#LyX 1.4.0 created this file. For more info see http://www.lyx.org/
\lyxformat 245
\begin_document
\begin_header
\textclass article
\language english
\inputencoding latin1
\fontscheme times
\graphics default
\paperfontsize default
\spacing single
\papersize letterpaper
\use_geometry true
\use_amsmath 1
\cite_engine basic
\use_bibtopic false
\paperorientation portrait
\leftmargin 10mm
\topmargin 10mm
\rightmargin 10mm
\bottommargin 15mm
\secnumdepth 4
\tocdepth 3
\paragraph_separation skip
\defskip medskip
\quotes_language english
\papercolumns 1
\papersides 1
\paperpagestyle default
\tracking_changes false
\output_changes true
\end_header

\begin_body

\begin_layout Title
Tcpreplay 3.x FAQ
\end_layout

\begin_layout Author
Aaron Turner
\newline
http://tcpreplay.sourceforge.net/
\end_layout

\begin_layout Standard
\newpage
\begin_inset LatexCommand \tableofcontents{}
\end_inset
\newpage
\end_layout

\begin_layout Section
General Info
\end_layout

\begin_layout Subsection
What is this FAQ for?
\end_layout

\begin_layout Standard
Tcpreplay is a suite of powerful tools, but with that power comes complexity. While I have done my best to write good man pages for tcpreplay and its associated utilities, I understand that many people may want more information than I can provide in the man pages. Additionally, this FAQ attempts to cover material which I feel will be of use to people using tcpreplay, as well as common questions that occur on the Tcpreplay-Users mailing list.
\end_layout

\begin_layout Subsection
What tools come with tcpreplay?
\end_layout

\begin_layout Itemize
tcpreplay - replay ethernet packets stored in a pcap file as they were captured
\end_layout

\begin_layout Itemize
tcprewrite - edit packets stored in a pcap file
\end_layout

\begin_layout Itemize
tcpprep - a pcap pre-processor for tcpreplay
\end_layout

\begin_layout Itemize
flowreplay
\begin_inset Foot
status collapsed

\begin_layout Standard
Flowreplay is still
\begin_inset Quotes eld
\end_inset
alpha
\begin_inset Quotes erd
\end_inset
quality and is not usable for most situations. Anyone interested in helping me develop flowreplay is encouraged to contact me.
\end_layout

\end_inset
- connects to one or more servers and replays the client side of the connection stored in a pcap file
\end_layout

\begin_layout Subsection
What tools no longer come with Tcpreplay?
\end_layout

\begin_layout Standard
Recently, other people and projects have developed better versions of two applications that shipped with tcpreplay 2.x:
\end_layout

\begin_layout Itemize
pcapmerge - merges two or more pcap files into one. Ethereal now ships with a more powerful application called 'mergecap'.
\end_layout

\begin_layout Itemize
capinfo - displays basic information about a pcap file. Ethereal now ships with a more powerful application of the same name.
\end_layout

\begin_layout Subsection
How can I get tcpreplay's source?
\end_layout

\begin_layout Standard
The source code is available in tarball format on the tcpreplay homepage:
\begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
\end_inset
I also encourage users familiar with Subversion to try checking out the latest code, as it often has additional features and bugfixes not found in the tarballs.
\end_layout

\begin_layout Standard
svn checkout https://www.synfin.net/svn/tcpreplay/trunk tcpreplay
\end_layout

\begin_layout Subsection
What requirements does tcpreplay have?
\end_layout

\begin_layout Enumerate
You'll need recent versions of the libnet
\begin_inset Foot
status collapsed

\begin_layout Standard
http://www.packetfactory.net/libnet/
\end_layout

\end_inset
and libpcap
\begin_inset Foot
status collapsed

\begin_layout Standard
http://www.tcpdump.org/
\end_layout

\end_inset
libraries.
\end_layout

\begin_layout Enumerate
To support the packet decoding feature you'll need tcpdump
\begin_inset Foot
status collapsed

\begin_layout Standard
http://www.tcpdump.org/
\end_layout

\end_inset
installed.
\end_layout

\begin_layout Enumerate
You'll also need a compatible operating system. Basically, any UNIX-like or UNIX-based operating system should work. Linux, *BSD, Solaris, OS X and others should all work. If you find any compatibility issues with any UNIX-like/based OS, please let me know.
\end_layout

\begin_layout Subsection
Are there binaries available?
\end_layout

\begin_layout Standard
The tcpreplay project does not maintain binaries for any platforms. However, some operating systems such as Debian GNU/Linux (apt-get) and OS X (fink) have packages available. Try searching on Google.
\end_layout

\begin_layout Subsection
Is there a Microsoft Windows port?
\end_layout

\begin_layout Standard
Not really. We had one user port the code over for an old version of tcpreplay to Windows. Now we're looking for someone to help merge and maintain the code in the main development tree. If you're interested in helping with this, please contact Aaron Turner or the tcpreplay-users list. Other than that, you can download the tcpreplay-win32.zip file from the website and give it a go. Please understand that the Win32 port of tcpreplay comes with no support whatsoever, so if you run into a problem you're on your own.
\end_layout

\begin_layout Subsection
How is tcpreplay licensed?
\end_layout

\begin_layout Standard
Tcpreplay is licensed under a three clause BSD-style license. For details see the docs/LICENSE file included with the source code.
\end_layout

\begin_layout Subsection
What is tcpreplay?
\end_layout

\begin_layout Standard
In the simplest terms, tcpreplay is a tool to send network traffic stored in pcap format back onto the network; basically the exact opposite of tcpdump. Just to make things more confusing, tcpreplay is also a suite of tools: tcpreplay, tcpprep, tcprewrite and flowreplay.
\end_layout

\begin_layout Standard
\begin_inset Note Comment
status collapsed

\begin_layout Standard
What isn't tcpreplay?
\end_layout

\begin_layout Standard
Tcpreplay is
\emph on
not
\emph default
a tool to replay captured traffic to a server or client. Specifically, tcpreplay does not have the ability to rewrite IP addresses to a user-specified value or synchronize TCP sequence and acknowledgment numbers. In other words, tcpreplay can't
\begin_inset Quotes eld
\end_inset
connect
\begin_inset Quotes erd
\end_inset
to a server or be used to emulate a server and have clients connect to it. If you're looking for that, check out flowreplay.
\end_layout

\end_inset
\end_layout

\begin_layout Subsection
What are some uses for tcpreplay?
\end_layout

\begin_layout Standard
Originally, tcpreplay was written to test network intrusion detection systems (NIDS); however, tcpreplay has also been used to test firewalls, routers, and other network devices. With the addition of flowreplay, almost
\begin_inset Foot
status collapsed

\begin_layout Standard
Note that flowreplay does not support protocols such as ftp which use multiple connections.
\end_layout

\end_inset
any udp or tcp service on a server can be tested as well.
\end_layout

\begin_layout Subsection
What are some uses for flowreplay?
\end_layout

\begin_layout Standard
A lot of people wanted a tool like tcpreplay, but wanted to be able to replay traffic
\emph on
to
\emph default
a server. Since tcpreplay was unable to do this, I developed flowreplay, which replays the data portion of the flow but recreates the connection to the specified server(s).
This makes flowreplay an ideal tool to test host intrusion detection systems (HIDS) as well as captured exploits and security patches when the actual exploit code is not available. Please note that flowreplay is still alpha quality code, which means it doesn't work very well (some would argue it doesn't work at all) and is currently missing some important features. Feel free to try flowreplay, but unless you're willing and able to contribute, don't bother complaining that it doesn't work.
\end_layout

\begin_layout Subsection
What is the history of tcpreplay?
\end_layout

\begin_layout Standard
Tcpreplay has had quite a few authors over the past five or so years. One of the advantages of the BSD and GPL licenses is that if someone becomes unable or unwilling to continue development, anyone else can take over.
\end_layout

\begin_layout Standard
Originally, Matt Undy of Anzen Computing wrote tcpreplay. Matt released version 1.0.1 sometime in 1999. Sometime after that, Anzen Computing was (at least partially) purchased by NFR and development ceased.
\end_layout

\begin_layout Standard
Then in 2001, two people independently started work on tcpreplay: Matt Bing of NFR and Aaron Turner of OneSecure. After developing a series of patches (the -adt branch), Aaron attempted to send the patches in to be included in the main development tree.
\end_layout

\begin_layout Standard
After some discussion between Aaron and Matt Bing, they decided to continue development together. Since then, two major rewrites have occurred, and more than thirty new features have been added, including the addition of a number of accessory tools.
\end_layout

\begin_layout Standard
Today, Aaron continues active development of the code.
\end_layout

\begin_layout Section
Bugs, Feature Requests, and Patches
\end_layout

\begin_layout Subsection
Where can I get help, report bugs or contact the developers?
\end_layout

\begin_layout Standard
The best place to get help or report a bug is the Tcpreplay-Users mailing list:
\newline
\begin_inset LatexCommand \htmlurl{http://lists.sourceforge.net/lists/listinfo/tcpreplay-users}
\end_inset
\end_layout

\begin_layout Standard
Please do not email the author directly, as it prevents others from learning from your questions.
\end_layout

\begin_layout Subsection
What information should I provide when I report a bug?
\end_layout

\begin_layout Standard
One of the most frustrating things for any developer trying to help a user with a problem is not having enough information. Please be sure to include
\emph on
at minimum
\emph default
the following information; any additional information you feel may be helpful will be appreciated.
\end_layout

\begin_layout Itemize
Version information (output of -V)
\end_layout

\begin_layout Itemize
Command line used (options and arguments)
\end_layout

\begin_layout Itemize
Platform (Red Hat Linux 9 on Intel, Solaris 7 on SPARC, etc)
\end_layout

\begin_layout Itemize
Error message (if available) and/or description of problem
\end_layout

\begin_layout Itemize
If possible, attach the pcap file used (compressed with bzip2 or gzip preferred)
\end_layout

\begin_layout Itemize
The core dump or backtrace if available
\end_layout

\begin_layout Subsection
I have a feature request, what should I do?
\end_layout

\begin_layout Standard
Let us know! Many of the features exist today because users like you asked for them. To make a feature request, email the tcpreplay-users mailing list (see above).
\end_layout

\begin_layout Subsection
I've written a patch for tcpreplay, how can I submit it?
\end_layout

\begin_layout Standard
I'm always willing to include new features or bug fixes submitted by users. You may email me directly or the tcpreplay-users mailing list. Please
\emph on
do not
\emph default
use the Patch Tracker on the tcpreplay SourceForge web site.
But before you start working on adding a feature or fixing a bug in tcpreplay, please make sure you check out the latest source code from the Subversion repository. Patches against released versions are almost surely not going to apply cleanly, if at all.
\end_layout

\begin_layout Subsection
Patch requirements
\end_layout

\begin_layout Itemize
Be aware that by submitting a patch,
\emph on
you are assigning your copyright to me.
\emph default
If this is not acceptable to you, then
\emph on
do not
\emph default
send me the patch! I have people assign their copyright to me to help prevent licensing issues that may crop up in the future.
\end_layout

\begin_layout Itemize
Please provide a description of what your patch does!
\end_layout

\begin_layout Itemize
Comment your code! I won't use code I can't understand.
\end_layout

\begin_layout Itemize
Make sure you are patching a branch that is still being maintained. Generally that means the most recent stable and development branches (2.0 and 3.0 at the time of this writing).
\end_layout

\begin_layout Itemize
Make sure you are patching against the most recent release for that branch.
\end_layout

\begin_layout Itemize
Please submit your patch in the
\emph on
unified diff
\emph default
format so I can better understand what you're changing.
\end_layout

\begin_layout Itemize
Please provide any relevant personal information you'd like listed in the CREDITS file.
\end_layout

\begin_layout Standard
Please note that while I'm always interested in patches, I may rewrite some or all of your submission to maintain a consistent coding style.
\end_layout

\begin_layout Section
Understanding tcpprep
\end_layout

\begin_layout Subsection
What is tcpprep?
\end_layout

\begin_layout Standard
Tcpreplay can send traffic out two network cards; however, it requires the calculations be done in real-time. These calculations can be expensive and can significantly reduce the throughput of tcpreplay.
\end_layout

\begin_layout Standard
Tcpprep is a libpcap pre-processor for tcpreplay which enables using two network cards to send traffic without the performance hit of doing the calculations in real-time.
\end_layout

\begin_layout Subsection
How does tcpprep work?
\end_layout

\begin_layout Standard
Tcpprep reads in a libpcap (tcpdump) formatted capture file and does some processing to generate a tcpreplay cache file. This cache file tells tcpreplay which interface a given packet should be sent out of.
\end_layout

\begin_layout Subsection
Does tcpprep modify my libpcap file?
\end_layout

\begin_layout Standard
No.
\end_layout

\begin_layout Subsection
Why use tcpprep?
\end_layout

\begin_layout Standard
There are three major reasons to use tcpprep:
\end_layout

\begin_layout Enumerate
Tcpprep can split traffic based upon more methods and criteria than tcpreplay.
\end_layout

\begin_layout Enumerate
By pre-processing the pcap, tcpreplay has a higher theoretical maximum throughput.
\end_layout

\begin_layout Enumerate
By pre-processing the pcap, tcpreplay can be more accurate in timing when replaying traffic at normal speed.
\end_layout

\begin_layout Subsection
Can a cache file be used for multiple (different) libpcap files?
\end_layout

\begin_layout Standard
Cache files have nothing linking them to a given libpcap file, so there is nothing to stop you from doing this. However, running tcpreplay with a cache file from a different libpcap source file is likely to cause a lot of problems and is not supported.
\end_layout

\begin_layout Subsection
Why would I want to use tcpreplay with two network cards?
\end_layout

\begin_layout Standard
Tcpreplay traditionally is good for putting traffic on a given network, often used to test a network intrusion detection system (NIDS). However, there are cases where putting traffic onto a subnet in this manner is not good enough: you have to be able to send traffic *through* a device such as an IPS, router, firewall, or bridge.
\end_layout

\begin_layout Standard
In these cases, being able to use a single source file (libpcap) for both ends of the connection solves this problem.
\end_layout

\begin_layout Subsection
How big are the cache files?
\end_layout

\begin_layout Standard
Very small. Actual size depends on the number of packets in the dump file. Two bits of data are stored for each packet. On a test using a 900MB dump file containing over 500,000 packets, the cache file was only 150K.
\end_layout

\begin_layout Section
Common Error and Warning Messages
\end_layout

\begin_layout Subsection
Can't open eth0: libnet_select_device(): Can't find interface eth0
\end_layout

\begin_layout Standard
Generally this occurs when the interface (eth0 in this example) is not up or doesn't have an IP address assigned to it.
\end_layout

\begin_layout Subsection
Can't open lo: libnet_select_device(): Can't find interface lo
\end_layout

\begin_layout Standard
Version 1.1.0 of Libnet is unable to send traffic on the loopback device. Upgrade to a later release of the Libnet library to solve this problem.
\end_layout

\begin_layout Subsection
Can't open eth0: UID != 0
\end_layout

\begin_layout Standard
Tcpreplay requires that you run it as root.
\end_layout

\begin_layout Subsection
100000 write attempts failed from full buffers and were repeated
\end_layout

\begin_layout Standard
When tcpreplay displays a message like "100000 write attempts failed from full buffers and were repeated", this usually means the kernel buffers were full and it had to wait until memory was available. This is quite common when replaying files as fast as possible with the "-R" option. See the tuning OS section in this document for suggestions on solving this problem.
\end_layout

\begin_layout Subsection
Unable to process test.cache: cache file version missmatch
\end_layout

\begin_layout Standard
Cache files generated by tcpprep and read by tcpreplay are versioned to allow enhancements to the cache file format.
Anytime the cache file format changes, the version is incremented. Since this occurs very rarely, it is generally not an issue; however, anytime there is a change, it breaks compatibility with previously created cache files. The solution for this problem is to use the same version of tcpreplay and tcpprep to read/write the cache files. Cache file versions match the following versions of tcpprep/tcpreplay:
\end_layout

\begin_layout Itemize
Version 1:
\newline
Prior to 1.3.beta1
\end_layout

\begin_layout Itemize
Version 2:
\newline
1.3.beta2 to 1.3.1/1.4.beta1
\end_layout

\begin_layout Itemize
Version 3:
\newline
1.3.2/1.4.beta2 to 2.0.3
\end_layout

\begin_layout Itemize
Version 4:
\newline
2.1.0 and above. Note that prior to version 2.3.0, tcpprep had a bug which broke cache file compatibility between big and little endian systems.
\end_layout

\begin_layout Subsection
Skipping SLL loopback packet.
\end_layout

\begin_layout Standard
Your capture file was created on Linux with the 'any' parameter, which then captured a packet on the loopback interface. However, tcpreplay doesn't have enough information to actually send the packet, so it skips it. Specifying a destination and source MAC address (-D and -S) will allow tcpreplay to send these packets.
\end_layout

\begin_layout Subsection
Packet length (8892) is greater then MTU; skipping packet.
\end_layout

\begin_layout Standard
The packet length (in this case 8892 bytes) is greater than the maximum transmission unit (MTU) of the outgoing interface, so tcpreplay must skip the packet. Alternatively, you can specify the -T option and tcpreplay will truncate the packet to the MTU size, fix the checksums and send it. This often occurs with pcaps captured over loopback interfaces, which have much larger MTUs than Ethernet.
\end_layout

\beg
in_layout Section
Common Questions from Users
\end_layout

\begin_layout Subsection
Why is tcpreplay not sending all the packets?
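\end_layout

\begin_layout Standard
Oversized packets are one concrete reason a packet never goes out: as the previous section explains, a packet longer than the outgoing MTU is skipped unless -T is given, in which case it is truncated to the MTU and its checksums are fixed. The C below is an added example of that fix-up and is not tcpreplay's own code: it cuts an Ethernet/IPv4 frame down to a given MTU, patches the IPv4 total length (and the UDP length field), and recomputes the IPv4 header checksum and the UDP or TCP checksum over the pseudo-header. The frame it works on is constructed inside the block and all function names are mine; the MAC addresses and ports are arbitrary, and the IPv4 header is the textbook example whose header checksum is 0xb861.

```c
/* Added example, not tcpreplay's code: the work a "-T"-style fix-up has to do
 * when a frame's IP packet exceeds the outgoing MTU. The test frame is built
 * here; its IPv4 header is the textbook example whose checksum is 0xb861. */
#include <stdint.h>
#include <string.h>
enum { ETH_HLEN = 14, ETHERTYPE_IPV4 = 0x0800, PROTO_TCP = 6, PROTO_UDP = 17 };

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* RFC 1071 accumulator: add 16-bit big-endian words, zero-pad a trailing byte. */
static uint32_t csum_add(uint32_t acc, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) acc += get16(p);
    return len ? acc + ((uint32_t)p[0] << 8) : acc;
}

/* Fold carries into 16 bits: the ones' complement sum, not yet inverted. */
static uint16_t csum_fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* IPv4 header checksum, computed as if the checksum field (bytes 10-11) were 0. */
uint16_t ipv4_header_checksum(const uint8_t *iph)
{
    size_t ihl = (iph[0] & 0x0f) * 4;
    return (uint16_t)~csum_fold(csum_add(csum_add(0, iph, 10), iph + 12, ihl - 12));
}

/* Ones' complement sum of the IPv4 pseudo-header plus the L4 segment. Over a
 * segment with a zeroed checksum field, ~sum is the checksum to store; over a
 * segment carrying its checksum, 0xffff means it verifies. */
uint16_t l4_sum(const uint8_t *iph, const uint8_t *l4, size_t l4len)
{
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, iph + 12, 8);          /* source and destination address */
    pseudo[9] = iph[9];                   /* protocol; byte 8 stays zero */
    put16(pseudo + 10, (uint16_t)l4len);  /* L4 length */
    return csum_fold(csum_add(csum_add(0, pseudo, 12), l4, l4len));
}

/* Minimum header length and checksum offset of the L4 protocols handled here. */
static int l4_info(uint8_t proto, size_t *hlen, size_t *csum_off)
{
    if (proto == PROTO_UDP) { *hlen = 8;  *csum_off = 6;  return 1; }
    if (proto == PROTO_TCP) { *hlen = 20; *csum_off = 16; return 1; }
    return 0;
}

/* Cut the frame so its IP packet fits `mtu`, then repair lengths and checksums.
 * Returns 1 if truncated, 0 if it already fit, -1 if the packet is not IPv4
 * UDP/TCP or the L4 header itself would not survive the cut. */
int truncate_to_mtu(uint8_t *frame, size_t *len, size_t mtu)
{
    size_t hlen, off;
    if (*len < ETH_HLEN + 20 || get16(frame + 12) != ETHERTYPE_IPV4) return -1;
    if (*len - ETH_HLEN <= mtu) return 0;
    uint8_t *iph = frame + ETH_HLEN;
    size_t ihl = (iph[0] & 0x0f) * 4;
    if (!l4_info(iph[9], &hlen, &off) || mtu < ihl + hlen) return -1;
    uint8_t *l4 = iph + ihl;
    size_t l4len = mtu - ihl;
    put16(iph + 2, (uint16_t)mtu);                        /* new IPv4 total length */
    put16(iph + 10, ipv4_header_checksum(iph));
    if (iph[9] == PROTO_UDP) put16(l4 + 4, (uint16_t)l4len); /* UDP length field */
    put16(l4 + off, 0);                                   /* zero before summing */
    uint16_t c = (uint16_t)~l4_sum(iph, l4, l4len);
    if (iph[9] == PROTO_UDP && c == 0) c = 0xffff;        /* 0 means "no checksum" */
    put16(l4 + off, c);
    *len = ETH_HLEN + mtu;
    return 1;
}

/* Constructed frame: Ethernet + the 0xb861 IPv4 header (total length 115, UDP)
 * + a UDP datagram with an 87-byte filler payload. Returns the frame length. */
size_t build_test_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t iphdr[20] = {
        0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0xb8, 0x61,
        0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
    size_t len = ETH_HLEN + 0x73;
    if (cap < len) return 0;
    memset(buf, 0xff, 6); memset(buf + 6, 0x02, 6);       /* arbitrary MACs */
    put16(buf + 12, ETHERTYPE_IPV4);
    memcpy(buf + ETH_HLEN, iphdr, 20);
    uint8_t *udp = buf + ETH_HLEN + 20;
    put16(udp, 5353); put16(udp + 2, 5353); put16(udp + 4, 95); put16(udp + 6, 0);
    for (size_t i = 8; i < 95; i++) udp[i] = (uint8_t)i;  /* filler payload */
    put16(udp + 6, (uint16_t)~l4_sum(buf + ETH_HLEN, udp, 95));
    return len;
}
```

Truncating the 115-byte IP packet to an 80-byte MTU leaves the header checksum at 0xb884 (the total length fell by 0x23, so the ones' complement checksum rose by 0x23) and the UDP length at 60; l4_sum() over the result returns 0xffff, which is the check a receiver performs.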
\end_layout

\begin_layout Standard
Every now and then, someone emails the tcpreplay-users list asking if there is a bug in tcpreplay which causes it not to send all the packets. This usually happens when the user uses the -t flag or is replaying a high-speed pcap file (> 50Mbps, although this number is dependent on the hardware in use).
\end_layout

\begin_layout Standard
The short version of the answer is: no, we are not aware of any bugs which might cause a few packets to not be sent.
\end_layout

\begin_layout Standard
The longer version goes something like this:
\end_layout

\begin_layout Standard
If you are running tcpreplay multiple times and are using tcpdump or another packet sniffer to count the number of packets sent and are getting different numbers, it's not tcpreplay's fault. The problem lies in one of two places:
\end_layout

\begin_layout Enumerate
It is well known that tcpdump and other sniffers have a problem keeping up with high-speed traffic. Furthermore, the OS in many cases
\emph on
lies
\emph default
about how many packets were dropped. Tcpdump will repeat this lie to you. In other words, tcpdump isn't seeing all the packets. Usually this is a problem with the network card, driver or OS kernel which may or may not be fixable. Try another network card/driver.
\end_layout

\begin_layout Enumerate
When tcpreplay sends a packet, it actually gets copied to a send buffer in the kernel. If this buffer is full, the kernel is supposed to tell tcpreplay that it didn't copy the packet to this buffer. If the kernel has a bug which squelches this error, tcpreplay will not keep trying to send the packet and will move on to the next one. Currently I am not aware of any OS kernels with this bug, but it is possible that it exists. If you find out that your OS has this problem, please let me know so I can list it here.
\end_layout

\begin_layout Standard
If for some reason you still think it's a bug in tcpreplay, by all means read the code and tell me how stupid I am.
The do_packets() function in do_packets.c is where tcpreplay processes the pcap file and sends all of the packets.
\end_layout

\begin_layout Subsection
Can tcpreplay read gzip/bzip2 compressed files?
\end_layout

\begin_layout Standard
Yes, but not directly. Since tcpreplay can read data via STDIN, you can decompress the file on the fly like this:
\end_layout

\begin_layout Standard
\emph on
gzcat myfile.pcap.gz | tcpreplay -i eth0 -
\end_layout

\begin_layout Standard
Note that decompressing on the fly will require additional CPU time and will likely reduce the overall performance of tcpreplay.
\end_layout

\begin_layout Subsection
How fast can tcpreplay send packets?
\end_layout

\begin_layout Standard
First, if performance is important to you, then upgrading to tcpreplay 3.x is worthwhile since it is more optimized than the 1.x or 2.x series. After that, there are a number of variables which affect performance, including how you measure it (packets/sec or bytes/sec). 100Mbps and 120K pps are quite doable. Generally speaking, here are some points to consider:
\end_layout

\begin_layout Itemize
Profiling tcpreplay has shown that a significant amount of time is spent writing packets to the network. Hence, your OS kernel's implementation of writing to raw sockets is one of the most important aspects, since that is where tcpreplay spends most of its time.
\end_layout

\begin_layout Itemize
Like most network based I/O, it is faster to send the same amount of data in a few large packets than in many small packets.
\end_layout

\begin_layout Itemize
Most operating systems will cache disk reads in RAM, making subsequent access to the file faster the second time.
\end_layout

\begin_layout Itemize
Re-opening small files repeatedly will reduce performance. Consider using mergecap to generate a single large file.
\end_layout

\begin_layout Itemize
Network cards and drivers, disk speed (RPM is more important than seek), amount of RAM and system bus speed are all important.
\end_layout

\begin_layout Itemize
In general, servers with faster disks and bus speeds will be faster than desktops, which will be faster than laptops.
\end_layout

\begin_layout Subsection
Is tcpreplay stateful?
\end_layout

\begin_layout Standard
No. Tcpreplay processes each packet in the order it is stored in the pcap file. The default is to send each packet based on the timestamp stored in the pcap file. If your pcap file has packets out of order, tcpreplay will send them out of order. If a packet has an earlier timestamp than the packet before it, tcpreplay will send the second packet as soon as possible.
\end_layout

\begin_layout Standard
The basic point is that if your pcap file is well formed and has the packets in the correct order, then tcpreplay will create a
\begin_inset Quotes eld
\end_inset
stateful
\begin_inset Quotes erd
\end_inset
packet stream. If your pcap file has errors, then tcpreplay will repeat those errors. Garbage in, garbage out.
\end_layout

\begin_layout Section
Testing Methodologies
\end_layout

\begin_layout Standard
A topic which comes up regularly is how to use tcpreplay to test products like intrusion detection/prevention devices (IDS/IPS) and deep inspection firewalls. Generally, I hear people suggest three things:
\end_layout

\begin_layout Enumerate
Use security scanners like Nessus
\end_layout

\begin_layout Enumerate
Use
\begin_inset Quotes eld
\end_inset
real attacks
\begin_inset Quotes erd
\end_inset
like those generated by Metasploit
\end_layout

\begin_layout Enumerate
Use a replay tool like tcpreplay to generate attack traffic
\end_layout

\begin_layout Standard
First, let me say that security scanners like Nessus do a really crappy job of testing the effectiveness of IDS/IPS and firewalls. The simple reason is that security scanners don't try to exploit vulnerabilities because it creates problems on the network.
IT managers don't like it when their servers start rebooting or routers crash, so scanners use other non-aggressive techniques like banner grabbing to find potentially vulnerable systems. Simply put, these non-aggressive techniques often look nothing like a real attack.
\end_layout

\begin_layout Standard
That leaves generating
\begin_inset Quotes eld
\end_inset
real attacks
\begin_inset Quotes erd
\end_inset
and replay tools.
\end_layout

\begin_layout Standard
Advantages of real attacks:
\end_layout

\begin_layout Itemize
It's clear when you have a valid test case because the target system is compromised
\end_layout

\begin_layout Itemize
Exploit code and attack tools are widely available for many attacks
\end_layout

\begin_layout Standard
Disadvantages of real attacks:
\end_layout

\begin_layout Itemize
After the test case is run, the target system may be unstable or corrupted, requiring a reboot or re-install
\end_layout

\begin_layout Itemize
Generally requires two systems: a target (often running VMWare) and an attacker system
\end_layout

\begin_layout Itemize
Installing, configuring and managing various operating systems and applications to attack is a lot of work
\end_layout

\begin_layout Itemize
Difficult to automate test cases since there is no standardized interface to these tools
\end_layout

\begin_layout Itemize
You have to be careful about trojaned exploit code or worms which escape your lab
\end_layout

\begin_layout Standard
Advantages of replay tools:
\end_layout

\begin_layout Itemize
Since both the victim and attacker are virtual, there is no need to reboot/re-install systems after each test
\end_layout

\begin_layout Itemize
A complete test bed requires only a single system with two NICs
\end_layout

\begin_layout Itemize
Once you have a library of pcap files, there is virtually zero management overhead
\end_layout

\begin_layout Itemize
Replay tools provide a common interface to emulating any attack against any OS/application, making automation simple
\end_layout

\begin_layout Itemize
Pcap files are not executable, so trojans and escaping worms aren't an issue
\end_layout

\begin_layout Standard
Disadvantages of replay tools:
\end_layout

\begin_layout Itemize
There are trust issues regarding pcap files. Are you 100% sure that pcap file is correct (not corrupted, doesn't have truncated packets, actually contains the valid exploit)?
\end_layout

\begin_layout Itemize
There are few publicly available pcaps which contain attacks useful for testing, so you must create your own
\end_layout

\begin_layout Section
Required Libraries and Tools
\end_layout

\begin_layout Subsection
Libpcap
\end_layout

\begin_layout Standard
As of tcpreplay v1.4, you'll need to have libpcap installed on your system. As of v2.0, you'll need at least version 0.6.0 or better, but I only test our code with the latest version. Libpcap can be obtained on the tcpdump homepage
\begin_inset Foot
status collapsed

\begin_layout Standard
\begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
\end_inset
\end_layout

\end_inset
.
\end_layout

\begin_layout Subsection
Libnet
\end_layout

\begin_layout Standard
Tcpreplay v1.3 is the last version to support the old libnet API (everything before 1.1.x). As of v1.4 you will need to use Libnet 1.1.0 or better, which can be obtained from the Libnet homepage
\begin_inset Foot
status collapsed

\begin_layout Standard
\begin_inset LatexCommand \htmlurl{http://www.packetfactory.net/Projects/Libnet/}
\end_inset
\end_layout

\end_inset
.
\end_layout

\begin_layout Subsection
Libpcapnav
\end_layout

\begin_layout Standard
Starting with v2.0, tcpreplay can use libpcapnav to support the jump offset feature. If libpcapnav is not found on the system, that feature will be disabled. Libpcapnav can be found on the NetDude homepage
\begin_inset Foot
status collapsed

\begin_layout Standard
\begin_inset LatexCommand \htmlurl{http://netdude.sourceforge.net/}
\end_inset
\end_layout

\end_inset
.
\end_layout

\begin_layout Subsection
Tcpdump
\end_layout

\begin_layout Standard
As of 2.0, tcpreplay uses tcpdump (the binary, not code) to decode packets to STDOUT in a human readable (with practice) format as it sends them. If you would like this feature, tcpdump must be installed on your system.
\end_layout

\begin_layout Standard
\noun on
Note:
\noun default
The location of the tcpdump binary is hardcoded in tcpreplay at compile time. If tcpdump gets renamed or moved, the feature will become disabled.
\end_layout

\begin_layout Section
Other pcap tools available
\end_layout

\begin_layout Subsection
Tools to capture network traffic or decode pcap files
\end_layout

\begin_layout Itemize
tcpdump
\newline
\begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
\end_inset
\end_layout

\begin_layout Itemize
ethereal
\newline
\begin_inset LatexCommand \htmlurl{http://www.ethereal.com/}
\end_inset
\end_layout

\begin_layout Itemize
ettercap
\newline
\begin_inset LatexCommand \htmlurl{http://ettercap.sourceforge.net/}
\end_inset
\end_layout

\begin_layout Subsection
Tools to edit pcap files
\end_layout

\begin_layout Itemize
tcpslice
\newline
Splits pcap files into smaller files
\newline
\begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
\end_inset
\end_layout

\begin_layout Itemize
mergecap
\newline
Merges two pcap capture files into one
\newline
\begin_inset LatexCommand \htmlurl{http://www.ethreal.com/}
\end_inset
\end_layout

\begin_layout Itemize
pcapmerge
\newline
Merges two or more pcap capture files into one
\newline
\begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
\end_inset
\end_layout

\begin_layout Itemize
editcap
\newline
Converts capture file formats (pcap, snoop, etc)
\newline
\begin_inset LatexCommand \htmlurl{http://www.ethreal.com/}
\end_inset
\end_layout

\begin_layout Itemize
netdude
\newline
GTK based pcap capture file editor. Allows editing most anything in the packet.
\newline
\begin_inset LatexCommand \htmlurl{http://netdude.sourceforge.net/}
\end_inset
\end_layout

\begin_layout Subsection
Other useful tools
\end_layout

\begin_layout Itemize
capinfo
\newline
Prints statistics and basic information about a pcap file
\newline
\begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
\end_inset
\end_layout

\begin_layout Itemize
text2pcap
\newline
Generates a pcap capture file from a hex dump
\newline
\begin_inset LatexCommand \htmlurl{http://www.ethreal.com/}
\end_inset
\end_layout

\begin_layout Itemize
tcpflow
\newline
Extracts and reassembles the data portion on a per-flow basis on live traffic or pcap capture files
\newline
\begin_inset LatexCommand \htmlurl{http://www.circlemud.org/~jelson/software/tcpflow/}
\end_inset
\end_layout

\end_body
\end_document