[c-nsp] Speaking of Netflow: how about a tcpreplay for netflow?

[Joel M Snyder]

I have an application where I actually want to "replay" netflow traffic.
The problem is that the NetFlow packets have real absolute timestamps in them,
which means that if you replay the traffic, it doesn't do you much good unless 
you want to pretend you're at a time when the traffic was captured.  (which is 
not part of my application)

I have looked for a netflow replay tool, and I've found a couple of ones that
sort-of fit the bill: nfdump will replay the packets, but it won't slew the 
timestamps.

There's also a couple of tools (canine is the best) which do anonymization, 
which might involve playing with timestamps.

However, neither of them do what I actually need, which is to replay netflow as 
if it were happening live NOW.  In other words, take the first timestamp, 
compute a delta from "now" to that timestamp, and add that delta to every single 
timestamp you replay.

I'm not opposed to diving into nfdump and adding that feature (hey, this is what 
open source is all about), but I'd rather see if anyone has a tool that already 
works.  Options?  (please: don't send me a link to some web page you found by 
typing "netflow replay" into Google; I already read all those, and while I 
appreciate you trying to be helpful, I'm hoping for someone who has experience 
with a tool to tell me "this works.")

If you haven't looked at a lot of Netflow tools, there's an excellent resource 
list (and meta pointer list) at:
http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

Thanks for any help!

jms
-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms