HowTo Analyse NetFlow/IPFIX/sFlow pcap Traces


Dumping sFlow/NetFlow/IPFIX flows in pcap format can be very useful for troubleshooting or for creating a compact traffic dump. For instance, you can capture flow traffic with n2disk (or wireshark, or tcpdump), store it in pcap format, and later share it through a shared disk or send it by email. Flows are usually analysed live with nProbe/ntopng, but how can you analyse them when they have been saved in pcap format rather than captured from the wire?

The nProbe package includes a companion tool that allows flows to be extracted from a pcap file and reproduced as if they were sent on the wire.

Welcome to sendPcap: sFlow/NetFlow/IPFIX pcap flow replay
Copyright 2011-23 ntop.org

sendPcap -i <file>.pcap [-p <port>] [-n <num pkts>]
         [-d <destination IP>] [-l] [-1 <num>] [-s]
         [ -f <filter> ] [-6][-t <pps>]

Usage:
    -i <file>.pcap Pcap to reply
    -p <port>      Collector port
    -d <IP>        Collector IP address
    -f <filter>    BPF Filter
    -l             Replay the pcap in loop
    -1 <num>       Replay packets in bunches of <num>
    -s             Replay the pcap at the original speed
    -6             Send flows over IPv6
    -t <pps>       Replay this packet rate (packets/second)

This tool takes as input a pcap file containing the flows and reproduces it, resending the original flows to the local <port> specified. Please make sure that the pcap contains only flow packets: if this is not the case, filter them first (e.g. tcpdump -r unfiltered.pcap -w filtered.pcap "<filter>") before passing the pcap to the tool, or use -f <filter> to skip packets that do not contain flows.
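A quick way to check the "only flow packets" requirement before replaying is to walk the pcap and label each packet by the collector port and the version field of its payload. The example below is added here and is not part of nProbe or sendPcap; it builds a small constructed pcap in memory (Ethernet link type, IPv4/UDP, zeroed checksums) and assumes the common default collector ports 2055 (NetFlow), 4739 (IPFIX) and 6343 (sFlow).

```python
import struct

# Assumed default collector ports; adjust if your exporters use others.
FLOW_PORTS = {2055: "NetFlow", 4739: "IPFIX", 6343: "sFlow"}

def _frame(dport, payload, proto=17):
    """Constructed Ethernet/IPv4 frame carrying UDP (proto 17) or TCP (6); checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 17:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4

def build_pcap(frames):
    """Classic pcap: 24-byte global header (link type 1 = Ethernet) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames, start=1_600_000_000):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

# Constructed sample capture: three flow datagrams plus one unrelated TCP segment.
SAMPLE_PCAP = build_pcap([
    _frame(2055, struct.pack("!HH", 9, 1) + b"\x00" * 16),   # NetFlow v9 header (version, count)
    _frame(4739, struct.pack("!HH", 10, 16) + b"\x00" * 12), # IPFIX header (version 10, length)
    _frame(6343, struct.pack("!II", 5, 1) + b"\x00" * 20),   # sFlow v5 datagram (version is 4 bytes)
    _frame(443, b"GET", proto=6),                            # plain TCP: must be filtered out
])

def classify_packets(pcap):
    """Return one label per packet: '<protocol> v<version>' or 'non-flow'."""
    off, labels = 24, []
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        label = "non-flow"
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":      # IPv4 only
            ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
            l4 = frame[14 + ihl:]
            if proto == 17 and len(l4) >= 12:                      # UDP with >= 4 payload bytes
                dport = struct.unpack_from("!H", l4, 2)[0]
                if dport in FLOW_PORTS:
                    name = FLOW_PORTS[dport]
                    ver = struct.unpack_from("!I" if name == "sFlow" else "!H", l4, 8)[0]
                    label = f"{name} v{ver}"
        labels.append(label)
    return labels

def non_flow_indices(pcap):
    """Indices of packets that sendPcap should not see; non-empty means filter first or use -f."""
    return [i for i, l in enumerate(classify_packets(pcap)) if l == "non-flow"]

def bpf_filter():
    """BPF expression matching only the assumed collector ports, usable with tcpdump or -f."""
    return "udp and (" + " or ".join(f"port {p}" for p in sorted(FLOW_PORTS)) + ")"
```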

Once you have your pcap ready you need to start nProbe and ntopng. In the example below we assume that all tools run on the same host. Supposing you want to resend flows to an nProbe instance collecting on port 2055, run:

  • ntopng -i tcp://127.0.0.1:1234 --disable-purge
  • nprobe -i none -3 2055 --zmq tcp://127.0.0.1:1234

Note that in ntopng we use the flag "--disable-purge", which tells ntopng not to purge flows after they have been received. This is important because reproducing flows from a pcap causes ntopng to receive flows whose timestamps are in the past: without this flag, the flows would be purged immediately, as they are considered expired with respect to the current time, and therefore they would never appear in the ntopng interface. Of course this flag should be used only for debugging purposes, as disabling purge increases memory usage because data is not released when it is no longer necessary.

Once the tools are started, you can send the flows stored in the flows.pcap file as follows:

  • sendPcap -i flows.pcap -p 2055

By default sendPcap sends flows as fast as possible, which can be too fast or unrealistic. For this reason you can add the flag -s to reproduce the flows at the same speed at which they were collected, or send them in batches (-1). You can stress-test the collection pipeline using -l to reproduce the pcap in a loop.

Please note that flows keep their original timestamps (i.e. the date/time is not rewritten to the current date), so you see the flows exactly as they were originally exported.

Enjoy !