cbiedl
/
tcpreplay


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279
							.\" $Id: tcpreplay.8 1132 2005-02-09 01:30:59Z aturner $
.TH "TCPREPLAY" "8" "2.0.3" "Aaron Turner" "Replay Captured Network Traffic"
.SH "NAME"
.LP 
tcpreplay \- replay packets back out onto the network from pcap files
.SH "SYNTAX"
.LP 
\fBtcpreplay\fR
\fB\-i\fR \fIintf\fR
[ \fBoptions\fR ]
[ \fI<file1> <file2> ...\fR | \- ]
.SH "DESCRIPTION"
.LP 
\fBtcpreplay\fR is a tool for replaying network traffic from files saved with 
\fBtcpdump\fR or other tools which write \fBpcap(3)\fR files.
.LP 
The basic operation of \fBtcpreplay\fR is to resend all packets from the
input file(s) at the speed at which they were recorded, or a specified data 
rate, up to as fast as the hardware is capable.  
.LP 
Optionally, the traffic can be split between two interfaces, written to files,
filtered and edited in various ways, providing the means to test firewalls,
NIDS and other network devices.
.SH "OPTIONS"
.LP 
.TP 
.B \-A or "tcpdump_args"
When enabling verbose mode (\-v) you may also specify one or more 
additional arguments to pass to \fBtcpdump\fR to modify the way
packets are decoded.  By default, \-n and \-l are used.  Be sure to
quote the arguments like: \-A "\-axxx" so that they are not interpreted by
tcpreplay.  The following arguments are vaild:
.br 
 [ \-aAeNqRStuvxX ]
.br 
 [ \-E spi@ipaddr algo:secret,...]
.br  
 [ \-s snaplen ]
.TP 
.TP 
.B \-c or "cachefile"
Specify the \fItcpprep cache\fR to use to process packets.
.TP 
.B \-C or "cidr"
Given a list of CIDR networks, packets with a source address matching an 
entry in the list are sent out the primary interface. All other packets
are sent via the secondary interface. CIDR lists are comma\-separated 
and do not contain spaces, \fI192.168.0.0/28,10.0.0.0/16\fR and 
\fI10.1.1.0/29\fR, for example. Overrides the \-c option.
.TP 
.B \-D or "datadump_mode"
When used in conjunction with \-w and \-W, rather then dumping the entire
packets to the files, only the layer 7 data is dumped.
.TP 
.B \-e or "endpoints"
Specifies a pair of IP addresses seperated by a colon which are then used
to rewrite all IP traffic to appear to be between the two IP's.
.TP
.B \-f 
Specify a file that contains configuration options. 
Option tokens are listed next to the corresponding command\-line flag.
.TP 
.B \-F or "fixchecksums"
Fixes IP and TCP/UDP checksums in packets.  Auto\-forced with \-s, \-u, \-T \-N or \-4
.TP 
.B \-h
Prints help/usage
.TP 
.B \-i or "intf"
Specify the prmary interface in which to send packets.
.TP 
.B \-I or "primary_mac"
Specify the \fIdestination MAC\fR to use for packets being sent out the primary
interface.
.TP 
.B \-j or "second_intf"
Specify the \fIsecondary interface\fR in which to send packets.
.TP 
.B \-J or "second_mac"
Specify the \fIdestination MAC\fR to use for packets being sent out the 
secondary interface.
.TP 
.B \-k or "primary_smac"
Specify the \fIsource MAC\fR to use for packets being sent out the primary
interface.
.TP
.B \-K or "second_smac"
Specify the \fIsource MAC\fR to use for packets being sent out the 
secondary interface.
.TP 
.B \-l or "loop"
Resend the capture file(s) \fIloop count\fR times.  Setting this to 0 (zero)
will cause tcpreplay to loop infinitely.
.TP 
.B \-L or "limit_send"
Causes tcpreplay to exit after sending the specified number of packets
.TP 
.B \-m or "multiplier"
Resend the packets at a \fImultiple\fR of the speed at which they were
recorded, specified as a floating\-point number.
.TP 
.B \-M or "no_martians"
Disable sending martian packets (source networks: 0/8, 127/8, 255/8)
.TP 
.B \-n or "not_nosy"
Don't listen in promiscuous mode when sniffing with \-S
.TP 
.B \-N or "nat"
Specify the nat transation table(s) where a table is one or more pairs of
CIDR's seperated by a colon and each pair is sererated by a comma:
.br
<FROMCIDR1>:<TOCIDR1>,<FROMCIDR2>:<TOCIDR2>
.br
The first instance of this argument is used for the primary interface while
the second instance is used for the secondary interface.  If no second
instance of this argument exists, then the NAT table is used for both.
.TP 
.B \-o or "offset"
Jump to packet at the nearest specified byte offset and start replaying packets from there.
.TP 
.B \-O or "one_output"
Processes packets internally for dual interfaces/files for purposes of NAT and MAC
rewriting, but only write packets to a single interface or file.
.TP
.B \-p or "packetrate"
Specify the replay rate in packets per second.  Negates all other 
speed options.
.TP 
.B \-P
.br 
Print the PID of the tcpreplay process at startup.  Useful when wanting to
use SIGUSR1 and SIGCONT to pause/restart.
.TP 
.B \-r or "rate"
Resend the packets at \fIrate\fR megabits per\-second, specified as a 
floating\-point number.
.TP 
.B \-R or "topspeed"
Resend the packets as fast as possible. Negates all other speed options.
.TP 
.B \-s or "seed"
Specify a seed value to allow rewriting the source and destination IP
addresses (only in IP header) to pseudo\-random values.  Will also recalculate 
the IP header as necessary.
.TP 
.B \-S or "sniff_snaplen"
Instead of reading from a saved tcpdump file, perform live capture.
The argument is the number of bytes to capture off the wire.
The name of the capture interface will be the nominal filename.  Please 
read the FAQ for more details/warnings about this feature. 
.TP 
.B \-t or "mtu"
Specify the MTU in bytes of the interface(s) being used.  Default is 1500 which
is standard for 10/100 Ethernet.
.TP 
.B \-T or "truncate"
If a packet is larger then the MTU of the interface, the frame will be truncated
so that it can be sent.  With out this, these frames are skipped.  Not to be
confused with \-u which pads/truncates packets which are larger then the snaplen
used to capture the packet.
.TP 
.B \-u or "untruncate"
When a packet is truncated in the capture file because the snaplen was too small, 
this option will \fIpad\fR the end of the packet with zeros, or 
truncate (\fItrunc\fR) it by re\-adjusting the length in the IP header. 
The \fItrunc\fR option will only alter IPv4 packets, all others will be sent 
unmodified.
.TP 
.B \-v or "verbose"
.br 
Verbose mode, dump decoded packets via tcpdump to STDOUT.  
.TP 
.B \-V
Print version info and exit.
.TP 
.B \-w or "write"
Specify the output file to write the primary packets to instead of the network.
You still must specify the primary interface via \-i.  If \-D is set before it,
it will write only the layer 7 data.
.TP 
.B \-W or "secondary_write"
Specify the output file to write the secondary packets to instead of the 
network.  You still must specify the secondary interface via \-j.  If \-D is 
set before it, it will write only the layer 7 data.
.TP 
.B \-x or "include"
Specifies which packets from the capture file(s) to send.  Can be one of:
.br 
.br 
.TP 
.LP 
S:<CIDR1>,... Src IP must match specified CIDR(s)
.TP 
.LP 
D:<CIDR1>,... Dst IP must match specified CIDR(s)
.TP 
.LP 
B:<CIDR1>,... Both src and dst addresses must match
.TP 
.LP 
E:<CIDR1>,... Either src or dst address must match
.TP 
.LP 
P:<list>      Must be one of the listed packets where the list corresponds to the packet number in the capture file.  Ex: \-x P:1\-5,9,15 would only send packets 1 through 5, 9 and 15.
.TP 
.LP 
F:"<filter>"  BPF filter.  See the \fBtcpdump(1)\fR man page for syntax.
.TP 
.B \-X or "exclude"
Specifies which packets from the capture file(s) to NOT send.  Can be one of:
.TP 
.LP 
S:<CIDR1>,... Src IP must match specified CIDR(s)
.TP 
.LP 
D:<CIDR1>,... Dst IP must match specified CIDR(s)
.TP 
.LP 
B:<CIDR1>,... Both src and dst addresses must match
.TP 
.LP 
E:<CIDR1>,... Either src or dst address must match
.TP 
.LP 
P:<list>      Must be one of the listed packets where the list corresponds to the packet number in the capture file.  Ex: \-X P:1\-5,9,15 would send all packets except 1 through 5, 9 and 15.
.TP 
.B \-1 or one_at_a_time
Resend one packet at a time, once for each keypress.
.TP 
.B \-2 or l2data
Specifies a string of comma seperated numbers in hex to be used instead of the
Layer 2 header in the packet.  Useful for converting between 802.x types or
adding a header when the pcap file doesn't contain a header (as in the case of
DLT_RAW).  Currently this only supports the following pcap(3) types:
DLT_EN10MB, DLT_LINUX_SLL, DLT_CHDLC and DLT_RAW.
.TP
.B \-4 or "portmap"
Specify a port mapping, where the mapping looks like:
.br
<FROMPORT1>:<TOPORT1>,<FROMPORT2>:<TOPORT2>
.br
For example, if this mapping was specified:
.br
80:8080
.br
then any packets with a source or destination port of 80 would be changed to 8080.  This option can be specified multiple times to specify multiple mappings.  Mappings are not transitive: each source or destination port is mapped only once.
.SH "SIGNALS"
.LP 
.I Tcpreplay
understands the following signals:
.TP 
.B SIGUSR1
Suspend tcpreplay.
.TP 
.B SIGCONT
Restart tcpreplay after it has been suspended.
.SH "SEE ALSO"
.LP 
tcpdump(1), tcpprep(1), capinfo(1), editcap(1)
.SH "AUTHORS"
.LP 
Aaron Turner
.br 
Matt Undy, Anzen Computing.
.br 
Matt Bing
.br 
.SH "AVAILABILITY"
.LP 
The current version is available via HTTP:
.LP 
.RS
.I http://www.sourceforge.net/projects/tcpreplay/
.RE
.SH "LIMITATIONS"
.LP 
Please see the tcpreplay FAQ for a list of limitations and any possible
work\-arounds:
.I http://tcpreplay.sourceforge.net/