FAQ.lyx.svn-base 58 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277
  1. #LyX 1.3 created this file. For more info see http://www.lyx.org/
  2. \lyxformat 221
  3. \textclass article
  4. \language english
  5. \inputencoding latin1
  6. \fontscheme times
  7. \graphics default
  8. \paperfontsize default
  9. \spacing single
  10. \papersize letterpaper
  11. \paperpackage a4
  12. \use_geometry 1
  13. \use_amsmath 0
  14. \use_natbib 0
  15. \use_numerical_citations 0
  16. \paperorientation portrait
  17. \leftmargin 10mm
  18. \topmargin 10mm
  19. \rightmargin 10mm
  20. \bottommargin 15mm
  21. \secnumdepth 4
  22. \tocdepth 3
  23. \paragraph_separation skip
  24. \defskip medskip
  25. \quotes_language english
  26. \quotes_times 2
  27. \papercolumns 1
  28. \papersides 1
  29. \paperpagestyle default
  30. \layout Title
  31. Tcpreplay 2.x FAQ
  32. \layout Author
  33. Aaron Turner <aturner_AT_pobox.com>
  34. \newline
  35. http://tcpreplay.sourceforge.net/
  36. \layout Date
  37. Last Edited:
  38. \newline
  39. Sept 6, 2004
  40. \layout Standard
  41. \pagebreak_top \pagebreak_bottom
  42. \begin_inset LatexCommand \tableofcontents{}
  43. \end_inset
  44. \layout Part
  45. Before You Start
  46. \layout Section
  47. General Info
  48. \layout Subsection
  49. What is this FAQ for?
  50. \layout Standard
  51. Tcpreplay is a suite of powerful tools, but with that power comes complexity.
  52. While I have done my best to write good man pages for tcpreplay and it's
  53. associated utilities, I understand that many people may want more information
  54. then I can provide in the man pages.
  55. Additionally, this FAQ attempts to cover material which I feel will be
  56. of use to people using tcpreplay, as well as common questions that occur
  57. on the Tcpreplay-Users <tcpreplay-users@lists.sourceforge.net> mailing list.
  58. \layout Subsection
  59. What tools come with tcpreplay?
  60. \layout Itemize
  61. tcpreplay - replay ethernet packets stored in a pcap file as they were captured
  62. \layout Itemize
  63. tcpprep - a pcap pre-processor for tcpreplay
  64. \layout Itemize
  65. flowreplay
  66. \begin_inset Foot
  67. collapsed false
  68. \layout Standard
  69. Flowreplay is still
  70. \begin_inset Quotes eld
  71. \end_inset
  72. alpha
  73. \begin_inset Quotes erd
  74. \end_inset
  75. quality and is not usable for most situations.
  76. Anyone interested in helping me develop flowreplay is encouraged to contact
  77. me.
  78. \end_inset
  79. - connects to a server(s) and replays the client side of the connection
  80. stored in a pcap file
  81. \layout Itemize
  82. pcapmerge - merges two or more pcap files into one
  83. \layout Itemize
  84. capinfo - displays basic information about a pcap file
  85. \layout Subsection
  86. How can I get tcpreplay's source?
  87. \layout Standard
  88. The source code is available in tarball format on the tcpreplay homepage:
  89. \begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
  90. \end_inset
  91. I also encourage users familiar with CVS to try checking out the latest
  92. code as it often has additional features and bugfixes not found in the
  93. tarballs.
  94. \layout Standard
  95. cvs -d:pserver:anonymous@cvs.sf.net:/cvsroot/tcpreplay login
  96. \newline
  97. Pass:
  98. \emph on
  99. <Enter>
  100. \emph default
  101. \newline
  102. cvs -z3 -d:pserver:anonymous@cvs.sf.net:/cvsroot/tcpreplay co tcpreplay
  103. \layout Subsection
  104. What requirements does tcpreplay have?
  105. \layout Enumerate
  106. You'll need the libnet and libpcap libraries.
  107. \layout Enumerate
  108. To support the jump to offset feature, you'll need the libpcapnav
  109. \begin_inset Foot
  110. collapsed false
  111. \layout Standard
  112. http://netdude.sourceforge.net/
  113. \end_inset
  114. library.
  115. \layout Enumerate
  116. To support the packet decoding feature you'll need tcpdump
  117. \begin_inset Foot
  118. collapsed false
  119. \layout Standard
  120. http://www.tcpdump.org/
  121. \end_inset
  122. installed.
  123. \layout Enumerate
  124. You'll also need a compatible operating system.
  125. Basically, any UNIX-like or UNIX-based operating system should work.
  126. Linux, *BSD, Solaris, OS X and others should all work.
  127. If you find any compatibility issues with any UNIX-like/based OS, please
  128. let me know.
  129. \layout Subsection
  130. How do I compile tcpreplay?
  131. \layout Standard
  132. Two easy steps:
  133. \layout Enumerate
  134. As a normal user:
  135. \emph on
  136. ./configure && make
  137. \emph default
  138. \layout Enumerate
  139. As root:
  140. \emph on
  141. make test -i && make install
  142. \layout Standard
  143. There are some optional arguments which can be passed to the configure script
  144. which may help in cases where your libnet, libpcap, libpcapnav or tcpdump
  145. installation is not standard or if it can't determine the correct network
  146. interface card to use for testing.
  147. If you find that configure isn't completing correctly, run:
  148. \emph on
  149. ./configure --help
  150. \emph default
  151. for more information.
  152. \layout Standard
  153. A few comments about 'make test':
  154. \layout Itemize
  155. make test is just a series of sanity checks which try to find serious bugs
  156. (crashes) in tcpprep and tcpreplay.
  157. \layout Itemize
  158. make test requires at least one properly configured network interface.
  159. If the configure script can't guess what a valid interface is you can specify
  160. it with the --with-testnic and --with-testnic2 arguments.
  161. \layout Itemize
  162. If make test fails, often you can find details in test/test.log.
  163. \layout Itemize
  164. OpenBSD's make has a bug where it ignores the MAKEFLAGS variable in the
  165. Makefile, hence you'll probably want to run:
  166. \emph on
  167. make -is test
  168. \emph default
  169. instead.
  170. \layout Subsection
  171. Are there binaries available?
  172. \layout Standard
  173. Occasionally.
  174. And even when we do, generally only for one or two operating systems.
  175. Generally speaking, we assume people who want to use a tool like this can
  176. figure out how to compile it.
  177. \layout Subsection
  178. Is there a Microsoft Windows port?
  179. \layout Standard
  180. Not really.
  181. We had one user port the code over for a slightly old version of tcpreplay
  182. to Windows.
  183. Now we're looking for someone to help merge and maintain the code in to
  184. the main development tree.
  185. If you're interested in helping with this please contact Aaron Turner or
  186. the tcpreplay-users list.
  187. \layout Subsection
  188. How is tcpreplay licensed?
  189. \layout Standard
  190. Tcpreplay is licensed under a BSD-style license.
  191. For details, see Appendix A.
  192. \layout Subsection
  193. What is tcpreplay?
  194. \layout Standard
  195. In the simplest terms, tcpreplay is a tool to send network traffic stored
  196. in pcap format back onto the network; basically the exact opposite of tcpdump.
  197. Tcpreplay also has the ability to edit various packet headers as the packets
  198. are sent.
  199. Tcpreplay is also a suite of tools: tcpreplay, tcpprep, pcapmerge, capinfo
  200. and flowreplay.
  201. \layout Subsection
  202. What isn't tcpreplay?
  203. \layout Standard
  204. Tcpreplay is
  205. \emph on
  206. not
  207. \emph default
  208. a tool to replay captured traffic to a server or client.
  209. Specifically, tcpreplay does not have the ability to rewrite IP addresses
  210. to a user-specified value or synchronize TCP sequence and acknowledgment
  211. numbers.
  212. In other words, tcpreplay can't
  213. \begin_inset Quotes eld
  214. \end_inset
  215. connect
  216. \begin_inset Quotes erd
  217. \end_inset
  218. to a server or be used to emulate a server and have clients connect to
  219. it.
  220. If you're looking for that, check out flowreplay.
  221. \layout Subsection
  222. What are some uses for tcpreplay?
  223. \layout Standard
  224. Originally, tcpreplay was written to test network intrusion detection systems
  225. (NIDS), however tcpreplay has been used to test firewalls, routers, and
  226. other network devices.
  227. \layout Subsection
  228. What are some uses for flowreplay?
  229. \layout Standard
  230. A lot of people wanted a tool like tcpreplay, but wanted to be able to replay
  231. traffic
  232. \emph on
  233. to
  234. \emph default
  235. a server.
  236. Since tcpreplay was unable to do this, I developed flowreplay which replays
  237. the data portion of the flow, but recreates the connection to the specified
  238. server(s).
  239. This makes flowreplay an ideal tool to test host intrusion detection systems
  240. (HIDS) as well as captured exploits and security patches when the actual
  241. exploit code is not available.
  242. Please note that flowreplay is still alpha quality code and is currently
  243. missing some important features.
  244. \layout Subsection
  245. What happened to version 1.5?
  246. \layout Standard
  247. After looking at all the changes that have happened over the last year or
  248. so, I decided that it was finally time to graduate tcpreplay to 2.0 status.
  249. Hence the 1.5 branch was renamed 2.0.
  250. \layout Subsection
  251. What is the history of tcpreplay?
  252. \layout Standard
  253. Tcpreplay has had quite a few authors over the past five or so years.
  254. One of the advantages of the BSD and GPL licenses is that if someone becomes
  255. unable or unwilling to continue development, anyone else can take over.
  256. \layout Standard
  257. Originally, Matt Undy of Anzen Computing wrote tcpreplay.
  258. Matt released version 1.0.1 sometime in 1999.
  259. Sometime after that, Anzen Computing was (at least partially) purchased
  260. by NFR and development ceased.
  261. \layout Standard
  262. Then in 2001, two people independently started work on tcpreplay: Matt Bing
  263. of NFR and Aaron Turner.
  264. After developing a series of patches (the -adt branch), Aaron attempted
  265. to send the patches in to be included in the main development tree.
  266. \layout Standard
  267. After some discussion between Aaron and Matt Bing, they decided to continue
  268. development together.
  269. Since then, over a dozen stable releases have been made and more then twenty
  270. new features have been added, including the addition of a number of accessory
  271. tools.
  272. \layout Standard
  273. Today, Aaron continues active development of the code.
  274. \layout Section
  275. Bugs, Feature Requests, and Patches
  276. \layout Subsection
  277. Where can I get help, report bugs or contact the developers?
  278. \layout Standard
  279. The best place to get help or report a bug is the Tcpreplay-Users mailing
  280. list:
  281. \newline
  282. \begin_inset LatexCommand \htmlurl{http://lists.sourceforge.net/lists/listinfo/tcpreplay-users}
  283. \end_inset
  284. \layout Subsection
  285. What information should I provide when I report a bug?
  286. \layout Standard
  287. One of the most frustrating things for any developer trying to help a user
  288. with a problem is not enough information.
  289. Please be sure to include
  290. \emph on
  291. at minimum
  292. \emph default
  293. the following information, however any additional information you feel
  294. may be helpful will be appreciated.
  295. \layout Itemize
  296. Version information (output of -V)
  297. \layout Itemize
  298. Command line used (options and arguments)
  299. \layout Itemize
  300. Platform (Red Hat Linux 9 on Intel, Solaris 7 on SPARC, etc)
  301. \layout Itemize
  302. Error message (if available) and/or description of problem
  303. \layout Itemize
  304. If possible, attach the pcap file used (compressed with bzip2 or gzip preferred)
  305. \layout Subsection
  306. I have a feature request, what should I do?
  307. \layout Standard
  308. Let us know! Many of the features exist today because users like you asked
  309. for them.
  310. To make a feature request, you can either email the tcpreplay-users mailing
  311. list (see above) or fill out the feature request form on the tcpreplay
  312. SourceForge website.
  313. \layout Subsection
  314. I've written a patch for tcpreplay, how can I submit it?
  315. \layout Standard
  316. I'm always willing to include new features or bug fixes submitted by users.
  317. You may email me directly or the tcpreplay-users mailing list.
  318. Please
  319. \emph on
  320. do not
  321. \emph default
  322. use the Patch Tracker on the tcpreplay SourceForge web site.
  323. \layout Subsection
  324. Patch requirements
  325. \layout Itemize
  326. Be aware that submitting a patch,
  327. \emph on
  328. you are licensing it under the BSD License
  329. \emph default
  330. as written in Appendix A.
  331. If this is not acceptable to you, then
  332. \emph on
  333. do not
  334. \emph default
  335. send me the patch!
  336. \layout Itemize
  337. If you wish to maintain the copyright over your code, be sure that your
  338. patch contains the appropriate information.
  339. \layout Itemize
  340. Please provide a description of what your patch does!
  341. \layout Itemize
  342. Comment your code! I won't use code I can't understand.
  343. \layout Itemize
  344. Make sure you are patching a branch that is still being maintained.
  345. Generally that means that most recent stable and development branches (1.4
  346. and 2.0 at the time of this writing).
  347. \layout Itemize
  348. Make sure you are patching against the most recent release for that branch.
  349. \layout Itemize
  350. Please submit your patch in the unified diff format so I can better understand
  351. what you're changing.
  352. \layout Itemize
  353. Please provide any relevant personal information you'd like listed in the
  354. CREDITS file.
  355. \layout Standard
  356. Please note that while I'm always interested in patches, I may rewrite some
  357. or all of your submission to maintain a consistent coding style.
  358. \layout Part
  359. Basics
  360. \layout Section
  361. Basic Tcpreplay Usage
  362. \layout Subsection
  363. Replaying the traffic
  364. \layout Standard
  365. To replay a given pcap as it was captured all you need to do is specify
  366. the pcap file and the interface to send the traffic out of:
  367. \layout Standard
  368. \emph on
  369. tcpreplay -i eth0 sample.pcap
  370. \layout Subsection
  371. Replaying at different speeds
  372. \layout Standard
  373. You can also replay the traffic at different speeds then it was originally
  374. captured
  375. \begin_inset Foot
  376. collapsed false
  377. \layout Standard
  378. Tcpreplay makes a "best" effort to replay traffic at the given rate, but
  379. due to limitations in hardware or the pcap file itself, it may not be possible.
  380. Capture files with only a few packets in them are especially susceptible
  381. to this.
  382. \end_inset
  383. .
  384. To support this, tcpreplay supports four different flags: -R, -r, -m, and
  385. -p
  386. \layout Standard
  387. Some examples:
  388. \layout Itemize
  389. To replay traffic as fast as possible:
  390. \newline
  391. \emph on
  392. tcpreplay -R -i eth0 sample.pcap
  393. \layout Itemize
  394. To replay traffic at 10Mbps:
  395. \newline
  396. \emph on
  397. tcpreplay -r 10.0 -i eth0 sample.pcap
  398. \layout Itemize
  399. To replay traffic 7.3 times as fast as it was captured:
  400. \newline
  401. \emph on
  402. tcpreplay -m 7.3 -i eth0 sample.pcap
  403. \layout Itemize
  404. To replay traffic at half-speed:
  405. \newline
  406. \emph on
  407. tcpreplay -m 0.5 -i eth0 sample.pcap
  408. \layout Itemize
  409. To replay at 25.5 packets per second:
  410. \newline
  411. \emph on
  412. tcpreplay -p 25.5 -i eth0 sample.pcap
  413. \layout Subsection
  414. Replaying the same file over and over again
  415. \layout Standard
  416. Using the loop flag (-l) you can specify that a pcap file will be sent two
  417. or more times
  418. \begin_inset Foot
  419. collapsed false
  420. \layout Standard
  421. Looping files resets internal counters which control the speed that the
  422. file is replayed.
  423. Also because the file has to be closed and re-opened, an added delay between
  424. the last and first packet may occur.
  425. \end_inset
  426. :
  427. \layout Itemize
  428. To replay the sample.pcap file 10 times:
  429. \newline
  430. \emph on
  431. tcpreplay -l 10 -i eth0 sample.pcap
  432. \layout Itemize
  433. To replay the sample.pcap an infinitely or until CTRL-C is pressed:
  434. \newline
  435. \emph on
  436. tcpreplay -l 0 -i eth0 sample.pcap
  437. \layout Subsection
  438. Using Configuration Files
  439. \layout Standard
  440. Tcpreplay offers the options of specifying configuration options in a config
  441. file in addition to the traditional command line.
  442. Each configuration option has an equivalent config file option which is
  443. listed in the tcpreplay man page.
  444. To specify the configuration file you'd like to use, use the -f <filename>
  445. option.
  446. \layout Standard
  447. Configuration files have one option per line, and lines beginning with the
  448. pound sign (#) are considered comments and ignored.
  449. An example config file follows:
  450. \layout Standard
  451. # send traffic out 'eth0'
  452. \newline
  453. intf eth0
  454. \newline
  455. \newline
  456. # loop 5 times
  457. \newline
  458. loop 5
  459. \newline
  460. \newline
  461. # send traffic 2x as fast
  462. \newline
  463. multiplier 2
  464. \newline
  465. \newline
  466. # pad any packets out to their original size if they were truncated during
  467. capture
  468. \newline
  469. untruncate pad
  470. \newline
  471. \newline
  472. \newline
  473. \layout Standard
  474. You would then execute:
  475. \newline
  476. \emph on
  477. tcpreplay -f myconfigfile sample.pcap
  478. \layout Part
  479. Advanced Usage
  480. \layout Section
  481. Output: Interfaces, Packets & Files
  482. \layout Subsection
  483. Replaying on multiple interfaces
  484. \layout Standard
  485. Tcpreplay can also split traffic so that each side of a connection is sent
  486. out a different interface
  487. \begin_inset Foot
  488. collapsed false
  489. \layout Standard
  490. Note that you can also use the following options to split traffic into two
  491. files using -w and -W which are described later on in this FAQ.
  492. \end_inset
  493. .
  494. In order to do this, tcpreplay needs the name of the second interface (-j)
  495. and a way to split the traffic.
  496. Currently, there are two ways to split traffic:
  497. \layout Enumerate
  498. -C = split traffic by source IP address which is specified in CIDR notation
  499. \layout Enumerate
  500. -c = split traffic according to a tcpprep cachefile
  501. \begin_inset Foot
  502. collapsed false
  503. \layout Standard
  504. For information on generating tcpprep cache files, see the section on tcpprep.
  505. \end_inset
  506. \layout Standard
  507. When splitting traffic, it is important to remember that traffic that matches
  508. the filter is sent out the primary interface (-i).
  509. In this case, when splitting traffic by source IP address, you provide
  510. a list of networks in CIDR notation.
  511. For example:
  512. \layout Itemize
  513. To send traffic from 10.0.0.0/8 out eth0 and everything else out eth1:
  514. \newline
  515. \emph on
  516. tcpreplay -C 10.0.0.0/8 -i eth0 -j eth1 sample.pcap
  517. \layout Itemize
  518. To send traffic from 10.1.0.0/24 and 10.2.0.0/20 out eth0 and everything else
  519. out eth1:
  520. \newline
  521. \emph on
  522. tcpreplay -C 10.1.0.0/24,10.2.0.0/20 -i eth0 -j eth1 sample.pcap
  523. \layout Itemize
  524. After using tcpprep to generate a cache file, you can use it to split traffic
  525. between two interfaces like this:
  526. \newline
  527. \emph on
  528. tcpreplay -c sample.cache -i eth0 -j eth1 sample.pcap
  529. \layout Subsection
  530. Selectively sending or dropping packets
  531. \layout Standard
  532. Sometimes, you want to do some post-capture filtering of packets.
  533. Tcpreplay let's you have some control over which packets get sent.
  534. \layout Enumerate
  535. -M = disables sending of martian packets.
  536. By definition, martian packets have a source IP of 0.x.x.x, 127.x.x.x, or 255.x.x.x
  537. \layout Enumerate
  538. -x = send packets which match a specific pattern
  539. \layout Enumerate
  540. -X = send packets which do not match a specific pattern
  541. \layout Standard
  542. Both -x and -X support a variety of pattern matching types.
  543. These types are specified by a single character, followed by a colon, followed
  544. by the pattern.
  545. The following pattern matching types are available:
  546. \layout Enumerate
  547. S - Source IP
  548. \newline
  549. Pattern is a comma delimited CIDR notation
  550. \layout Enumerate
  551. D - Destination IP
  552. \newline
  553. Pattern is a comma delimited CIDR notation
  554. \layout Enumerate
  555. B - Both source and destination IP must match
  556. \newline
  557. Pattern is a comma delimited CIDR notation
  558. \layout Enumerate
  559. E - Either source or destination IP must match
  560. \newline
  561. Pattern is a comma delimited CIDR notation
  562. \layout Enumerate
  563. P - A list of packet numbers from the pcap file.
  564. \newline
  565. Pattern is a series of numbers, separated by commas or dashes.
  566. \layout Enumerate
  567. F - BPF syntax (same as used in tcpdump).
  568. \newline
  569. Filter must be quoted and is only supported with -x
  570. \begin_inset Foot
  571. collapsed false
  572. \layout Standard
  573. Note that if you want to send all the packets which do not match a bpf filter,
  574. all you have to do is negate the bpf filter.
  575. See the tcpdump(1) man page for more info.
  576. \end_inset
  577. .
  578. \layout Standard
  579. Examples:
  580. \layout Itemize
  581. To only send traffic that is too and from a host in 10.0.0.0/8:
  582. \newline
  583. \emph on
  584. tcpreplay -x B:10.0.0.0/8 -i eth0 sample.pcap
  585. \layout Itemize
  586. To not send traffic that is too or from a host in 10.0.0.0/8:
  587. \newline
  588. \emph on
  589. tcpreplay -X E:10.0.0.0/8 -i eth0 sample.pcap
  590. \layout Itemize
  591. To send every packet except the first 10 packets:
  592. \newline
  593. \emph on
  594. tcpreplay -X P:1-10 -i eth0 sample.pcap
  595. \layout Itemize
  596. To only send the first 50 packets followed by packets: 100, 150, 200 and
  597. 250:
  598. \newline
  599. \emph on
  600. tcpreplay -x P:1-50,100,150,200,250 -i eth0 sample.pcap
  601. \layout Itemize
  602. To only send TCP packets from 10.0.0.1:
  603. \newline
  604. tcpreplay -x F:'tcp and host 10.0.0.1' -i eth0 sample.pcap
  605. \layout Subsection
  606. Replaying only a few packets
  607. \layout Standard
  608. Using the limit packets flag (-L) you can specify that tcpreplay will only
  609. send at most a specified number of packets.
  610. \layout Itemize
  611. To send at most 100 packets:
  612. \newline
  613. \emph on
  614. tcpreplay -i eth0 -L 100 sample.pcap
  615. \layout Subsection
  616. Skipping the first bytes in a pcap file
  617. \layout Standard
  618. If you want to skip the beginning of a pcap file, you can use the offset
  619. flag (-o) to skip a specified number of bytes and start sending on the
  620. next packet.
  621. \layout Itemize
  622. To skip 15Kb into the pcap file and start sending packets from there:
  623. \newline
  624. \emph on
  625. tcpreplay -i eth0 -o 15000 sample.pcap
  626. \layout Subsection
  627. Replaying packets which are bigger then the MTU
  628. \layout Standard
  629. Occasionally, you might find yourself trying to replay a pcap file which
  630. contains packets which are larger then the MTU for the sending interface.
  631. This might be due to the packets being captured on the loopback interface
  632. or on a 1000Mbps ethernet interface supporting
  633. \begin_inset Quotes eld
  634. \end_inset
  635. jumbo frames
  636. \begin_inset Quotes erd
  637. \end_inset
  638. .
  639. I've even seen packets which are 1500 bytes but contain both an ethernet
  640. header and trailer which bumps the total frame size to 1518 which is 4
  641. bytes too large.
  642. \layout Standard
  643. By default, tcpreplay will skip these packets and not send them.
  644. Alternatively, you can specify the -T flag to truncate these packets to
  645. the MTU and then send them.
  646. Of course this may invalidate your testing, but it has proven useful in
  647. certain situations.
  648. Also, when this feature is enabled, tcpreplay will automatically recalculate
  649. the IP and TCP, UDP or ICMP checksums as needed.
  650. Example:
  651. \layout Standard
  652. \emph on
  653. tcpreplay -i eth0 -T sample.pcap
  654. \layout Subsection
  655. Writing packets to a file
  656. \layout Standard
  657. It's not always necessary to write packets to the network.
  658. Since tcpreplay has so many features which modify and select which packets
  659. are sent, it is occasionally useful to save these changes to another pcap
  660. file for comparison.
  661. Rather then running a separate tcpdump process to capture the packets,
  662. tcpreplay now supports output directly to a file.
  663. Example:
  664. \layout Standard
  665. \emph on
  666. tcpreplay -i eth0 -w output.pcap -F -u pad -x E:10.0.0.0/8 input1.pcap input2.pcap
  667. input3.pcap
  668. \layout Standard
  669. Notice that specifying an interface is still required (required for various
  670. internal functions), but all the packets will be written to
  671. \emph on
  672. output.pcap
  673. \emph default
  674. .
  675. \layout Standard
  676. You can also split traffic into two files by using -W <2nd output file>.
  677. \layout Subsection
  678. Extracting Application Data (Layer 7)
  679. \layout Standard
  680. New to version 2.0 is the ability to extract the application layer data from
  681. the packets and write them to a file.
  682. In the man page, we call this
  683. \begin_inset Quotes eld
  684. \end_inset
  685. data dump mode
  686. \begin_inset Quotes erd
  687. \end_inset
  688. which is enabled with -D.
  689. It's important to specify -D before -w (and -W if you're splitting data
  690. into two files).
  691. Example:
  692. \layout Standard
  693. \emph on
  694. tcpreplay -D -i eth0 -j eth0 -w clientdata -W serverdata -C 10.0.0.0/24 sample.pcap
  695. \layout Subsection
  696. Replaying Live Traffic
  697. \layout Standard
  698. You can now replay live traffic sniffed on one network interface and replay
  699. it on another interface using the -S flag to indicate sniff mode and the
  700. appropriate snaplen in bytes (0 denotes the entire packet).
  701. You can also enabling bi-directional traffic using the bridge mode flag:
  702. -b.
  703. \layout Standard
  704. N
  705. \noun on
  706. ote:
  707. \noun default
  708. It is critical for your sanity (and to prevent your murder by your network
  709. administrators) that the input interface and the output interface be on
  710. separate networks and additionally that no other network devices (such
  711. as bridges, switches, routers, etc) be connecting the two networks, else
  712. you will surely get a networkstorm the likes that have not been seen for
  713. years.
  714. \layout Itemize
  715. Send packets sniffed on eth0 out eth1:
  716. \newline
  717. \emph on
  718. tcpreplay -i eth1 -S 0 eth0
  719. \layout Itemize
  720. Bridge two subnets connected to eth0 and eth1:
  721. \newline
  722. \emph on
  723. tcpreplay -i eth0 -j eth1 -b -S 0
  724. \layout Standard
  725. By default, tcpreplay listens in promiscuous mode on the specified interface,
  726. however if you only want to send unicasts directed for the local system
  727. and broadcasts, you can specify the
  728. \begin_inset Quotes eld
  729. \end_inset
  730. not_nosy
  731. \begin_inset Quotes erd
  732. \end_inset
  733. option in the configuration file or -n on the command line.
  734. Note that if another program has already placed the interface in promiscuous
  735. mode, the -n flag will have no effect, so you may want to use the -x or
  736. -X argument to limit packets.
  737. \layout Subsection
  738. Replaying Packet Capture Formats Other Than Libpcap
  739. \layout Standard
  740. There are about as many different capture file formats as there are sniffers.
  741. In the interest of simplicity, tcpreplay only supports libpcap
  742. \begin_inset Foot
  743. collapsed false
  744. \layout Standard
  745. Note that some versions of tcpreplay prior to 1.4 also supported the Solaris
  746. snoop format.
  747. \end_inset
  748. .
  749. If you would like to replay a file in one of these multitude of formats,
  750. the excellent open source tool Ethereal easily allows you to convert it
  751. to libpcap.
  752. For instance, to convert a file in Sun's snoop format to libpcap, issue
  753. the command:
  754. \layout Standard
  755. \emph on
  756. tethereal -r blah.snoop -w blah.pcap
  757. \layout Standard
  758. and replay the resulting file.
  759. \layout Subsection
  760. Replaying Client Traffic to a Server
  761. \layout Standard
  762. A common question on the tcpreplay-users list is how does one replay the
  763. client side of a connection back to a server.
  764. Unfortunately, tcpreplay doesn't support this right now.
  765. The major problem concerns syncing up TCP Seq/Ack numbers which will be
  766. different.
  767. ICMP also often contains IP header information which would need to be adjusted.
  768. About the only thing that could be easy to do is UDP, which isn't usually
  769. requested.
  770. \layout Standard
  771. This is however a feature that we're looking into implementing in the flowreplay
  772. utility.
  773. If you're interested in helping work on this feature, please contact us
  774. and we'd be more then happy to work with you.
  775. At this time however, we don't have an ETA when this will be implemented,
  776. so don't bother asking.
  777. \layout Subsection
  778. Decoding Packets
  779. \layout Standard
  780. If the tcpdump binary is installed on your system when tcpreplay is compiled,
  781. it will allow you to decode packets as they are sent without running tcpdump
  782. in a separate window or worrying about it capturing packets which weren't
  783. sent by tcpreplay.
  784. \layout Itemize
  785. Decode packets as they are sent:
  786. \newline
  787. \emph on
  788. tcpreplay -i eth0 -v sample.pcap
  789. \layout Itemize
  790. Decode packets with the link level header:
  791. \newline
  792. \emph on
  793. tcpreplay -i eth0 -v -A
  794. \begin_inset Quotes eld
  795. \end_inset
  796. -e
  797. \begin_inset Quotes erd
  798. \end_inset
  799. sample.pcap
  800. \layout Itemize
  801. Fully decode and send one packet at a time:
  802. \newline
  803. \emph on
  804. tcpreplay -i eth0 -v -1 -A
  805. \begin_inset Quotes eld
  806. \end_inset
  807. -s0 -evvvxX
  808. \begin_inset Quotes erd
  809. \end_inset
  810. sample.pcap
  811. \layout Standard
  812. Note that tcpreplay automatically applies the -n flag to disable DNS lookups
  813. which would slow down tcpdump too much to make it effective.
  814. \layout Section
  815. Packet Editing
  816. \layout Subsection
  817. Rewriting MAC addresses
  818. \layout Standard
  819. If you ever want to send traffic to another device on a switched LAN, you
  820. may need to change the destination MAC address of the packets.
  821. Tcpreplay allows you to set the destination MAC for each interface independentl
  822. y using the -I and -J switches.
  823. As of version 2.1.0, you can also specify the source MAC via -k and -K.
  824. Example:
  825. \layout Itemize
  826. To send traffic out eth0 with a destination MAC of your router (00:00:01:02:03:0
  827. 4) and the source MAC of the server (00:20:30:40:50:60):
  828. \newline
  829. \emph on
  830. tcpreplay -i eth0 -I 00:00:01:02:03:04 -k 00:20:30:40:50:60 sample.pcap
  831. \layout Itemize
  832. To split traffic between internal (10.0.0.0/24) and external addresses and
  833. to send that traffic to the two interfaces of a firewall:
  834. \newline
  835. \emph on
  836. tcpreplay -i eth0 -j eth1 -I 00:01:00:00:AA:01 -J 00:01:00:00:AA:02 -C 10.0.0.0/24
  837. sample.pcap
  838. \layout Subsection
  839. Randomizing IP addresses
  840. \layout Standard
  841. Occasionally, it is necessary to have tcpreplay rewrite the source and destinati
  842. on IP addresses, yet maintain the client/server relationship.
  843. Such a case might be having multiple copies of tcpreplay running at the
  844. same time using the same pcap file while trying to stress test firewall,
  845. IDS or other stateful device.
  846. If you didn't change the source and destination IP addresses, the device
  847. under test would get confused since it would see multiple copies of the
  848. same connection occurring at the same time.
  849. In order to accomplish this, tcpreplay accepts a user specified seed which
  850. is used to generate pseudo-random IP addresses.
  851. Also, when this feature is enabled, tcpreplay will automatically recalculate
  852. the IP and TCP, UDP or ICMP checksums as needed.
  853. Example:
  854. \layout Standard
  855. \emph on
  856. tcpreplay -i eth0 -s 1239 sample.pcap &
  857. \newline
  858. tcpreplay -i eth0 -s 76 sample.pcap &
  859. \newline
  860. tcpreplay -i eth0 -s 239 sample.pcap &
  861. \newline
  862. tcpreplay -i eth0 sample.pcap
  863. \layout Subsection
  864. Replaying (de)truncated packets
  865. \layout Standard
  866. Occasionally, it is necessary to replay traffic which has been truncated
  867. by tcpdump.
  868. This occurs when the tcpdump snaplen is smaller then the actual packet
  869. size.
  870. Since this will create problems for devices which are expecting a full-sized
  871. packet or attempting checksum calculations, tcpreplay allows you to either
  872. pad the packet with zeros or reset the packet length in the headers to
  873. the actual packet size.
  874. In either case, the IP and TCP, UDP or ICMP checksums are recalculated.
  875. Examples:
  876. \layout Itemize
  877. Pad truncated packets:
  878. \newline
  879. \emph on
  880. tcpreplay -i eth0 -u pad sample.pcap
  881. \layout Itemize
  882. Rewrite packet header lengths to the actual packet size:
  883. \newline
  884. \emph on
  885. tcpreplay -i eth0 -u trunc sample.pcap
  886. \layout Subsection
  887. Rewriting Layer 2 with -2
  888. \layout Standard
  889. Starting in the 2.0.x branch, tcpreplay can replace the existing layer 2 header
  890. with one of your choosing.
  891. This is useful for when you want to change the layer 2 header type or add
  892. a header for pcap files without one.
  893. Each pcap file tells the type of frame.
  894. Currently tcpreplay knows how to deal with the following pcap(3) frame
  895. types:
  896. \layout Itemize
  897. DLT_EN10MB
  898. \newline
  899. Replace existing 802.3/Ethernet II header
  900. \layout Itemize
  901. DLT_RAW
  902. \newline
  903. Frame has no Layer 2 header, so we can add one.
  904. \layout Itemize
  905. DLT_LINUX_SLL
  906. \newline
  907. Frame uses the Linux Cooked Socket header which is most commonly created
  908. with
  909. \emph on
  910. tcpdump -i any
  911. \emph default
  912. on a Linux system.
  913. \layout Standard
  914. Tcpreplay accepts the new Layer 2 header as a string of comma separated
  915. hex values such as: 0xff,0xac,0x00,0x01,0xc0,0x64.
  916. Note that the leading '0x' is
  917. \emph on
  918. not
  919. \emph default
  920. required.
  921. \layout Standard
  922. Potential uses for this are to add a layer 2 header for DLT_RAW captures
  923. or add/remove ethernet tags or QoS features.
  924. \layout Subsection
  925. Rewriting DLT_LINUX_SLL (Linux Cooked Socket) captures
  926. \layout Standard
  927. Tcpdump uses a special frame type to store captures created with the
  928. \begin_inset Quotes eld
  929. \end_inset
  930. -i any
  931. \begin_inset Quotes erd
  932. \end_inset
  933. argument.
  934. This frame type uses a custom 16 byte layer 2 header which tracks which
  935. interface captured the packet and often the source MAC address of the original
  936. ethernet frame.
  937. Unfortunately, it never stores the destination MAC address and it doesn't
  938. store a source MAC when the packet is captured on the loopback interface.
  939. Normally, tcpreplay can't replay these pcap files because there isn't enough
  940. information in the LINUX_SLL header to do so; however two options do exist:
  941. \layout Enumerate
  942. You can send these packets with -2 which will replace the LINUX_SLL header
  943. with an ethernet header of your choosing.
  944. \layout Enumerate
  945. You can specify a destination MAC via -I and -J in which case tcpreplay
  946. will use the stored source MAC and create a new 802.3 Ethernet header.
  947. Note that if the pcap contains loopback packets, you will also need to
  948. specify -k and/or -K to specify the source MAC as well or they will be
  949. skipped.
  950. \layout Subsection
  951. Rewriting IP Addresses (pseudo-NAT)
  952. \layout Standard
  953. Pseudo-NAT allows the mapping of IP addresses in IPv4 and ARP packets from
  954. one subnet to another subnet of the same or different size.
  955. This allows some or all the traffic sent to appear to come from a different
  956. IP subnet then it actually was captured on.
  957. \layout Standard
  958. The mapping is done through a user specified translation table comprised
  959. of one or more source and destination network(s) in the format of <srcnet>/<mas
  960. klen>:<dstnet>/<masklen> deliminated by a comma.
  961. Mapping is done by matching IP addresses to the source subnet and rewriting
  962. the most significant bits with the destination subnet.
  963. For example:
  964. \layout Standard
  965. \emph on
  966. tcpreplay -i eth0 -N 10.100.0.0/16:172.16.10.0/24 sample.pcap
  967. \layout Standard
  968. would match any IP in the 10.100.0.0/16 subnet and rewrite it as if it came
  969. from or sent to the 172.16.10.0/24 subnet.
  970. Ie: 10.100.5.88 would become 172.16.10.88 and 10.100.99.45 would become 172.16.10.45.
  971. But 10.150.7.44 would not be rewritten.
  972. \layout Standard
  973. For any given IP address, the translation table is applied in order (so
  974. if there are multiple mappings, earlier maps take precedence) and occurs
  975. only once per IP (no risk of an address getting rewritten a second time).
  976. \layout Subsection
  977. Advanced pseudo-NAT
  978. \layout Standard
  979. Pseudo-NAT also works with traffic splitting (using two interfaces or output
  980. files) but with a few important differences.
  981. First you have the option of specifying one or two pseudo-NAT tables.
  982. Using a single pseudo-NAT table means that the source and destination IP
  983. addresses of both interfaces are rewritten using the same rules.
  984. Using two pseudo-NAT tables (specifying -N <Table1> -N <Table2>) will cause
  985. the source and destination IP addresses to be rewritten differently for
  986. each interface using the following matrix:
  987. \layout Standard
  988. \align center
  989. \begin_inset Tabular
  990. <lyxtabular version="3" rows="3" columns="3">
  991. <features>
  992. <column alignment="center" valignment="top" leftline="true" width="0">
  993. <column alignment="center" valignment="top" leftline="true" width="0">
  994. <column alignment="center" valignment="top" leftline="true" rightline="true" width="0">
  995. <row topline="true" bottomline="true">
  996. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  997. \begin_inset Text
  998. \layout Standard
  999. \end_inset
  1000. </cell>
  1001. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1002. \begin_inset Text
  1003. \layout Standard
  1004. Out Primary Interface
  1005. \end_inset
  1006. </cell>
  1007. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1008. \begin_inset Text
  1009. \layout Standard
  1010. Out Secondary Interface
  1011. \end_inset
  1012. </cell>
  1013. </row>
  1014. <row topline="true">
  1015. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1016. \begin_inset Text
  1017. \layout Standard
  1018. Src IP
  1019. \end_inset
  1020. </cell>
  1021. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1022. \begin_inset Text
  1023. \layout Standard
  1024. Table 1
  1025. \end_inset
  1026. </cell>
  1027. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1028. \begin_inset Text
  1029. \layout Standard
  1030. Table 2
  1031. \end_inset
  1032. </cell>
  1033. </row>
  1034. <row topline="true" bottomline="true">
  1035. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1036. \begin_inset Text
  1037. \layout Standard
  1038. Dest IP
  1039. \end_inset
  1040. </cell>
  1041. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1042. \begin_inset Text
  1043. \layout Standard
  1044. Table 2
  1045. \end_inset
  1046. </cell>
  1047. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1048. \begin_inset Text
  1049. \layout Standard
  1050. Table 1
  1051. \end_inset
  1052. </cell>
  1053. </row>
  1054. </lyxtabular>
  1055. \end_inset
  1056. \layout Standard
  1057. While seemingly a bit confusing, this feature provides a number of interesting
  1058. possibilities such as the ability to rewrite the IP headers of packets
  1059. in the case where traffic is captured on the loopback interface (and the
  1060. source and destination address is always 127.0.0.1) so that tcpreplay can
  1061. make it look like two different systems are talking to each other (you'll
  1062. probably also need to specify the source and destination MAC addresses
  1063. via -I, -J, -k and -K).
  1064. \layout Subsection
  1065. IP Endpoints
  1066. \layout Standard
  1067. While pseudo-NAT provides a great deal of flexibility, it is often more
  1068. complicated then is necessary for testing of inline devices.
  1069. As a simplier alternative, tcpreplay supports the concept of rewriting
  1070. all traffic to so that it appears to be between two IP addresses:
  1071. \layout Standard
  1072. \emph on
  1073. tcpreplay -i eth0 -j eth1 -c sample.cache -e 10.0.0.1:10.1.1.1 sample.pcap
  1074. \layout Standard
  1075. Will rewrite all the traffic so that it is between 10.0.0.1 and 10.1.1.1.
  1076. The equivalent command using -N would be:
  1077. \layout Standard
  1078. \emph on
  1079. tcpreplay -i eth0 -j eth1 -c sample.cache -N 0.0.0.0/0:10.0.0.1 -N 0.0.0.0/0:10.1.1.1
  1080. sample.pcap
  1081. \layout Subsection
  1082. Unifying Dual-Outputs
  1083. \layout Standard
  1084. Since a number of tcpreplay's packet editing functions require splitting
  1085. traffic between client and servers, one problem that may arrise is needing
  1086. to edit packets but still output to a single interface or file.
  1087. The solution to this is to use the one output option -O which causes packets
  1088. to be processed as if they will be split between the interfaces/files,
  1089. but then always go out the primary interface or file.
  1090. Note that even though only one interface/file will be written to, both
  1091. -i and -j must be specified; although they can be the same physical interface.
  1092. \layout Standard
  1093. \emph on
  1094. tcpreplay -i eth0 -j eth0 -O -c sample.cache -e 10.0.0.1:10.1.1.1 sample.pcap
  1095. \layout Standard
  1096. Merging the output to a single file:
  1097. \layout Standard
  1098. \emph on
  1099. tcpreplay -i eth0 -j eth0 -w rewrite.pcap -c sample.cache -e 10.0.0.1:10.1.1.1 sample.pca
  1100. p
  1101. \layout Section
  1102. Tcpprep Usage
  1103. \layout Subsection
  1104. What is tcpprep?
  1105. \layout Standard
  1106. Tcpreplay can send traffic out two network cards, however it requires the
  1107. calculations be done in real-time.
  1108. These calculations can be expensive and can significantly reduce the throughput
  1109. of tcpreplay.
  1110. \layout Standard
  1111. Tcpprep is a libpcap pre-processor for tcpreplay which enables using two
  1112. network cards to send traffic without the performance hit of doing the
  1113. calculations in real-time.
  1114. \layout Subsection
  1115. How does tcpprep work?
  1116. \layout Standard
  1117. Tcpprep reads in a libpcap (tcpdump) formatted capture file and does some
  1118. processing to generate a tcpreplay cache file.
  1119. This cache file tells tcpreplay which interface a given packet should be
  1120. sent out of.
  1121. \layout Subsection
  1122. Does tcpprep modify my libpcap file?
  1123. \layout Standard
  1124. No.
  1125. \layout Subsection
  1126. Why use tcpprep?
  1127. \layout Standard
  1128. There are three major reasons to use tcpprep:
  1129. \layout Enumerate
  1130. Tcpprep can split traffic based upon more methods and criteria then tcpreplay.
  1131. \layout Enumerate
  1132. By pre-processing the pcap, tcpreplay has a higher theoretical maximum throughpu
  1133. t.
  1134. \layout Enumerate
  1135. By pre-processing the pcap, tcpreplay can be more accurate in timing when
  1136. replaying traffic at normal speed.
  1137. \layout Subsection
  1138. Can a cache file be used for multiple (different) libpcap files?
  1139. \layout Standard
  1140. Cache files have nothing linking them to a given libpcap file, so there
  1141. is nothing to stop you from doing this.
  1142. However running tcpreplay with a cache file from a different libpcap source
  1143. file is likely to cause a lot of problems and is not supported.
  1144. \layout Subsection
  1145. Why would I want to use tcpreplay with two network cards?
  1146. \layout Standard
  1147. Tcpreplay traditionally is good for putting traffic on a given network,
  1148. often used to test a network intrusion detection system (NIDS).
  1149. However, there are cases where putting traffic onto a subnet in this manner
  1150. is not good enough- you have to be able to send traffic *through* a device
  1151. such as a router, firewall, or bridge.
  1152. \layout Standard
  1153. In these cases, being able to use a single source file (libpcap) for both
  1154. ends of the connection solves this problem.
  1155. \layout Subsection
  1156. How big are the cache files?
  1157. \layout Standard
  1158. Very small.
  1159. Actual size depends on the number of packets in the dump file.
  1160. Two bits of data is stored for each packet.
  1161. On a test using a 900MB dump file containing over 500,000 packets, the
  1162. cache file was only 150K.
  1163. \layout Subsection
  1164. What are these 'modes' tcpprep has?
  1165. \layout Standard
  1166. Tcpprep has three basic modes which require the user to specify how to split
  1167. traffic.
  1168. \layout Itemize
  1169. CIDR (-c) mode requires the user to provide a list of networks.
  1170. Any packet with a source IP in one of these networks gets sent out the
  1171. primary interface.
  1172. \layout Itemize
  1173. Regex (-r) mode requires the user to provide a regular expression.
  1174. Any packet with a source IP matching the regex gets sent out the primary
  1175. interface.
  1176. \layout Itemize
  1177. Port (-p) mode splits TCP/UDP traffic based on the destination port in the
  1178. header.
  1179. Normally, ports 0-1023 are considered
  1180. \begin_inset Quotes eld
  1181. \end_inset
  1182. server
  1183. \begin_inset Quotes erd
  1184. \end_inset
  1185. ports and everything else a client port.
  1186. You can create your own custom mapping file in the same format as /etc/services
  1187. (see the services(5) man page for details) by specifying -s <file>.
  1188. \layout Standard
  1189. And four auto modes in which tcpprep decides how to split traffic.
  1190. Auto modes are useful for when you don't know much about the contents of
  1191. the dump file in question and you want to split traffic up based upon servers
  1192. and clients.
  1193. \layout Itemize
  1194. Auto/Router (-a -n router) mode trys to find the largest network(s) that
  1195. contain all the servers and no clients.
  1196. Any unknown system is automatically re-classified as servers if it's inside
  1197. the server network(s), otherwise it is classified as a client.
  1198. \layout Itemize
  1199. Auto/Bridge (-a -n bridge) mode makes the assumption that the clients and
  1200. servers are horribly intermixed on the network and there's no way to subnet
  1201. them.
  1202. While this takes less processing time to create the cache file it is unable
  1203. to deal with unknown systems.
  1204. \layout Itemize
  1205. Auto/Client (-a -n client) mode which works just like Auto/Bridge mode,
  1206. except that any system it can't figure out is treated like a client.
  1207. \layout Itemize
  1208. Auto/Server (-a -n server) mode which works just like Auto/Bridge mode,
  1209. except that any system it can't figure out is treated like a server.
  1210. \layout Subsection
  1211. Splitting traffic based upon IP address
  1212. \layout Standard
  1213. Tcpprep supports the same CIDR mode that tcpreplay supports using the -c
  1214. flag (tcpreplay uses -C).
  1215. Additionally, tcpprep also supports regex(7) regular expressions to match
  1216. source IP addresses using the -r flag.
  1217. \layout Subsection
  1218. Auto Mode
  1219. \layout Subsubsection
  1220. How does Auto/Bridge mode work?
  1221. \layout Standard
  1222. Tcpprep does an initial pass over the libpcap file to build a binary tree
  1223. (one node per IP).
  1224. For each IP, it keeps track of how many times it was a client or server.
  1225. It then does a second pass of the file using the data in the tree and the
  1226. ratio to determine if an IP is a client or server.
  1227. If tcpprep is unable to determine the type (client or server) for each
  1228. and every packet, then auto/bridge mode will fail.
  1229. In these cases, it is best to use a different auto mode.
  1230. \layout Subsubsection
  1231. How does Auto/Router mode work?
  1232. \layout Standard
  1233. Tcpprep does the same first pass as Auto/Bridge mode.
  1234. It then trys to convert the binary tree into a list of networks containing
  1235. the servers.
  1236. Finally it uses the CIDR mode with the list of server networks in a second
  1237. pass of the libpcap file.
  1238. Unlike auto/bridge mode, auto/router mode can always successfully split
  1239. IP addresses into clients and servers.
  1240. \layout Subsubsection
  1241. Determining Clients and Servers
  1242. \layout Standard
  1243. Tcpprep uses the following methods in auto/router and auto/bridge mode to
  1244. determine if an IP address is a client or server:
  1245. \layout Itemize
  1246. Client:
  1247. \begin_deeper
  1248. \layout Itemize
  1249. TCP with Syn flag set
  1250. \layout Itemize
  1251. UDP source/destination port 53 (DNS) without query flag set
  1252. \layout Itemize
  1253. ICMP port unreachable (destination IP of packet)
  1254. \end_deeper
  1255. \layout Itemize
  1256. Server:
  1257. \begin_deeper
  1258. \layout Itemize
  1259. TCP with Syn/Ack flag set
  1260. \layout Itemize
  1261. UDP source/destination port 53 (DNS) with query flag set
  1262. \layout Itemize
  1263. ICMP port unreachable (source IP of packet)
  1264. \end_deeper
  1265. \layout Subsubsection
  1266. Client/Server ratio
  1267. \layout Standard
  1268. Since a system may send traffic which would classify it as both a client
  1269. and server, it's necessary to be able to weigh the traffic.
  1270. This is done by specifying the client/server ratio (-R) which is by default
  1271. set to 2.0.
  1272. The ratio is the modifier to the number of client connections.
  1273. Hence, by default, client connections are valued twice as high as server
  1274. connections.
  1275. \layout Subsection
  1276. Selectively sending/dropping packets
  1277. \layout Standard
  1278. Tcpprep supports the same -x and -X options to selectively send or drop
  1279. packets.
  1280. \layout Subsection
  1281. Using tcpprep cache files with tcpreplay
  1282. \layout Standard
  1283. Just run:
  1284. \layout Standard
  1285. \emph on
  1286. tcpreplay -c sample.cache -i eth0 -j eth1 sample.pcap
  1287. \layout Subsection
  1288. Commenting tcpprep cache files
  1289. \layout Standard
  1290. In versions of tcpprep >= 2.1.0, you can specify a comment to be embeded in
  1291. the tcpprep cache file.
  1292. Comments are user specified and automatically include the command line
  1293. arguments passed to tcpprep.
  1294. \layout Standard
  1295. \emph on
  1296. tcpprep -C
  1297. \begin_inset Quotes eld
  1298. \end_inset
  1299. this is my comment
  1300. \begin_inset Quotes erd
  1301. \end_inset
  1302. -i sample.pcap -o sample.cache <other args>
  1303. \layout Standard
  1304. Or for no user comment, but still embed the command arguments:
  1305. \layout Standard
  1306. \emph on
  1307. tcpprep -C
  1308. \begin_inset Quotes eld
  1309. \end_inset
  1310. \begin_inset Quotes erd
  1311. \end_inset
  1312. -i sample.pcap -o sample.cache <other args>
  1313. \layout Standard
  1314. You can then later on print out the comments by running:
  1315. \layout Standard
  1316. \emph on
  1317. tcpprep -P sample.cache
  1318. \layout Section
  1319. Flowreplay Usage
  1320. \layout Standard
  1321. While tcpreplay is a great way to test NIDS and firewalls, it can't be used
  1322. to test servers or HIDS since tcpreplay can't connect to a service running
  1323. on a device.
  1324. The solution to this problem is flowreplay which instead of sending packets
  1325. at Layer 2 (ethernet header and up), it can actually connect via TCP or
  1326. UDP to server and then sends and receives data based upon a pcap capture
  1327. file created with a tool like Ethereal or tcpdump.
  1328. \layout Standard
  1329. Please note that flowreplay is currently alpha quality and is missing a
  1330. number of key features.
  1331. \layout Subsection
  1332. How flowreplay works
  1333. \layout Standard
  1334. Put simply, flowreplay opens a socket connection to a service on a target
  1335. system(s) and sends data over that socket based on the packet capture.
  1336. Flowreplay has no understanding of the application protocol (like HTTP
  1337. or FTP) so it is somewhat limited in how it can deal with complicated exchanges
  1338. between client and server.
  1339. \layout Standard
  1340. Some of these limitations are:
  1341. \layout Itemize
  1342. Flowreplay only plays the client side
  1343. \begin_inset Foot
  1344. collapsed false
  1345. \layout Standard
  1346. Flowreplay assumes the first UDP packet on a given 4-tuple is the client
  1347. \end_inset
  1348. of the connection.
  1349. \layout Itemize
  1350. Flowreplay doesn't understand the application protocols.
  1351. Hence it can't always deal with the case when the server sends a different
  1352. response then what was originally captured in the pcap file.
  1353. \layout Itemize
  1354. Flowreplay only sends TCP and UDP traffic.
  1355. \layout Itemize
  1356. Flowreplay doesn't know about multi-flow protocols like FTP.
  1357. \layout Itemize
  1358. Flowreplay can't listen on a port and wait for a client to connect to it.
  1359. \layout Subsection
  1360. Running flowreplay
  1361. \layout Standard
  1362. See the flowreplay(8) man page for details.
  1363. \layout Section
  1364. Tuning OS's for high performance
  1365. \layout Standard
  1366. Regardless of the size of physical memory, UNIX kernels will only allocate
  1367. a static amount for network buffers.
  1368. This includes packets sent via the "raw" interface, like with tcpreplay.
  1369. Most kernels will allow you to tweak the size of these buffers, drastically
  1370. increasing performance and accuracy.
  1371. \layout Standard
  1372. N
  1373. \noun on
  1374. ote:
  1375. \noun default
  1376. The following information is provided based upon our own experiences or
  1377. the reported experiences of others.
  1378. Depending on your hardware and specific hardware, it may or may not work
  1379. for you.
  1380. It may even make your system horribly unstable, corrupt your harddrive,
  1381. or worse.
  1382. \layout Standard
  1383. \noun on
  1384. Note
  1385. \noun default
  1386. : Different operating systems, network card drivers, and even hardware can
  1387. have an effect on the accuracy of packet timestamps that tcpdump or other
  1388. capture utilities generate.
  1389. And as you know: garbage in, garbage out.
  1390. \layout Standard
  1391. \noun on
  1392. Note:
  1393. \noun default
  1394. If you have information on tuning the kernel of an operating system not
  1395. listed here, please send it to me so I can include it.
  1396. \layout Subsection
  1397. Linux 2.4.x
  1398. \layout Standard
  1399. The following is known to apply to the 2.4.x series of kernels.
  1400. If anyone has any information regarding other kernel versions, please let
  1401. us know.
  1402. By default Linux's tcpreplay performance isn't all that stellar.
  1403. However, with a simple tweak, relatively decent performance can be had
  1404. on the right hardware.
  1405. By default, Linux specifies a 64K buffer for sending packets.
  1406. Increasing this buffer to about half a megabyte does a good job:
  1407. \layout Standard
  1408. \emph on
  1409. echo 524287 >/proc/sys/net/core/wmem_default
  1410. \newline
  1411. echo 524287 >/proc/sys/net/core/wmem_max
  1412. \newline
  1413. echo 524287 >/proc/sys/net/core/rmem_max
  1414. \newline
  1415. echo 524287 >/proc/sys/net/core/rmem_default
  1416. \layout Standard
  1417. On one system, we've seen a jump from 23.02 megabits/sec (5560 packets/sec)
  1418. to 220.30 megabits/sec (53212 packets/sec) which is nearly a 10x increase
  1419. in performance.
  1420. Depending on your system and capture file, different numbers may provide
  1421. different results.
  1422. \layout Subsection
  1423. *BSD
  1424. \layout Standard
  1425. *BSD systems typically allow you to specify the size of network buffers
  1426. with the NMBCLUSTERS option in the kernel config file.
  1427. Experiment with different sizes to see which yields the best performance.
  1428. See the options(4) man page for more details.
  1429. \layout Section
  1430. Understanding Common Error and Warning Messages
  1431. \layout Subsection
  1432. Can't open eth0: libnet_select_device(): Can't find interface eth0
  1433. \layout Standard
  1434. Generally this occurs when the interface (eth0 in this example) is not up
  1435. or doesn't have an IP address assigned to it.
  1436. \layout Subsection
  1437. Can't open lo: libnet_select_device(): Can't find interface lo
  1438. \layout Standard
  1439. Version 1.1.0 of Libnet is unable to send traffic on the loopback device.
  1440. Upgrade to a later release of the Libnet library to solve this problem.
  1441. \layout Subsection
  1442. Can't open eth0: UID != 0
  1443. \layout Standard
  1444. Tcpreplay requires that you run it as root.
  1445. \layout Subsection
  1446. 100000 write attempts failed from full buffers and were repeated
  1447. \layout Standard
  1448. When tcpreplay displays a message like "100000 write attempts failed from
  1449. full buffers and were repeated", this usually means the kernel buffers
  1450. were full and it had to wait until memory was available.
  1451. This is quite common when replaying files as fast as possible with the
  1452. "-R" option.
  1453. See the tuning OS section in this document for suggestions on solving this
  1454. problem.
  1455. \layout Subsection
  1456. Invalid mac address: 00:00:00:00:00:00
  1457. \layout Standard
  1458. Currently tcpreplay reserves the MAC address of 00:00:00:00:00:00 as reserved
  1459. for internal use.
  1460. Hence you can't rewrite the MAC address of packets to be all zeros.
  1461. While we intend to fix this someday it's not currently high on our priority
  1462. list, so let us know if we should re-prioritize things.
  1463. \layout Subsection
  1464. Unable to process test.cache: cache file version missmatch
  1465. \layout Standard
  1466. Cache files generated by tcpprep and read by tcpreplay are versioned to
  1467. allow enhancements to the cache file format.
  1468. Anytime the cache file format changes, the version is incremented.
  1469. Since this occurs on a very rare basis, this is generally not an issue;
  1470. however anytime there is a change, it breaks compatibility with previously
  1471. created cache files.
  1472. The solution for this problem is to use the same version of tcpreplay and
  1473. tcpprep to read/write the cache files.
  1474. Cache file versions match the following versions of tcpprep/tcpreplay:
  1475. \layout Itemize
  1476. Version 1:
  1477. \newline
  1478. Prior to 1.3.beta1
  1479. \layout Itemize
  1480. Version 2:
  1481. \newline
  1482. 1.3.beta2 to 1.3.1/1.4.beta1
  1483. \layout Itemize
  1484. Version 3:
  1485. \newline
  1486. 1.3.2/1.4.beta2 to 2.0.3
  1487. \layout Itemize
  1488. Version 4:
  1489. \newline
  1490. 2.1.0 and above.
  1491. Note that prior to version 2.3.0, tcpprep had a bug which broke cache file
  1492. compatibility between big and little endian systems.
  1493. \layout Subsection
  1494. Skipping SLL loopback packet.
  1495. \layout Standard
  1496. Your capture file was created on Linux with the 'any' parameter which then
  1497. captured a packet on the loopback interface.
  1498. However, tcpreplay doesn't have enough information to actual send the packet,
  1499. so it skips it.
  1500. Specifying a source and destination MAC address (-I, -k, -J, -K) will allow
  1501. tcpreplay to send these packets.
  1502. \layout Subsection
  1503. Packet length (8892) is greater then MTU; skipping packet.
  1504. \layout Standard
  1505. The packet length (in this case 8892 bytes) is greater then the maximum
  1506. transmition unit (MTU) on the outgoing interface.
  1507. Tcpreplay must skip the packet.
  1508. Alternatively, you can specify the -T option and tcpreplay will truncate
  1509. the packet to the MTU size, fix the checksums and send it.
  1510. \layout Subsection
  1511. Why is tcpreplay not sending all the packets?
  1512. \layout Standard
  1513. Every now and then, someone emails the tcpreplay-users list, asking if there
  1514. is a bug in tcpreplay which causes it not to send all the packets.
  1515. This usually happens when the user uses the -R flag or is replaying a high-spee
  1516. d pcap file (> 50Mbps, although this number is dependant on the hardware
  1517. in use).
  1518. \layout Standard
  1519. The short version of the answer is: no, we are not aware of any bugs which
  1520. might cause a few packets to not be sent.
  1521. \layout Standard
  1522. The longer version goes something like this:
  1523. \layout Standard
  1524. If you are running tcpreplay multiple times and are using tcpdump or other
  1525. packet sniffer to count the number packets sent and are getting different
  1526. numbers, it's not tcpreplay's fault.
  1527. The problem lies in one of two places:
  1528. \layout Enumerate
  1529. It is well known that tcpdump and other sniffers have a problem keeping
  1530. up with high-speed traffic.
  1531. Furthermore, the OS in many cases
  1532. \emph on
  1533. lies
  1534. \emph default
  1535. about how many packets were dropped.
  1536. Tcpdump will repeat this lie to you.
  1537. In other words, tcpdump isn't seeing all the packets.
  1538. Usually this is a problem with the network card or driver which may or
  1539. may not be fixable.
  1540. Try another network card/driver.
  1541. \layout Enumerate
  1542. When tcpreplay sends a packet, it actually gets copied to a send buffer
  1543. in the kernel.
  1544. If this buffer is full, the kernel is supposed to tell tcpreplay that it
  1545. didn't copy the packet to this buffer.
  1546. If the kernel has a bug which squelches this error, tcpreplay will not
  1547. keep trying to send the packet and will move on to the next one.
  1548. Currently I am not aware of any OS kernels with this bug, but it is possible
  1549. that it exists.
  1550. If you find out that your OS has this problem, please let me know so I
  1551. can list it here.
  1552. \layout Standard
  1553. If for some reason, you still think its a bug in tcpreplay, by all means
  1554. read the code and tell me how stupid I am.
  1555. The do_packets() function in do_packets.c is where tcpreplay processes the
  1556. pcap file and sends all of the packets.
  1557. \layout Section
  1558. Required Libraries and Tools
  1559. \layout Subsection
  1560. Libpcap
  1561. \layout Standard
  1562. As of tcpreplay v1.4, you'll need to have libpcap installed on your system.
  1563. As of v2.0, you'll need at least version 0.6.0 or better, but I only test
  1564. our code with the latest version.
  1565. Libpcap can be obtained on the tcpdump homepage
  1566. \begin_inset Foot
  1567. collapsed true
  1568. \layout Standard
  1569. \begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
  1570. \end_inset
  1571. \end_inset
  1572. .
  1573. \layout Subsection
  1574. Libnet
  1575. \layout Standard
  1576. Tcpreplay v1.3 is the last version to support the old libnet API (everything
  1577. before 1.1.x).
  1578. As of v1.4 you will need to use Libnet 1.1.0 or better which can be obtained
  1579. from the Libnet homepage
  1580. \begin_inset Foot
  1581. collapsed true
  1582. \layout Standard
  1583. \begin_inset LatexCommand \htmlurl{http://www.packetfactory.net/Projects/Libnet/}
  1584. \end_inset
  1585. \end_inset
  1586. .
  1587. \layout Subsection
  1588. Libpcapnav
  1589. \layout Standard
  1590. Starting with v2.0, tcpreplay can use libpcapnav to support the jump offset
  1591. feature.
  1592. If libpcapnav is not found on the system, that feature will be disabled.
  1593. Libpcapnav can be found on the NetDude homepage
  1594. \begin_inset Foot
  1595. collapsed true
  1596. \layout Standard
  1597. \begin_inset LatexCommand \htmlurl{http://netdude.sourceforge.net/}
  1598. \end_inset
  1599. \end_inset
  1600. .
  1601. \layout Subsection
  1602. Tcpdump
  1603. \layout Standard
  1604. As of 2.0, tcpreplay uses tcpdump (the binary, not code) to decode packets
  1605. to STDOUT in a human readable (with practice) format as it sends them.
  1606. If you would like this feature, tcpdump must be installed on your system.
  1607. \layout Standard
  1608. \noun on
  1609. Note:
  1610. \noun default
  1611. The location of the tcpdump binary is hardcoded in tcpreplay at compile
  1612. time.
  1613. If tcpdump gets renamed or moved, the feature will become disabled.
  1614. \layout Part
  1615. Other Resources
  1616. \layout Section
  1617. Other pcap tools available
  1618. \layout Subsection
  1619. Tools to capture network traffic or decode pcap files
  1620. \layout Itemize
  1621. tcpdump
  1622. \newline
  1623. \begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
  1624. \end_inset
  1625. \layout Itemize
  1626. ethereal
  1627. \newline
  1628. \begin_inset LatexCommand \htmlurl{http://www.ethereal.com/}
  1629. \end_inset
  1630. \layout Itemize
  1631. ettercap
  1632. \newline
  1633. \begin_inset LatexCommand \htmlurl{http://ettercap.sourceforge.net/}
  1634. \end_inset
  1635. \layout Subsection
  1636. Tools to edit pcap files
  1637. \layout Itemize
  1638. tcpslice
  1639. \newline
  1640. Splits pcap files into smaller files
  1641. \newline
  1642. \begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
  1643. \end_inset
  1644. \layout Itemize
  1645. mergecap
  1646. \newline
  1647. Merges two pcap capture files into one
  1648. \newline
  1649. \begin_inset LatexCommand \htmlurl{http://www.ethreal.com/}
  1650. \end_inset
  1651. \layout Itemize
  1652. pcapmerge
  1653. \newline
  1654. Merges two or more pcap capture files into one
  1655. \newline
  1656. \begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
  1657. \end_inset
  1658. \layout Itemize
  1659. editcap
  1660. \newline
  1661. Converts capture file formats (pcap, snoop, etc)
  1662. \newline
  1663. \begin_inset LatexCommand \htmlurl{http://www.ethreal.com/}
  1664. \end_inset
  1665. \layout Itemize
  1666. netdude
  1667. \newline
  1668. GTK based pcap capture file editor.
  1669. Allows editing most anything in the packet.
  1670. \newline
  1671. \begin_inset LatexCommand \htmlurl{http://netdude.sourceforge.net/}
  1672. \end_inset
  1673. \layout Subsection
  1674. Other useful tools
  1675. \layout Itemize
  1676. capinfo
  1677. \newline
  1678. Prints statistics and basic information about a pcap file
  1679. \newline
  1680. \begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
  1681. \end_inset
  1682. \layout Itemize
  1683. text2pcap
  1684. \newline
  1685. Generates a pcap capture file from a hex dump
  1686. \newline
  1687. \begin_inset LatexCommand \htmlurl{http://www.ethreal.com/}
  1688. \end_inset
  1689. \layout Itemize
  1690. tcpflow
  1691. \newline
  1692. Extracts and reassembles the data portion on a per-flow basis on live traffic
  1693. or pcap capture files
  1694. \newline
  1695. \begin_inset LatexCommand \htmlurl{http://www.circlemud.org/~jelson/software/tcpflow/}
  1696. \end_inset
  1697. \layout Part*
  1698. \pagebreak_top \start_of_appendix
  1699. Appendix
  1700. \layout Section
  1701. BSD License
  1702. \layout Standard
  1703. \begin_inset Include \verbatiminput{LICENSE}
  1704. preview false
  1705. \end_inset
  1706. \the_end