.\" $Id: tcpreplay.8 1132 2005-02-09 01:30:59Z aturner $ .TH "TCPREPLAY" "8" "2.0.3" "Aaron Turner" "Replay Captured Network Traffic" .SH "NAME" .LP tcpreplay \- replay packets back out onto the network from pcap files .SH "SYNTAX" .LP \fBtcpreplay\fR \fB\-i\fR \fIintf\fR [ \fBoptions\fR ] [ \fI ...\fR | \- ] .SH "DESCRIPTION" .LP \fBtcpreplay\fR is a tool for replaying network traffic from files saved with \fBtcpdump\fR or other tools which write \fBpcap(3)\fR files. .LP The basic operation of \fBtcpreplay\fR is to resend all packets from the input file(s) at the speed at which they were recorded, or a specified data rate, up to as fast as the hardware is capable. .LP Optionally, the traffic can be split between two interfaces, written to files, filtered and edited in various ways, providing the means to test firewalls, NIDS and other network devices. .SH "OPTIONS" .LP .TP .B \-A or "tcpdump_args" When enabling verbose mode (\-v) you may also specify one or more additional arguments to pass to \fBtcpdump\fR to modify the way packets are decoded. By default, \-n and \-l are used. Be sure to quote the arguments like: \-A "\-axxx" so that they are not interpreted by tcpreplay. The following arguments are vaild: .br [ \-aAeNqRStuvxX ] .br [ \-E spi@ipaddr algo:secret,...] .br [ \-s snaplen ] .TP .TP .B \-c or "cachefile" Specify the \fItcpprep cache\fR to use to process packets. .TP .B \-C or "cidr" Given a list of CIDR networks, packets with a source address matching an entry in the list are sent out the primary interface. All other packets are sent via the secondary interface. CIDR lists are comma\-separated and do not contain spaces, \fI192.168.0.0/28,10.0.0.0/16\fR and \fI10.1.1.0/29\fR, for example. Overrides the \-c option. .TP .B \-D or "datadump_mode" When used in conjunction with \-w and \-W, rather then dumping the entire packets to the files, only the layer 7 data is dumped. .TP .B \-e or "endpoints" Specifies a pair of IP addresses seperated by a colon which are then used to rewrite all IP traffic to appear to be between the two IP's. .TP .B \-f Specify a file that contains configuration options. Option tokens are listed next to the corresponding command\-line flag. .TP .B \-F or "fixchecksums" Fixes IP and TCP/UDP checksums in packets. Auto\-forced with \-s, \-u, \-T \-N or \-4 .TP .B \-h Prints help/usage .TP .B \-i or "intf" Specify the prmary interface in which to send packets. .TP .B \-I or "primary_mac" Specify the \fIdestination MAC\fR to use for packets being sent out the primary interface. .TP .B \-j or "second_intf" Specify the \fIsecondary interface\fR in which to send packets. .TP .B \-J or "second_mac" Specify the \fIdestination MAC\fR to use for packets being sent out the secondary interface. .TP .B \-k or "primary_smac" Specify the \fIsource MAC\fR to use for packets being sent out the primary interface. .TP .B \-K or "second_smac" Specify the \fIsource MAC\fR to use for packets being sent out the secondary interface. .TP .B \-l or "loop" Resend the capture file(s) \fIloop count\fR times. Setting this to 0 (zero) will cause tcpreplay to loop infinitely. .TP .B \-L or "limit_send" Causes tcpreplay to exit after sending the specified number of packets .TP .B \-m or "multiplier" Resend the packets at a \fImultiple\fR of the speed at which they were recorded, specified as a floating\-point number. .TP .B \-M or "no_martians" Disable sending martian packets (source networks: 0/8, 127/8, 255/8) .TP .B \-n or "not_nosy" Don't listen in promiscuous mode when sniffing with \-S .TP .B \-N or "nat" Specify the nat transation table(s) where a table is one or more pairs of CIDR's seperated by a colon and each pair is sererated by a comma: .br :,: .br The first instance of this argument is used for the primary interface while the second instance is used for the secondary interface. If no second instance of this argument exists, then the NAT table is used for both. .TP .B \-o or "offset" Jump to packet at the nearest specified byte offset and start replaying packets from there. .TP .B \-O or "one_output" Processes packets internally for dual interfaces/files for purposes of NAT and MAC rewriting, but only write packets to a single interface or file. .TP .B \-p or "packetrate" Specify the replay rate in packets per second. Negates all other speed options. .TP .B \-P .br Print the PID of the tcpreplay process at startup. Useful when wanting to use SIGUSR1 and SIGCONT to pause/restart. .TP .B \-r or "rate" Resend the packets at \fIrate\fR megabits per\-second, specified as a floating\-point number. .TP .B \-R or "topspeed" Resend the packets as fast as possible. Negates all other speed options. .TP .B \-s or "seed" Specify a seed value to allow rewriting the source and destination IP addresses (only in IP header) to pseudo\-random values. Will also recalculate the IP header as necessary. .TP .B \-S or "sniff_snaplen" Instead of reading from a saved tcpdump file, perform live capture. The argument is the number of bytes to capture off the wire. The name of the capture interface will be the nominal filename. Please read the FAQ for more details/warnings about this feature. .TP .B \-t or "mtu" Specify the MTU in bytes of the interface(s) being used. Default is 1500 which is standard for 10/100 Ethernet. .TP .B \-T or "truncate" If a packet is larger then the MTU of the interface, the frame will be truncated so that it can be sent. With out this, these frames are skipped. Not to be confused with \-u which pads/truncates packets which are larger then the snaplen used to capture the packet. .TP .B \-u or "untruncate" When a packet is truncated in the capture file because the snaplen was too small, this option will \fIpad\fR the end of the packet with zeros, or truncate (\fItrunc\fR) it by re\-adjusting the length in the IP header. The \fItrunc\fR option will only alter IPv4 packets, all others will be sent unmodified. .TP .B \-v or "verbose" .br Verbose mode, dump decoded packets via tcpdump to STDOUT. .TP .B \-V Print version info and exit. .TP .B \-w or "write" Specify the output file to write the primary packets to instead of the network. You still must specify the primary interface via \-i. If \-D is set before it, it will write only the layer 7 data. .TP .B \-W or "secondary_write" Specify the output file to write the secondary packets to instead of the network. You still must specify the secondary interface via \-j. If \-D is set before it, it will write only the layer 7 data. .TP .B \-x or "include" Specifies which packets from the capture file(s) to send. Can be one of: .br .br .TP .LP S:,... Src IP must match specified CIDR(s) .TP .LP D:,... Dst IP must match specified CIDR(s) .TP .LP B:,... Both src and dst addresses must match .TP .LP E:,... Either src or dst address must match .TP .LP P: Must be one of the listed packets where the list corresponds to the packet number in the capture file. Ex: \-x P:1\-5,9,15 would only send packets 1 through 5, 9 and 15. .TP .LP F:"" BPF filter. See the \fBtcpdump(1)\fR man page for syntax. .TP .B \-X or "exclude" Specifies which packets from the capture file(s) to NOT send. Can be one of: .TP .LP S:,... Src IP must match specified CIDR(s) .TP .LP D:,... Dst IP must match specified CIDR(s) .TP .LP B:,... Both src and dst addresses must match .TP .LP E:,... Either src or dst address must match .TP .LP P: Must be one of the listed packets where the list corresponds to the packet number in the capture file. Ex: \-X P:1\-5,9,15 would send all packets except 1 through 5, 9 and 15. .TP .B \-1 or one_at_a_time Resend one packet at a time, once for each keypress. .TP .B \-2 or l2data Specifies a string of comma seperated numbers in hex to be used instead of the Layer 2 header in the packet. Useful for converting between 802.x types or adding a header when the pcap file doesn't contain a header (as in the case of DLT_RAW). Currently this only supports the following pcap(3) types: DLT_EN10MB, DLT_LINUX_SLL, DLT_CHDLC and DLT_RAW. .TP .B \-4 or "portmap" Specify a port mapping, where the mapping looks like: .br :,: .br For example, if this mapping was specified: .br 80:8080 .br then any packets with a source or destination port of 80 would be changed to 8080. This option can be specified multiple times to specify multiple mappings. Mappings are not transitive: each source or destination port is mapped only once. .SH "SIGNALS" .LP .I Tcpreplay understands the following signals: .TP .B SIGUSR1 Suspend tcpreplay. .TP .B SIGCONT Restart tcpreplay after it has been suspended. .SH "SEE ALSO" .LP tcpdump(1), tcpprep(1), capinfo(1), editcap(1) .SH "AUTHORS" .LP Aaron Turner .br Matt Undy, Anzen Computing. .br Matt Bing .br .SH "AVAILABILITY" .LP The current version is available via HTTP: .LP .RS .I http://www.sourceforge.net/projects/tcpreplay/ .RE .SH "LIMITATIONS" .LP Please see the tcpreplay FAQ for a list of limitations and any possible work\-arounds: .I http://tcpreplay.sourceforge.net/