Replay Service
The replay service is a self-built tool to replay captured traffic to any target. It is mainly intended to ease development and to fix bugs and issues with certain types of traffic.
The replay service is part of the `Docker/docker-compose.yml` file and can be activated by enabling the `dev` profile (`docker compose --profile dev up`). Reference the Docker-Services page for more information.
Before starting, make sure to configure the necessary variables in the `.env` file. This service is configured with two environment variables:
- `REPLAY_FILE`: Configures the file to replay, found in `Docker/replay/captures`. Pass only the name of the file, like `netflow9-1.pcap`.
- `REPLAY_TARGET`: The destination to which the traffic should be replayed. Examples can be found in the `.env` file.
The replay service only supports replaying UDP packets supplied in a .pcap file. Other file formats and protocols are currently not supported. On startup it uses `tshark` to extract the packet content into a temporary file, which a Python script then sends to the destination with a 1 second delay between each transmitted packet. This process never ends; when the end of the file is reached it repeats from the beginning.
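The extract-and-send loop described above, as an added Python example that is not the project's own replay script: it assumes tshark has already written one hex-encoded UDP payload per line (for instance `tshark -r capture.pcap -T fields -e udp.payload`, an assumed invocation), and the function names, the test-only `max_packets` hook and the sample bytes are constructed here.

```python
import itertools
import socket
import time
from typing import List, Optional, Tuple

# Constructed sample of the intermediate file: one UDP payload per line, hex
# encoded as tshark's udp.payload field prints it (colon separated in older
# releases, plain hex in newer). Bytes only mimic a NetFlow v9 header.
SAMPLE_DUMP = """\
00:09:00:01:00:00:03:e8:65:00:00:00:00:00:00:01:00:00:00:2a
0009000200000bb865000005000000020000002a
"""

def parse_payloads(text: str) -> List[bytes]:
    """Turn the hex dump into raw UDP payloads, one bytes object per packet."""
    payloads = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hexstr = line.strip().replace(":", "").replace(" ", "")
        if not hexstr:
            continue  # blank lines carry no packet
        try:
            payloads.append(bytes.fromhex(hexstr))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: not a hex payload") from exc
    return payloads

def parse_target(target: str) -> Tuple[str, int]:
    """Split a REPLAY_TARGET-style 'host:port' string into (host, port)."""
    host, _, port = target.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"bad target {target!r}, expected host:port")
    return host, int(port)

def replay(payloads: List[bytes], target: Tuple[str, int], delay: float = 1.0,
           max_packets: Optional[int] = None,
           sock: Optional[socket.socket] = None) -> int:
    """Send payloads to target, delay seconds apart, wrapping around at the end.
    Runs forever unless max_packets is set (test hook). Returns packets sent."""
    if not payloads:
        raise ValueError("nothing to replay")
    if sock is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for payload in itertools.cycle(payloads):  # wraps to the start, never ends
        if max_packets is not None and sent >= max_packets:
            break
        sock.sendto(payload, target)
        sent += 1
        time.sleep(delay)  # the service waits 1 second between packets
    return sent
```

Calling `replay(parse_payloads(SAMPLE_DUMP), parse_target("127.0.0.1:2055"))` mirrors the service: it cycles through the two sample packets once a second until interrupted.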
To add new data, place the file into the `Docker/replay/captures` folder and name it following the rough guideline `<protocol>-<running_id>.pcap`, like `netflow9-1.pcap`. Instead of the running_id you can also use a more descriptive summary.
You have to rebuild the container to add these new files, using `docker compose build --no-cache replay`.
In this example we are receiving Netflow 9 data on port 2055 and we wish to extract it to be able to debug the parser. The process will be different for each case but this should provide a decent overview.
Step 1
Finding the correct interface. To be able to capture the data we first need to find the correct interface. Running `ipconfig` results in many virtual ones, but running `ip route | grep default`
-> default via 172.19.80.1 dev ens160 proto static
tells us that the one we are searching for is `ens160`.
Step 2
Actually capturing the packets is fairly easy and can be done with the `tcpdump` command, like `sudo tcpdump -i ens160 'port 2055' -w netflow9-2.pcap`. You have to stop the capturing process manually using Ctrl + C; in this example I terminated it after 2 minutes.
Step 3
Extracting the data from the host is done using `scp`. This has to be run on your host machine; the following command worked just fine: `scp <user>@<server_ip>:~/netflow9-2.pcap Docker/replay/captures/` (sensitive data has been removed, please fill in accordingly).
Now that you have it in the repository you can either commit the files to the repository or share them with team members in another fashion.