Tcpdump / Tcpreplay

Enable Javascript to display Table of Contents.

Recording Iperf Dump

For capturing the iperf dump, you first start the tcpdump (and later stop it with CTRL+C)...

$ sudo tcpdump -i eth1 udp port 5001 -w tsi_5001_PRE.pcap
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C65547 packets captured
65547 packets received by filter
0 packets dropped by kernel
$

and after that start the iperf client:

$ iperf -u -T 32 -c 10.0.0.4 -b 5M -l 200 -t 20
------------------------------------------------------------
Client connecting to 10.0.0.4, UDP port 5001
Sending 200 byte datagrams, IPG target: 305.18 us (kalman adjust)
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.0.1.137 port 39100 connected with 10.0.0.4 port 5001
[  3] WARNING: did not receive ack of last datagram after 10 tries.
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-20.0 sec  12.5 MBytes  5.24 Mbits/sec
[  3] Sent 65537 datagrams
$

The dump (when not starting an iperf server) has last packets like this:

iperf dump with stop packets

So the packet with number 65537+1 is the stop-packet, which causes the iperf server to stop and show the result. All packets after that - which are sent with a delay of 250ms - are copies of this packets which are sent by the iperf client, since it does not get a acknowledge by the server.

$ editcap -r -F pcap tsi_5001_PRE.pcap tsi_5001_PRE_cut.pcap 1-65538
$

To remove the dupplicate stop packets, we use editcap -r. The flags -F pcap causes to have the pcap file format (instead of pcapnc, which cannot be read by tcpreplay).

$ editcap -r -F pcap tsi_5001_PRE.pcap tsi_5001_PRE_last.pcap 65538
$ mergecap -F pcap -w tsi_5001_PRE_final.pcap tsi_5001_PRE_cut.pcap tsi_5001_PRE_last.pcap
$

To be sure, that the stop-packet is not getting lost - and without any additional delays - we append on copy of the stop-packet manually.

Manipulating the Dump

Changing Destination Port:
We can create a second stream with identical timestamps by creating a copy with an different destination port:
```
$ tcprewrite --portmap=22010:22020 --fixcsum --infile tsi_22010_TEST.pcap --outfile tsi_22010_TEST_to_22020.pcap
$
```

pcap

pcapng

Inserting Time Offset (when having two streams):
- ...
Removing Single Packets:
- ...

Replaying the Dump

Replaying is simply done with the command tcpreplay, with defining the network interface on which the dump shall be replayed:

$ sudo tcpreplay --preload-pcap --intf1=eth1 tsi_5001_PRE_final.pcap
File Cache is enabled
Actual: 65539 packets (15860438 bytes) sent in 20.03 seconds
Rated: 791491.8 Bps, 6.33 Mbps, 3270.62 pps
Statistics for network device: eth1
	Successful packets:        65539
	Failed packets:            0
	Truncated packets:         0
	Retried packets (ENOBUFS): 0
	Retried packets (EAGAIN):  0
$

When replaying two streams, they have to be merged (see mergecap above) before and replayed with one single instance of tcpreplay.