1
0

manual.lyx 62 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604
  1. #LyX 1.4.0 created this file. For more info see http://www.lyx.org/
  2. \lyxformat 245
  3. \begin_document
  4. \begin_header
  5. \textclass article
  6. \language english
  7. \inputencoding latin1
  8. \fontscheme times
  9. \graphics default
  10. \paperfontsize default
  11. \spacing single
  12. \papersize letterpaper
  13. \use_geometry true
  14. \use_amsmath 1
  15. \cite_engine basic
  16. \use_bibtopic false
  17. \paperorientation portrait
  18. \leftmargin 10mm
  19. \topmargin 10mm
  20. \rightmargin 10mm
  21. \bottommargin 15mm
  22. \secnumdepth 4
  23. \tocdepth 3
  24. \paragraph_separation skip
  25. \defskip medskip
  26. \quotes_language english
  27. \papercolumns 1
  28. \papersides 1
  29. \paperpagestyle default
  30. \tracking_changes false
  31. \output_changes true
  32. \end_header
  33. \begin_body
  34. \begin_layout Title
  35. Tcpreplay 3.x Manual (BETA)
  36. \end_layout
  37. \begin_layout Author
  38. Aaron Turner
  39. \newline
  40. http://tcpreplay.sourceforge.net/
  41. \end_layout
  42. \begin_layout Section*
  43. Notice
  44. \end_layout
  45. \begin_layout Standard
  46. This document is still in the process of being re-written due to the significant
  47. CLI and configuration file changes between versions 2.x and 3.x.
  48. For the definative source of configuration options, please see the tcpprep,
  49. tcprewrite, tcpreplay and tcpbridge man pages.
  50. \end_layout
  51. \begin_layout Section*
  52. Overview
  53. \end_layout
  54. \begin_layout Standard
  55. Tcpreplay is a suite of utilities for UNIX systems for editing and replaying
  56. network traffic which was previously captured by tools like tcpdump and
  57. ethereal.
  58. The goal of tcpreplay is to provide the means for providing reliable and
  59. repeatible means for testing a variety of network devices such as switches,
  60. router, firewalls, network intrusion detection and prevention systems (IDS
  61. and IPS).
  62. \end_layout
  63. \begin_layout Standard
  64. Tcpreplay provides the ability to classify traffic as client or server,
  65. edit packets at layers 2-4 and replay the traffic at arbitrary speeds onto
  66. a network for sniffing or through a device.
  67. \end_layout
  68. \begin_layout Standard
  69. Some of the advantages of using tcpreplay over using
  70. \begin_inset Quotes eld
  71. \end_inset
  72. exploit code
  73. \begin_inset Quotes erd
  74. \end_inset
  75. are:
  76. \end_layout
  77. \begin_layout Itemize
  78. Since tcpreplay emulates the victim and the attacker, you generally only
  79. need a tcpreplay box and the device under test (DUT)
  80. \end_layout
  81. \begin_layout Itemize
  82. Tests can include background traffic of entire networks without the cost
  83. and effort of setting up dozens of hosts or costly emulators
  84. \end_layout
  85. \begin_layout Itemize
  86. No need to have a
  87. \begin_inset Quotes eld
  88. \end_inset
  89. victim
  90. \begin_inset Quotes erd
  91. \end_inset
  92. host which needs to have the appropriate software installed, properly configure
  93. d and rebuilt after compromise
  94. \end_layout
  95. \begin_layout Itemize
  96. Less chance that a virus or trojan might escape your network and wreak havoc
  97. on your systems
  98. \end_layout
  99. \begin_layout Itemize
  100. Uses the open standard pcap file format for which dozens of command line
  101. and GUI utilities exist
  102. \end_layout
  103. \begin_layout Itemize
  104. Tests are fully repeatable without a complex test harnesses or network configura
  105. tion
  106. \end_layout
  107. \begin_layout Itemize
  108. Tests can be replayed at arbitrary speeds
  109. \end_layout
  110. \begin_layout Itemize
  111. Single command-line interface to learn and integrate into test harness
  112. \end_layout
  113. \begin_layout Itemize
  114. You only need to audit tcpreplay, rather then each and every exploit individuall
  115. y
  116. \end_layout
  117. \begin_layout Itemize
  118. Actively developed and supported by it's author
  119. \end_layout
  120. \begin_layout Subsection*
  121. Using this manual
  122. \end_layout
  123. \begin_layout Standard
  124. The goal of this manual is to provide an idea of what tcpreplay and it's
  125. utilities can do.
  126. It is not however intended to be a complete document which covers every
  127. possible use case or situation.
  128. It is also very much a work in progress and is far from complete and has
  129. numerous errors since a lot of things have changed since tcpreplay 2.x.
  130. It is expected that most of these issues will be ironed out before the
  131. offical 3.0 release is made.
  132. You should keep in mind the following conventions when reading this document:
  133. \end_layout
  134. \begin_layout Itemize
  135. Commands you should run from the command line
  136. \family typewriter
  137. are in monotype
  138. \family default
  139. .
  140. \end_layout
  141. \begin_layout Itemize
  142. Commands that should be run as root will have a '#' in front of them.
  143. \end_layout
  144. \begin_layout Itemize
  145. Commands that should be run as an unprivelged user will have a '$' in front
  146. of them.
  147. \end_layout
  148. \begin_layout Itemize
  149. Text that should be placed in a file
  150. \family typewriter
  151. is in monospace.
  152. \end_layout
  153. \begin_layout Standard
  154. All of the applications shipped with tcpreplay support both short (a single
  155. dash followed by a single character) and long (two dashes followed by multiple
  156. characters) arguments.
  157. For consistancy, this document uses the long option format.
  158. Please review the man pages for the short argument equivalents.
  159. \end_layout
  160. \begin_layout Subsection*
  161. Getting Help
  162. \end_layout
  163. \begin_layout Standard
  164. If you still have a question after reading the Tcpreplay manual, man pages
  165. and FAQ, please contact the Tcpreplay-Users <tcpreplay-users@lists.sourceforge.ne
  166. t> mailing list.
  167. Note that if you ask a question which has clearly been covered in either
  168. the manual or FAQ, you will most likely be told to RTFM.
  169. Also, please try to explain your problem in detail.
  170. It is very difficult and fustrating to get requests from people seeking
  171. help who only provide vague and incomplete information.
  172. \end_layout
  173. \begin_layout Subsection*
  174. Corrections and additions to the manual
  175. \end_layout
  176. \begin_layout Standard
  177. I've tried to keep this document up to date with the changes in tcpreplay,
  178. but occasionally I get too busy, make a mistake or just forget something.
  179. If you find anything in this document which could be improved upon, please
  180. let me know.
  181. \end_layout
  182. \begin_layout Section*
  183. Getting Tcpreplay working on your system
  184. \end_layout
  185. \begin_layout Subsection*
  186. Getting the source code
  187. \end_layout
  188. \begin_layout Standard
  189. The source code is available as a tarball on the tcpreplay homepage:
  190. \begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
  191. \end_inset
  192. I also encourage users familiar with Subversion to try checking out the
  193. latest code as it often has additional features and bugfixes not yet found
  194. in the offical releases.
  195. \end_layout
  196. \begin_layout LyX-Code
  197. $ svn checkout https://www.synfin.net/svn/tcpreplay/trunk tcpreplay
  198. \end_layout
  199. \begin_layout Subsection*
  200. Requirements
  201. \end_layout
  202. \begin_layout Enumerate
  203. Libnet
  204. \begin_inset Foot
  205. status collapsed
  206. \begin_layout Standard
  207. http://www.packetfactory.net/libnet/
  208. \end_layout
  209. \end_inset
  210. 1.1.x or better (1.1.3 fixes a checksum bug which effects tcprewrite)
  211. \end_layout
  212. \begin_layout Enumerate
  213. Libpcap
  214. \begin_inset Foot
  215. status collapsed
  216. \begin_layout Standard
  217. http://www.tcpdump.org/
  218. \end_layout
  219. \end_inset
  220. 0.6.x or better (0.8.3 or better recommended)
  221. \end_layout
  222. \begin_layout Enumerate
  223. To support the packet decoding feature you'll need tcpdump
  224. \begin_inset Foot
  225. status collapsed
  226. \begin_layout Standard
  227. http://www.tcpdump.org/
  228. \end_layout
  229. \end_inset
  230. binary installed.
  231. \end_layout
  232. \begin_layout Enumerate
  233. You'll also need a compatible operating system.
  234. Basically, any *NIX operating system should work.
  235. Linux, *BSD, Solaris, OS X and others should all work.
  236. If you find any compatibility issues with any *NIX OS, please let me know.
  237. \end_layout
  238. \begin_layout Subsection*
  239. Compiling Tcpreplay
  240. \end_layout
  241. \begin_layout Standard
  242. Two easy steps:
  243. \end_layout
  244. \begin_layout LyX-Code
  245. \emph on
  246. $
  247. \emph default
  248. ./configure && make
  249. \emph on
  250. \end_layout
  251. \begin_layout LyX-Code
  252. \emph on
  253. #
  254. \emph default
  255. make install
  256. \end_layout
  257. \begin_layout Standard
  258. There are some optional arguments which can be passed to the 'configure'
  259. script which may help in cases where your libnet, libpcap or tcpdump installati
  260. on is not standard or if it can't determine the correct network interface
  261. card to use for testing.
  262. I also recommend that for beta code you specify
  263. \series bold
  264. -\SpecialChar \textcompwordmark{}
  265. -enable-debug
  266. \series default
  267. to the configure script in case you find any bugs.
  268. If you find that configure isn't completing correctly, run:
  269. \emph on
  270. ./configure -\SpecialChar \textcompwordmark{}
  271. -help
  272. \emph default
  273. for more information.
  274. \end_layout
  275. \begin_layout Standard
  276. You may also choose to run:
  277. \end_layout
  278. \begin_layout LyX-Code
  279. #
  280. \emph on
  281. make test -i
  282. \end_layout
  283. \begin_layout Itemize
  284. make test is just a series of sanity checks which try to find serious bugs
  285. (crashes) in tcpprep and tcpreplay.
  286. \end_layout
  287. \begin_layout Itemize
  288. make test requires at least one properly configured network interface.
  289. If the configure script can't guess what a valid interface is you can specify
  290. it with the -\SpecialChar \textcompwordmark{}
  291. -with-testnic and -\SpecialChar \textcompwordmark{}
  292. -with-testnic2 arguments.
  293. \end_layout
  294. \begin_layout Itemize
  295. If make test fails, often you can find details in test/test.log.
  296. \end_layout
  297. \begin_layout Itemize
  298. OpenBSD's make has a bug where it ignores the MAKEFLAGS variable in the
  299. Makefile, hence you'll probably want to run:
  300. \emph on
  301. make -is test
  302. \emph default
  303. instead.
  304. \end_layout
  305. \begin_layout Section*
  306. Basic Tcpreplay Usage
  307. \end_layout
  308. \begin_layout Subsection*
  309. Replaying the traffic
  310. \end_layout
  311. \begin_layout Standard
  312. To replay a given pcap as it was captured all you need to do is specify
  313. the pcap file and the interface to send the traffic out interface 'eth0':
  314. \end_layout
  315. \begin_layout LyX-Code
  316. # tcpreplay --intf1=eth0 sample.pcap
  317. \end_layout
  318. \begin_layout Subsection*
  319. Replaying at different speeds
  320. \end_layout
  321. \begin_layout Standard
  322. You can also replay the traffic at different speeds then it was originally
  323. captured
  324. \begin_inset Foot
  325. status collapsed
  326. \begin_layout Standard
  327. Tcpreplay makes a "best" effort to replay traffic at the given rate, but
  328. due to limitations in hardware or the pcap file itself, it may not be possible.
  329. Capture files with only a few packets in them are especially susceptible
  330. to inaccurately timing packets.
  331. \end_layout
  332. \end_inset
  333. .
  334. \end_layout
  335. \begin_layout Standard
  336. Some examples:
  337. \end_layout
  338. \begin_layout Itemize
  339. To replay traffic as quickly as possible:
  340. \end_layout
  341. \begin_layout LyX-Code
  342. # tcpreplay --topspeed --intf1=eth0 sample.pcap
  343. \end_layout
  344. \begin_layout Itemize
  345. To replay traffic at a rate of 10Mbps:
  346. \end_layout
  347. \begin_layout LyX-Code
  348. # tcpreplay --mbps=10.0 --intf1=eth0 sample.pcap
  349. \end_layout
  350. \begin_layout Itemize
  351. To replay traffic 7.3 times as fast as it was captured:
  352. \end_layout
  353. \begin_layout LyX-Code
  354. # tcpreplay --multiplier=7.3 --intf1=eth0 sample.pcap
  355. \end_layout
  356. \begin_layout Itemize
  357. To replay traffic at half-speed:
  358. \end_layout
  359. \begin_layout LyX-Code
  360. # tcpreplay --multiplier=0.5 --intf1=eth0 sample.pcap
  361. \end_layout
  362. \begin_layout Itemize
  363. To replay at 25 packets per second:
  364. \end_layout
  365. \begin_layout LyX-Code
  366. # tcpreplay --pps=25 --intf1=eth0 sample.pcap
  367. \end_layout
  368. \begin_layout Subsection*
  369. Replaying files multiple times
  370. \end_layout
  371. \begin_layout Standard
  372. Using the loop flag you can specify that a pcap file will be sent two or
  373. more times
  374. \begin_inset Foot
  375. status collapsed
  376. \begin_layout Standard
  377. Looping files resets internal counters which control the speed that the
  378. file is replayed.
  379. Also because the file has to be closed and re-opened, an added delay between
  380. the last and first packet may occur.
  381. \end_layout
  382. \end_inset
  383. :
  384. \end_layout
  385. \begin_layout Standard
  386. To replay the sample.pcap file 10 times:
  387. \end_layout
  388. \begin_layout LyX-Code
  389. # tcpreplay --loop=10 --intf1=eth0 sample.pcap
  390. \end_layout
  391. \begin_layout Standard
  392. To replay the sample.pcap an infinitely or until CTRL-C is pressed:
  393. \end_layout
  394. \begin_layout LyX-Code
  395. # tcpreplay --loop=0 --intf1=eth0 sample.pcap
  396. \end_layout
  397. \begin_layout Section*
  398. Editing Packets
  399. \end_layout
  400. \begin_layout Standard
  401. There are a number of ways you can edit packets stored in a pcap file:
  402. \end_layout
  403. \begin_layout Enumerate
  404. Rewriting IP addresses so that they appear to be sent from and to different
  405. hosts
  406. \end_layout
  407. \begin_layout Enumerate
  408. Fixing corrupted packets which were truncated by tcpdump or had bad checksums
  409. \end_layout
  410. \begin_layout Enumerate
  411. Adding, removing or changing 802.1q VLAN tags on frames
  412. \end_layout
  413. \begin_layout Enumerate
  414. Rewriting traffic so that it no longer uses
  415. \begin_inset Quotes eld
  416. \end_inset
  417. standard
  418. \begin_inset Quotes erd
  419. \end_inset
  420. TCP or UDP ports for the given service
  421. \end_layout
  422. \begin_layout Enumerate
  423. Changing ethernet MAC addresses so that packets will be accepted by a switch,
  424. router or firewall
  425. \end_layout
  426. \begin_layout Section*
  427. Splitting Traffic
  428. \end_layout
  429. \begin_layout Standard
  430. Anything other then just replaying packets at different speeds requires
  431. additional work and CPU cycles.
  432. While older versions of tcpreplay allowed you to do many of these calculations
  433. while replaying traffic, it had a negative effect on the overall throughput
  434. and performance of tcpreplay.
  435. Hence, these secondary features have been placed in two utilities:
  436. \end_layout
  437. \begin_layout Itemize
  438. tcpprep - Used to categorize packets as originating from clients or servers
  439. \end_layout
  440. \begin_layout Itemize
  441. tcprewrite - Used to edit packets
  442. \end_layout
  443. \begin_layout Standard
  444. By using tcpprep and tcprewrite on a pcap file before sending it using tcpreplay
  445. , many possibilities open up.
  446. A few of these possibilities are:
  447. \end_layout
  448. \begin_layout Subsection*
  449. Classifying client and servers with tcpprep
  450. \end_layout
  451. \begin_layout Standard
  452. Both tcpreplay and tcprewrite process a single pcap file and generate output.
  453. Some features, such as rewriting IP or MAC addresses or sending traffic
  454. out two different interfaces, require tcpreplay and tcprewrite to have
  455. some basic knowledge about which packets were sent by
  456. \begin_inset Quotes eld
  457. \end_inset
  458. clients
  459. \begin_inset Quotes erd
  460. \end_inset
  461. and
  462. \begin_inset Quotes eld
  463. \end_inset
  464. servers
  465. \begin_inset Quotes erd
  466. \end_inset
  467. .
  468. Such classification is often rather arbitrary since for example a SMTP
  469. mail server both accepts inbound email (acts as a server) and forwards
  470. mail to other mail servers (acts as a client).
  471. A webserver might accept inbound HTTP requests, but make client connections
  472. to a SQL server.
  473. \end_layout
  474. \begin_layout Standard
  475. To deal with this problem, tcpreplay comes with tcpprep which provides a
  476. number of manual and automatic classification methods which cover a variety
  477. of situations.
  478. \end_layout
  479. \begin_layout Subsubsection*
  480. Seperating clients and servers automatically
  481. \end_layout
  482. \begin_layout Standard
  483. The easiest way to split clients and servers is to let tcpprep do the classifica
  484. tion for you.
  485. Tcpprep examines the pcap file for TCP three-way handshakes, DNS lookups
  486. and other types of traffic to figure out which IP's mostly act like clients
  487. and which mostly act like servers.
  488. There are four different automatic modes that you can choose between:
  489. \end_layout
  490. \begin_layout Enumerate
  491. Bridge - This is the simplest mode.
  492. Each IP is individually tracked and ranked as a client or server.
  493. However, if any of the hosts do not generate enough
  494. \begin_inset Quotes eld
  495. \end_inset
  496. client
  497. \begin_inset Quotes erd
  498. \end_inset
  499. or
  500. \begin_inset Quotes eld
  501. \end_inset
  502. server
  503. \begin_inset Quotes erd
  504. \end_inset
  505. traffic then tcpprep will abort complaining that it was unable to determine
  506. its classification.
  507. This works best when clients and servers are intermixed on the same subnet.
  508. \end_layout
  509. \begin_layout Enumerate
  510. Client - This works just like bridge mode, except that unknown hosts will
  511. be marked a client.
  512. \end_layout
  513. \begin_layout Enumerate
  514. Server - This works just like bridge mode, except that unknown hosts will
  515. be marked a server.
  516. \end_layout
  517. \begin_layout Enumerate
  518. Router - Hosts are first ranked as client or server.
  519. Then each host is placed in a subnet which is expanded until either all
  520. the unknown hosts are included or the --maxmask is reached.
  521. This works best when clients and servers are on diffierent networks.
  522. \end_layout
  523. \begin_layout Standard
  524. \align center
  525. \noun on
  526. \begin_inset Tabular
  527. <lyxtabular version="3" rows="3" columns="2">
  528. <features>
  529. <column alignment="center" valignment="top" rightline="true" width="0">
  530. <column alignment="center" valignment="top" width="0">
  531. <row>
  532. <cell multicolumn="1" alignment="center" valignment="top" usebox="none">
  533. \begin_inset Text
  534. \begin_layout Standard
  535. TCPPREP AUTOMATIC ROUTER MODE PROCESS
  536. \end_layout
  537. \end_inset
  538. </cell>
  539. <cell multicolumn="2" alignment="center" valignment="top" leftline="true" usebox="none">
  540. \begin_inset Text
  541. \begin_layout Standard
  542. \end_layout
  543. \end_inset
  544. </cell>
  545. </row>
  546. <row>
  547. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  548. \begin_inset Text
  549. \begin_layout Standard
  550. \noun on
  551. Step 1:
  552. \noun default
  553. Categorize Clients, Servers and Unknowns
  554. \end_layout
  555. \end_inset
  556. </cell>
  557. <cell alignment="center" valignment="top" topline="true" leftline="true" rightline="true" usebox="none">
  558. \begin_inset Text
  559. \begin_layout Standard
  560. \noun on
  561. Step 2:
  562. \noun default
  563. Clients and Servers Expand Their Subnets to Include Unknowns
  564. \end_layout
  565. \end_inset
  566. </cell>
  567. </row>
  568. <row>
  569. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  570. \begin_inset Text
  571. \begin_layout Standard
  572. \begin_inset Graphics
  573. filename router-mode1.eps
  574. lyxscale 60
  575. scale 60
  576. keepAspectRatio
  577. \end_inset
  578. \end_layout
  579. \end_inset
  580. </cell>
  581. <cell alignment="center" valignment="top" topline="true" leftline="true" rightline="true" usebox="none">
  582. \begin_inset Text
  583. \begin_layout Standard
  584. \begin_inset Graphics
  585. filename router-mode2.eps
  586. lyxscale 60
  587. scale 60
  588. keepAspectRatio
  589. \end_inset
  590. \end_layout
  591. \end_inset
  592. </cell>
  593. </row>
  594. </lyxtabular>
  595. \end_inset
  596. \end_layout
  597. \begin_layout Standard
  598. \InsetSpace ~
  599. \InsetSpace ~
  600. \InsetSpace ~
  601. \end_layout
  602. \begin_layout Standard
  603. \align center
  604. \begin_inset Tabular
  605. <lyxtabular version="3" rows="2" columns="1">
  606. <features>
  607. <column alignment="center" valignment="top" width="0">
  608. <row>
  609. <cell alignment="center" valignment="top" topline="true" leftline="true" rightline="true" usebox="none">
  610. \begin_inset Text
  611. \begin_layout Standard
  612. \noun on
  613. Step 3:
  614. \noun default
  615. Unknowns Now Marked as Clients and Servers
  616. \end_layout
  617. \end_inset
  618. </cell>
  619. </row>
  620. <row>
  621. <cell alignment="center" valignment="top" topline="true" leftline="true" rightline="true" usebox="none">
  622. \begin_inset Text
  623. \begin_layout Standard
  624. \noun on
  625. \begin_inset Graphics
  626. filename router-mode3.eps
  627. lyxscale 60
  628. scale 60
  629. keepAspectRatio
  630. \end_inset
  631. \end_layout
  632. \end_inset
  633. </cell>
  634. </row>
  635. </lyxtabular>
  636. \end_inset
  637. \end_layout
  638. \begin_layout Standard
  639. Classifying clients and servers in automatic mode is as easy as choosing
  640. a pcap file, an output
  641. \begin_inset Quotes eld
  642. \end_inset
  643. tcpprep cache file
  644. \begin_inset Quotes erd
  645. \end_inset
  646. and the mode to use:
  647. \end_layout
  648. \begin_layout LyX-Code
  649. \emph on
  650. $
  651. \emph default
  652. tcpprep --auto=bridge --pcap=input.pcap --cachefile=input.cache
  653. \end_layout
  654. \begin_layout Standard
  655. The above example would split traffic in bridge mode.
  656. Other modes are
  657. \begin_inset Quotes eld
  658. \end_inset
  659. router
  660. \begin_inset Quotes erd
  661. \end_inset
  662. ,
  663. \begin_inset Quotes eld
  664. \end_inset
  665. client
  666. \begin_inset Quotes erd
  667. \end_inset
  668. and
  669. \begin_inset Quotes eld
  670. \end_inset
  671. server
  672. \begin_inset Quotes erd
  673. \end_inset
  674. .
  675. If you wish, you can override the default 2:1 ratio of server vs.
  676. client traffic required to classify an IP as a server.
  677. If for example you wanted to require 3.5 times as much server to client
  678. traffic you would specify it like:
  679. \end_layout
  680. \begin_layout LyX-Code
  681. \emph on
  682. $
  683. \emph default
  684. tcpprep --auto=bridge --ratio=3.5 --pcap=input.pcap --cachefile=input.cache
  685. \end_layout
  686. \begin_layout Subsubsection*
  687. Seperating clients and servers manually by subnet
  688. \end_layout
  689. \begin_layout Standard
  690. Sometimes, you may not want to split traffic based on clients and servers.
  691. The alternative to using on of the automatic modes in this case, is to
  692. use one of the manual modes.
  693. One manual way of differentiating between clients and servers using tcpprep
  694. is by specifying a list of networks in CIDR notation which contain
  695. \begin_inset Quotes eld
  696. \end_inset
  697. servers
  698. \begin_inset Quotes erd
  699. \end_inset
  700. .
  701. Of course the specified CIDR netblocks don't have to contain
  702. \end_layout
  703. \begin_layout Subsection*
  704. Replaying on multiple interfaces
  705. \end_layout
  706. \begin_layout Standard
  707. Tcpreplay can also split traffic so that each side of a connection is sent
  708. out a different interface
  709. \begin_inset Foot
  710. status collapsed
  711. \begin_layout Standard
  712. Note that you can also use the following options to split traffic into two
  713. files using -w and -W which are described later on in this FAQ.
  714. \end_layout
  715. \end_inset
  716. .
  717. In order to do this, tcpreplay needs the name of the second interface (-j)
  718. and a way to split the traffic.
  719. Currently, there are two ways to split traffic:
  720. \end_layout
  721. \begin_layout Enumerate
  722. -C = split traffic by source IP address which is specified in CIDR notation
  723. \end_layout
  724. \begin_layout Enumerate
  725. -c = split traffic according to a tcpprep cachefile
  726. \begin_inset Foot
  727. status collapsed
  728. \begin_layout Standard
  729. For information on generating tcpprep cache files, see the section on tcpprep.
  730. \end_layout
  731. \end_inset
  732. \end_layout
  733. \begin_layout Standard
  734. When splitting traffic, it is important to remember that traffic that matches
  735. the filter is sent out the primary interface (--intf1).
  736. In this case, when splitting traffic by source IP address, you provide
  737. a list of networks in CIDR notation.
  738. For example:
  739. \end_layout
  740. \begin_layout Itemize
  741. To send traffic from 10.0.0.0/8 out eth0 and everything else out eth1:
  742. \end_layout
  743. \begin_layout LyX-Code
  744. tcpreplay -C 10.0.0.0/8 --intf1=eth0 --intf2=eth1 sample.pcap
  745. \end_layout
  746. \begin_layout Itemize
  747. To send traffic from 10.1.0.0/24 and 10.2.0.0/20 out eth0 and everything else
  748. out eth1:
  749. \end_layout
  750. \begin_layout LyX-Code
  751. tcpreplay -C 10.1.0.0/24,10.2.0.0/20 --intf1=eth0 --intf2=eth1 sample.pcap
  752. \end_layout
  753. \begin_layout Itemize
  754. After using tcpprep to generate a cache file, you can use it to split traffic
  755. between two interfaces like this:
  756. \end_layout
  757. \begin_layout LyX-Code
  758. tcpreplay -c sample.cache --intf1=eth0 --intf2=eth1 sample.pcap
  759. \end_layout
  760. \begin_layout Subsection*
  761. Selectively sending or dropping packets
  762. \end_layout
  763. \begin_layout Standard
  764. Sometimes, you want to do some post-capture filtering of packets.
  765. Tcpreplay let's you have some control over which packets get sent.
  766. \end_layout
  767. \begin_layout Enumerate
  768. -M = disables sending of martian packets.
  769. By definition, martian packets have a source IP of 0.x.x.x, 127.x.x.x, or 255.x.x.x
  770. \end_layout
  771. \begin_layout Enumerate
  772. -x = send packets which match a specific pattern
  773. \end_layout
  774. \begin_layout Enumerate
  775. -X = send packets which do not match a specific pattern
  776. \end_layout
  777. \begin_layout Standard
  778. Both -x and -X support a variety of pattern matching types.
  779. These types are specified by a single character, followed by a colon, followed
  780. by the pattern.
  781. The following pattern matching types are available:
  782. \end_layout
  783. \begin_layout Enumerate
  784. S - Source IP
  785. \newline
  786. Pattern is a comma delimited CIDR notation
  787. \end_layout
  788. \begin_layout Enumerate
  789. D - Destination IP
  790. \newline
  791. Pattern is a comma delimited CIDR notation
  792. \end_layout
  793. \begin_layout Enumerate
  794. B - Both source and destination IP must match
  795. \newline
  796. Pattern is a comma delimited
  797. CIDR notation
  798. \end_layout
  799. \begin_layout Enumerate
  800. E - Either source or destination IP must match
  801. \newline
  802. Pattern is a comma delimited
  803. CIDR notation
  804. \end_layout
  805. \begin_layout Enumerate
  806. P - A list of packet numbers from the pcap file.
  807. \newline
  808. Pattern is a series of numbers,
  809. separated by commas or dashes.
  810. \end_layout
  811. \begin_layout Enumerate
  812. F - BPF syntax (same as used in tcpdump).
  813. \newline
  814. Filter must be quoted and is only
  815. supported with -x
  816. \begin_inset Foot
  817. status collapsed
  818. \begin_layout Standard
  819. Note that if you want to send all the packets which do not match a bpf filter,
  820. all you have to do is negate the bpf filter.
  821. See the tcpdump(1) man page for more info.
  822. \end_layout
  823. \end_inset
  824. .
  825. \end_layout
  826. \begin_layout Standard
  827. Examples:
  828. \end_layout
  829. \begin_layout Itemize
  830. To only send traffic that is too and from a host in 10.0.0.0/8:
  831. \end_layout
  832. \begin_layout LyX-Code
  833. tcpreplay -x B:10.0.0.0/8 --intf1 eth0 sample.pcap
  834. \end_layout
  835. \begin_layout Itemize
  836. To not send traffic that is too or from a host in 10.0.0.0/8:
  837. \end_layout
  838. \begin_layout LyX-Code
  839. tcpreplay -X E:10.0.0.0/8 --intf1 eth0 sample.pcap
  840. \end_layout
  841. \begin_layout Itemize
  842. To send every packet except the first 10 packets:
  843. \end_layout
  844. \begin_layout LyX-Code
  845. tcpreplay -X P:1-10 --intf1 eth0 sample.pcap
  846. \end_layout
  847. \begin_layout Itemize
  848. To only send the first 50 packets followed by packets: 100, 150, 200 and
  849. 250:
  850. \end_layout
  851. \begin_layout LyX-Code
  852. tcpreplay -x P:1-50,100,150,200,250 --intf1 eth0 sample.pcap
  853. \end_layout
  854. \begin_layout Itemize
  855. To only send TCP packets from 10.0.0.1:
  856. \end_layout
  857. \begin_layout LyX-Code
  858. \emph on
  859. tcpreplay -x F:'tcp and host 10.0.0.1' --intf1 eth0 sample.pcap
  860. \end_layout
  861. \begin_layout Subsection*
  862. Replaying only a few packets
  863. \end_layout
  864. \begin_layout Standard
  865. Using the limit packets flag (-L) you can specify that tcpreplay will only
  866. send at most a specified number of packets.
  867. \end_layout
  868. \begin_layout Itemize
  869. To send at most 100 packets:
  870. \end_layout
  871. \begin_layout LyX-Code
  872. tcpreplay --intf1 eth0 -L 100 sample.pcap
  873. \end_layout
  874. \begin_layout Subsection*
  875. Skipping the first bytes in a pcap file
  876. \end_layout
  877. \begin_layout Standard
  878. If you want to skip the beginning of a pcap file, you can use the offset
  879. flag (-o) to skip a specified number of bytes and start sending on the
  880. next packet.
  881. \end_layout
  882. \begin_layout Itemize
  883. To skip 15Kb into the pcap file and start sending packets from there:
  884. \end_layout
  885. \begin_layout LyX-Code
  886. tcpreplay --intf1=eth0 -o 15000 sample.pcap
  887. \end_layout
  888. \begin_layout Subsection*
  889. Replaying packets which are bigger then the MTU
  890. \end_layout
  891. \begin_layout Standard
  892. Occasionally, you might find yourself trying to replay a pcap file which
  893. contains packets which are larger then the MTU for the sending interface.
  894. This might be due to the packets being captured on the loopback interface
  895. or on a 1000Mbps ethernet interface supporting
  896. \begin_inset Quotes eld
  897. \end_inset
  898. jumbo frames
  899. \begin_inset Quotes erd
  900. \end_inset
  901. .
  902. I've even seen packets which are 1500 bytes but contain both an ethernet
  903. header and trailer which bumps the total frame size to 1518 which is 4
  904. bytes too large.
  905. \end_layout
  906. \begin_layout Standard
  907. By default, tcpreplay will skip these packets and not send them.
  908. Alternatively, you can specify the -T flag to truncate these packets to
  909. the MTU and then send them.
  910. Of course this may invalidate your testing, but it has proven useful in
  911. certain situations.
  912. Also, when this feature is enabled, tcpreplay will automatically recalculate
  913. the IP and TCP, UDP or ICMP checksums as needed.
  914. Example:
  915. \end_layout
  916. \begin_layout LyX-Code
  917. tcpreplay --intf1 eth0 -T sample.pcap
  918. \end_layout
  919. \begin_layout Subsection*
  920. Writing packets to a file
  921. \end_layout
  922. \begin_layout Standard
  923. It's not always necessary to write packets to the network.
  924. Since tcpreplay has so many features which modify and select which packets
  925. are sent, it is occasionally useful to save these changes to another pcap
  926. file for comparison.
  927. Rather then running a separate tcpdump process to capture the packets,
  928. tcpreplay now supports output directly to a file.
  929. Example:
  930. \end_layout
  931. \begin_layout LyX-Code
  932. tcpreplay --intf1 eth0 -w output.pcap -F -u pad -x E:10.0.0.0/8 input1.pcap input2.pca
  933. p input3.pcap
  934. \end_layout
  935. \begin_layout Standard
  936. Notice that specifying an interface is still required (required for various
  937. internal functions), but all the packets will be written to
  938. \emph on
  939. output.pcap
  940. \emph default
  941. .
  942. \end_layout
  943. \begin_layout Standard
  944. You can also split traffic into two files by using -W <2nd output file>.
  945. \end_layout
  946. \begin_layout Subsection*
  947. Extracting Application Data (Layer 7)
  948. \end_layout
  949. \begin_layout Standard
  950. New to version 2.0 is the ability to extract the application layer data from
  951. the packets and write them to a file.
  952. In the man page, we call this
  953. \begin_inset Quotes eld
  954. \end_inset
  955. data dump mode
  956. \begin_inset Quotes erd
  957. \end_inset
  958. which is enabled with -D.
  959. It's important to specify -D before -w (and -W if you're splitting data
  960. into two files).
  961. Example:
  962. \end_layout
  963. \begin_layout LyX-Code
  964. tcpreplay -D --intf1 eth0 -j eth0 -w clientdata -W serverdata -C 10.0.0.0/24
  965. sample.pcap
  966. \end_layout
  967. \begin_layout Subsection*
  968. Replaying Live Traffic
  969. \end_layout
  970. \begin_layout Standard
  971. You can now replay live traffic sniffed on one network interface and replay
  972. it on another interface using the -S flag to indicate sniff mode and the
  973. appropriate snaplen in bytes (0 denotes the entire packet).
  974. You can also enabling bi-directional traffic using the bridge mode flag:
  975. -b.
  976. \end_layout
  977. \begin_layout Standard
  978. N
  979. \noun on
  980. ote:
  981. \noun default
  982. It is critical for your sanity (and to prevent your murder by your network
  983. administrators) that the input interface and the output interface be on
  984. separate networks and additionally that no other network devices (such
  985. as bridges, switches, routers, etc) be connecting the two networks, else
  986. you will surely get a networkstorm the likes that have not been seen for
  987. years.
  988. \end_layout
  989. \begin_layout Itemize
  990. Send packets sniffed on eth0 out eth1:
  991. \end_layout
  992. \begin_layout LyX-Code
  993. tcpreplay --intf1 eth1 -S 0 eth0
  994. \end_layout
  995. \begin_layout Itemize
  996. Bridge two subnets connected to eth0 and eth1:
  997. \end_layout
  998. \begin_layout LyX-Code
  999. tcpreplay --intf1 eth0 --intf2=eth1 -b -S 0
  1000. \end_layout
  1001. \begin_layout Standard
  1002. By default, tcpreplay listens in promiscuous mode on the specified interface,
  1003. however if you only want to send unicasts directed for the local system
  1004. and broadcasts, you can specify the
  1005. \begin_inset Quotes eld
  1006. \end_inset
  1007. not_nosy
  1008. \begin_inset Quotes erd
  1009. \end_inset
  1010. option in the configuration file or -n on the command line.
  1011. Note that if another program has already placed the interface in promiscuous
  1012. mode, the -n flag will have no effect, so you may want to use the -x or
  1013. -X argument to limit packets.
  1014. \end_layout
  1015. \begin_layout Subsection*
  1016. Replaying Packet Capture Formats Other Than Libpcap
  1017. \end_layout
  1018. \begin_layout Standard
  1019. There are about as many different capture file formats as there are sniffers.
  1020. In the interest of simplicity, tcpreplay only supports libpcap
  1021. \begin_inset Foot
  1022. status collapsed
  1023. \begin_layout Standard
  1024. Note that some versions of tcpreplay prior to 1.4 also supported the Solaris
  1025. snoop format.
  1026. \end_layout
  1027. \end_inset
  1028. .
  1029. If you would like to replay a file in one of these multitude of formats,
  1030. the excellent open source tool Ethereal easily allows you to convert it
  1031. to libpcap.
  1032. For instance, to convert a file in Sun's snoop format to libpcap, issue
  1033. the command:
  1034. \end_layout
  1035. \begin_layout LyX-Code
  1036. tethereal -r blah.snoop -w blah.pcap
  1037. \end_layout
  1038. \begin_layout Standard
  1039. and replay the resulting file.
  1040. \end_layout
  1041. \begin_layout Subsection*
  1042. Replaying Client Traffic to a Server
  1043. \end_layout
  1044. \begin_layout Standard
  1045. A common question on the tcpreplay-users list is how does one replay the
  1046. client side of a connection back to a server.
  1047. Unfortunately, tcpreplay doesn't support this right now.
  1048. The major problem concerns syncing up TCP Seq/Ack numbers which will be
  1049. different.
  1050. ICMP also often contains IP header information which would need to be adjusted.
  1051. About the only thing that could be easy to do is UDP, which isn't usually
  1052. requested.
  1053. \end_layout
  1054. \begin_layout Standard
  1055. This is however a feature that we're looking into implementing in the flowreplay
  1056. utility.
  1057. If you're interested in helping work on this feature, please contact us
  1058. and we'd be more then happy to work with you.
  1059. At this time however, we don't have an ETA when this will be implemented,
  1060. so don't bother asking.
  1061. \end_layout
  1062. \begin_layout Subsection*
  1063. Decoding Packets
  1064. \end_layout
  1065. \begin_layout Standard
  1066. If the tcpdump binary is installed on your system when tcpreplay is compiled,
  1067. it will allow you to decode packets as they are sent without running tcpdump
  1068. in a separate window or worrying about it capturing packets which weren't
  1069. sent by tcpreplay.
  1070. \end_layout
  1071. \begin_layout Itemize
  1072. Decode packets as they are sent:
  1073. \end_layout
  1074. \begin_layout LyX-Code
  1075. tcpreplay --intf1 eth0 -v sample.pcap
  1076. \end_layout
  1077. \begin_layout Itemize
  1078. Decode packets with the link level header:
  1079. \end_layout
  1080. \begin_layout LyX-Code
  1081. tcpreplay --intf1 eth0 -v -A
  1082. \begin_inset Quotes eld
  1083. \end_inset
  1084. -e
  1085. \begin_inset Quotes erd
  1086. \end_inset
  1087. sample.pcap
  1088. \end_layout
  1089. \begin_layout Itemize
  1090. Fully decode and send one packet at a time:
  1091. \end_layout
  1092. \begin_layout LyX-Code
  1093. tcpreplay --intf1 eth0 -v -1 -A
  1094. \begin_inset Quotes eld
  1095. \end_inset
  1096. -s0 -evvvxX
  1097. \begin_inset Quotes erd
  1098. \end_inset
  1099. sample.pcap
  1100. \end_layout
  1101. \begin_layout Standard
  1102. Note that tcpreplay automatically applies the -n flag to disable DNS lookups
  1103. which would slow down tcpdump too much to make it effective.
  1104. \end_layout
  1105. \begin_layout Section*
  1106. Packet Editing
  1107. \end_layout
  1108. \begin_layout Subsection*
  1109. Rewriting MAC addresses
  1110. \end_layout
  1111. \begin_layout Standard
  1112. If you ever want to send traffic to another device on a switched LAN, you
  1113. may need to change the destination MAC address of the packets.
  1114. Tcpreplay allows you to set the destination MAC for each interface independentl
  1115. y using the -I and -J switches.
  1116. As of version 2.1.0, you can also specify the source MAC via -k and -K.
  1117. Example:
  1118. \end_layout
  1119. \begin_layout Itemize
  1120. To send traffic out eth0 with a destination MAC of your router (00:00:01:02:03:0
  1121. 4) and the source MAC of the server (00:20:30:40:50:60):
  1122. \end_layout
  1123. \begin_layout LyX-Code
  1124. tcpreplay --intf1=eth0 -I 00:00:01:02:03:04 -k 00:20:30:40:50:60 sample.pcap
  1125. \end_layout
  1126. \begin_layout Itemize
  1127. To split traffic between internal (10.0.0.0/24) and external addresses and
  1128. to send that traffic to the two interfaces of a firewall:
  1129. \end_layout
  1130. \begin_layout LyX-Code
  1131. tcpreplay --intf1=eth0 --intf2=eth1 -I 00:01:00:00:AA:01 -J 00:01:00:00:AA:02
  1132. -C 10.0.0.0/24 sample.pcap
  1133. \end_layout
  1134. \begin_layout Subsection*
  1135. Randomizing IP addresses
  1136. \end_layout
  1137. \begin_layout Standard
  1138. Occasionally, it is necessary to have tcpreplay rewrite the source and destinati
  1139. on IP addresses, yet maintain the client/server relationship.
  1140. Such a case might be having multiple copies of tcpreplay running at the
  1141. same time using the same pcap file while trying to stress test firewall,
  1142. IDS or other stateful device.
  1143. If you didn't change the source and destination IP addresses, the device
  1144. under test would get confused since it would see multiple copies of the
  1145. same connection occurring at the same time.
  1146. In order to accomplish this, tcpreplay accepts a user specified seed which
  1147. is used to generate pseudo-random IP addresses.
  1148. Also, when this feature is enabled, tcpreplay will automatically recalculate
  1149. the IP and TCP, UDP or ICMP checksums as needed.
  1150. Example:
  1151. \end_layout
  1152. \begin_layout LyX-Code
  1153. \emph on
  1154. tcpreplay --intf1=eth0 -s 1239 sample.pcap &
  1155. \newline
  1156. tcpreplay --intf1=eth0 -s 76
  1157. sample.pcap &
  1158. \newline
  1159. tcpreplay --intf1=eth0 -s 239 sample.pcap &
  1160. \newline
  1161. tcpreplay --intf1=eth0
  1162. sample.pcap
  1163. \end_layout
  1164. \begin_layout Subsection*
  1165. Replaying (de)truncated packets
  1166. \end_layout
  1167. \begin_layout Standard
  1168. Occasionally, it is necessary to replay traffic which has been truncated
  1169. by tcpdump.
  1170. This occurs when the tcpdump snaplen is smaller then the actual packet
  1171. size.
  1172. Since this will create problems for devices which are expecting a full-sized
  1173. packet or attempting checksum calculations, tcpreplay allows you to either
  1174. pad the packet with zeros or reset the packet length in the headers to
  1175. the actual packet size.
  1176. In either case, the IP and TCP, UDP or ICMP checksums are recalculated.
  1177. Examples:
  1178. \end_layout
  1179. \begin_layout Itemize
  1180. Pad truncated packets:
  1181. \end_layout
  1182. \begin_layout LyX-Code
  1183. tcpreplay --intf1=eth0 -u pad sample.pcap
  1184. \end_layout
  1185. \begin_layout Itemize
  1186. Rewrite packet header lengths to the actual packet size:
  1187. \end_layout
  1188. \begin_layout LyX-Code
  1189. tcpreplay --intf1=eth0 -u trunc sample.pcap
  1190. \end_layout
  1191. \begin_layout Subsection*
  1192. Rewriting Layer 2 with -2
  1193. \end_layout
  1194. \begin_layout Standard
  1195. Starting in the 2.0.x branch, tcpreplay can replace the existing layer 2 header
  1196. with one of your choosing.
  1197. This is useful for when you want to change the layer 2 header type or add
  1198. a header for pcap files without one.
  1199. Each pcap file tells the type of frame.
  1200. Currently tcpreplay knows how to deal with the following pcap(3) frame
  1201. types:
  1202. \end_layout
  1203. \begin_layout Itemize
  1204. DLT_EN10MB
  1205. \newline
  1206. Replace existing 802.3/Ethernet II header
  1207. \end_layout
  1208. \begin_layout Itemize
  1209. DLT_RAW
  1210. \newline
  1211. Frame has no Layer 2 header, so we can add one.
  1212. \end_layout
  1213. \begin_layout Itemize
  1214. DLT_LINUX_SLL
  1215. \newline
  1216. Frame uses the Linux Cooked Socket header which is most commonly
  1217. created with
  1218. \emph on
  1219. tcpdump -i any
  1220. \emph default
  1221. on a Linux system.
  1222. \end_layout
  1223. \begin_layout Standard
  1224. Tcpreplay accepts the new Layer 2 header as a string of comma separated
  1225. hex values such as: 0xff,0xac,0x00,0x01,0xc0,0x64.
  1226. Note that the leading '0x' is
  1227. \emph on
  1228. not
  1229. \emph default
  1230. required.
  1231. \end_layout
  1232. \begin_layout Standard
  1233. Potential uses for this are to add a layer 2 header for DLT_RAW captures
  1234. or add/remove ethernet tags or QoS features.
  1235. \end_layout
  1236. \begin_layout Subsection*
  1237. Rewriting DLT_LINUX_SLL (Linux Cooked Socket) captures
  1238. \end_layout
  1239. \begin_layout Standard
  1240. Tcpdump uses a special frame type to store captures created with the
  1241. \begin_inset Quotes eld
  1242. \end_inset
  1243. -i any
  1244. \begin_inset Quotes erd
  1245. \end_inset
  1246. argument.
  1247. This frame type uses a custom 16 byte layer 2 header which tracks which
  1248. interface captured the packet and often the source MAC address of the original
  1249. ethernet frame.
  1250. Unfortunately, it never stores the destination MAC address and it doesn't
  1251. store a source MAC when the packet is captured on the loopback interface.
  1252. Normally, tcpreplay can't replay these pcap files because there isn't enough
  1253. information in the LINUX_SLL header to do so; however two options do exist:
  1254. \end_layout
  1255. \begin_layout Enumerate
  1256. You can send these packets with -2 which will replace the LINUX_SLL header
  1257. with an ethernet header of your choosing.
  1258. \end_layout
  1259. \begin_layout Enumerate
  1260. You can specify a destination MAC via -I and -J in which case tcpreplay
  1261. will use the stored source MAC and create a new 802.3 Ethernet header.
  1262. Note that if the pcap contains loopback packets, you will also need to
  1263. specify -k and/or -K to specify the source MAC as well or they will be
  1264. skipped.
  1265. \end_layout
  1266. \begin_layout Subsection*
  1267. Rewriting IP Addresses (pseudo-NAT)
  1268. \end_layout
  1269. \begin_layout Standard
  1270. Pseudo-NAT allows the mapping of IP addresses in IPv4 and ARP packets from
  1271. one subnet to another subnet of the same or different size.
  1272. This allows some or all the traffic sent to appear to come from a different
  1273. IP subnet then it actually was captured on.
  1274. \end_layout
  1275. \begin_layout Standard
  1276. The mapping is done through a user specified translation table comprised
  1277. of one or more source and destination network(s) in the format of <srcnet>/<mas
  1278. klen>:<dstnet>/<masklen> deliminated by a comma.
  1279. Mapping is done by matching IP addresses to the source subnet and rewriting
  1280. the most significant bits with the destination subnet.
  1281. For example:
  1282. \end_layout
  1283. \begin_layout Standard
  1284. \emph on
  1285. tcpreplay --intf1=eth0 -N 10.100.0.0/16:172.16.10.0/24 sample.pcap
  1286. \end_layout
  1287. \begin_layout Standard
  1288. would match any IP in the 10.100.0.0/16 subnet and rewrite it as if it came
  1289. from or sent to the 172.16.10.0/24 subnet.
  1290. Ie: 10.100.5.88 would become 172.16.10.88 and 10.100.99.45 would become 172.16.10.45.
  1291. But 10.150.7.44 would not be rewritten.
  1292. \end_layout
  1293. \begin_layout Standard
  1294. For any given IP address, the translation table is applied in order (so
  1295. if there are multiple mappings, earlier maps take precedence) and occurs
  1296. only once per IP (no risk of an address getting rewritten a second time).
  1297. \end_layout
  1298. \begin_layout Subsection*
  1299. Advanced pseudo-NAT
  1300. \end_layout
  1301. \begin_layout Standard
  1302. Pseudo-NAT also works with traffic splitting (using two interfaces or output
  1303. files) but with a few important differences.
  1304. First you have the option of specifying one or two pseudo-NAT tables.
  1305. Using a single pseudo-NAT table means that the source and destination IP
  1306. addresses of both interfaces are rewritten using the same rules.
  1307. Using two pseudo-NAT tables (specifying -N <Table1> -N <Table2>) will cause
  1308. the source and destination IP addresses to be rewritten differently for
  1309. each interface using the following matrix:
  1310. \end_layout
  1311. \begin_layout Standard
  1312. \align center
  1313. \begin_inset Tabular
  1314. <lyxtabular version="3" rows="3" columns="3">
  1315. <features>
  1316. <column alignment="center" valignment="top" width="0sp">
  1317. <column alignment="center" valignment="top" leftline="true" width="0sp">
  1318. <column alignment="center" valignment="top" leftline="true" rightline="true" width="0sp">
  1319. <row>
  1320. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1321. \begin_inset Text
  1322. \begin_layout Standard
  1323. \end_layout
  1324. \end_inset
  1325. </cell>
  1326. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1327. \begin_inset Text
  1328. \begin_layout Standard
  1329. Out Primary Interface
  1330. \end_layout
  1331. \end_inset
  1332. </cell>
  1333. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1334. \begin_inset Text
  1335. \begin_layout Standard
  1336. Out Secondary Interface
  1337. \end_layout
  1338. \end_inset
  1339. </cell>
  1340. </row>
  1341. <row topline="true">
  1342. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1343. \begin_inset Text
  1344. \begin_layout Standard
  1345. Src IP
  1346. \end_layout
  1347. \end_inset
  1348. </cell>
  1349. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1350. \begin_inset Text
  1351. \begin_layout Standard
  1352. Table 1
  1353. \end_layout
  1354. \end_inset
  1355. </cell>
  1356. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1357. \begin_inset Text
  1358. \begin_layout Standard
  1359. Table 2
  1360. \end_layout
  1361. \end_inset
  1362. </cell>
  1363. </row>
  1364. <row topline="true" bottomline="true">
  1365. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1366. \begin_inset Text
  1367. \begin_layout Standard
  1368. Dest IP
  1369. \end_layout
  1370. \end_inset
  1371. </cell>
  1372. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1373. \begin_inset Text
  1374. \begin_layout Standard
  1375. Table 2
  1376. \end_layout
  1377. \end_inset
  1378. </cell>
  1379. <cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
  1380. \begin_inset Text
  1381. \begin_layout Standard
  1382. Table 1
  1383. \end_layout
  1384. \end_inset
  1385. </cell>
  1386. </row>
  1387. </lyxtabular>
  1388. \end_inset
  1389. \end_layout
  1390. \begin_layout Standard
  1391. While seemingly a bit confusing, this feature provides a number of interesting
  1392. possibilities such as the ability to rewrite the IP headers of packets
  1393. in the case where traffic is captured on the loopback interface (and the
  1394. source and destination address is always 127.0.0.1) so that tcpreplay can
  1395. make it look like two different systems are talking to each other (you'll
  1396. probably also need to specify the source and destination MAC addresses
  1397. via -I, -J, -k and -K).
  1398. \end_layout
  1399. \begin_layout Subsection*
  1400. IP Endpoints
  1401. \end_layout
  1402. \begin_layout Standard
  1403. While pseudo-NAT provides a great deal of flexibility, it is often more
  1404. complicated then is necessary for testing of inline devices.
  1405. As a simplier alternative, tcpreplay supports the concept of rewriting
  1406. all traffic to so that it appears to be between two IP addresses:
  1407. \end_layout
  1408. \begin_layout LyX-Code
  1409. tcpreplay --intf1=eth0 --intf2=eth1 -c sample.cache -e 10.0.0.1:10.1.1.1 sample.pcap
  1410. \end_layout
  1411. \begin_layout Standard
  1412. Will rewrite all the traffic so that it is between 10.0.0.1 and 10.1.1.1.
  1413. The equivalent command using -N would be:
  1414. \end_layout
  1415. \begin_layout LyX-Code
  1416. tcpreplay --intf1=eth0 --intf2=eth1 -c sample.cache -N 0.0.0.0/0:10.0.0.1 -N 0.0.0.0/0:10.1.
  1417. 1.1 sample.pcap
  1418. \end_layout
  1419. \begin_layout Subsection*
  1420. Unifying Dual-Outputs
  1421. \end_layout
  1422. \begin_layout Standard
  1423. Since a number of tcpreplay's packet editing functions require splitting
  1424. traffic between client and servers, one problem that may arrise is needing
  1425. to edit packets but still output to a single interface or file.
  1426. The solution to this is to use the one output option -O which causes packets
  1427. to be processed as if they will be split between the interfaces/files,
  1428. but then always go out the primary interface or file.
  1429. Note that even though only one interface/file will be written to, both
  1430. -i and -j must be specified; although they can be the same physical interface.
  1431. \end_layout
  1432. \begin_layout LyX-Code
  1433. tcpreplay --intf1=eth0 -j eth0 -O -c sample.cache -e 10.0.0.1:10.1.1.1 sample.pcap
  1434. \end_layout
  1435. \begin_layout Standard
  1436. Merging the output to a single file:
  1437. \end_layout
  1438. \begin_layout LyX-Code
  1439. tcpreplay --intf1=eth0 -j eth0 -w rewrite.pcap -c sample.cache -e 10.0.0.1:10.1.1.1
  1440. sample.pcap
  1441. \end_layout
  1442. \begin_layout Section*
  1443. Tcpprep Usage
  1444. \end_layout
  1445. \begin_layout Subsection*
  1446. What is tcpprep?
  1447. \end_layout
  1448. \begin_layout Standard
  1449. Tcpreplay can send traffic out two network cards, however it requires the
  1450. calculations be done in real-time.
  1451. These calculations can be expensive and can significantly reduce the throughput
  1452. of tcpreplay.
  1453. \end_layout
  1454. \begin_layout Standard
  1455. Tcpprep is a libpcap pre-processor for tcpreplay which enables using two
  1456. network cards to send traffic without the performance hit of doing the
  1457. calculations in real-time.
  1458. \end_layout
  1459. \begin_layout Subsection*
  1460. What are these 'modes' tcpprep has?
  1461. \end_layout
  1462. \begin_layout Standard
  1463. Tcpprep has three basic modes which require the user to specify how to split
  1464. traffic.
  1465. \end_layout
  1466. \begin_layout Itemize
  1467. CIDR (-\SpecialChar \textcompwordmark{}
  1468. -cidr) mode requires the user to provide a list of networks.
  1469. Any packet with a source IP in one of these networks gets sent out the
  1470. primary interface.
  1471. \end_layout
  1472. \begin_layout Itemize
  1473. Regex (-\SpecialChar \textcompwordmark{}
  1474. -regex) mode requires the user to provide a regular expression.
  1475. Any packet with a source IP matching the regex gets sent out the primary
  1476. interface.
  1477. \end_layout
  1478. \begin_layout Itemize
  1479. Port (-\SpecialChar \textcompwordmark{}
  1480. -port) mode splits TCP/UDP traffic based on the destination port
  1481. in the header.
  1482. Normally, ports 0-1023 are considered
  1483. \begin_inset Quotes eld
  1484. \end_inset
  1485. server
  1486. \begin_inset Quotes erd
  1487. \end_inset
  1488. ports and everything else a client port.
  1489. You can create your own custom mapping file in the same format as /etc/services
  1490. (see the services(5) man page for details) by specifying -\SpecialChar \textcompwordmark{}
  1491. -services <file>.
  1492. \end_layout
  1493. \begin_layout Standard
  1494. And four auto modes in which tcpprep decides how to split traffic.
  1495. Auto modes are useful for when you don't know much about the contents of
  1496. the dump file in question and you want to split traffic up based upon servers
  1497. and clients.
  1498. \end_layout
  1499. \begin_layout Itemize
  1500. Auto/Router (-\SpecialChar \textcompwordmark{}
  1501. -auto router) mode trys to find the largest network(s) that
  1502. contain all the servers and no clients.
  1503. Any unknown system is automatically re-classified as servers if it's inside
  1504. the server network(s), otherwise it is classified as a client.
  1505. \end_layout
  1506. \begin_layout Itemize
  1507. Auto/Bridge (-\SpecialChar \textcompwordmark{}
  1508. -auto bridge) mode makes the assumption that the clients and
  1509. servers are horribly intermixed on the network and there's no way to subnet
  1510. them.
  1511. While this takes less processing time to create the cache file it is unable
  1512. to deal with unknown systems.
  1513. \end_layout
  1514. \begin_layout Itemize
  1515. Auto/Client (-\SpecialChar \textcompwordmark{}
  1516. -auto client) mode which works just like Auto/Bridge mode,
  1517. except that any system it can't figure out is treated like a client.
  1518. \end_layout
  1519. \begin_layout Itemize
  1520. Auto/Server (-\SpecialChar \textcompwordmark{}
  1521. -auto server) mode which works just like Auto/Bridge mode,
  1522. except that any system it can't figure out is treated like a server.
  1523. \end_layout
  1524. \begin_layout Subsection*
  1525. Splitting traffic based upon IP address
  1526. \end_layout
  1527. \begin_layout Standard
  1528. Tcpprep supports the same CIDR mode that tcpreplay supports using the -\SpecialChar \textcompwordmark{}
  1529. -cidr
  1530. flag.
  1531. Additionally, tcpprep also supports regex(7) regular expressions to match
  1532. source IP addresses using the -\SpecialChar \textcompwordmark{}
  1533. -regex flag.
  1534. \end_layout
  1535. \begin_layout Subsection*
  1536. Auto Mode
  1537. \end_layout
  1538. \begin_layout Subsubsection*
  1539. How does Auto/Bridge mode work?
  1540. \end_layout
  1541. \begin_layout Standard
  1542. Tcpprep does an initial pass over the libpcap file to build a binary tree
  1543. (one node per IP).
  1544. For each IP, it keeps track of how many times it was a client or server.
  1545. It then does a second pass of the file using the data in the tree and the
  1546. ratio to determine if an IP is a client or server.
  1547. If tcpprep is unable to determine the type (client or server) for each
  1548. and every packet, then auto/bridge mode will fail.
  1549. In these cases, it is best to use a different auto mode.
  1550. \end_layout
  1551. \begin_layout Subsubsection*
  1552. How does Auto/Router mode work?
  1553. \end_layout
  1554. \begin_layout Standard
  1555. Tcpprep does the same first pass as Auto/Bridge mode.
  1556. It then trys to convert the binary tree into a list of networks containing
  1557. the servers.
  1558. Finally it uses the CIDR mode with the list of server networks in a second
  1559. pass of the libpcap file.
  1560. Unlike auto/bridge mode, auto/router mode can always successfully split
  1561. IP addresses into clients and servers.
  1562. \end_layout
  1563. \begin_layout Subsubsection*
  1564. Determining Clients and Servers
  1565. \end_layout
  1566. \begin_layout Standard
  1567. Tcpprep uses the following methods in auto/router and auto/bridge mode to
  1568. determine if an IP address is a client or server:
  1569. \end_layout
  1570. \begin_layout Itemize
  1571. Client:
  1572. \end_layout
  1573. \begin_deeper
  1574. \begin_layout Itemize
  1575. TCP with Syn flag set
  1576. \end_layout
  1577. \begin_layout Itemize
  1578. UDP source/destination port 53 (DNS) without query flag set
  1579. \end_layout
  1580. \begin_layout Itemize
  1581. ICMP port unreachable (destination IP of packet)
  1582. \end_layout
  1583. \end_deeper
  1584. \begin_layout Itemize
  1585. Server:
  1586. \end_layout
  1587. \begin_deeper
  1588. \begin_layout Itemize
  1589. TCP with Syn/Ack flag set
  1590. \end_layout
  1591. \begin_layout Itemize
  1592. UDP source/destination port 53 (DNS) with query flag set
  1593. \end_layout
  1594. \begin_layout Itemize
  1595. ICMP port unreachable (source IP of packet)
  1596. \end_layout
  1597. \end_deeper
  1598. \begin_layout Subsubsection*
  1599. Client/Server ratio
  1600. \end_layout
  1601. \begin_layout Standard
  1602. Since a system may send traffic which would classify it as both a client
  1603. and server, it's necessary to be able to weigh the traffic.
  1604. This is done by specifying the client/server ratio (-R) which is by default
  1605. set to 2.0.
  1606. The ratio is the modifier to the number of client connections.
  1607. Hence, by default, client connections are valued twice as high as server
  1608. connections.
  1609. \end_layout
  1610. \begin_layout Subsection*
  1611. Selectively sending/dropping packets
  1612. \end_layout
  1613. \begin_layout Standard
  1614. Tcpprep supports the same -\SpecialChar \textcompwordmark{}
  1615. -include and -\SpecialChar \textcompwordmark{}
  1616. -exclude options to selectively
  1617. send or drop packets.
  1618. \end_layout
  1619. \begin_layout Subsection*
  1620. Using tcpprep cache files with tcpreplay
  1621. \end_layout
  1622. \begin_layout Standard
  1623. Just run:
  1624. \end_layout
  1625. \begin_layout LyX-Code
  1626. tcpreplay --cachefile sample.cache --intf1=eth0 --intf2=eth1 sample.pcap
  1627. \end_layout
  1628. \begin_layout Subsection*
  1629. Commenting tcpprep cache files
  1630. \end_layout
  1631. \begin_layout Standard
  1632. In versions of tcpprep >= 2.1.0, you can specify a comment to be embeded in
  1633. the tcpprep cache file.
  1634. Comments are user specified and automatically include the command line
  1635. arguments passed to tcpprep.
  1636. \end_layout
  1637. \begin_layout LyX-Code
  1638. tcpprep --comment
  1639. \begin_inset Quotes eld
  1640. \end_inset
  1641. this is my comment
  1642. \begin_inset Quotes erd
  1643. \end_inset
  1644. --pcap sample.pcap --cachefile sample.cache <other args>
  1645. \end_layout
  1646. \begin_layout Standard
  1647. Or for no user comment, but still embed the command arguments:
  1648. \end_layout
  1649. \begin_layout LyX-Code
  1650. tcpprep --comment
  1651. \begin_inset Quotes eld
  1652. \end_inset
  1653. \begin_inset Quotes erd
  1654. \end_inset
  1655. --pcap sample.pcap --cachefile sample.cache <other args>
  1656. \end_layout
  1657. \begin_layout Standard
  1658. You can then later on print out the comments by running:
  1659. \end_layout
  1660. \begin_layout LyX-Code
  1661. tcpprep --print-comment sample.cache
  1662. \end_layout
  1663. \begin_layout Section*
  1664. Using Configuration Files
  1665. \end_layout
  1666. \begin_layout Standard
  1667. Each of the applications in the tcpreplay suite offers the choice of specifying
  1668. configuration options in a config file in addition to the traditional command
  1669. line.
  1670. Each command line option has an equivalent config file option which is
  1671. listed in the man page.
  1672. To specify the configuration file you'd like to use, use the -\SpecialChar \textcompwordmark{}
  1673. -load-opts=<filen
  1674. ame> option.
  1675. \end_layout
  1676. \begin_layout Standard
  1677. Configuration files have one option per line, and lines beginning with the
  1678. pound sign (#) are considered comments and ignored.
  1679. An example config file follows:
  1680. \end_layout
  1681. \begin_layout Standard
  1682. ------------BEGIN CONFIG FILE--------------
  1683. \end_layout
  1684. \begin_layout Standard
  1685. \family typewriter
  1686. # send traffic out 'eth0'
  1687. \newline
  1688. intf1 eth0
  1689. \newline
  1690. \newline
  1691. # loop 5 times
  1692. \newline
  1693. loop 5
  1694. \newline
  1695. \newline
  1696. # send traffic 2x
  1697. as fast
  1698. \newline
  1699. multiplier 2
  1700. \family default
  1701. \newline
  1702. --------------END CONFIG FILE---------------
  1703. \end_layout
  1704. \begin_layout Standard
  1705. You would then execute:
  1706. \end_layout
  1707. \begin_layout LyX-Code
  1708. # tcpreplay --load-opts=myconfigfile sample.pcap
  1709. \end_layout
  1710. \begin_layout Standard
  1711. You can also group configuration options for tcpprep, tcprewrite and tcpreplay
  1712. in a single config file by placing section markers in the config file.
  1713. An example:
  1714. \end_layout
  1715. \begin_layout Standard
  1716. ------------BEGIN CONFIG FILE--------------
  1717. \end_layout
  1718. \begin_layout Standard
  1719. \family typewriter
  1720. cachefile=example.tcpprep
  1721. \newline
  1722. \newline
  1723. [TCPREPLAY]
  1724. \newline
  1725. intf1 eth0
  1726. \newline
  1727. intf2 eth1
  1728. \newline
  1729. topspeed
  1730. \newline
  1731. \newline
  1732. [TCPPREP]
  1733. \newline
  1734. auto=br
  1735. idge
  1736. \newline
  1737. comment='This cache file was created with a config file'
  1738. \newline
  1739. pcap=sample.pcap
  1740. \newline
  1741. \newline
  1742. [TCPR
  1743. EWRITE]
  1744. \newline
  1745. infile=sample.pcap
  1746. \newline
  1747. outfile=newsample.pcap
  1748. \newline
  1749. vlan=add
  1750. \newline
  1751. vlan-tag=44
  1752. \newline
  1753. endpoints=10.0.0.1:
  1754. 10.0.1.1
  1755. \end_layout
  1756. \begin_layout Standard
  1757. ------------END CONFIG FILE--------------
  1758. \end_layout
  1759. \begin_layout Section*
  1760. Flowreplay Usage
  1761. \end_layout
  1762. \begin_layout Standard
  1763. While tcpreplay is a great way to test NIDS and firewalls, it can't be used
  1764. to test servers or HIDS since tcpreplay can't connect to a service running
  1765. on a device.
  1766. The solution to this problem is flowreplay which instead of sending packets
  1767. at Layer 2 (ethernet header and up), it can actually connect via TCP or
  1768. UDP to server and then sends and receives data based upon a pcap capture
  1769. file created with a tool like Ethereal or tcpdump.
  1770. \end_layout
  1771. \begin_layout Standard
  1772. Please note that flowreplay is currently alpha quality and is missing a
  1773. number of key features.
  1774. \end_layout
  1775. \begin_layout Subsection*
  1776. How flowreplay works
  1777. \end_layout
  1778. \begin_layout Standard
  1779. Put simply, flowreplay opens a socket connection to a service on a target
  1780. system(s) and sends data over that socket based on the packet capture.
  1781. Flowreplay has no understanding of the application protocol (like HTTP
  1782. or FTP) so it is somewhat limited in how it can deal with complicated exchanges
  1783. between client and server.
  1784. \end_layout
  1785. \begin_layout Standard
  1786. Some of these limitations are:
  1787. \end_layout
  1788. \begin_layout Itemize
  1789. Flowreplay only plays the client side
  1790. \begin_inset Foot
  1791. status open
  1792. \begin_layout Standard
  1793. Flowreplay assumes the first UDP packet on a given 4-tuple is the client
  1794. \end_layout
  1795. \end_inset
  1796. of the connection.
  1797. \end_layout
  1798. \begin_layout Itemize
  1799. Flowreplay doesn't understand the application protocols.
  1800. Hence it can't always deal with the case when the server sends a different
  1801. response then what was originally captured in the pcap file.
  1802. \end_layout
  1803. \begin_layout Itemize
  1804. Flowreplay only sends TCP and UDP traffic.
  1805. \end_layout
  1806. \begin_layout Itemize
  1807. Flowreplay doesn't know about multi-flow protocols like FTP.
  1808. \end_layout
  1809. \begin_layout Itemize
  1810. Flowreplay can't listen on a port and wait for a client to connect to it.
  1811. \end_layout
  1812. \begin_layout Subsection*
  1813. Running flowreplay
  1814. \end_layout
  1815. \begin_layout Standard
  1816. See the flowreplay(8) man page for details.
  1817. \end_layout
  1818. \begin_layout Section*
  1819. Tuning OS's for high performance
  1820. \end_layout
  1821. \begin_layout Standard
  1822. Regardless of the size of physical memory, UNIX kernels will only allocate
  1823. a static amount for network buffers.
  1824. This includes packets sent via the "raw" interface, like with tcpreplay.
  1825. Most kernels will allow you to tweak the size of these buffers, drastically
  1826. increasing performance and accuracy.
  1827. \end_layout
  1828. \begin_layout Standard
  1829. N
  1830. \noun on
  1831. ote:
  1832. \noun default
  1833. The following information is provided based upon our own experiences or
  1834. the reported experiences of others.
  1835. Depending on your hardware and specific hardware, it may or may not work
  1836. for you.
  1837. It may even make your system horribly unstable, corrupt your harddrive,
  1838. or worse.
  1839. \end_layout
  1840. \begin_layout Standard
  1841. \noun on
  1842. Note
  1843. \noun default
  1844. : Different operating systems, network card drivers, and even hardware can
  1845. have an effect on the accuracy of packet timestamps that tcpdump or other
  1846. capture utilities generate.
  1847. And as you know: garbage in, garbage out.
  1848. \end_layout
  1849. \begin_layout Standard
  1850. \noun on
  1851. Note:
  1852. \noun default
  1853. If you have information on tuning the kernel of an operating system not
  1854. listed here, please send it to me so I can include it.
  1855. \end_layout
  1856. \begin_layout Subsection*
  1857. Linux 2.4.x
  1858. \end_layout
  1859. \begin_layout Standard
  1860. The following is known to apply to the 2.4.x series of kernels.
  1861. If anyone has any information regarding other kernel versions, please let
  1862. us know.
  1863. By default Linux's tcpreplay performance isn't all that stellar.
  1864. However, with a simple tweak, relatively decent performance can be had
  1865. on the right hardware.
  1866. By default, Linux specifies a 64K buffer for sending packets.
  1867. Increasing this buffer to about half a megabyte does a good job:
  1868. \end_layout
  1869. \begin_layout Standard
  1870. \emph on
  1871. echo 524287 >/proc/sys/net/core/wmem_default
  1872. \newline
  1873. echo 524287 >/proc/sys/net/core/wme
  1874. m_max
  1875. \newline
  1876. echo 524287 >/proc/sys/net/core/rmem_max
  1877. \newline
  1878. echo 524287 >/proc/sys/net/core/r
  1879. mem_default
  1880. \end_layout
  1881. \begin_layout Standard
  1882. On one system, we've seen a jump from 23.02 megabits/sec (5560 packets/sec)
  1883. to 220.30 megabits/sec (53212 packets/sec) which is nearly a 10x increase
  1884. in performance.
  1885. Depending on your system and capture file, different numbers may provide
  1886. different results.
  1887. \end_layout
  1888. \begin_layout Subsection*
  1889. *BSD
  1890. \end_layout
  1891. \begin_layout Standard
  1892. *BSD systems typically allow you to specify the size of network buffers
  1893. with the NMBCLUSTERS option in the kernel config file.
  1894. Experiment with different sizes to see which yields the best performance.
  1895. See the options(4) man page for more details.
  1896. \end_layout
  1897. \begin_layout Section*
  1898. Required Libraries and Tools
  1899. \end_layout
  1900. \begin_layout Subsection*
  1901. Libpcap
  1902. \end_layout
  1903. \begin_layout Standard
  1904. As of tcpreplay v1.4, you'll need to have libpcap installed on your system.
  1905. As of v2.0, you'll need at least version 0.6.0 or better, but I only test
  1906. our code with the latest version.
  1907. Libpcap can be obtained on the tcpdump homepage
  1908. \begin_inset Foot
  1909. status collapsed
  1910. \begin_layout Standard
  1911. \begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
  1912. \end_inset
  1913. \end_layout
  1914. \end_inset
  1915. .
  1916. \end_layout
  1917. \begin_layout Subsection*
  1918. Libnet
  1919. \end_layout
  1920. \begin_layout Standard
  1921. Tcpreplay v1.3 is the last version to support the old libnet API (everything
  1922. before 1.1.x).
  1923. As of v1.4 you will need to use Libnet 1.1.0 or better which can be obtained
  1924. from the Libnet homepage
  1925. \begin_inset Foot
  1926. status collapsed
  1927. \begin_layout Standard
  1928. \begin_inset LatexCommand \htmlurl{http://www.packetfactory.net/Projects/Libnet/}
  1929. \end_inset
  1930. \end_layout
  1931. \end_inset
  1932. .
  1933. \end_layout
  1934. \begin_layout Subsection*
  1935. Tcpdump
  1936. \end_layout
  1937. \begin_layout Standard
  1938. As of 2.0, tcpreplay uses tcpdump (the binary, not code) to decode packets
  1939. to STDOUT in a human readable (with practice) format as it sends them.
  1940. If you would like this feature, tcpdump must be installed on your system.
  1941. \end_layout
  1942. \begin_layout Standard
  1943. \noun on
  1944. Note:
  1945. \noun default
  1946. The location of the tcpdump binary is hardcoded in tcpreplay at compile
  1947. time.
  1948. If tcpdump gets renamed or moved, the feature will become disabled.
  1949. \end_layout
  1950. \begin_layout Part*
  1951. Other Resources
  1952. \end_layout
  1953. \begin_layout Section*
  1954. Other pcap tools available
  1955. \end_layout
  1956. \begin_layout Subsection*
  1957. Tools to capture network traffic or decode pcap files
  1958. \end_layout
  1959. \begin_layout Itemize
  1960. tcpdump
  1961. \newline
  1962. \begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
  1963. \end_inset
  1964. \end_layout
  1965. \begin_layout Itemize
  1966. ethereal
  1967. \newline
  1968. \begin_inset LatexCommand \htmlurl{http://www.ethereal.com/}
  1969. \end_inset
  1970. \end_layout
  1971. \begin_layout Itemize
  1972. ettercap
  1973. \newline
  1974. \begin_inset LatexCommand \htmlurl{http://ettercap.sourceforge.net/}
  1975. \end_inset
  1976. \end_layout
  1977. \begin_layout Subsection*
  1978. Tools to edit pcap files
  1979. \end_layout
  1980. \begin_layout Itemize
  1981. tcpslice
  1982. \newline
  1983. Splits pcap files into smaller files
  1984. \newline
  1985. \begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
  1986. \end_inset
  1987. \end_layout
  1988. \begin_layout Itemize
  1989. mergecap
  1990. \newline
  1991. Merges two pcap capture files into one
  1992. \newline
  1993. \begin_inset LatexCommand \htmlurl{http://www.ethereal.com/}
  1994. \end_inset
  1995. \end_layout
  1996. \begin_layout Itemize
  1997. editcap
  1998. \newline
  1999. Converts capture file formats (pcap, snoop, etc)
  2000. \newline
  2001. \begin_inset LatexCommand \htmlurl{http://www.ethereal.com/}
  2002. \end_inset
  2003. \end_layout
  2004. \begin_layout Itemize
  2005. netdude
  2006. \newline
  2007. GTK based pcap capture file editor.
  2008. Allows editing most anything in the packet.
  2009. \newline
  2010. \begin_inset LatexCommand \htmlurl{http://netdude.sourceforge.net/}
  2011. \end_inset
  2012. \end_layout
  2013. \begin_layout Subsection*
  2014. Other useful tools
  2015. \end_layout
  2016. \begin_layout Itemize
  2017. capinfo
  2018. \newline
  2019. Prints statistics and basic information about a pcap file
  2020. \newline
  2021. \begin_inset LatexCommand \htmlurl{http://www.ethereal.com/}
  2022. \end_inset
  2023. \end_layout
  2024. \begin_layout Itemize
  2025. text2pcap
  2026. \newline
  2027. Generates a pcap capture file from a hex dump
  2028. \newline
  2029. \begin_inset LatexCommand \htmlurl{http://www.ethereal.com/}
  2030. \end_inset
  2031. \end_layout
  2032. \begin_layout Itemize
  2033. tcpflow
  2034. \newline
  2035. Extracts and reassembles the data portion on a per-flow basis on
  2036. live traffic or pcap capture files
  2037. \newline
  2038. \begin_inset LatexCommand \htmlurl{http://www.circlemud.org/~jelson/software/tcpflow/}
  2039. \end_inset
  2040. \end_layout
  2041. \begin_layout Itemize
  2042. airodump/aireplay:
  2043. \newline
  2044. Capture and replay 802.11 frames
  2045. \newline
  2046. \begin_inset LatexCommand \htmlurl{http://www.cr0.net:8040/code/network/aircrack/}
  2047. \end_inset
  2048. \end_layout
  2049. \end_body
  2050. \end_document