FAQ.lyx 32 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302
  1. #LyX 1.4.0 created this file. For more info see http://www.lyx.org/
  2. \lyxformat 245
  3. \begin_document
  4. \begin_header
  5. \textclass article
  6. \language english
  7. \inputencoding latin1
  8. \fontscheme times
  9. \graphics default
  10. \paperfontsize default
  11. \spacing single
  12. \papersize letterpaper
  13. \use_geometry true
  14. \use_amsmath 1
  15. \cite_engine basic
  16. \use_bibtopic false
  17. \paperorientation portrait
  18. \leftmargin 10mm
  19. \topmargin 10mm
  20. \rightmargin 10mm
  21. \bottommargin 15mm
  22. \secnumdepth 4
  23. \tocdepth 3
  24. \paragraph_separation skip
  25. \defskip medskip
  26. \quotes_language english
  27. \papercolumns 1
  28. \papersides 1
  29. \paperpagestyle default
  30. \tracking_changes false
  31. \output_changes true
  32. \end_header
  33. \begin_body
  34. \begin_layout Title
  35. Tcpreplay 3.x FAQ
  36. \end_layout
  37. \begin_layout Author
  38. Aaron Turner
  39. \newline
  40. http://tcpreplay.sourceforge.net/
  41. \end_layout
  42. \begin_layout Standard
  43. \newpage
  44. \begin_inset LatexCommand \tableofcontents{}
  45. \end_inset
  46. \newpage
  47. \end_layout
  48. \begin_layout Section
  49. General Info
  50. \end_layout
  51. \begin_layout Subsection
  52. What is this FAQ for?
  53. \end_layout
  54. \begin_layout Standard
  55. Tcpreplay is a suite of powerful tools, but with that power comes complexity.
  56. While I have done my best to write good man pages for tcpreplay and it's
  57. associated utilities, I understand that many people may want more information
  58. then I can provide in the man pages.
  59. Additionally, this FAQ attempts to cover material which I feel will be
  60. of use to people using tcpreplay, as well as common questions that occur
  61. on the Tcpreplay-Users <tcpreplay-users@lists.sourceforge.net> mailing list.
  62. \end_layout
  63. \begin_layout Subsection
  64. What tools come with tcpreplay?
  65. \end_layout
  66. \begin_layout Itemize
  67. tcpreplay - replay ethernet packets stored in a pcap file as they were captured
  68. \end_layout
  69. \begin_layout Itemize
  70. tcprewrite - edit packets stored in a pcap file
  71. \end_layout
  72. \begin_layout Itemize
  73. tcpprep - a pcap pre-processor for tcpreplay
  74. \end_layout
  75. \begin_layout Itemize
  76. flowreplay
  77. \begin_inset Foot
  78. status collapsed
  79. \begin_layout Standard
  80. Flowreplay is still
  81. \begin_inset Quotes eld
  82. \end_inset
  83. alpha
  84. \begin_inset Quotes erd
  85. \end_inset
  86. quality and is not usable for most situations.
  87. Anyone interested in helping me develop flowreplay is encouraged to contact
  88. me.
  89. \end_layout
  90. \end_inset
  91. - connects to a server(s) and replays the client side of the connection
  92. stored in a pcap file
  93. \end_layout
  94. \begin_layout Subsection
  95. What tools no longer come with Tcpreplay?
  96. \end_layout
  97. \begin_layout Standard
  98. Recently, other people and projects have developed better versions of two
  99. applications that shipped with tcpreplay 2.x:
  100. \end_layout
  101. \begin_layout Itemize
  102. pcapmerge - merges two or more pcap files into one.
  103. Ethereal now ships with a more powerful appliation called 'mergecap'.
  104. \end_layout
  105. \begin_layout Itemize
  106. capinfo - displays basic information about a pcap file.
  107. Ethereal now ships with a more powerful application of the same name.
  108. \end_layout
  109. \begin_layout Subsection
  110. How can I get tcpreplay's source?
  111. \end_layout
  112. \begin_layout Standard
  113. The source code is available in tarball format on the tcpreplay homepage:
  114. \begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
  115. \end_inset
  116. I also encourage users familiar with Subversion to try checking out the
  117. latest code as it often has additional features and bugfixes not found
  118. in the tarballs.
  119. \end_layout
  120. \begin_layout Standard
  121. svn checkout https://www.synfin.net/svn/tcpreplay/trunk tcpreplay
  122. \end_layout
  123. \begin_layout Subsection
  124. What requirements does tcpreplay have?
  125. \end_layout
  126. \begin_layout Enumerate
  127. You'll need recent versions of the libnet
  128. \begin_inset Foot
  129. status collapsed
  130. \begin_layout Standard
  131. http://www.packetfactory.net/libnet/
  132. \end_layout
  133. \end_inset
  134. and libpcap
  135. \begin_inset Foot
  136. status collapsed
  137. \begin_layout Standard
  138. http://www.tcpdump.org/
  139. \end_layout
  140. \end_inset
  141. libraries.
  142. \end_layout
  143. \begin_layout Enumerate
  144. To support the packet decoding feature you'll need tcpdump
  145. \begin_inset Foot
  146. status collapsed
  147. \begin_layout Standard
  148. http://www.tcpdump.org/
  149. \end_layout
  150. \end_inset
  151. installed.
  152. \end_layout
  153. \begin_layout Enumerate
  154. You'll also need a compatible operating system.
  155. Basically, any UNIX-like or UNIX-based operating system should work.
  156. Linux, *BSD, Solaris, OS X and others should all work.
  157. If you find any compatibility issues with any UNIX-like/based OS, please
  158. let me know.
  159. \end_layout
  160. \begin_layout Subsection
  161. Are there binaries available?
  162. \end_layout
  163. \begin_layout Standard
  164. The tcpreplay project does not maintain binaries for any platforms.
  165. However some operating systems such as Debian GNU/Linux (apt-get) and OS
  166. X (fink) have packages available.
  167. Try searching on Google.
  168. \end_layout
  169. \begin_layout Subsection
  170. Is there a Microsoft Windows port?
  171. \end_layout
  172. \begin_layout Standard
  173. Not really.
  174. We had one user port the code over for an old version of tcpreplay to Windows.
  175. Now we're looking for someone to help merge and maintain the code in to
  176. the main development tree.
  177. If you're interested in helping with this please contact Aaron Turner or
  178. the tcpreplay-users list.
  179. Other then that, you can download the tcpreplay-win32.zip file from the
  180. website and give it a go.
  181. Please understand that the Win32 port of tcpreplay comes with no support
  182. whatsoever, so if you run into a problem you're on your own.
  183. \end_layout
  184. \begin_layout Subsection
  185. How is tcpreplay licensed?
  186. \end_layout
  187. \begin_layout Standard
  188. Tcpreplay is licensed under a three clause BSD-style license.
  189. For details see the docs/LICENSE file included with the source code.
  190. \end_layout
  191. \begin_layout Subsection
  192. What is tcpreplay?
  193. \end_layout
  194. \begin_layout Standard
  195. In the simplest terms, tcpreplay is a tool to send network traffic stored
  196. in pcap format back onto the network; basically the exact opposite of tcpdump.
  197. Just to make things more confusing, tcpreplay is also a suite of tools:
  198. tcpreplay, tcpprep, tcprewrite and flowreplay.
  199. \end_layout
  200. \begin_layout Standard
  201. \begin_inset Note Comment
  202. status collapsed
  203. \begin_layout Standard
  204. What isn't tcpreplay?
  205. \end_layout
  206. \begin_layout Standard
  207. Tcpreplay is
  208. \emph on
  209. not
  210. \emph default
  211. a tool to replay captured traffic to a server or client.
  212. Specifically, tcpreplay does not have the ability to rewrite IP addresses
  213. to a user-specified value or synchronize TCP sequence and acknowledgment
  214. numbers.
  215. In other words, tcpreplay can't
  216. \begin_inset Quotes eld
  217. \end_inset
  218. connect
  219. \begin_inset Quotes erd
  220. \end_inset
  221. to a server or be used to emulate a server and have clients connect to
  222. it.
  223. If you're looking for that, check out flowreplay.
  224. \end_layout
  225. \end_inset
  226. \end_layout
  227. \begin_layout Subsection
  228. What are some uses for tcpreplay?
  229. \end_layout
  230. \begin_layout Standard
  231. Originally, tcpreplay was written to test network intrusion detection systems
  232. (NIDS), however tcpreplay has been used to test firewalls, routers, and
  233. other network devices.
  234. With the addition of flowreplay, most
  235. \begin_inset Foot
  236. status collapsed
  237. \begin_layout Standard
  238. Note the flowreplay does not support protocols such as ftp which use multiple
  239. connections.
  240. \end_layout
  241. \end_inset
  242. any udp or tcp service on a server can be tested as well.
  243. \end_layout
  244. \begin_layout Subsection
  245. What are some uses for flowreplay?
  246. \end_layout
  247. \begin_layout Standard
  248. A lot of people wanted a tool like tcpreplay, but wanted to be able to replay
  249. traffic
  250. \emph on
  251. to
  252. \emph default
  253. a server.
  254. Since tcpreplay was unable to do this, I developed flowreplay which replays
  255. the data portion of the flow, but recreates the connection to the specified
  256. server(s).
  257. This makes flowreplay an ideal tool to test host intrusion detection systems
  258. (HIDS) as well as captured exploits and security patches when the actual
  259. exploit code is not available.
  260. Please note that flowreplay is still alpha quality code which means it
  261. doesn't work very well (some would argue it doesn't work at all) and is
  262. currently missing some important features.
  263. Feel free to try flowreplay, but unless you're willing and able to contribute,
  264. don't bother complaining that it doesn't work.
  265. \end_layout
  266. \begin_layout Subsection
  267. What is the history of tcpreplay?
  268. \end_layout
  269. \begin_layout Standard
  270. Tcpreplay has had quite a few authors over the past five or so years.
  271. One of the advantages of the BSD and GPL licenses is that if someone becomes
  272. unable or unwilling to continue development, anyone else can take over.
  273. \end_layout
  274. \begin_layout Standard
  275. Originally, Matt Undy of Anzen Computing wrote tcpreplay.
  276. Matt released version 1.0.1 sometime in 1999.
  277. Sometime after that, Anzen Computing was (at least partially) purchased
  278. by NFR and development ceased.
  279. \end_layout
  280. \begin_layout Standard
  281. Then in 2001, two people independently started work on tcpreplay: Matt Bing
  282. of NFR and Aaron Turner of OneSecure.
  283. After developing a series of patches (the -adt branch), Aaron attempted
  284. to send the patches in to be included in the main development tree.
  285. \end_layout
  286. \begin_layout Standard
  287. After some discussion between Aaron and Matt Bing, they decided to continue
  288. development together.
  289. Since then, two major rewrites have occured, and more then thirty new features
  290. have been added, including the addition of a number of accessory tools.
  291. \end_layout
  292. \begin_layout Standard
  293. Today, Aaron continues active development of the code.
  294. \end_layout
  295. \begin_layout Section
  296. Bugs, Feature Requests, and Patches
  297. \end_layout
  298. \begin_layout Subsection
  299. Where can I get help, report bugs or contact the developers?
  300. \end_layout
  301. \begin_layout Standard
  302. The best place to get help or report a bug is the Tcpreplay-Users mailing
  303. list:
  304. \newline
  305. \begin_inset LatexCommand \htmlurl{http://lists.sourceforge.net/lists/listinfo/tcpreplay-users}
  306. \end_inset
  307. \end_layout
  308. \begin_layout Standard
  309. Please do not email the author directly as it prevents others from learning
  310. from your questions.
  311. \end_layout
  312. \begin_layout Subsection
  313. What information should I provide when I report a bug?
  314. \end_layout
  315. \begin_layout Standard
  316. One of the most frustrating things for any developer trying to help a user
  317. with a problem is not enough information.
  318. Please be sure to include
  319. \emph on
  320. at minimum
  321. \emph default
  322. the following information, however any additional information you feel
  323. may be helpful will be appreciated.
  324. \end_layout
  325. \begin_layout Itemize
  326. Version information (output of -V)
  327. \end_layout
  328. \begin_layout Itemize
  329. Command line used (options and arguments)
  330. \end_layout
  331. \begin_layout Itemize
  332. Platform (Red Hat Linux 9 on Intel, Solaris 7 on SPARC, etc)
  333. \end_layout
  334. \begin_layout Itemize
  335. Error message (if available) and/or description of problem
  336. \end_layout
  337. \begin_layout Itemize
  338. If possible, attach the pcap file used (compressed with bzip2 or gzip preferred)
  339. \end_layout
  340. \begin_layout Itemize
  341. The core dump or backtrace if available
  342. \end_layout
  343. \begin_layout Subsection
  344. I have a feature request, what should I do?
  345. \end_layout
  346. \begin_layout Standard
  347. Let us know! Many of the features exist today because users like you asked
  348. for them.
  349. To make a feature request, email the tcpreplay-users mailing list (see
  350. above).
  351. \end_layout
  352. \begin_layout Subsection
  353. I've written a patch for tcpreplay, how can I submit it?
  354. \end_layout
  355. \begin_layout Standard
  356. I'm always willing to include new features or bug fixes submitted by users.
  357. You may email me directly or the tcpreplay-users mailing list.
  358. Please
  359. \emph on
  360. do not
  361. \emph default
  362. use the Patch Tracker on the tcpreplay SourceForge web site.
  363. But before you start working on adding a feature or fixing a bug in tcpreplay,
  364. please make sure you checkout the latest source code from the Subversion
  365. repository.
  366. Patches against released versions are almost surely not going to apply
  367. cleanly if at all.
  368. \end_layout
  369. \begin_layout Subsection
  370. Patch requirements
  371. \end_layout
  372. \begin_layout Itemize
  373. Be aware that submitting a patch,
  374. \emph on
  375. you are assigning your copyright to me.
  376. \emph default
  377. If this is not acceptable to you, then
  378. \emph on
  379. do not
  380. \emph default
  381. send me the patch! I have people assign their copyright to me to help prevent
  382. licensing issues that may crop up in the future.
  383. \end_layout
  384. \begin_layout Itemize
  385. Please provide a description of what your patch does!
  386. \end_layout
  387. \begin_layout Itemize
  388. Comment your code! I won't use code I can't understand.
  389. \end_layout
  390. \begin_layout Itemize
  391. Make sure you are patching a branch that is still being maintained.
  392. Generally that means that most recent stable and development branches (2.0
  393. and 3.0 at the time of this writing).
  394. \end_layout
  395. \begin_layout Itemize
  396. Make sure you are patching against the most recent release for that branch.
  397. \end_layout
  398. \begin_layout Itemize
  399. Please submit your patch in the
  400. \emph on
  401. unified diff
  402. \emph default
  403. format so I can better understand what you're changing.
  404. \end_layout
  405. \begin_layout Itemize
  406. Please provide any relevant personal information you'd like listed in the
  407. CREDITS file.
  408. \end_layout
  409. \begin_layout Standard
  410. Please note that while I'm always interested in patches, I may rewrite some
  411. or all of your submission to maintain a consistent coding style.
  412. \end_layout
  413. \begin_layout Section
  414. Understanding tcpprep
  415. \end_layout
  416. \begin_layout Subsection
  417. What is tcpprep?
  418. \end_layout
  419. \begin_layout Standard
  420. Tcpreplay can send traffic out two network cards, however it requires the
  421. calculations be done in real-time.
  422. These calculations can be expensive and can significantly reduce the throughput
  423. of tcpreplay.
  424. \end_layout
  425. \begin_layout Standard
  426. Tcpprep is a libpcap pre-processor for tcpreplay which enables using two
  427. network cards to send traffic without the performance hit of doing the
  428. calculations in real-time.
  429. \end_layout
  430. \begin_layout Subsection
  431. How does tcpprep work?
  432. \end_layout
  433. \begin_layout Standard
  434. Tcpprep reads in a libpcap (tcpdump) formatted capture file and does some
  435. processing to generate a tcpreplay cache file.
  436. This cache file tells tcpreplay which interface a given packet should be
  437. sent out of.
  438. \end_layout
  439. \begin_layout Subsection
  440. Does tcpprep modify my libpcap file?
  441. \end_layout
  442. \begin_layout Standard
  443. No.
  444. \end_layout
  445. \begin_layout Subsection
  446. Why use tcpprep?
  447. \end_layout
  448. \begin_layout Standard
  449. There are three major reasons to use tcpprep:
  450. \end_layout
  451. \begin_layout Enumerate
  452. Tcpprep can split traffic based upon more methods and criteria then tcpreplay.
  453. \end_layout
  454. \begin_layout Enumerate
  455. By pre-processing the pcap, tcpreplay has a higher theoretical maximum throughpu
  456. t.
  457. \end_layout
  458. \begin_layout Enumerate
  459. By pre-processing the pcap, tcpreplay can be more accurate in timing when
  460. replaying traffic at normal speed.
  461. \end_layout
  462. \begin_layout Subsection
  463. Can a cache file be used for multiple (different) libpcap files?
  464. \end_layout
  465. \begin_layout Standard
  466. Cache files have nothing linking them to a given libpcap file, so there
  467. is nothing to stop you from doing this.
  468. However running tcpreplay with a cache file from a different libpcap source
  469. file is likely to cause a lot of problems and is not supported.
  470. \end_layout
  471. \begin_layout Subsection
  472. Why would I want to use tcpreplay with two network cards?
  473. \end_layout
  474. \begin_layout Standard
  475. Tcpreplay traditionally is good for putting traffic on a given network,
  476. often used to test a network intrusion detection system (NIDS).
  477. However, there are cases where putting traffic onto a subnet in this manner
  478. is not good enough- you have to be able to send traffic *through* a device
  479. such as a IPS, router, firewall, or bridge.
  480. \end_layout
  481. \begin_layout Standard
  482. In these cases, being able to use a single source file (libpcap) for both
  483. ends of the connection solves this problem.
  484. \end_layout
  485. \begin_layout Subsection
  486. How big are the cache files?
  487. \end_layout
  488. \begin_layout Standard
  489. Very small.
  490. Actual size depends on the number of packets in the dump file.
  491. Two bits of data is stored for each packet.
  492. On a test using a 900MB dump file containing over 500,000 packets, the
  493. cache file was only 150K.
  494. \end_layout
  495. \begin_layout Section
  496. Common Error and Warning Messages
  497. \end_layout
  498. \begin_layout Subsection
  499. Can't open eth0: libnet_select_device(): Can't find interface eth0
  500. \end_layout
  501. \begin_layout Standard
  502. Generally this occurs when the interface (eth0 in this example) is not up
  503. or doesn't have an IP address assigned to it.
  504. \end_layout
  505. \begin_layout Subsection
  506. Can't open lo: libnet_select_device(): Can't find interface lo
  507. \end_layout
  508. \begin_layout Standard
  509. Version 1.1.0 of Libnet is unable to send traffic on the loopback device.
  510. Upgrade to a later release of the Libnet library to solve this problem.
  511. \end_layout
  512. \begin_layout Subsection
  513. Can't open eth0: UID != 0
  514. \end_layout
  515. \begin_layout Standard
  516. Tcpreplay requires that you run it as root.
  517. \end_layout
  518. \begin_layout Subsection
  519. 100000 write attempts failed from full buffers and were repeated
  520. \end_layout
  521. \begin_layout Standard
  522. When tcpreplay displays a message like "100000 write attempts failed from
  523. full buffers and were repeated", this usually means the kernel buffers
  524. were full and it had to wait until memory was available.
  525. This is quite common when replaying files as fast as possible with the
  526. "-R" option.
  527. See the tuning OS section in this document for suggestions on solving this
  528. problem.
  529. \end_layout
  530. \begin_layout Subsection
  531. Unable to process test.cache: cache file version missmatch
  532. \end_layout
  533. \begin_layout Standard
  534. Cache files generated by tcpprep and read by tcpreplay are versioned to
  535. allow enhancements to the cache file format.
  536. Anytime the cache file format changes, the version is incremented.
  537. Since this occurs on a very rare basis, this is generally not an issue;
  538. however anytime there is a change, it breaks compatibility with previously
  539. created cache files.
  540. The solution for this problem is to use the same version of tcpreplay and
  541. tcpprep to read/write the cache files.
  542. Cache file versions match the following versions of tcpprep/tcpreplay:
  543. \end_layout
  544. \begin_layout Itemize
  545. Version 1:
  546. \newline
  547. Prior to 1.3.beta1
  548. \end_layout
  549. \begin_layout Itemize
  550. Version 2:
  551. \newline
  552. 1.3.beta2 to 1.3.1/1.4.beta1
  553. \end_layout
  554. \begin_layout Itemize
  555. Version 3:
  556. \newline
  557. 1.3.2/1.4.beta2 to 2.0.3
  558. \end_layout
  559. \begin_layout Itemize
  560. Version 4:
  561. \newline
  562. 2.1.0 and above.
  563. Note that prior to version 2.3.0, tcpprep had a bug which broke cache file
  564. compatibility between big and little endian systems.
  565. \end_layout
  566. \begin_layout Subsection
  567. Skipping SLL loopback packet.
  568. \end_layout
  569. \begin_layout Standard
  570. Your capture file was created on Linux with the 'any' parameter which then
  571. captured a packet on the loopback interface.
  572. However, tcpreplay doesn't have enough information to actual send the packet,
  573. so it skips it.
  574. Specifying a destination and source MAC address (-D and -S) will allow
  575. tcpreplay to send these packets.
  576. \end_layout
  577. \begin_layout Subsection
  578. Packet length (8892) is greater then MTU; skipping packet.
  579. \end_layout
  580. \begin_layout Standard
  581. The packet length (in this case 8892 bytes) is greater then the maximum
  582. transmition unit (MTU) on the outgoing interface.
  583. Tcpreplay must skip the packet.
  584. Alternatively, you can specify the -T option and tcpreplay will truncate
  585. the packet to the MTU size, fix the checksums and send it.
  586. This often occurs with pcaps captured over loopback interfaces which have
  587. much larger MTU's then ethernet.
  588. \end_layout
  589. \begin_layout Section
  590. Common Questions from Users
  591. \end_layout
  592. \begin_layout Subsection
  593. Why is tcpreplay not sending all the packets?
  594. \end_layout
  595. \begin_layout Standard
  596. Every now and then, someone emails the tcpreplay-users list, asking if there
  597. is a bug in tcpreplay which causes it not to send all the packets.
  598. This usually happens when the user uses the -t flag or is replaying a high-spee
  599. d pcap file (> 50Mbps, although this number is dependant on the hardware
  600. in use).
  601. \end_layout
  602. \begin_layout Standard
  603. The short version of the answer is: no, we are not aware of any bugs which
  604. might cause a few packets to not be sent.
  605. \end_layout
  606. \begin_layout Standard
  607. The longer version goes something like this:
  608. \end_layout
  609. \begin_layout Standard
  610. If you are running tcpreplay multiple times and are using tcpdump or other
  611. packet sniffer to count the number packets sent and are getting different
  612. numbers, it's not tcpreplay's fault.
  613. The problem lies in one of two places:
  614. \end_layout
  615. \begin_layout Enumerate
  616. It is well known that tcpdump and other sniffers have a problem keeping
  617. up with high-speed traffic.
  618. Furthermore, the OS in many cases
  619. \emph on
  620. lies
  621. \emph default
  622. about how many packets were dropped.
  623. Tcpdump will repeat this lie to you.
  624. In other words, tcpdump isn't seeing all the packets.
  625. Usually this is a problem with the network card, driver or OS kernel which
  626. may or may not be fixable.
  627. Try another network card/driver.
  628. \end_layout
  629. \begin_layout Enumerate
  630. When tcpreplay sends a packet, it actually gets copied to a send buffer
  631. in the kernel.
  632. If this buffer is full, the kernel is supposed to tell tcpreplay that it
  633. didn't copy the packet to this buffer.
  634. If the kernel has a bug which squelches this error, tcpreplay will not
  635. keep trying to send the packet and will move on to the next one.
  636. Currently I am not aware of any OS kernels with this bug, but it is possible
  637. that it exists.
  638. If you find out that your OS has this problem, please let me know so I
  639. can list it here.
  640. \end_layout
  641. \begin_layout Standard
  642. If for some reason, you still think its a bug in tcpreplay, by all means
  643. read the code and tell me how stupid I am.
  644. The do_packets() function in do_packets.c is where tcpreplay processes the
  645. pcap file and sends all of the packets.
  646. \end_layout
  647. \begin_layout Subsection
  648. Can tcpreplay read gzip/bzip2 compressed files?
  649. \end_layout
  650. \begin_layout Standard
  651. Yes, but not directly.
  652. Since tcpreplay can read data via STDIN, you can decompress the file on
  653. the fly like this:
  654. \end_layout
  655. \begin_layout Standard
  656. \emph on
  657. gzcat myfile.pcap.gz | tcpreplay -i eth0 -
  658. \end_layout
  659. \begin_layout Standard
  660. Note that decompressing on the fly will require additional CPU time and
  661. will likely reduce the overall performance of tcpreplay.
  662. \end_layout
  663. \begin_layout Subsection
  664. How fast can tcpreplay send packets?
  665. \end_layout
  666. \begin_layout Standard
  667. First, if performance is important to you, then upgrading to tcpreplay 3.x
  668. is worthwhile since it is more optimized then the 1.x or 2.x series.
  669. After that, there are a number of variables which effect performance, including
  670. on how you measure it (packets/sec or bytes/sec).
  671. 100Mbps and 120K pps are quite doable.
  672. Generally speaking here are some points to consider:
  673. \end_layout
  674. \begin_layout Itemize
  675. Profiling tcpreplay has shown that a significant amount of time is spent
  676. writing packets to the network.
  677. Hence, your OS kernel implimentation of writing to raw sockets is one of
  678. the most important aspects since that is where tcpreplay spends most of
  679. it's time.
  680. \end_layout
  681. \begin_layout Itemize
  682. Like most network based I/O, it is faster to send the same amount of data
  683. in a few large packets then many small packets.
  684. \end_layout
  685. \begin_layout Itemize
  686. Most operating systems will cache disk reads in RAM; hence making subsequent
  687. access to the file faster the second time.
  688. \end_layout
  689. \begin_layout Itemize
  690. Re-opening small files repeatly will reduce performance.
  691. Consider using mergecap to generate a single large file.
  692. \end_layout
  693. \begin_layout Itemize
  694. Network cards and drivers, disk speed (RPM is more important then seek),
  695. amount of RAM and system bus speed are all important.
  696. \end_layout
  697. \begin_layout Itemize
  698. In general servers with faster disks and bus speeds will be faster then
  699. desktops which will be faster then laptops.
  700. \end_layout
  701. \begin_layout Subsection
  702. Is tcpreplay stateful?
  703. \end_layout
  704. \begin_layout Standard
  705. No.
  706. Tcpreplay processes each packet in the order it is stored in the pcap file.
  707. The default is to send each packet based on the timestamp stored in the
  708. pcap file.
  709. If your pcap file has packets out of order, tcpreplay will send them out
  710. of order.
  711. In certain situations a packet may have an earlier timestamp then the packet
  712. before it, tcpreplay will then send the second packet as soon as possible.
  713. \end_layout
  714. \begin_layout Standard
  715. The basic point is that if your pcap file is well formed and has the packets
  716. in the correct order, then tcpreplay will create a
  717. \begin_inset Quotes eld
  718. \end_inset
  719. stateful
  720. \begin_inset Quotes erd
  721. \end_inset
  722. packet stream.
  723. If your pcap file has errors, then tcpreplay will repeat those errors.
  724. Garbage in, garbage out.
  725. \end_layout
  726. \begin_layout Section
  727. Testing Methodologies
  728. \end_layout
  729. \begin_layout Standard
  730. A topic which comes up regularly, is how to use tcpreplay to test products
  731. like intrusion detection/prevention devices (IDS/IPS) and deep inspection
  732. firewalls.
  733. Generally, I hear people suggest three things:
  734. \end_layout
  735. \begin_layout Enumerate
  736. Use security scanners like Nessus
  737. \end_layout
  738. \begin_layout Enumerate
  739. Use
  740. \begin_inset Quotes eld
  741. \end_inset
  742. real attacks
  743. \begin_inset Quotes erd
  744. \end_inset
  745. like those generated by Metasploit
  746. \end_layout
  747. \begin_layout Enumerate
  748. Use a replay tool like tcpreplay to generate attack traffic
  749. \end_layout
  750. \begin_layout Standard
  751. First, let me say that security scanners like Nessus do a really crappy
  752. job of testing the effectiveness of IDS/IPS and firewalls.
  753. The simple reason is that security scanners don't try to exploit vulnerabilitie
  754. s because it creates problems on the network.
  755. IT managers don't like it when their servers start rebooting or routers
  756. crash, so scanners use other non-agressive techniques like banner grabbing
  757. to find potentially vulnerable systems.
  758. Simply put, these non-agressive techniques often look nothing like a real
  759. attack.
  760. \end_layout
  761. \begin_layout Standard
  762. That leaves generating
  763. \begin_inset Quotes eld
  764. \end_inset
  765. real attacks
  766. \begin_inset Quotes erd
  767. \end_inset
  768. and replay tools.
  769. \end_layout
  770. \begin_layout Standard
  771. Advantages of real attacks:
  772. \end_layout
  773. \begin_layout Itemize
  774. It's clear when you have a valid test case because the target system is
  775. compromised
  776. \end_layout
  777. \begin_layout Itemize
  778. Exploit code and attack tools are widely available for many attacks
  779. \end_layout
  780. \begin_layout Standard
  781. Disadvantages of real attacks:
  782. \end_layout
  783. \begin_layout Itemize
  784. After the test case is run, the target system may be unstable or corrupted,
  785. requiring a reboot or re-install
  786. \end_layout
  787. \begin_layout Itemize
  788. Generally requires two systems: a target (often running VMWare) and an attacker
  789. system
  790. \end_layout
  791. \begin_layout Itemize
  792. Installing, configuring and managing various operating systems and applications
  793. to attack is a lot of work
  794. \end_layout
  795. \begin_layout Itemize
  796. Difficult to automate test cases since there is no standardized interface
  797. to these tools
  798. \end_layout
  799. \begin_layout Itemize
  800. You have to be careful about trojaned exploit code or worms which escape
  801. your lab
  802. \end_layout
  803. \begin_layout Standard
  804. Advantages of replay tools:
  805. \end_layout
  806. \begin_layout Itemize
  807. Since both the victim and attacker are virtual, there is no need to reboot/re-in
  808. stall systems after each test
  809. \end_layout
  810. \begin_layout Itemize
  811. A complete test bed requires only a single system with two NIC's
  812. \end_layout
  813. \begin_layout Itemize
  814. Once you have a library of pcap files, there is virtually zero management
  815. overhead
  816. \end_layout
  817. \begin_layout Itemize
  818. Replay tools provide a common interface to emulating any attack against
  819. any OS/application making automation simple
  820. \end_layout
  821. \begin_layout Itemize
  822. Pcap files are not executable, so trojans and escaping worms aren't an issue
  823. \end_layout
  824. \begin_layout Standard
  825. Disadvantages of replay tools;
  826. \end_layout
  827. \begin_layout Itemize
  828. There are trust issues regarding pcap files.
  829. Are you 100% sure that pcap file is correct (not corrupted, doesn't have
  830. truncated packets, actually contains the valid exploit)
  831. \end_layout
  832. \begin_layout Itemize
  833. There are few publicly available pcap's which contain attacks useful for
  834. testing so you must create your own
  835. \end_layout
  836. \begin_layout Section
  837. Required Libraries and Tools
  838. \end_layout
  839. \begin_layout Subsection
  840. Libpcap
  841. \end_layout
  842. \begin_layout Standard
  843. As of tcpreplay v1.4, you'll need to have libpcap installed on your system.
  844. As of v2.0, you'll need at least version 0.6.0 or better, but I only test
  845. our code with the latest version.
  846. Libpcap can be obtained on the tcpdump homepage
  847. \begin_inset Foot
  848. status collapsed
  849. \begin_layout Standard
  850. \begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
  851. \end_inset
  852. \end_layout
  853. \end_inset
  854. .
  855. \end_layout
  856. \begin_layout Subsection
  857. Libnet
  858. \end_layout
  859. \begin_layout Standard
  860. Tcpreplay v1.3 is the last version to support the old libnet API (everything
  861. before 1.1.x).
  862. As of v1.4 you will need to use Libnet 1.1.0 or better which can be obtained
  863. from the Libnet homepage
  864. \begin_inset Foot
  865. status collapsed
  866. \begin_layout Standard
  867. \begin_inset LatexCommand \htmlurl{http://www.packetfactory.net/Projects/Libnet/}
  868. \end_inset
  869. \end_layout
  870. \end_inset
  871. .
  872. \end_layout
  873. \begin_layout Subsection
  874. Libpcapnav
  875. \end_layout
  876. \begin_layout Standard
  877. Starting with v2.0, tcpreplay can use libpcapnav to support the jump offset
  878. feature.
  879. If libpcapnav is not found on the system, that feature will be disabled.
  880. Libpcapnav can be found on the NetDude homepage
  881. \begin_inset Foot
  882. status collapsed
  883. \begin_layout Standard
  884. \begin_inset LatexCommand \htmlurl{http://netdude.sourceforge.net/}
  885. \end_inset
  886. \end_layout
  887. \end_inset
  888. .
  889. \end_layout
  890. \begin_layout Subsection
  891. Tcpdump
  892. \end_layout
  893. \begin_layout Standard
  894. As of 2.0, tcpreplay uses tcpdump (the binary, not code) to decode packets
  895. to STDOUT in a human readable (with practice) format as it sends them.
  896. If you would like this feature, tcpdump must be installed on your system.
  897. \end_layout
  898. \begin_layout Standard
  899. \noun on
  900. Note:
  901. \noun default
  902. The location of the tcpdump binary is hardcoded in tcpreplay at compile
  903. time.
  904. If tcpdump gets renamed or moved, the feature will become disabled.
  905. \end_layout
  906. \begin_layout Section
  907. Other pcap tools available
  908. \end_layout
  909. \begin_layout Subsection
  910. Tools to capture network traffic or decode pcap files
  911. \end_layout
  912. \begin_layout Itemize
  913. tcpdump
  914. \newline
  915. \begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
  916. \end_inset
  917. \end_layout
  918. \begin_layout Itemize
  919. ethereal
  920. \newline
  921. \begin_inset LatexCommand \htmlurl{http://www.ethereal.com/}
  922. \end_inset
  923. \end_layout
  924. \begin_layout Itemize
  925. ettercap
  926. \newline
  927. \begin_inset LatexCommand \htmlurl{http://ettercap.sourceforge.net/}
  928. \end_inset
  929. \end_layout
  930. \begin_layout Subsection
  931. Tools to edit pcap files
  932. \end_layout
  933. \begin_layout Itemize
  934. tcpslice
  935. \newline
  936. Splits pcap files into smaller files
  937. \newline
  938. \begin_inset LatexCommand \htmlurl{http://www.tcpdump.org/}
  939. \end_inset
  940. \end_layout
  941. \begin_layout Itemize
  942. mergecap
  943. \newline
  944. Merges two pcap capture files into one
  945. \newline
  946. \begin_inset LatexCommand \htmlurl{http://www.ethreal.com/}
  947. \end_inset
  948. \end_layout
  949. \begin_layout Itemize
  950. pcapmerge
  951. \newline
  952. Merges two or more pcap capture files into one
  953. \newline
  954. \begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
  955. \end_inset
  956. \end_layout
  957. \begin_layout Itemize
  958. editcap
  959. \newline
  960. Converts capture file formats (pcap, snoop, etc)
  961. \newline
  962. \begin_inset LatexCommand \htmlurl{http://www.ethreal.com/}
  963. \end_inset
  964. \end_layout
  965. \begin_layout Itemize
  966. netdude
  967. \newline
  968. GTK based pcap capture file editor.
  969. Allows editing most anything in the packet.
  970. \newline
  971. \begin_inset LatexCommand \htmlurl{http://netdude.sourceforge.net/}
  972. \end_inset
  973. \end_layout
  974. \begin_layout Subsection
  975. Other useful tools
  976. \end_layout
  977. \begin_layout Itemize
  978. capinfo
  979. \newline
  980. Prints statistics and basic information about a pcap file
  981. \newline
  982. \begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
  983. \end_inset
  984. \end_layout
  985. \begin_layout Itemize
  986. text2pcap
  987. \newline
  988. Generates a pcap capture file from a hex dump
  989. \newline
  990. \begin_inset LatexCommand \htmlurl{http://www.ethreal.com/}
  991. \end_inset
  992. \end_layout
  993. \begin_layout Itemize
  994. tcpflow
  995. \newline
  996. Extracts and reassembles the data portion on a per-flow basis on
  997. live traffic or pcap capture files
  998. \newline
  999. \begin_inset LatexCommand \htmlurl{http://www.circlemud.org/~jelson/software/tcpflow/}
  1000. \end_inset
  1001. \end_layout
  1002. \end_body
  1003. \end_document