PCAP

Some useful command-line tools when working with pcap files.

Ubuntu

$ sudo apt-get install wireshark-common tcpreplay tcpdump

Inspect

$ capinfos cme_globex30_MboS_344_A_20230629.pcap

File name:           cme_globex30_MboS_344_A_20230629.pcap
File type:           Wireshark/tcpdump/... - nanosecond pcap
File encapsulation:  Ethernet
File timestamp precision:  nanoseconds (9)
Packet size limit:   file hdr: 262144 bytes
Number of packets:   3,121 k
File size:           4,553 MB
Data size:           4,503 MB
Capture duration:    84959.283341757 seconds
First packet time:   2023-06-28 21:30:02.543845959
Last packet time:    2023-06-29 21:06:01.827187716
Data byte rate:      53 kBps
Data bit rate:       424 kbps
Average packet size: 1442.76 bytes
Average packet rate: 36 packets/s
SHA256:              8733d24b1d5e47f1c75c63522f0b89258acf8c3756d3cb02d12be943ec24b19a
RIPEMD160:           4ac1550c42ff39142bf55b5921f4bb4e3c0e5a8f
SHA1:                a42d763f61504f3e32478143a84258fc69934d91
Strict time order:   True
Number of interfaces in file: 1
Interface #0 info:
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = nanoseconds (9)
                     Time ticks per second = 1000000000
                     Time resolution = 0x09
                     Number of stat entries = 0
                     Number of packets = 3121619

Merge

$ mergecap -w all.pcap cme_*.pcap

Truncate

$ editcap -A '2023-06-29 10:00:00' -B '2023-06-29 11:00:00' all.pcap trunc.pcap

Replay

Note

You need to run this on another server, I don’t think tcpreplay supports loopback.

$ sudo tcpreplay -i eno1 trunc.pcap

Check

$ sudo tcpdump -i enp2s0 '(host 224.0.31.110 and port 14344) or (host 224.0.32.110 and port 15344) or (host 224.0.31.68 and port 14344) or (host 224.0.32.68 and port 15344) or (host 224.0.31.89 and port 14344) or (host 224.0.32.89 and port 15344) or (host 233.72.75.33 and port 23344) or (host 233.72.75.96 and port 22344)'