[c-nsp] Speaking of Netflow: how about a tcpreplay for netflow?

Frank Bulk frnkblk at iname.com
Fri Jan 11 17:11:53 EST 2008 

What about Bittwist?

http://bittwist.sourceforge.net/

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joel M Snyder
Sent: Friday, January 11, 2008 11:12 AM
To: Cisco NSP; Joel M Snyder
Subject: [c-nsp] Speaking of Netflow: how about a tcpreplay for netflow?

I have an application where I actually want to "replay" netflow traffic.
The problem is that the NetFlow packets have real absolute timestamps in
them,
which means that if you replay the traffic, it doesn't do you much good
unless
you want to pretend you're at a time when the traffic was captured.  (which
is
not part of my application)

I have looked for a netflow replay tool, and I've found a couple of ones
that
sort-of fit the bill: nfdump will replay the packets, but it won't slew the
timestamps.

There's also a couple of tools (canine is the best) which do anonymization,
which might involve playing with timestamps.

However, neither of them do what I actually need, which is to replay netflow
as
if it were happening live NOW.  In other words, take the first timestamp,
compute a delta from "now" to that timestamp, and add that delta to every
single
timestamp you replay.

I'm not opposed to diving into nfdump and adding that feature (hey, this is
what
open source is all about), but I'd rather see if anyone has a tool that
already
works.  Options?  (please: don't send me a link to some web page you found
by
typing "netflow replay" into Google; I already read all those, and while I
appreciate you trying to be helpful, I'm hoping for someone who has
experience
with a tool to tell me "this works.")

If you haven't looked at a lot of Netflow tools, there's an excellent
resource
list (and meta pointer list) at:
http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

Thanks for any help!

jms
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list