PCAP Publisher Stage

This stage allows you to read a PCAP file and publish its contents as either UDP or TCP packet groups. This allows you to deterministically test sensor interfaces that are parsing/receiving UDP/TCP packet groups.

This stage works similarly to the Log Reader Stage – it will start the simulation at the time that the PCAP file begins, and then publish packets at the same timestamps that they were captured.

Configuration

You can configure the PCAP publisher stage to replay any number of streams. Each stream is configured with a PcapStreamConfiguration, which contains:

  • source_address_match - Matcher for the packet's source address. Packets whose source address matches are published.
  • destination_address_match - Matcher for the packet's destination address. Packets whose destination address matches are published.
  • publisher_name - The full publisher name to write packet groups on.
  • group_size - Number of packets to group before publishing.
  • minimum_time - The start time to begin publishing packets from (also --minimum-time on the command line).

These are placed into a PcapPublisherStageConfiguration:

  • pcap_path - The input path to the PCAP file you wish to play back.
  • udp_streams - The stream configurations for UDP sockets.
  • tcp_streams - The stream configurations for TCP sockets.

Note that the address matchers can be regular expressions. For example, .*:8080 will match any address on port 8080.

Further, if you don’t specify a matcher, everything will match. In other words, if you have just a source matcher, only packets that match the source matcher will be transmitted. If you have both a source and destination matcher, packets need to match both the source and destination to be transmitted.
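
A small Python model of the stream filtering described above, added here as an illustration and not taken from the stage's implementation. It assumes addresses are compared as "ip:port" strings, that a pattern must match the whole string, and that a trailing incomplete group is not published; the names StreamConfig, matches and replay are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class StreamConfig:
    """Models the PcapStreamConfiguration fields listed above."""
    publisher_name: str
    group_size: int = 1
    source_address_match: Optional[str] = None
    destination_address_match: Optional[str] = None
    minimum_time: float = 0.0


def matches(pattern, address):
    # An unset matcher matches everything.
    # Assumption: the pattern has to match the whole "ip:port" string.
    return pattern is None or re.fullmatch(pattern, address) is not None


def replay(cfg, packets):
    """Return the packet groups one stream would publish, in capture order."""
    groups, current = [], []
    for timestamp, src, dst, payload in packets:
        if timestamp < cfg.minimum_time:
            continue  # before the configured start time
        # Source and destination matchers must both accept the packet.
        if not (matches(cfg.source_address_match, src)
                and matches(cfg.destination_address_match, dst)):
            continue  # the stage would count this packet as filtered
        current.append(payload)
        if len(current) == cfg.group_size:
            groups.append(current)
            current = []
    return groups  # assumption: an incomplete final group is not published


# Constructed sample packets: (timestamp, source, destination, payload)
PACKETS = [
    (0.0, "10.0.0.5:40000", "10.0.0.9:8080", b"a"),
    (0.1, "10.0.0.6:40001", "10.0.0.9:8080", b"b"),
    (0.2, "10.0.0.5:40000", "10.0.0.9:9090", b"c"),
    (0.3, "10.0.0.5:40002", "10.0.0.9:8080", b"d"),
    (0.4, "10.0.0.5:40000", "10.0.0.9:80801", b"e"),  # port 80801, not 8080
]
```

If the stage performs a partial rather than a whole-string match, .*:8080 would also accept port 80801; ending the pattern with $ removes that ambiguity.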

Interacting

Data is simply read from the PCAP file and published; there are no controls provided for this stage.

Metrics

Statistics are emitted periodically that report the number of processed packets, dropped packets, and filtered packets. Use these to debug cases where you are not receiving the packets you expect.