Kismet can replay recorded data in the
pcap-ng formats. Pcap files are commonly generated by tools like
tshark, and Kismet itself.
Kismet can replay a pcapfile for testing, debugging, demo, or reprocessing.
Datasource - Pcapfile
The Pcapfile datasource will auto-detect pcap files and paths to files:
$ kismet -c /tmp/foo.pcap
It can be manually specified with
type=pcapfile, as in:
The pcapfile capture uses the ‘kismet_cap_pcapfile’ tool which does not need special privileges.
Currently Kismet supports pcap-ng files with a single interface in the capture; multi-interface captures will appear as coming from a single data source - that of the pcapfile itself.
In addition to the normal options supported by all sources (name, information elements, UUID, etc) the pcapfile source can also support:
pps=rateNormally, pcapfiles are replayed as quickly as possible. On larger pcaps this can lead to CPU and RAM contention, and dropped packets. Specifying a packets-per-second rate throttles processing of the packet to a more sustainable speed. This option cannot be combined with the
realtime=true | falseNormally, pcapfiles are replayed as quickly as possible. On larger pcaps this can lead to CPU and RAM contention, and dropped packets. Specifying
realtime=truein your source definition will reduce the packet processing rate to the original capture rate, and the packets will be processed with real-time delays equal to how they were received.
These options can be used in the kismet.conf and kismet_site.conf, as in:
Or from the command line:
$ kismet -c /tmp/foo.pcap:name=a_meaningful_name,pps=1000