1
votes

Is there any way to replay a pre-recorded pcap file in reverse order? That is, starting from the last packet in the file and without changing the delay between packets?

I also tried reversing the pcap itself using scapy as follows:

>>> from scapy.all import *
>>> pkts = rdpcap("telemetry.pcap")
>>> pkts.reverse()
>>> wrpcap("telemetry_rev.pcap", pkts)

This code actually works, in the sense that the packet order in the file is inverted. The problem is that it doesn't touch the packets' timestamps, so I ended up with a negative delay between packets (look at the image below), which is not handled by tcpreplay. Any idea?

enter image description here

1 Answer

1
votes

Wireshark offers a "Time Shift" feature. You could try Edit -> Time Shift on the reversed file, and then set the time for packet 1 to some time of your choosing, followed by setting the time for the last packet to another time of your choosing, and let Wireshark extrapolate the timestamps for all other packets in between.

You might also want to look into editcap, which also offers a time adjustment feature.
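
An added example, not part of the original question or answer: one way to reverse the packet order and mirror the timestamps at the same time, so each new packet gets `first + (last - original_time)` and the gaps stay positive. It parses the classic pcap format directly (not pcapng), assumes the capture is in chronological order, and the function names are hypothetical.

```python
import struct

MAGICS = {0xA1B2C3D4: 10**6, 0xA1B23C4D: 10**9}  # magic -> timestamp ticks per second

def read_pcap(data):
    """Parse a classic pcap into (endian, ticks_per_sec, global_header, records)."""
    for endian in "<>":
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    res, records, off = MAGICS[magic], [], 24
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        # Keep the timestamp as integer ticks to avoid float rounding.
        records.append((sec * res + frac, orig, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return endian, res, data[:24], records

def reverse_pcap(data):
    """Reverse packet order and mirror timestamps around the capture window."""
    endian, res, header, records = read_pcap(data)
    if not records:
        return data
    first, last = records[0][0], records[-1][0]
    out = [header]
    for ticks, orig, payload in reversed(records):
        new = first + (last - ticks)  # the original last packet now plays at `first`
        out.append(struct.pack(endian + "IIII", *divmod(new, res), len(payload), orig))
        out.append(payload)
    return b"".join(out)

def build_sample():
    """Constructed three-packet capture with gaps of 0.5 s and 2.0 s."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [(100, 0, b"A"), (100, 500000, b"BB"), (102, 500000, b"CCC")]
    body = b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p for s, u, p in pkts)
    return hdr + body

if __name__ == "__main__":
    # File names taken from the question.
    with open("telemetry.pcap", "rb") as f, open("telemetry_rev.pcap", "wb") as g:
        g.write(reverse_pcap(f.read()))
```

On the constructed sample the reversed file has gaps of 2.0 s and then 0.5 s, which is the original sequence of delays played backwards.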