1
votes

I have one pcap file (~90M), and I want to replay that file. I came across scapy, and it provides a way to read the pcap file and replay it. I tried the following two ways to replay the packets:

from scapy.all import rdpcap, sendp
sendp(rdpcap(<filename>))  # rdpcap() loads every packet into memory first

and

from scapy.all import PcapReader, sendp
pkts = PcapReader(<filename>)  # reads packets lazily, one at a time
for pkt in pkts:
    sendp(pkt)

The first one gave me a memory error: memory consumption of the python process went up to 3 gig and finally it died. But the second option worked fine for me because it did not read the whole file into memory. I have the following three questions:

  1. Is a 90M pcap file too big for scapy to replay?

  2. Whenever we use tcpdump/wireshark, every packet has its timestamp associated with it. Assume packet 1 came at time T and packet 2 came at time T+10: will scapy replay the packets in a similar manner, the first packet at time T and the second at T+10? Or will it just keep sending them in a loop? I think the latter is the case with PcapReader.

  3. If the answer to the above question is no (it just replays in a loop, without considering the packet inter-arrival time), do we have any other python library which can do this job for me? Even python is not a constraint for me.


2 Answers

1
votes

To answer your first question, well, it sounds like you answered it yourself! Try running the first option again on another pcap file that's 40-50 MB instead and see if that errors out. That way you can at least check if the file is too big for your system in combination with Scapy to handle (not enough RAM in your system to handle how Scapy runs its algorithms, as it was built to handle a few packets at a time, not a 90MB pcap file) or if it's just something in the code.

To answer your second question, based off of reading I've been doing on Scapy over the past few weeks, I strongly believe that this is a yes. However, I don't know of any sources off the top of my head to back up this verification.

Ninja edit - I saw this on another StackOverflow question - Specify timestamp on each packet in Scapy?

While that is for a single packet - if every packet is timestamped within Scapy then I imagine that it would be the same for every packet in a large pcap file that you read in. In this way when you replay the packets it should go in the same order.

A lot of educated guessing going on in this answer, hope it helps you though!

1
votes
  1. No. It shouldn't take up 3GBs of memory. I frequently open up larger pcap files on machines with only 2GBs of memory. Just try doing pkts = rdpcap(<filename>) to see how much memory that takes, then go from there. If the problem persists, you may wish to try different versions of scapy.

  2. No, sendp() does not do this by default. You could try the realtime parameter (type help(sendp) on the console). But overall, based on my experience, scapy isn't so good at keeping accurate timing.

  3. tcpreplay (Linux CLI tool) is what I use. It has many options including various time keeping mechanisms.
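
An added example (not part of the original question or answers) covering both points raised above: it streams a classic pcap file one record at a time so memory stays flat regardless of file size, and it paces each frame by its capture timestamp. It uses only the standard library and does not handle pcapng; `iter_pcap`, `replay`, `build_sample_pcap` and the caller-supplied `send` callable are names assumed for this sketch.

```python
import io
import struct
import time

# magic bytes -> (struct endianness, seconds per timestamp tick)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e-6), b"\xa1\xb2\xc3\xd4": (">", 1e-6),
    b"\x4d\x3c\xb2\xa1": ("<", 1e-9), b"\xa1\xb2\x3c\x4d": (">", 1e-9),
}

def iter_pcap(fh):
    """Yield (timestamp_seconds, frame_bytes) lazily; only one frame is held at a time."""
    header = fh.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian, tick = PCAP_MAGICS[header[:4]]
    while True:
        rec = fh.read(16)
        if len(rec) < 16:
            return  # clean EOF or truncated record header
        sec, frac, caplen, _origlen = struct.unpack(endian + "IIII", rec)
        frame = fh.read(caplen)
        if len(frame) < caplen:
            return  # truncated capture: stop rather than send a partial frame
        yield sec + frac * tick, frame

def replay(fh, send, speed=1.0, sleep=time.sleep, clock=time.monotonic):
    """Call send(frame) at each frame's original offset from the first packet."""
    start = first_ts = None
    count = 0
    for ts, frame in iter_pcap(fh):
        if first_ts is None:
            first_ts, start = ts, clock()
        # Schedule against the start time so per-packet sleep error does not accumulate.
        wait = (ts - first_ts) / speed - (clock() - start)
        if wait > 0:
            sleep(wait)
        send(frame)
        count += 1
    return count

def build_sample_pcap(packets):
    """Constructed sample capture: little-endian, microsecond stamps, Ethernet linktype."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_us, frame in packets:
        out += struct.pack("<IIII", ts_us // 10**6, ts_us % 10**6, len(frame), len(frame))
        out += frame
    return io.BytesIO(out)
```

On Linux, `send` can be the `send` method of a `socket.AF_PACKET` raw socket bound to the outgoing interface, which requires root. Timing is limited by `time.sleep` granularity, so sub-millisecond gaps will not be reproduced exactly.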