TCPPREP

NAME

tcpprep - create a tcpreplay cache file from a saved capture file

SYNOPSIS

tcpprep [ -a -n [ bridge | router | client | server ] | -c CIDR,... | -r regex | -p ] [ -h | -V ] [ -i pcapfile ] [ -v ] [ -m minmask ] [ -M maxmask ] [ -N client | server ] [ -R ratio ] [ -x include | -X exclude ] [ -C comment ] -o | -P cachefile

DESCRIPTION

Tcpprep is a program for creating a cache file for later use with tcpreplay(8). By using tcpprep to pre-process a pcap, tcpreplay in dual-nic mode can match the performance of the traditional tcpreplay single-nic mode.

The basic operation of tcpprep is to compare each packet from its input file against either a regular expression or a list of CIDRs, and then write the result of that comparison to the cache file for later use with tcpreplay. The cache file is a string of characters in which each bit represents a single packet, which provides an efficient and portable means of storing the necessary data.

OPTIONS

-a

Auto mode. Tcpprep will try to learn the roles of systems on the network, and split traffic between the two interfaces based upon whether a system is classified as a "server" or "client". Servers are sent out the primary interface, clients out the secondary. Requires the use of -n and excludes the use of -c, -p and -r.

-c

CIDR mode. Specify a list of CIDRs (network1/masklen1,network2/masklen2,...) to match against the source IP of each packet. Packets matching any of the CIDRs are sent out the primary interface; remaining packets are sent out the secondary interface. Can't be used with -r or -a.
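The per-packet comparison described in DESCRIPTION and the -c CIDR mode, as an added example written for this page (not tcpprep's own code; the real cache file also carries a header and the -C comment, which this simplified bit string omits):

```python
# Added illustration, written for this page, of tcpprep's CIDR mode (-c) and
# the one-bit-per-packet cache the DESCRIPTION section explains. It is not
# tcpprep's own code and does not reproduce the real cache file layout
# (header, version, -C comment); only the per-packet interface bit is shown.
import ipaddress

PRIMARY, SECONDARY = 1, 0  # bit value recorded for each packet

def parse_cidr_list(spec):
    """Parse the -c argument 'net1/len1,net2/len2,...' into network objects."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in spec.split(",") if c.strip()]

def classify_cidr(src_ip, networks):
    """CIDR mode: a packet whose source IP lies in any listed network goes out
    the primary interface; every other packet goes out the secondary."""
    addr = ipaddress.ip_address(src_ip)
    return PRIMARY if any(addr in net for net in networks) else SECONDARY

def build_cache(src_ips, networks):
    """One bit per packet, in capture order (index 0 is packet number 1)."""
    return [classify_cidr(ip, networks) for ip in src_ips]

def pack_bits(bits):
    """Pack the per-packet bits into bytes, packet 1 in the LSB of byte 0."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        if b:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)

def unpack_bits(data, count):
    """Inverse of pack_bits: recover the interface bit for each of count packets."""
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(count)]

# Constructed sample: source IPs of six packets from a hypothetical capture.
SAMPLE_SRC_IPS = ["10.0.0.5", "192.168.1.20", "10.0.1.9",
                  "172.16.0.1", "10.0.0.200", "8.8.8.8"]

if __name__ == "__main__":
    nets = parse_cidr_list("10.0.0.0/16,172.16.0.0/12")
    bits = build_cache(SAMPLE_SRC_IPS, nets)
    cache = pack_bits(bits)
    for n, b in enumerate(bits, 1):
        print(f"packet {n}: {SAMPLE_SRC_IPS[n-1]:>14} -> {'primary' if b else 'secondary'}")
    print("cache bytes:", cache.hex(), "round trip ok:", unpack_bits(cache, len(bits)) == bits)
```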

-C

Embed a comment in the tcpprep cache file which can later be viewed via -P.

-h

Help.

-i

Input file (pcap format).

-m

Minimum mask length. Used in auto/router mode to set the minimum valid network size. Defaults to 30 (bits).

-M

Maximum mask length. Used in auto/router mode to set the maximum valid network size. Defaults to 8 (bits).

-n

Network type. Used to specify the network type in auto mode as either bridge, client, server or router. Required with -a.

Bridge mode processes each packet to try to determine if the sender is a client or server. Once all the packets are processed, the results are weighed according to the server/client ratio (-R) and systems are assigned an interface. If tcpprep is unable to determine what role a system plays, tcpprep will abort.

Client mode works just like bridge mode, except that unclassified systems are treated as clients.

Server mode works just like bridge mode, except that unclassified systems are treated as servers.

Router mode works just like bridge mode, except that after weighing is done, systems which are undetermined are considered a server if they fall inside a network known to contain other servers. Router mode will never abort on systems which can’t be determined.

Router mode tries to build a list of networks containing only servers and unknown IPs. It starts out with very large networks (8 bit netmask by default, change with -M) and works its way down to the minimum mask length (-m). If tcpprep is unable to determine one or more networks that contain only servers and unknowns, tcpprep will abort.

Port mode looks at the source/destination port of the TCP or UDP packet. Client traffic goes out the primary interface, and server traffic out the secondary interface. Non-TCP/UDP traffic goes out the same interface as non-IP traffic does. Note that this mode does not track IP addresses, so an IP may appear to jump between interfaces depending on whether it is the client or the server.

In all cases, servers are sent out the primary interface, and clients out the secondary.

-N

Non-IP packet classification. Non-IP datagrams (such as ARP) currently aren't handled by tcpprep. This option allows you to define an interface to send them out. Default is client.

-o

Output file (tcpreplay cache file).

-p

Port mode. Split TCP/UDP traffic based on the destination port.

-P

Print the embedded tcpprep cache file comment.

-r

Regex mode. Specifies a regular expression to match against the source IP of each packet. Packets matching are sent out the primary interface; remaining packets are sent out the secondary interface. Can't be used with -a or -c.

-R

The ratio of server connections to client connections necessary to be classified as a server in auto mode. A system is classified as a server if [# server connections] >= ([# client connections] * [ratio]). Default is 2.0.
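The -R ratio test and the -n mode handling of undetermined systems described above (bridge, client, server and router mode's -M/-m network walk), as an added example written for this page rather than tcpprep's own code. It assumes the per-host connection counts have already been tallied and that "undetermined" means a host with no connections in either role; both are assumptions of the example, not statements of the page.

```python
# Added example for this page of tcpprep's auto-mode weighing (-a -n MODE,
# -R ratio, router mode's -M/-m network walk); not tcpprep's own code. Input
# is assumed to be already-tallied per-host counts of connections in which
# the host acted as server and as client (constructed sample at the bottom).
import ipaddress

def is_server(server_conns, client_conns, ratio=2.0):
    """The -R test: server iff [# server] >= [# client] * ratio."""
    return server_conns >= client_conns * ratio

def weigh_hosts(counts, ratio=2.0):
    """Map each host to 'server', 'client' or None; None (undetermined) is
    assumed here to mean a host seen in no connection in either role."""
    return {ip: None if srv == cli == 0 else
            ("server" if is_server(srv, cli, ratio) else "client")
            for ip, (srv, cli) in counts.items()}

def resolve(roles, mode, maxmask=8, minmask=30):
    """Apply the -n mode to the undetermined hosts; returns final roles."""
    out = dict(roles)
    unknown = [ip for ip, r in roles.items() if r is None]
    if mode == "bridge":
        if unknown:  # bridge mode aborts on any undetermined system
            raise SystemExit(f"bridge mode: cannot classify {unknown}")
    elif mode in ("client", "server"):
        for ip in unknown:
            out[ip] = mode
    elif mode == "router":
        # Walk from the largest networks (-M) down to the smallest (-m); an
        # undetermined host becomes a server once it sits in a network whose
        # classified hosts are all servers (at least one).
        for plen in range(maxmask, minmask + 1):
            for ip in unknown:
                if out[ip] is not None:
                    continue
                net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
                known = [r for h, r in roles.items()
                         if r is not None and ipaddress.ip_address(h) in net]
                if known and all(r == "server" for r in known):
                    out[ip] = "server"
        for ip in unknown:  # this example's reading of the page: whatever is
            if out[ip] is None:  # still undetermined is treated as a client
                out[ip] = "client"
    else:
        raise ValueError(f"unknown -n mode: {mode}")
    return out

# Constructed sample: {host: (# connections as server, # as client)}
SAMPLE_COUNTS = {"10.0.0.10": (40, 5), "10.0.1.11": (9, 5), "10.0.0.12": (0, 0),
                 "192.168.5.7": (1, 30), "192.168.5.9": (0, 0), "172.16.3.3": (20, 0)}
```

With the sample data, router mode classifies 10.0.0.12 as a server because 10.0.0.0/24 contains only the server 10.0.0.10, while 192.168.5.9 shares every candidate network down to /29 with the client 192.168.5.7 and stays a client.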

-x

Specifies which packets from the capture file(s) to send. Can be one of:

S:<CIDR1>,... - Src IP must match specified CIDR(s)
D:<CIDR1>,... - Dst IP must match specified CIDR(s)
B:<CIDR1>,... - Both src and dst addresses must match
E:<CIDR1>,... - Either src or dst address must match
P:<list> - Must be one of the listed packets where the list corresponds to the packet number in the capture file. Ex: -x P:1-5,9,15 would only send packets 1 through 5, 9 and 15.
F:"<filter>" - BPF filter. See the tcpdump(8) man page for syntax.

-X

Specifies which packets from the capture file(s) to NOT send. Can be one of:

S:<CIDR1>,... - Src IP must match specified CIDR(s)
D:<CIDR1>,... - Dst IP must match specified CIDR(s)
B:<CIDR1>,... - Both src and dst addresses must match
E:<CIDR1>,... - Either src or dst address must match
P:<list> - Must be one of the listed packets where the list corresponds to the packet number in the capture file. Ex: -X P:1-5,9,15 would send all packets except 1 through 5, 9 and 15.

-v

Enable verbose status printing to stderr. (Probably only interesting for large input files.)

-V

Print version info and exit.

SEE ALSO

tcpdump(8), tcpreplay(8), capinfo(1), editcap(1)

AUTHOR

Aaron Turner <aturner@pobox.com>

The current version is packaged with tcpreplay which is available via HTTP:

http://www.sourceforge.net/projects/tcpreplay/

BUGS

There may be a memory leak in the auto mode portion of the code. I’m seeing tcpprep growing to almost 15MB on a 900MB input file.

Accuracy in auto modes and handling of non-IP datagrams could be improved by various means.

It would be nice to support compressed files and other file formats than just libpcap.

Please send bug reports to aturner@pobox.com.