Working With a Pcap Record¶
Note
This section is based on the experience of the Elecard company in implementing and using Boro probes. Unless specified otherwise, the operations described in this section are performed on Linux. We highly recommend using Linux to run Boro probes in high-load applications.
To analyze a Pcap record, you need to retrieve a transport stream from it. After retrieval, you can stream it over the network or play it on a local computer to reproduce the error state. You can get a stream from multiple records, but you need to “paste them together” first.
Getting a Stream From a Pcap Record¶
To get a stream from a Pcap record, use one of the tools below.
Gstreamer
Gstreamer is a framework for building multimedia applications, e.g. for file playback. It is included in most Linux distributions. If necessary, install Gstreamer using superuser rights.
Note
Gstreamer doesn’t support the pcapng format. You need to convert it into pcap (see the corresponding section).
You can retrieve a stream from a Pcap record using the following command:
gst-launch-1.0 -v filesrc location=/path/to/file.pcap ! pcapparse dst-ip=239.1.13.102 dst-port=1234 ! filesink location=/path/to/file.ts
In this example, a stream with the multicast address 239.1.13.102:1234 is retrieved. The address can be found in the JSON description of a record. Instead of /path/to/file, write the path to the Pcap record, e.g. /opt/myDump/dump.pcap. In the same way, specify the location where the resulting stream file with the ts extension will be placed.
If a Pcap record contains multiple streams (recorded by a third-party app without filters), you can use any combination of the following pcapparse arguments to select the stream you need: src-ip, src-port, dst-ip, dst-port.
You can also retrieve a stream from multiple Pcap files (the files will be sorted and pasted together based on their names!):
gst-launch-1.0 -v filesrc location=<(mergecap -w - path/to/pcap/files/*.pcap) ! \
    pcapparse dst-ip=239.1.13.102 dst-port=1234 ! \
    filesink location=path/to/file.ts
Sometimes, MPEG-TS is additionally wrapped in the RTP protocol. A clear sign of this is a UDP payload size of 1328 bytes (a 12-byte RTP header + 7 transport stream packets of 188 bytes each). If you need to retrieve such a stream, use the command:
gst-launch-1.0 -v filesrc location=/path/to/file.pcap ! pcapparse dst-ip=239.1.13.102 dst-port=1234 ! \
    application/x-rtp,encoding-name=MP2T,clock-rate=90000 ! rtpmp2tdepay ! filesink location=path/to/file.ts
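The same selection can be done without Gstreamer. The following script is an added example and is not part of the Elecard documentation: it parses a classic pcap file, keeps only the UDP datagrams addressed to the chosen multicast address and port, strips the 12-byte RTP header when the 1328-byte sign described above is present, and rejects pcapng just as pcapparse does. The build_frame and build_pcap helpers exist only to construct a sample capture in memory; the source address 172.20.7.1 and the destination 239.1.13.102:1234 are taken from this page.

```python
import socket
import struct
TS_PKT, RTP_HDR = 188, 12  # MPEG-TS packet size and fixed RTP header size

def build_frame(dst_ip, dst_port, payload):
    """Constructed Ethernet/IPv4/UDP frame for a sample capture (checksums left zero)."""
    udp = struct.pack("!HHHH", 1234, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("172.20.7.1"), socket.inet_aton(dst_ip))
    return bytes.fromhex("01005e010d66" "001122334455" "0800") + ip + udp

def build_pcap(frames):
    """Constructed little-endian classic pcap (magic a1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i * 1000, len(f), len(f)) + f
    return out

def frames_in(pcap):
    """Yield captured frames; pcapng (different magic) is rejected, as pcapparse does."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file; convert pcapng with mergecap -F pcap")
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<III", pcap, off)[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen

def udp_payload(frame, dst_ip, dst_port):
    """UDP payload if the frame is IPv4/UDP addressed to dst_ip:dst_port, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17 or socket.inet_ntoa(frame[30:34]) != dst_ip:
        return None
    udp = frame[14 + (frame[14] & 0x0F) * 4:]  # honour the IPv4 header length (IHL)
    dport, ulen = struct.unpack_from("!HH", udp, 2)
    return udp[8:ulen] if dport == dst_port else None

def extract_ts(pcap, dst_ip, dst_port):
    """Return (ts_bytes, udp payload sizes, number of RTP-wrapped datagrams)."""
    ts, sizes, rtp = bytearray(), [], 0
    for frame in frames_in(pcap):
        p = udp_payload(frame, dst_ip, dst_port)
        if p is None:
            continue
        sizes.append(len(p))
        # RTP sign from the text: 12-byte header (version 2) + whole TS packets, 7*188+12 = 1328
        if len(p) % TS_PKT == RTP_HDR and p[0] >> 6 == 2 and p[RTP_HDR] == 0x47:
            p, rtp = p[RTP_HDR:], rtp + 1
        ts += p
    return bytes(ts), sizes, rtp
```

The returned payload sizes are the UDP data lengths (udp.length minus the 8-byte UDP header), so a run of 1328 values is the RTP sign; datagrams that are not RTP-wrapped are copied unchanged.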
tshark
The tshark utility is the console version of the Wireshark packet capture program. To get a stream using tshark, execute the following command:
tshark -r "/path/to/file.pcap" -z follow,udp,raw,0 -q |
grep -Ev '^(Follow|Filter|Node [01]): ' |
grep -Ev '^={60,80}$' |
xxd -r -p >"/path/to/file.ts"
In the example, tshark retrieves the first UDP stream, indicated by the number 0.
Instead of selecting by UDP stream number, you can set a more explicit filter using the expression follow,udp,raw,<src-ip>:<src-port>,<dst-ip>:<dst-port>.
The tshark utility supports both pcap and pcapng formats.
Wireshark
To retrieve a stream in Wireshark, use a special lua script. The script and guidelines on how to use it are available via the link. The script works slowly.
Playing a Stream From a Pcap Record Over the Net¶
You can stream a record over the net using one of the tools below.
Gstreamer
To play a stream in Gstreamer, you will need a filter from the gstreamer1.0-plugins-bad module.
Note
Gstreamer doesn’t support the pcapng format. You need to convert it into pcap (see the corresponding section).
To start streaming, execute the following command:
gst-launch-1.0 -v filesrc location=/path/to/file.pcap ! pcapparse dst-ip=239.1.13.102 dst-port=1234 ! udpsink bind-address=127.0.0.1 host=224.1.1.1 port=5000 auto-multicast=true
In the example, a stream with the address 239.1.13.102:1234 is retrieved from a Pcap record and then sent to the address 224.1.1.1:5000 on localhost.
The streaming speed will correspond to the speed of the original stream.
When you play a stream, the mapping (the number of TS packets wrapped in one IP packet) will most likely be preserved, but TTL and TOS/DSCP will not.
You can set them in the udpsink filter after the port number, e.g. ttl-mc=1, qos-dscp=0.
tcpreplay
You can stream a Pcap file over the network using the tcpreplay utility (see its official documentation). The packets you send will be identical to those saved in the record. If necessary, you can change the MAC and IP addresses as well as the port numbers in the recording using the tcprewrite utility.
Attention
When using tcpreplay, you can’t receive the stream on the same computer from which you are streaming it. Besides, the program fully occupies one processor core to synchronize the timing of packet sending with the timing in the recording.
Useful Information¶
This section describes additional actions that can be useful when analyzing a Pcap record.
Converting Pcapng Into Pcap¶
The pcapparse plugin in Gstreamer accepts only pcap files.
To convert pcapng into pcap, use one of the two methods below:
Open the file in Wireshark and save it in the required format.
Convert the file using the mergecap command (installed together with tshark):
mergecap -F pcap in.pcapng -w out.pcap
Instead of in.pcapng and out.pcap, type in the path to the original Pcapng file and the path to the location where the Pcap file will be placed.
Pasting Multiple Pcap Records Together¶
You can join multiple records into one (the files will be sorted and pasted together based on their names!) using the following command:
mergecap -F pcap path/to/pcap/files/*.pcap -w result.pcap
Viewing Traffic Statistics¶
You can view UDP traffic statistics within the stream using the following command:
tshark -nq -r in.pcap -z conv,udp
# ================================================================================
# UDP Conversations
# Filter:<No Filter>
# | <- | | -> | | Total | Relative | Duration |
# | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
# 172.20.7.1:2021 <-> 231.14.7.1:2021 0 0 110342 149844436 110342 149844436 0,000000000 64,5365
# ================================================================================
To view UDP datagram length statistics, for example to check whether a stream is wrapped in RTP (udp.length includes the 8-byte UDP header, so a constant value of 1336 corresponds to the 1328-byte payload described above), use the command:
tshark -nq -r in.pcap -z 'io,stat,0,AVG(udp.length)udp.length,MIN(udp.length)udp.length,MAX(udp.length)udp.length,COUNT(udp)udp'
# ================================================
# | IO Statistics |
# | |
# | Duration: 119.9 secs |
# | Interval: 119.9 secs |
# | |
# | Col 1: AVG(udp.length)udp.length |
# | 2: MIN(udp.length)udp.length |
# | 3: MAX(udp.length)udp.length |
# | 4: COUNT(udp)udp |
# |----------------------------------------------|
# | |1 |2 |3 |4 |
# | Interval | AVG | MIN | MAX | COUNT |
# |----------------------------------------------|
# | 0.0 <> 119.9 | 1336 | 1336 | 1336 | 341626 |
# ================================================