Replay UDP Packet Capture

sniffing playback

I have a UDP packet capture which was streamed from Port1 on IP1 to Port2 on IP2 on network N1. I need to replay these packets on another network N2 from Port3 on IP3 to Port4 on IP4.

I need to know what software to use in order to do this and how I would go about replaying these packets so that I can detect/capture them again in N2.

So far, I've tried strictly replaying these packets using a program called Colasoft Packet Player, with little luck.


tcpreplay (http://tcpreplay.synfin.net) would also appear be able to do what you want, maybe in a single step using the tcprelat-edit program, but I haven't personally run this software.

From the tcpreplay-edit overview:

tcpreplay has evolved quite a bit over the years. In the 1.x days, it merely read packets and sent then back on the wire. In 2.x, tcpreplay was enhanced significantly to add various rewriting functionality but at the cost of complexity, performance and bloat. Now in 3.x, tcpreplay has returned to its roots to be a lean packet sending machine and the editing functions have moved to tcprewrite and a powerful tcpreplay-edit which combines the two.

Since tcpreplay-edit includes all the functionality of both tcpreplay and tcprewrite please see those wiki pages for how to use tcpreplay-edit.


BitTwist (http://bittwist.sourceforge.net) should be able to do what you want.

With Bit-Twist, you can now regenerate your captured traffic onto a live network! Packets are generated from tcpdump trace file (.pcap file). Bit-Twist also comes with a comprehensive trace file editor to allow you to change the contents of a trace file.

The "trace file editor" part is what you are most interested in here.

I think you need to transform in two passes: one to change the IP addresses, another to change the UDP port numbers. I believe you can do this in either order.

bittwiste -I original.pcap -O changedip.pcap -T ip -s IP1,IP3 -d IP2,IP4
bittwiste -I changedip.pcap -O changedipandport.pcap -T udp -s Port1,Port3 -d Port2,Port4

where you need to stick in the IP addresses and port numbers, eg

bittwiste -I original.pcap -O changedip.pcap -T ip -s 192.168.0.1,10.10.0.3 -d 192.168.0.2,10.10.0.4
bittwiste -I changedip.pcap -O changedipandport.pcap -T udp -s 12345,24680 -d 80,8080

If your original capture file only has the IPs and port numbers of your original machines, you can simplify this by not mentioning the old IPs and port numbers in the edit commands, eg

bittwiste -I original.pcap -O changedip.pcap -T ip -s 10.10.0.3 -d 10.10.0.4
bittwiste -I changedip.pcap -O changedipandport.pcap -T udp -s 24680 -d 8080

to generate packets from 10.10.0.3:24680 to 10.10.0.4:8080.

From a machine in your network N2, you should be able to play back the changedipandport.pcap file using Colasoft Packet Player (http://www.colasoft.com/packet_player) or the commandline BitTwist player, eg

bittwist -i 1 changedipandport.pcap

where the "1" here is device 1. Use bittwist -d to list the devices.

There are other nifty options with the BitTwist player that you can't do with the Colasoft Packet Player, notably by changing the speed of the packets sent by a multiplier (eg 5 times original speed or 0.1 times original speed).

I have successfully tested this method using Wireshark (http://www.wireshark.org) to capture OSC data (UDP packets) sent from TouchOSC on an i-device to my laptop (via WiFi) at port 8000, using bittwiste (the editor) to change destination IP address to my wired ethernet adapter address and the UDP port to 8001, then replaying using bittwist (the player) to a Pure Data (http://puredata.info) patch listening on port 8001.

Related

Is flash storage affected by magnetic fields?
Transparent background in Notepad++?
Any way to change dark Netbeans IDE theme?
Proof that monotone functions are integrable with the classical definition of the Riemann Integral
Improper integral from 1 to infinity $\Rightarrow$ integrated function converges towards zero?
Shortest Path and Minimum Curvature Path - implementation
$G$ is a group $,H \cong K$, then is $G/H \cong G/ K$?
How many $k$ tuples of subsets $S_1,...,S_k$ are there such that $S_1 \cap ..... \cap S_k = \emptyset $.
Is the union of finitely many open sets in an omega-cover contained within some member of the cover?
maximum area of a rectangle inscribed in a semi - circle with radius r.
Sum of first n natural numbers proof
Maximizing the trace in an elegant way