255.0.1:30001, and then the first two packets from bar.pcap should go out on 239.255.0.2:30002, and then the past packet from foo.pcap should go out at the same time (or close to it) as the last packet from bar.pcap.
We also need to be able to tune the rate at which packets are replayed. eg, at recorded speed; 10x recorded speed; 1 GB/sec; etc.
How can I accomplish this?
I have looked in to tools such as tcpreplay and bittwist, but these tools either won't send on different groups, or won't synchronize the egress order across all the files.
I will be working in Linux only (RHEL 6.5 primarily & also Ubuntu 12.04)
Best Answer
I've done this sort of thing before using
tcpreplayandmergecap(one of the tools that is distributed with Wireshark). The first step is to usetcprewrite(part of tcpreplay) to edit the destination IPs of foo.pcap to be first address you are looking to send as, and bar.pcap to be the second. Then usemergecapto merge the packets chronologically so you get them interleaved the way that you want. Note that when using mergecap, you might need to first edit the timestamps of the packets (e.g. if you took foo.pcap a day before bar.pcap, they won't interleave). In that case, you can useeditcap(another tool from wireshark) to modify the packet times.The really difficult part is going to be playing them back with the timing options that you want. Depending on the speed of the original captures, and your tolerance for variance, you might be all set simply using
tcpreplay --multiplier=XXX. But if the traffic rate is fast, or you need it to be really precise, then you are going to be out of luck until you invest in special hardware from vendors like Spirent or Ixia. Note that if you do buy one of those tools, they have utilities that can do all the packet manipulation for you as part of the setup process.