tcpreplay/man/tcpprep.html

<!-- Creator     : groff version 1.18.1 -->
<!-- CreationDate: Wed Dec 22 15:16:41 2004 -->
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta name="Content-Style" content="text/css">
<title>TCPPREP</title>
</head>
<body>

<h1 align=center>TCPPREP</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSIS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#OPTIONS">OPTIONS</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<a href="#AUTHOR">AUTHOR</a><br>
<a href="#BUGS">BUGS</a><br>

<hr>
<a name="NAME"></a>
<h2>NAME</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<td width="89%">
<p>tcpprep &minus; create a tcpreplay cache file from a
saved capture file</p>
</td>
</table>
<a name="SYNOPSIS"></a>
<h2>SYNOPSIS</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<td width="89%">
<p><b>tcpprep</b> [ <b>&minus;a &minus;n</b> [ <i>bridge</i>
| <i>router</i> | <i>client</i> | <i>server</i> ] |
<b>&minus;c</b> <i>CIDR,...</i> | <b>&minus;r</b>
<i>regex</i> | <b>&minus;p</b> ] [ <b>&minus;h</b> |
<b>&minus;V</b> ] [ <b>&minus;i</b> <i>pcapfile</i> ] [
<b>&minus;v</b> ] [ <b>&minus;m</b> <i>minmask</i> ] [
<b>&minus;M</b> <i>maxmask</i> ] [ <b>&minus;N</b>
<i>client</i> | <i>server</i> ] [ <b>&minus;R</b>
<i>ratio</i> ] [ <b>&minus;x</b> <i>include</i> |
<b>&minus;X</b> <i>exclude</i> ] [ <b>&minus;C</b>
<i>comment</i> ] <b>&minus;o</b> | <b>&minus;P</b>
<i>cachefile</i></p>
</td>
</table>
<a name="DESCRIPTION"></a>
<h2>DESCRIPTION</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<td width="89%">
<p><i>Tcpprep</i> is a program for creating a cache file for
later use with <i>tcpreplay(8)</i>. By using tcpprep to
pre-process a pcap, tcpreplay in dual-nic mode can match the
performance of the traditional tcpreplay single-nic
mode.</p>
<!-- INDENTATION -->
<p>The basic operation of <i>tcpprep</i> is to compare each
packet from it&rsquo;s <i>input file</i> and compare it to
either a <i>regular expression</i> or against a list of
<i>CIDR</i>&rsquo;s. It then writes the result of this
comparison to the <i>cache file</i> for later use with
<i>tcpreplay</i>. This <i>cache file</i> is a string of
characters, with each bit representing a single packet. This
provides an efficent and portable means of storing the
necessary data.</p>
</td>
</table>
<a name="OPTIONS"></a>
<h2>OPTIONS</h2>
<!-- TABS -->
<table width="100%" border=0 rules="none" frame="void"
       cols="4" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="7%">

<p><b>&minus;a</b></p>
</td>
<td width="2%"></td>
<td width="77%">

<p>Auto mode. Tcpprep will try to learn the roles of
systems on the network, and split traffic between the two
interfaces based upon whether a system is classified as a
&quot;server&quot; or &quot;client&quot;. Servers are sent
out the primary interface, clients out the secondary.
Requires the use of -n and excludes the use of -c, -p and
-r.</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="7%">

<p><b>&minus;c</b></p>
</td>
<td width="2%"></td>
<td width="77%">

<p>CIDR mode. Specify a list of CIDR&rsquo;s
(network1/masklen1,network2/masklen2,...) to match against
the source IP of each packet. Packets matching any of the
CIDR&rsquo;s are sent out the primary interface; remaining
packets are sent out the secondary interface. Can&rsquo;t be
used with -r or -a.</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="7%">

<p><b>&minus;C</b></p>
</td>
<td width="2%"></td>
<td width="77%">

<p>Imbed a comment in the tcpprep cache file which can be
later viewed via -P.</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="7%">

<p><b>&minus;h</b></p>
</td>
<td width="2%"></td>
<td width="77%">

<p>Help.</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="7%">

<p><b>&minus;i</b></p>
</td>
<td width="2%"></td>
<td width="77%">

<p>Input file (pcap format)</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="7%">

<p><b>&minus;m</b></p>
</td>
<td width="2%"></td>
<td width="77%">

<p>Minimum mask length. Used in auto/router mode to set the
minimum valid network size. Defaults to 30 (bits).</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="7%">

<p><b>&minus;M</b></p>
</td>
<td width="2%"></td>
<td width="77%">

<p>Maximum mask length. Used in auto/router mode to set the
maximum valid network size. Defaults to 8 (bits).</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="7%">

<p><b>&minus;n</b></p>
</td>
<td width="2%"></td>
<td width="77%">

<p>Network type. Used to specify the network type in auto
mode as either bridge, client, server or router. Required
with -a.</p>
</td>
</table>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<td width="89%">
<p>Bridge mode processes each packet to try to determine if
the sender is a client or server. Once all the packets are
processed, the results are weighed according to the
server/client ratio (-R) and systems are assigned an
interface. If tcpprep is unable to determine what role a
system plays, tcpprep will abort.</p>
<!-- INDENTATION -->
<p>Client mode works just like bridge mode, except that
unclassified systems are treated as clients.</p>
<!-- INDENTATION -->
<p>Server mode works just like bridge mode, except that
unclassified systems are treated as servers.</p>
<!-- INDENTATION -->
<p>Router mode works just like bridge mode, except that
after weighing is done, systems which are undetermined are
considered a server if they fall inside a network known to
contain other servers. Router mode will never abort on
systems which can&rsquo;t be determined.</p>
<!-- INDENTATION -->
<p>Router mode trys to build a list of networks containing
only servers and unknown IP&rsquo;s. It starts out with very
large networks (8 bit netmask by default, change with -M)
and works it&rsquo;s way down to the minimum mask len (-m).
If tcpprep is unable to determine one or more networks which
only contains servers and unknowns, tcpprep will abort.</p>
<!-- INDENTATION -->
<p>Port mode looks at the source/destination port of the TCP
or UDP packet. Client traffic goes out the primary
interface, and server traffic out the secondary interface.
Non-TCP and UDP traffic goes out the same interface as
non-IP traffic does. Note that this mode does not track IP
addresses; so an IP may appear to jump between interfaces
depending on if it is the client or server.</p>
<!-- INDENTATION -->
<p>In all cases, servers are sent out the primary interface,
and clients out the secondary.</p>
</td>
</table>
<!-- TABS -->
<table width="100%" border=0 rules="none" frame="void"
       cols="4" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="4%">

<p><b>&minus;N</b></p>
</td>
<td width="5%"></td>
<td width="77%">

<p>Non-IP packet classification. Non-IP datagrams (such as
arp) currently aren&rsquo;t handled by tcpprep. This option
allows you to define an interface to send them out. Default
is client.</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="4%">

<p><b>&minus;o</b></p>
</td>
<td width="5%"></td>
<td width="77%">

<p>Output file (tcpreplay cache file)</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="4%">

<p><b>&minus;p</b></p>
</td>
<td width="5%"></td>
<td width="77%">

<p>Port mode. Split TCP/UDP traffic based on the
destination port.</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="4%">

<p><b>-P</b></p>
</td>
<td width="5%"></td>
<td width="77%">

<p>Print the embeded tcpprep cache file comment.</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="4%">

<p><b>&minus;r</b></p>
</td>
<td width="5%"></td>
<td width="77%">

<p>Regex mode. Specifies a regular expression to match
against the source ip of each packet. Packets matching are
sent out the primary interface; remaining packets are sent
out the secondary interface. Can&rsquo;t be used with -a or
-c.</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="4%">

<p><b>&minus;R</b></p>
</td>
<td width="5%"></td>
<td width="77%">

<p>The ratio of server connections to client connections
necessary to be classified as a server in auto mode. A
system is classified as a server if [# server connections]
&gt;= ([# client connections] * [ratio]). Default is:
2.0</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="4%">

<p><b>&minus;x</b></p>
</td>
<td width="5%"></td>
<td width="77%">

<p>Specifies which packets from the capture file(s) to
send. Can be one of:</p>
</td>
</table>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="21%"></td>
<td width="77%">
<p>S:&lt;CIDR1&gt;,... - Src IP must match specified
CIDR(s)<br>
D:&lt;CIDR1&gt;,... - Dst IP must match specified
CIDR(s)<br>
B:&lt;CIDR1&gt;,... - Both src and dst addresses must
match<br>
E:&lt;CIDR1&gt;,... - Either src or dst address must
match<br>
P:&lt;list&gt; - Must be one of the listed packets where the
list corresponds to the packet number in the capture file.
Ex: -x P:1-5,9,15 would only send packets 1 through 5, 9 and
15.<br>
F:&quot;&lt;filter&gt;&quot; - BPF filter. See the
tcpdump(8) man page for syntax.</p>
</td>
</table>
<!-- TABS -->
<table width="100%" border=0 rules="none" frame="void"
       cols="4" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="2%">

<p><b>&minus;X</b></p>
</td>
<td width="7%"></td>
<td width="77%">

<p>Specifies which packets from the capture file(s) to NOT
send. Can be one of:</p>
</td>
</table>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="21%"></td>
<td width="77%">
<p>S:&lt;CIDR1&gt;,... - Src IP must match specified
CIDR(s)<br>
D:&lt;CIDR1&gt;,... - Dst IP must match specified
CIDR(s)<br>
B:&lt;CIDR1&gt;,... - Both src and dst addresses must
match<br>
E:&lt;CIDR1&gt;,... - Either src or dst address must
match<br>
P:&lt;list&gt; - Must be one of the listed packets where the
list corresponds to the packet number in the capture file.
Ex: -X P:1-5,9,15 would send all packets except 1 through 5,
9 and 15.</p>
</td>
</table>
<!-- TABS -->
<table width="100%" border=0 rules="none" frame="void"
       cols="4" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="2%">

<p><b>&minus;v</b></p>
</td>
<td width="7%"></td>
<td width="77%">

<p>Enable verbose status printing to stderr. (Probably only
interesting for large input files.)</p>
</td>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="2%">

<p><b>&minus;V</b></p>
</td>
<td width="7%"></td>
<td width="77%">

<p>Print version info and exit.</p>
</td>
</table>
<a name="SEE ALSO"></a>
<h2>SEE ALSO</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<td width="89%">
<p>tcpdump(8), tcpreplay(8), capinfo(1), editcap(1)</p>
</td>
</table>
<a name="AUTHOR"></a>
<h2>AUTHOR</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<td width="89%">
<p>Aaron Turner &lt;aturner@pobox.com&gt;</p>
<!-- INDENTATION -->
<p>The current version is packaged with tcpreplay which is
available via HTTP:</p>
</td>
</table>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="20%"></td>
<td width="79%">

<p><i>http://www.sourceforge.net/projects/tcpreplay/</i></p></td>
</table>
<a name="BUGS"></a>
<h2>BUGS</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
       cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<td width="89%">
<p>There may be a memory leak in the auto mode portion of
the code. I&rsquo;m seeing tcpprep growing to almost 15MB on
a 900MB input file.</p>
<!-- INDENTATION -->
<p>Accuracy in auto modes and handling of non-IP datagrams
could be improved by various means.</p>
<!-- INDENTATION -->
<p>It would be nice to support compressed files and other
file formats than just libpcap.</p>
<!-- INDENTATION -->
<p>Please send bug reports to aturner@pobox.com.</p>
</td>
</table>
<hr>
</body>
</html>