123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448 |
- .de1 NOP
- . it 1 an-trap
- . if \\n[.$] \,\\$*\/
- ..
- .ie t \
- .ds B-Font [CB]
- .ds I-Font [CI]
- .ds R-Font [CR]
- .el \
- .ds B-Font B
- .ds I-Font I
- .ds R-Font R
- .TH tcpprep 1 "26 Aug 2022" "tcpprep" "User Commands"
- .\"
- .\" DO NOT EDIT THIS FILE (in-mem file)
- .\"
- .\" It has been AutoGen-ed
- .\" From the definitions tcpprep_opts.def
- .\" and the template file agman-cmd.tpl
- .SH NAME
- \f\*[B-Font]tcpprep\fP
- \- Create a tcpreplay cache cache file from a pcap file.
- .SH SYNOPSIS
- \f\*[B-Font]tcpprep\fP
- .\" Mixture of short (flag) options and long options
- [\f\*[B-Font]\-flags\f[]]
- [\f\*[B-Font]\-flag\f[] [\f\*[I-Font]value\f[]]]
- [\f\*[B-Font]\-\-option-name\f[][[=| ]\f\*[I-Font]value\f[]]]
- .sp \n(Ppu
- .ne 2
- All arguments must be options.
- .sp \n(Ppu
- .ne 2
- tcpprep is a \fIpcap(3)\fP file pre-processor which creates a cache
- file which provides "rules" for \fItcprewrite(1)\fP and \fItcpreplay(1)\fP
- on how to process and send packets.
- .SH "DESCRIPTION"
- The basic operation of tcpreplay is to resend all packets from the
- input file(s) out a single file. Tcpprep processes a pcap file and
- applies a set of user-specified rules to create a cache file which
- tells tcpreplay whether or not to send each packet and which interface the
- packet should be sent out of.
- .sp
- For more details, please see the Tcpreplay Manual at:
- http://tcpreplay.appneta.com
- .SH "OPTIONS"
- .TP
- .NOP \f\*[B-Font]\-d\f[] \f\*[I-Font]number\f[], \f\*[B-Font]\-\-dbug\f[]=\f\*[I-Font]number\f[]
- Enable debugging output.
- This option may appear up to 1 times.
- This option takes an integer number as its argument.
- The value of
- \f\*[I-Font]number\f[]
- is constrained to being:
- .in +4
- .nf
- .na
- in the range 0 through 5
- .fi
- .in -4
- The default
- \f\*[I-Font]number\f[]
- for this option is:
- .ti +4
- 0
- .sp
- If configured with \--enable-debug, then you can specify a verbosity
- level for debugging output. Higher numbers increase verbosity.
- .TP
- .NOP \f\*[B-Font]\-a\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-auto\f[]=\f\*[I-Font]string\f[]
- Auto-split mode.
- This option may appear up to 1 times.
- This option must not appear in combination with any of the following options:
- cidr, port, regex, mac.
- .sp
- Tcpprep will try to automatically determine the primary function of hosts
- based on the traffic captured and classify each host as client or server.
- In order to do so, you must provide a hint to tcpprep as to how to search
- for clients and servers. Valid hints are:
- .sp
- .sp 1
- \fBbridge\fP
- Bridge mode processes each packet to try to determine if the sender is a
- client or server. Once all the packets are processed, the results are weighed
- according to the server/client ratio (\fB--ratio\fP) and systems are assigned an
- interface. If tcpprep is unable to determine what role a system plays, tcpprep
- will abort.
- .sp 1
- \fBrouter\fP
- Router mode works just like bridge mode, except that after weighing is done,
- systems which are undetermined are considered a server if they fall inside a
- network known to contain other servers. Router has a greater chance of
- successfully splitting clients and servers but is not 100% foolproof.
- .sp 1
- \fBclient\fP
- Client mode works just like bridge mode, except that unclassified systems are
- treated as clients. Client mode should always complete successfully.
- .sp 1
- \fBserver\fP
- Server mode works just like bridge mode, except that unclassified systems are
- treated as servers. Server mode should always complete successfully.
- .sp 1
- \fBfirst\fP
- First mode works by looking at the first time each IP is seen in the SRC and DST
- fields in the IP header. If the host is first seen in the SRC field, it is a
- client and if it's first seen in the DST field, it is marked as a server. This
- effectively replicates the processing of the tomahawk test tool. First
- mode should always complete successfully.
- .br
- .TP
- .NOP \f\*[B-Font]\-c\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-cidr\f[]=\f\*[I-Font]string\f[]
- CIDR-split mode.
- This option may appear up to 1 times.
- This option must not appear in combination with any of the following options:
- auto, port, regex, mac.
- .sp
- Specify a comma delimited list of CIDR netblocks to match against
- the source IP of each packet. Packets matching any of the CIDR's
- are classified as servers.
- .sp
- IPv4 Example:
- .nf
- \--cidr=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
- .fi
- IPv6 Example:
- .nf
- \--cidr=[::ffff:0:0/96],[fe80::/16]
- .fi
- .TP
- .NOP \f\*[B-Font]\-r\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-regex\f[]=\f\*[I-Font]string\f[]
- Regex-split mode.
- This option may appear up to 1 times.
- This option must not appear in combination with any of the following options:
- auto, port, cidr, mac.
- .sp
- Specify a regular expression to match against the source IP of each
- packet. Packets matching the regex are classified as servers.
- .TP
- .NOP \f\*[B-Font]\-p\f[], \f\*[B-Font]\-\-port\f[]
- Port-split mode.
- This option may appear up to 1 times.
- This option must not appear in combination with any of the following options:
- auto, regex, cidr, mac.
- .sp
- Specifies that TCP and UDP traffic over IPv4 and IPv6 should be classified
- as client or server based upon the destination port of the header.
- .TP
- .NOP \f\*[B-Font]\-e\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-mac\f[]=\f\*[I-Font]string\f[]
- Source MAC split mode.
- This option may appear up to 1 times.
- This option must not appear in combination with any of the following options:
- auto, regex, cidr, port.
- .sp
- Specify a list of MAC addresses to match against the source MAC
- of each packet. Packets matching one of the values are classified
- as servers.
- .TP
- .NOP \f\*[B-Font]\-\-reverse\f[]
- Matches to be client instead of server.
- This option may appear up to 1 times.
- .sp
- Normally the \fB--mac\fP, \fB--regex\fP and \fB--cidr\fP flags specify are used to specify
- the servers and non-IP packets are classified as clients. By using \fB--reverse\fP, these
- features are reversed so that the flags specify clients and non-IP packets are classified as
- servers.
- .TP
- .NOP \f\*[B-Font]\-C\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-comment\f[]=\f\*[I-Font]string\f[]
- Embedded cache file comment.
- This option may appear up to 1 times.
- .sp
- Specify a comment to be imbedded within the output cache file and later
- viewed.
- .TP
- .NOP \f\*[B-Font]\-\-no\-arg\-comment\f[]
- Do not embed any cache file comment.
- This option may appear up to 1 times.
- .sp
- By default, tcpprep includes the arguments passed on the command line
- in the cache file comment (in addition to any user specified \--comment).
- If for some reason you do not wish to include this, specify this option.
- .TP
- .NOP \f\*[B-Font]\-x\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-include\f[]=\f\*[I-Font]string\f[]
- Include only packets matching rule.
- This option may appear up to 1 times.
- This option must not appear in combination with any of the following options:
- exclude.
- .sp
- Override default of processing all packets stored in the capture file and only
- send/edit packets which match the provided rule. Rules can be one of:
- .sp
- .sp
- .IR "S:<CIDR1>,..."
- - Source IP must match specified IPv4/v6 CIDR(s)
- .sp
- .IR "D:<CIDR1>,..."
- - Destination IP must match specified IPv4/v6 CIDR(s)
- .sp
- .IR "B:<CIDR1>,..."
- - Both source and destination IP must match specified IPv4/v6 CIDR(s)
- .sp
- .IR "E:<CIDR1>,..."
- - Either IP must match specified IPv4/v6 CIDR(s)
- .sp
- .IR "P:<LIST>"
- - Must be one of the listed packets where the list
- corresponds to the packet number in the capture file.
- .nf
- \-x P:1-5,9,15,72-
- .fi
- would process packets 1 through 5, the 9th and 15th packet, and packets 72 until the
- end of the file
- .sp
- .IR "F:'<bpf>'"
- - BPF filter. See the \fItcpdump(8)\fP man page for syntax.
- .br
- .TP
- .NOP \f\*[B-Font]\-X\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-exclude\f[]=\f\*[I-Font]string\f[]
- Exclude any packet matching this rule.
- This option may appear up to 1 times.
- This option must not appear in combination with any of the following options:
- include.
- .sp
- Override default of processing all packets stored in the capture file and only
- send/edit packets which do NOT match the provided rule. Rules can be one of:
- .sp
- .sp
- .IR "S:<CIDR1>,..."
- - Source IP must not match specified IPv4/v6 CIDR(s)
- .sp
- .IR "D:<CIDR1>,..."
- - Destination IP must not match specified IPv4/v6 CIDR(s)
- .sp
- .IR "B:<CIDR1>,..."
- - Both source and destination IP must not match specified IPv4/v6 CIDR(s)
- .sp
- .IR "E:<CIDR1>,..."
- - Either IP must not match specified IPv4/v6 CIDR(s)
- .sp
- .IR "P:<LIST>"
- - Must not be one of the listed packets where the list
- corresponds to the packet number in the capture file.
- .nf
- \-x P:1-5,9,15,72-
- .fi
- would skip packets 1 through 5, the 9th and 15th packet, and packets 72 until the
- end of the file
- .br
- .TP
- .NOP \f\*[B-Font]\-o\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-cachefile\f[]=\f\*[I-Font]string\f[]
- Output cache file.
- This option may appear up to 1 times.
- .sp
- .TP
- .NOP \f\*[B-Font]\-i\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-pcap\f[]=\f\*[I-Font]string\f[]
- Input pcap file to process.
- This option may appear up to 1 times.
- .sp
- .TP
- .NOP \f\*[B-Font]\-P\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-print\-comment\f[]=\f\*[I-Font]string\f[]
- Print embedded comment in the specified cache file.
- This option may appear up to 1 times.
- .sp
- .TP
- .NOP \f\*[B-Font]\-I\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-print\-info\f[]=\f\*[I-Font]string\f[]
- Print basic info from the specified cache file.
- This option may appear up to 1 times.
- .sp
- .TP
- .NOP \f\*[B-Font]\-S\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-print\-stats\f[]=\f\*[I-Font]string\f[]
- Print statistical information about the specified cache file.
- This option may appear up to 1 times.
- .sp
- .TP
- .NOP \f\*[B-Font]\-s\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-services\f[]=\f\*[I-Font]string\f[]
- Load services file for server ports.
- This option may appear up to 1 times.
- This option must appear in combination with the following options:
- port.
- .sp
- Uses a list of ports used by servers in the same format as of /etc/services:
- <service_name> <port>/<protocol> # comment
- .sp
- Example:
- http 80/tcp
- .TP
- .NOP \f\*[B-Font]\-N\f[], \f\*[B-Font]\-\-nonip\f[]
- Send non-IP traffic out server interface.
- This option may appear up to 1 times.
- .sp
- By default, non-IP traffic which can not be classified as client
- or server is classified as "client". Specifying \fB--nonip\fP
- will reclassify non-IP traffic as "server". Note that the meaning
- of this flag is reversed if \fB--reverse\fP is used.
- .TP
- .NOP \f\*[B-Font]\-R\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-ratio\f[]=\f\*[I-Font]string\f[]
- Ratio of client to server packets.
- This option may appear up to 1 times.
- This option must appear in combination with the following options:
- auto.
- The default
- \f\*[I-Font]string\f[]
- for this option is:
- .ti +4
- 2.0
- .sp
- Since a given host may have both client and server traffic being sent
- to/from it, tcpprep uses a ratio to weigh these packets. If you would
- like to override the default of 2:1 server to client packets required for
- a host to be classified as a server, specify it as a floating point value.
- .TP
- .NOP \f\*[B-Font]\-m\f[] \f\*[I-Font]number\f[], \f\*[B-Font]\-\-minmask\f[]=\f\*[I-Font]number\f[]
- Minimum network mask length in auto mode.
- This option may appear up to 1 times.
- This option must appear in combination with the following options:
- auto.
- This option takes an integer number as its argument.
- The value of
- \f\*[I-Font]number\f[]
- is constrained to being:
- .in +4
- .nf
- .na
- in the range 0 through 32
- .fi
- .in -4
- The default
- \f\*[I-Font]number\f[]
- for this option is:
- .ti +4
- 30
- .sp
- By default, auto modes use a minimum network mask length of 30 bits
- to build networks containing clients and servers. This allows you
- to override this value. Larger values will increase performance but
- may provide inaccurate results.
- .TP
- .NOP \f\*[B-Font]\-M\f[] \f\*[I-Font]number\f[], \f\*[B-Font]\-\-maxmask\f[]=\f\*[I-Font]number\f[]
- Maximum network mask length in auto mode.
- This option may appear up to 1 times.
- This option must appear in combination with the following options:
- auto.
- This option takes an integer number as its argument.
- The value of
- \f\*[I-Font]number\f[]
- is constrained to being:
- .in +4
- .nf
- .na
- in the range 0 through 32
- .fi
- .in -4
- The default
- \f\*[I-Font]number\f[]
- for this option is:
- .ti +4
- 8
- .sp
- By default, auto modes use a maximum network mask length of 8 bits
- to build networks containing clients and servers. This allows you
- to override this value. Larger values will decrease performance
- and accuracy but will provide greater chance of success.
- .TP
- .NOP \f\*[B-Font]\-v\f[], \f\*[B-Font]\-\-verbose\f[]
- Print decoded packets via tcpdump to STDOUT.
- This option may appear up to 1 times.
- .sp
- .TP
- .NOP \f\*[B-Font]\-A\f[] \f\*[I-Font]string\f[], \f\*[B-Font]\-\-decode\f[]=\f\*[I-Font]string\f[]
- Arguments passed to tcpdump decoder.
- This option may appear up to 1 times.
- This option must appear in combination with the following options:
- verbose.
- .sp
- When enabling verbose mode (\fB-v\fP) you may also specify one or
- more additional arguments to pass to \fBtcpdump\fP to modify
- the way packets are decoded. By default, \-n and \-l are used.
- Be sure to quote the arguments so that they are not interpreted
- by tcprewrite. The following arguments are valid:
- [ \-aAeNqRStuvxX ]
- [ \-E spi@ipaddr algo:secret,... ]
- [ \-s snaplen ]
- .TP
- .NOP \f\*[B-Font]\-V\f[], \f\*[B-Font]\-\-version\f[]
- Print version information.
- .sp
- .TP
- .NOP \f\*[B-Font]\-h\f[], \f\*[B-Font]\-\-less\-help\f[]
- Display less usage information and exit.
- .sp
- This option has not been fully documented.
- .TP
- .NOP \f\*[B-Font]\-H\f[], \f\*[B-Font]\-\-help\f[]
- Display usage information and exit.
- .TP
- .NOP \f\*[B-Font]\-\&!\f[], \f\*[B-Font]\-\-more-help\f[]
- Pass the extended usage information through a pager.
- .TP
- .NOP \f\*[B-Font]\-\-save-opts\f[] [=\f\*[I-Font]cfgfile\f[]]
- Save the option state to \fIcfgfile\fP. The default is the \fIlast\fP
- configuration file listed in the \fBOPTION PRESETS\fP section, below.
- The command will exit after updating the config file.
- .TP
- .NOP \f\*[B-Font]\-\-load-opts\f[]=\f\*[I-Font]cfgfile\f[], \f\*[B-Font]\-\-no-load-opts\f[]
- Load options from \fIcfgfile\fP.
- The \fIno-load-opts\fP form will disable the loading
- of earlier config/rc/ini files. \fI\-\-no-load-opts\fP is handled early,
- out of order.
- .PP
- .SH "OPTION PRESETS"
- Any option that is not marked as \fInot presettable\fP may be preset
- by loading values from configuration ("RC" or ".INI") file(s).
- The \fIhomerc\fP file is "\fI$$/\fP", unless that is a directory.
- In that case, the file "\fI.tcppreprc\fP"
- is searched for within that directory.
- .SH "FILES"
- See \fBOPTION PRESETS\fP for configuration files.
- .SH "EXIT STATUS"
- One of the following exit values will be returned:
- .TP
- .NOP 0 " (EXIT_SUCCESS)"
- Successful program execution.
- .TP
- .NOP 1 " (EXIT_FAILURE)"
- The operation failed or the command syntax was not valid.
- .TP
- .NOP 66 " (EX_NOINPUT)"
- A specified configuration file could not be loaded.
- .TP
- .NOP 70 " (EX_SOFTWARE)"
- libopts had an internal operational error. Please report
- it to autogen-users@lists.sourceforge.net. Thank you.
- .PP
- .SH "AUTHORS"
- Copyright 2013-2022 Fred Klassen \- AppNeta
- Copyright 2000-2012 Aaron Turner
- For support please use the tcpreplay-users@lists.sourceforge.net mailing list.
- The latest version of this software is always available from:
- http://tcpreplay.appneta.com/
- .SH "COPYRIGHT"
- Copyright (C) 2000-2022 Aaron Turner and Fred Klassen all rights reserved.
- This program is released under the terms of the GNU General Public License, version 3 or later.
- .SH "BUGS"
- Please send bug reports to: tcpreplay-users@lists.sourceforge.net
- .SH "NOTES"
- This manual page was \fIAutoGen\fP-erated from the \fBtcpprep\fP
- option definitions.
|