Tcpreplay 3.3.1 and the future

I’m proud to release the second stable version of the Tcpreplay 3.3 train. Things seem pretty stable right now, with many end-user reported bugs resolved. I’m not sure, but I’m hoping this is the last of the 3.3.x series so I can start working on new features.

That’s where things start to get interesting… If you look at the open feature tickets you’ll see there are a lot of complex ideas. There are three main ideas I’m considering:

  1. Create a tcprewrite packet editing language. This could be simple declarative statements or via a full blown embedded language like Ruby or Lua.
  2. Add tomahawk-like features: multiply flows and wait for packets before sending. I’d have to do something significantly better then tomahawk does for this to be worthwhile. No point just re-inventing the wheel.
  3. Generate graphs of hosts & traffic by utilizing Graphviz and tcpprep cache files

Of the three, the packet editing language and graphing seems to be the most unique features. The only pcap packet editing solution I’m aware of if is NetDude which is a bit clunky and requires people to develop plugins in C. Of course this is also the most complex feature and easiest to miss the mark on (complexity vs. power). There’s a lot of use cases that would need to be developed and I’d need to better understand my users. So far, most of the users have been unable/unwilling to provide much in the way of requirements for this feature, so unless I can find a few users willing to step up and help out I’m loathe to put a lot of effort into this and nobody use it because it’s too hard to learn/use or not powerful enough.

As for tomahawk, well what can I do better? Obviously higher performance would be good, but it’s hard to imagine I could do significantly better (going multi-threaded maybe?). Adding proper support for routers would be good too, but seems like a small corner case benefit. I’d probably just be better off adding the multiply flows feature (which has been asked for many times) and continue to skip reading packets.

I think though that being able to generate graphs of the traffic contained within a pcap would really help people visualize and understand the traffic. Wireshark of course has a lot of reporting features, but can’t do anything like I’ve proposed. The more I think about it, this seems to be a gateway feature which could grow the Tcpreplay user base and enhance the effectiveness of tcprewrite.

Leave a Reply

Your email address will not be published. Required fields are marked *