NAME

tcpprep - Create a tcpreplay cache cache file from a pcap file.

SYNOPSIS

tcpprep [-flag [value]]... [--opt-name [[=| ]value]]...

All arguments must be options.

tcpprep is a pcap(3) file pre-processor which creates a cache file which provides "rules" for tcprewrite(1) and tcpreplay(1) on how to process and send packets.

DESCRIPTION

This manual page documents, briefly, the tcpprep command. The basic operation of tcpreplay is to resend all packets from the input file(s) out a single file. Tcpprep processes a pcap file and applies a set of user-specified rules to create a cache file which tells tcpreplay wether or not to send each packet and which interface the packet should be sent out of.

OPTIONS

-d number, --dbug=number

Enable debugging output. This option may appear up to 1 times. The default number for this option is:


0

If configured with --enable-debug, then you can specify a verbosity level for debugging output. Higher numbers increase verbosity.

-a string, --auto=string

Auto-split mode. This option may appear up to 1 times. This option must not appear in combination with any of the following options: cidr, port, regex.

Tcpprep will try to automatically determine the primary function of hosts based on the traffic captured and classify each host as client or server. In order to do so, you must provide a hint to tcpprep as to how to search for clients and servers. Valid hints are:

bridge Bridge mode processes each packet to try to determine if the sender is a client or server. Once all the packets are processed, the results are weighed according to the server/client ratio (--ratio) and systems are assigned an interface. If tcpprep is unable to determine what role a system plays, tcpprep will abort.

router Router mode works just like bridge mode, except that after weighing is done, systems which are undetermined are considered a server if they fall inside a network known to contain other servers. Router has a greater chance of successfully splitting clients and servers but is not 100% foolproof.

client Client mode works just like bridge mode, except that unclassified systems are treated as clients. Client mode should always complete successfully.

server Server mode works just like bridge mode, except that unclassified systems are treated as servers. Server mode should always complete successfully.


-c string, --cidr=string

CIDR-split mode. This option may appear up to 1 times. This option must not appear in combination with any of the following options: auto, port, regex.

Specify a comma delimited list of CIDR netblocks to match against the source IP of each packet. Packets matching any of the CIDR's are classified as servers.

-r string, --regex=string

Regex-split mode. This option may appear up to 1 times. This option must not appear in combination with any of the following options: auto, port, cidr.

Specify a regular expression to match against the source IP of each packet. Packets matching the regex are classified as servers.

-p, --port

Port-split mode. This option must not appear in combination with any of the following options: auto, regex, cidr.

Specifies that TCP and UDP traffic should be classified as client or server based upon the destination port of the header.

-C string, --comment=string

Embeded cache file comment. This option may appear up to 1 times.

Specify a comment to be imbedded within the output cache file and later viewed.

--no-arg-comment

Do not embed any cache file comment. This option may appear up to 1 times.

By default, tcpprep includes the arguments passed on the command line in the cache file comment (in addition to any user specified --comment). If for some reason you do not wish to include this, specify this option.

-x string, --include=string

Include only packets matching rule. This option may appear up to 1 times. This option must not appear in combination with any of the following options: exclude.

Override default of sending all packets stored in the capture file and only send packets which match the provided rule. Rules can be one of:

S:<CIDR1>,... - Source IP must match specified CIDR(s)

D:<CIDR1>,... - Destination IP must match specified CIDR(s)

B:<CIDR1>,... - Both source and destination IP must match specified CIDR(s)

E:<CIDR1>,... - Either IP must match specified CIDR(s)

P:<LIST> - Must be one of the listed packets where the list corresponds to the packet number in the capture file.

    -x P:1-5,9,15,72-

would send packets 1 thru 5, the 9th and 15th packet, and packets 72 until the end of the file

F:'<bpf>' - BPF filter. See the tcpdump(8) man page for syntax.


-X string, --exclude=string

Exclude any packet matching this rule. This option may appear up to 1 times. This option must not appear in combination with any of the following options: include.

Override default of sending all packets stored in the capture file and only send packets which do not match the provided rule. Rules can be one of:

S:<CIDR1>,... - Source IP must not match specified CIDR(s)

D:<CIDR1>,... - Destination IP must not match specified CIDR(s)

B:<CIDR1>,... - Both source and destination IP must not match specified CIDR(s)

E:<CIDR1>,... - Either IP must not match specified CIDR(s)

P:<LIST> - Must not be one of the listed packets where the list corresponds to the packet number in the capture file.

    -x P:1-5,9,15,72-

would drop packets 1 thru 5, the 9th and 15th packet, and packets 72 until the end of the file


-o string, --cachefile=string

Output cache file. This option may appear up to 1 times.

-i string, --pcap=string

Input pcap file to process. This option may appear up to 1 times.

-P string, --print-comment=string

Print embedded comment in the specified cache file.

-I string, --print-info=string

Print basic info from the specified cache file.

-s string, --services=string

Load services file for server ports.

This option has not been fully documented.

-N, --nonip

Send non-IP traffic out server interface.

By default, non-IP traffic which can not be classified as client or server is classified as "client". Specifiying --nonip will reclassify non-IP traffic as "server".

-R string, --ratio=string

Ratio of client to server packets. This option may appear up to 1 times. This option must appear in combination with the following options: auto.

Since a given host may have both client and server traffic being sent to/from it, tcpprep uses a ratio to weigh these packets. If you would like to override the default of 2:1 server to client packets required for a host to be classified as a server, specify it as a floating point value.

-m number, --minmask=number

Minimum network mask length in auto mode. This option may appear up to 1 times. This option must appear in combination with the following options: auto.

By default, auto modes use a minimum network mask length of 30 bits to build networks containing clients and servers. This allows you to override this value. Larger values will increase performance but may provide inaccurate results.

-M number, --maxmask=number

Maximum network mask length in auto mode. This option may appear up to 1 times. This option must appear in combination with the following options: auto.

By default, auto modes use a maximum network mask length of 8 bits to build networks containing clients and servers. This allows you to override this value. Larger values will decrease performance and accuracy but will provide greater chance of success.

-v, --verbose

Print decoded packets via tcpdump to STDOUT. This option may appear up to 1 times.

-A string, --decode=string

Arguments passed to tcpdump decoder. This option may appear up to 1 times. This option must appear in combination with the following options: verbose.

When enabling verbose mode (-v) you may also specify one or more additional arguments to pass to tcpdump to modify the way packets are decoded. By default, -n and -l are used. Be sure to quote the arguments so that they are not interpreted by tcprewrite. The following arguments are valid: [ -aAeNqRStuvxX ] [ -E spi@ipaddr algo:secret,... ] [ -s snaplen ]

-V, --version

Print version information.

-h, --less-help

Display less usage information and exit.

This option has not been fully documented.

-H, --help

Display usage information and exit.

-!, --more-help

Extended usage information passed thru pager.

- [rcfile], --save-opts[=rcfile]

Save the option state to rcfile. The default is the last configuration file listed in the OPTION PRESETS section, below.

- rcfile, --load-opts=rcfile, --no-load-opts

Load options from rcfile. The no-load-opts form will disable the loading of earlier RC/INI files. --no-load-opts is handled early, out of order.

OPTION PRESETS

Any option that is not marked as not presettable may be preset by loading values from configuration ("RC" or ".INI") file(s). The homerc file is "$$/", unless that is a directory. In that case, the file ".tcppreprc" is searched for within that directory.

SEE ALSO

tcpdump(1), tcprewrite(1), tcpreplay(1)

AUTHOR

Copyright 2000-2005 Aaron Turner

For support please use the tcpreplay-users@lists.sourceforge.net mailing list.

Released under the Free BSD License.

This manual page was AutoGen-erated from the tcpprep option definitions.