
  1. autogen definitions options;
  2. copyright = {
  3. date = "2000-2008";
  4. owner = "Aaron Turner";
  5. type = "bsd";
  6. author = <<- EOText
  7. Copyright 2000-2008 Aaron Turner
  8. For support please use the tcpreplay-users@lists.sourceforge.net mailing list.
  9. The latest version of this software is always available from:
  10. http://tcpreplay.synfin.net/
  11. EOText;
  12. };
  13. package = "tcpprep";
  14. prog-name = "tcpprep";
  15. prog-title = "Create a tcpreplay cache file from a pcap file.";
  16. long-opts;
  17. gnu-usage;
  18. help-value = "H";
  19. save-opts-value = "";
  20. load-opts-value = "";
  21. config-header = "config.h";
  22. include = "#include \"defines.h\"\n"
  23. "#include \"common.h\"\n"
  24. "#include \"config.h\"\n"
  25. "#include \"tcpprep.h\"\n"
  26. "#include <stdlib.h>\n"
  27. "#include <string.h>\n"
  28. "extern tcpprep_opt_t options;\n";
  29. homerc = "$$/";
  30. explain = <<- EOExplain
  31. tcpprep is a @file{pcap(3)} file pre-processor which creates a cache
  32. file which provides "rules" for @file{tcprewrite(1)} and @file{tcpreplay(1)}
  33. on how to process and send packets.
  34. EOExplain;
  35. detail = <<- EODetail
  36. The basic operation of tcpreplay is to resend all packets from the
  37. input file(s) out a single file. Tcpprep processes a pcap file and
  38. applies a set of user-specified rules to create a cache file which
  39. tells tcpreplay whether or not to send each packet and which interface the
  40. packet should be sent out of.
  41. For more details, please see the Tcpreplay Manual at:
  42. http://tcpreplay.synfin.net/trac/wiki/manual
  43. EODetail;
  44. man-doc = <<- EOMan
  45. .SH "SEE ALSO"
  46. tcpdump(1), tcprewrite(1), tcpreplay(1)
  47. EOMan;
  48. flag = {
  49. ifdef = DEBUG;
  50. name = dbug;
  51. value = d;
  52. arg-type = number;
  53. max = 1;
  54. immediate;
  55. arg-range = "0->5";
  56. arg-default = 0;
  57. descrip = "Enable debugging output";
  58. doc = <<- EOText
  59. If configured with --enable-debug, then you can specify a verbosity
  60. level for debugging output. Higher numbers increase verbosity.
  61. EOText;
  62. };
  63. /* Modes: -a bridge/router/client/server, -c (cidr) */
  64. flag = {
  65. name = auto;
  66. value = a;
  67. descrip = "Auto-split mode";
  68. arg-type = string;
  69. max = 1;
  70. flags-cant = cidr;
  71. flags-cant = port;
  72. flags-cant = regex;
  73. flags-cant = mac;
  74. flag-code = <<- EOAuto
  /* Select the automatic client/server classifier named by the --auto hint. */
  75. options.mode = AUTO_MODE;
  76. if (strcmp(OPT_ARG(AUTO), "bridge") == 0) {
  77. options.automode = BRIDGE_MODE;
  78. }
  79. else if (strcmp(OPT_ARG(AUTO), "router") == 0) {
  80. options.automode = ROUTER_MODE;
  81. }
  82. else if (strcmp(OPT_ARG(AUTO), "client") == 0) {
  83. options.automode = CLIENT_MODE;
  84. }
  85. else if (strcmp(OPT_ARG(AUTO), "server") == 0) {
  86. options.automode = SERVER_MODE;
  87. }
  88. else if (strcmp(OPT_ARG(AUTO), "first") == 0) {
  89. options.automode = FIRST_MODE;
  90. }
  91. else {
  /* Any other hint is fatal: errx() exits, so automode is never left unset once mode == AUTO_MODE. */
  92. errx(-1, "Invalid auto mode type: %s", OPT_ARG(AUTO));
  93. }
  94. EOAuto;
  95. doc = <<- EOText
  96. Tcpprep will try to automatically determine the primary function of hosts
  97. based on the traffic captured and classify each host as client or server.
  98. In order to do so, you must provide a hint to tcpprep as to how to search
  99. for clients and servers. Valid hints are:
  100. @table @bullet
  101. @item
  102. @var{bridge}
  103. Bridge mode processes each packet to try to determine if the sender is a
  104. client or server. Once all the packets are processed, the results are weighed
  105. according to the server/client ratio (@samp{--ratio}) and systems are assigned an
  106. interface. If tcpprep is unable to determine what role a system plays, tcpprep
  107. will abort.
  108. @item
  109. @var{router}
  110. Router mode works just like bridge mode, except that after weighing is done,
  111. systems which are undetermined are considered a server if they fall inside a
  112. network known to contain other servers. Router has a greater chance of
  113. successfully splitting clients and servers but is not 100% foolproof.
  114. @item
  115. @var{client}
  116. Client mode works just like bridge mode, except that unclassified systems are
  117. treated as clients. Client mode should always complete successfully.
  118. @item
  119. @var{server}
  120. Server mode works just like bridge mode, except that unclassified systems are
  121. treated as servers. Server mode should always complete successfully.
  122. @item
  123. @var{first}
  124. First mode works by looking at the first time each IP is seen in the SRC and DST
  125. fields in the IP header. If the host is first seen in the SRC field, it is a
  126. client and if it's first seen in the DST field, it is marked as a server. This
  127. effectively replicates the processing of the tomahawk test tool. First
  128. mode should always complete successfully.
  129. @end table
  130. EOText;
  131. };
  132. flag = {
  133. name = cidr;
  134. value = c;
  135. descrip = "CIDR-split mode";
  136. arg-type = string;
  137. max = 1;
  138. flags-cant = auto;
  139. flags-cant = port;
  140. flags-cant = regex;
  141. flags-cant = mac;
  142. flag-code = <<- EOCidr
  /* Parse the --cidr netblock list into options.cidrdata. Works on a heap copy of the
   * argument: parse_cidr() is handed a delimiter, so it presumably tokenises the
   * string in place -- TODO confirm against parse_cidr(). */
  143. char *cidr = safe_strdup(OPT_ARG(CIDR));
  144. options.mode = CIDR_MODE;
  145. if (!parse_cidr(&options.cidrdata, cidr, ","))
  146. errx(-1, "Unable to parse CIDR map: %s", OPT_ARG(CIDR)); /* fatal: exits before free(), which is acceptable here */
  147. free(cidr);
  148. EOCidr;
  149. doc = <<- EOText
  150. Specify a comma delimited list of CIDR netblocks to match against
  151. the source IP of each packet. Packets matching any of the CIDRs
  152. are classified as servers.
  153. EOText;
  154. };
  155. flag = {
  156. name = regex;
  157. value = r;
  158. descrip = "Regex-split mode";
  159. arg-type = string;
  160. max = 1;
  161. flags-cant = auto;
  162. flags-cant = port;
  163. flags-cant = cidr;
  164. flags-cant = mac;
  165. flag-code = <<- EORegex
  /* Compile the user-supplied --regex into options.preg (extended syntax, match/no-match only). */
  166. int regex_error;
  167. char ebuf[EBUF_SIZE];
  168. options.mode = REGEX_MODE;
  169. if ((regex_error = regcomp(&options.preg, OPT_ARG(REGEX),
  170. REG_EXTENDED|REG_NOSUB))) {
  /* regerror() renders the failure into the fixed-size buffer and truncates rather than overflowing it. */
  171. regerror(regex_error, &options.preg, ebuf, EBUF_SIZE);
  172. errx(-1, "Unable to compile regex: %s", ebuf);
  173. }
  /* NOTE(review): the compiled pattern stays in options.preg; the matching regfree() is not visible here. */
  174. EORegex;
  175. doc = <<- EOText
  176. Specify a regular expression to match against the source IP of each
  177. packet. Packets matching the regex are classified as servers.
  178. EOText;
  179. };
  180. flag = {
  181. name = port;
  182. value = p;
  183. descrip = "Port-split mode";
  184. max = 1;
  185. flags-cant = auto;
  186. flags-cant = regex;
  187. flags-cant = cidr;
  188. flags-cant = mac;
  189. flag-code = <<- EOPort
  190. options.mode = PORT_MODE; /* classify by destination port; the port table comes from --services (see that flag) or a default not visible here */
  191. EOPort;
  192. doc = <<- EOText
  193. Specifies that TCP and UDP traffic should be classified as client
  194. or server based upon the destination port of the header.
  195. EOText;
  196. };
  197. flag = {
  198. name = mac;
  199. value = e;
  200. arg-type = string;
  201. max = 1;
  202. descrip = "Source MAC split mode";
  203. flags-cant = auto;
  204. flags-cant = regex;
  205. flags-cant = cidr;
  206. flags-cant = port;
  207. flag-code = <<- EOMac
  208. options.mode = MAC_MODE;
  /* Keep a heap copy of the raw --mac argument; it is stored unparsed at this point. */
  209. options.maclist = safe_strdup(OPT_ARG(MAC));
  210. EOMac;
  211. doc = <<- EOText
  212. Specify a list of MAC addresses to match against the source MAC
  213. of each packet. Packets matching one of the values are classified
  214. as servers.
  215. EOText;
  216. };
  217. flag = {
  218. name = reverse;
  219. max = 1;
  220. descrip = "Matches to be client instead of server";
  221. doc = <<- EOText
  222. Normally the @samp{--mac}, @samp{--regex} and @samp{--cidr} flags are used to specify
  223. the servers, and non-IP packets are classified as clients. By using @samp{--reverse}, this
  224. is reversed so that the flags specify clients and non-IP packets are classified as
  225. servers.
  226. EOText;
  227. };
  228. flag = {
  229. name = comment;
  230. value = C;
  231. arg-type = string;
  232. max = 1;
  233. descrip = "Embedded cache file comment";
  234. flag-code = <<- EOComment
  235. /* our comment_len is only 16bit - myargs[] */
  /* Reject a --comment that cannot fit in the 16-bit on-disk length field once
   * MYARGS_LEN bytes are reserved for the auto-generated argument comment.
   * The bound is exact (> rather than >=); the check is against untrusted
   * command-line input, so it must stay ahead of the copy below. */
  236. if (strlen(OPT_ARG(COMMENT)) > ((1 << 16) - 1 - MYARGS_LEN))
  237. errx(-1, "Comment length %zu is longer then max allowed (%d)",
  238. strlen(OPT_ARG(COMMENT)), (1 << 16) - 1 - MYARGS_LEN);
  239. /* save the comment */
  /* strcpy() is bounded by construction: the destination is allocated at exactly strlen()+1 bytes. */
  240. options.comment = (char *)safe_malloc(strlen(OPT_ARG(COMMENT)) + 1);
  241. strcpy(options.comment, OPT_ARG(COMMENT));
  242. EOComment;
  243. doc = <<- EOText
  244. Specify a comment to be embedded within the output cache file and later
  245. viewed.
  246. EOText;
  247. };
  248. flag = {
  249. name = no-arg-comment;
  250. max = 1;
  251. descrip = "Do not embed any cache file comment";
  252. flag-code = <<- EOCode
  253. options.nocomment = 1; /* suppress the auto-generated command-line comment; presumably a user --comment is still stored (per the doc text) -- confirm in the cache writer */
  254. EOCode;
  255. doc = <<- EOText
  256. By default, tcpprep includes the arguments passed on the command line
  257. in the cache file comment (in addition to any user specified --comment).
  258. If for some reason you do not wish to include this, specify this option.
  259. EOText;
  260. };
  261. /* Include/Exclude */
  262. flag = {
  263. name = include;
  264. value = x;
  265. arg-type = string;
  266. max = 1;
  267. descrip = "Include only packets matching rule";
  268. flags-cant = exclude;
  269. flag-code = <<- EOInclude
  /* Parse the --include rule into options.xX (and options.bpf for F: rules). */
  270. char *include;
  /* Private copy: parse_xX_str() presumably tokenises in place -- TODO confirm. */
  271. include = safe_strdup(OPT_ARG(INCLUDE));
  /* Seeds the include/exclude direction; presumably read by parse_xX_str() through &options.xX,
   * since the next line overwrites mode with the parser's result -- verify. */
  272. options.xX.mode = xX_MODE_INCLUDE;
  273. if ((options.xX.mode = parse_xX_str(&options.xX, include, &options.bpf)) == xXError)
  274. errx(-1, "Unable to parse include/exclude rule: %s", OPT_ARG(INCLUDE)); /* fatal: exits before free() */
  275. free(include);
  276. EOInclude;
  277. doc = <<- EOText
  278. Override default of processing all packets stored in the capture file and only
  279. send/edit packets which match the provided rule. Rules can be one of:
  280. @table @bullet
  281. @item S:<CIDR1>,...
  282. - Source IP must match specified CIDR(s)
  283. @item D:<CIDR1>,...
  284. - Destination IP must match specified CIDR(s)
  285. @item B:<CIDR1>,...
  286. - Both source and destination IP must match specified CIDR(s)
  287. @item E:<CIDR1>,...
  288. - Either IP must match specified CIDR(s)
  289. @item P:<LIST>
  290. - Must be one of the listed packets where the list
  291. corresponds to the packet number in the capture file.
  292. @example
  293. -x P:1-5,9,15,72-
  294. @end example
  295. would process packets 1 through 5, the 9th and 15th packet, and packets 72 until the
  296. end of the file
  297. @item F:'<bpf>'
  298. - BPF filter. See the @file{tcpdump(8)} man page for syntax.
  299. @end table
  300. EOText;
  301. };
  302. flag = {
  303. name = exclude;
  304. value = X;
  305. arg-type = string;
  306. max = 1;
  307. descrip = "Exclude any packet matching this rule";
  308. flags-cant = include;
  309. flag-code = <<- EOExclude
  /* Parse the --exclude rule into options.xX (and options.bpf for F: rules). */
  310. char *exclude;
  /* Private copy: parse_xX_str() presumably tokenises in place -- TODO confirm. */
  311. exclude = safe_strdup(OPT_ARG(EXCLUDE));
  /* Seeds the include/exclude direction; presumably read by parse_xX_str() through &options.xX,
   * since the next line overwrites mode with the parser's result -- verify. */
  312. options.xX.mode = xX_MODE_EXCLUDE;
  313. if ((options.xX.mode = parse_xX_str(&options.xX, exclude, &options.bpf)) == xXError)
  314. errx(-1, "Unable to parse include/exclude rule: %s", OPT_ARG(EXCLUDE)); /* fatal: exits before free() */
  315. free(exclude);
  316. EOExclude;
  317. doc = <<- EOText
  318. Override default of processing all packets stored in the capture file and only
  319. send/edit packets which do NOT match the provided rule. Rules can be one of:
  320. @table @bullet
  321. @item S:<CIDR1>,...
  322. - Source IP must not match specified CIDR(s)
  323. @item D:<CIDR1>,...
  324. - Destination IP must not match specified CIDR(s)
  325. @item B:<CIDR1>,...
  326. - Both source and destination IP must not match specified CIDR(s)
  327. @item E:<CIDR1>,...
  328. - Either IP must not match specified CIDR(s)
  329. @item P:<LIST>
  330. - Must not be one of the listed packets where the list
  331. corresponds to the packet number in the capture file.
  332. @example
  333. -x P:1-5,9,15,72-
  334. @end example
  335. would skip packets 1 through 5, the 9th and 15th packet, and packets 72 until the
  336. end of the file
  337. @end table
  338. EOText;
  339. };
  340. flag = {
  341. name = cachefile;
  342. value = o;
  343. arg-type = string;
  344. max = 1;
  345. descrip = "Output cache file";
  346. doc = "";
  347. };
  348. flag = {
  349. name = pcap;
  350. value = i;
  351. descrip = "Input pcap file to process";
  352. arg-type = string;
  353. max = 1;
  354. doc = "";
  355. };
  356. flag = {
  357. name = print-comment;
  358. value = P;
  359. arg-type = string;
  360. descrip = "Print embedded comment in the specified cache file";
  361. max = 1;
  362. doc = "";
  363. };
  364. flag = {
  365. name = print-info;
  366. value = I;
  367. arg-type = string;
  368. descrip = "Print basic info from the specified cache file";
  369. max = 1;
  370. doc = "";
  371. };
  372. flag = {
  373. name = print-stats;
  374. value = S;
  375. arg-type = string;
  376. descrip = "Print statistical information about the specified cache file";
  377. max = 1;
  378. doc = "";
  379. };
  380. flag = {
  381. name = services;
  382. value = s;
  383. descrip = "Load services file for server ports";
  384. flags-must = port;
  385. max = 1;
  386. arg-type = string;
  387. doc = <<- EOText
  388. Uses a list of ports used by servers in the same format as /etc/services:
  389. <service_name> <port>/<protocol> # comment
  390. Example:
  391. http 80/tcp
  392. EOText;
  393. flag-code = <<- EOServices
  394. parse_services(OPT_ARG(SERVICES), &options.services); /* loads the user-supplied services file; no return value is checked here, so any error handling for a malformed file must live inside parse_services() -- not visible from this fragment */
  395. EOServices;
  396. };
  397. flag = {
  398. name = nonip;
  399. value = N;
  400. descrip = "Send non-IP traffic out server interface";
  401. max = 1;
  402. flag-code = <<- EONonip
  403. options.nonip = DIR_SERVER; /* send otherwise-unclassifiable non-IP traffic to the server side; --reverse flips this meaning (per the doc text) */
  404. EONonip;
  405. doc = <<- EOText
  406. By default, non-IP traffic which can not be classified as client
  407. or server is classified as "client". Specifying @samp{--nonip}
  408. will reclassify non-IP traffic as "server". Note that the meaning
  409. of this flag is reversed if @samp{--reverse} is used.
  410. EOText;
  411. };
  412. flag = {
  413. name = ratio;
  414. value = R;
  415. arg-type = string;
  416. max = 1;
  417. flags-must = auto;
  418. arg_default = "2.0";
  419. descrip = "Ratio of client to server packets";
  420. doc = <<- EOText
  421. Since a given host may have both client and server traffic being sent
  422. to/from it, tcpprep uses a ratio to weigh these packets. If you would
  423. like to override the default of 2:1 server to client packets required for
  424. a host to be classified as a server, specify it as a floating point value.
  425. EOText;
  426. };
  427. flag = {
  428. name = minmask;
  429. value = m;
  430. descrip = "Minimum network mask length in auto mode";
  431. flags-must = auto;
  432. max = 1;
  433. arg-type = number;
  434. arg-range = "0->32";
  435. arg_default = 30;
  436. doc = <<- EOText
  437. By default, auto modes use a minimum network mask length of 30 bits
  438. to build networks containing clients and servers. This allows you
  439. to override this value. Larger values will increase performance but
  440. may provide inaccurate results.
  441. EOText;
  442. };
  443. flag = {
  444. name = maxmask;
  445. value = M;
  446. descrip = "Maximum network mask length in auto mode";
  447. flags-must = auto;
  448. max = 1;
  449. arg-type = number;
  450. arg-range = "0->32";
  451. arg_default = 8;
  452. doc = <<- EOText
  453. By default, auto modes use a maximum network mask length of 8 bits
  454. to build networks containing clients and servers. This allows you
  455. to override this value. Larger values will decrease performance
  456. and accuracy but will provide greater chance of success.
  457. EOText;
  458. };
  459. flag = {
  460. ifdef = ENABLE_VERBOSE;
  461. name = verbose;
  462. value = v;
  463. max = 1;
  464. immediate;
  465. descrip = "Print decoded packets via tcpdump to STDOUT";
  466. settable;
  467. doc = "";
  468. };
  469. flag = {
  470. ifdef = ENABLE_VERBOSE;
  471. name = decode;
  472. flags-must = verbose;
  473. value = A;
  474. arg-type = string;
  475. max = 1;
  476. descrip = "Arguments passed to tcpdump decoder";
  477. doc = <<- EOText
  478. When enabling verbose mode (@samp{-v}) you may also specify one or
  479. more additional arguments to pass to @code{tcpdump} to modify
  480. the way packets are decoded. By default, -n and -l are used.
  481. Be sure to quote the arguments so that they are not interpreted
  482. by tcprewrite. The following arguments are valid:
  483. [ -aAeNqRStuvxX ]
  484. [ -E spi@ipaddr algo:secret,... ]
  485. [ -s snaplen ]
  486. EOText;
  487. };
  488. flag = {
  489. name = version;
  490. value = V;
  491. descrip = "Print version information";
  492. flag-code = <<- EOVersion
  /* Print the version/build banner to stderr and exit successfully; every
   * format string below is a literal, so nothing user-controlled reaches
   * fprintf()'s format argument. Note that exit(0) means --version never
   * returns to option processing. */
  493. fprintf(stderr, "tcpprep version: %s (build %s)", VERSION, svn_version());
  494. #ifdef DEBUG
  495. fprintf(stderr, " (debug)");
  496. #endif
  497. fprintf(stderr, "\n");
  498. fprintf(stderr, "Copyright 2001-2009 by Aaron Turner <aturner at synfin dot net>\n");
  499. fprintf(stderr, "Cache file supported: %s\n", CACHEVERSION);
  500. #ifdef HAVE_LIBDNET
  501. fprintf(stderr, "Compiled against libdnet: %s\n", LIBDNET_VERSION);
  502. #else
  503. fprintf(stderr, "Not compiled with libdnet.\n");
  504. #endif
  505. #ifdef HAVE_WINPCAP
  506. fprintf(stderr, "Compiled against winpcap: %s\n", get_pcap_version());
  507. #else
  508. fprintf(stderr, "Compiled against libpcap: %s\n", get_pcap_version());
  509. #endif
  510. #ifdef ENABLE_64BITS
  511. fprintf(stderr, "64 bit packet counters: enabled\n");
  512. #else
  513. fprintf(stderr, "64 bit packet counters: disabled\n");
  514. #endif
  515. #ifdef ENABLE_VERBOSE
  516. fprintf(stderr, "Verbose printing via tcpdump: enabled\n");
  517. #else
  518. fprintf(stderr, "Verbose printing via tcpdump: disabled\n");
  519. #endif
  520. exit(0);
  521. EOVersion;
  522. doc = "";
  523. };
  524. flag = {
  525. name = less-help;
  526. value = "h";
  527. immediate;
  528. descrip = "Display less usage information and exit";
  529. flag-code = <<- EOHelp
  530. USAGE(EXIT_FAILURE); /* prints the short usage and exits with a failure status even though help was explicitly requested -- confirm this is intended (the full --help path via help-value "H" is generated separately) */
  531. EOHelp;
  532. };