12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066 |
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
- <!--Converted with LaTeX2HTML 2002-2 (1.70)
- original version by: Nikos Drakos, CBLU, University of Leeds
- * revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
- * with significant contributions from:
- Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
- <HTML>
- <HEAD>
- <TITLE>Tcpreplay 3.x Manual (BETA)</TITLE>
- <META NAME="description" CONTENT="Tcpreplay 3.x Manual (BETA)">
- <META NAME="keywords" CONTENT="manual">
- <META NAME="resource-type" CONTENT="document">
- <META NAME="distribution" CONTENT="global">
- <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
- <META NAME="Generator" CONTENT="LaTeX2HTML v2002-2">
- <META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
- <LINK REL="STYLESHEET" HREF="manual.css">
- <LINK REL="next" HREF="node1.html">
- </HEAD>
- <BODY >
- <DIV CLASS="navigation"><!--Navigation Panel-->
- <A NAME="tex2html13"
- HREF="node1.html">
- <IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A>
- <IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up_g.png">
- <IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev_g.png">
- <BR>
- <B> Next:</B> <A NAME="tex2html14"
- HREF="node1.html">Other Resources</A>
- <BR>
- <BR></DIV>
- <!--End of Navigation Panel-->
- <P>
- <P>
- <P>
- <H1 ALIGN="CENTER">Tcpreplay 3.x Manual (BETA)</H1>
- <DIV CLASS="author_info">
- <P ALIGN="CENTER"><STRONG>Aaron Turner</STRONG></P>
- <P ALIGN="CENTER"><I>http://tcpreplay.sourceforge.net/</I></P>
- </DIV>
- <P>
- <H1><A NAME="SECTION00010000000000000000">
- Notice</A>
- </H1>
- <P>
- This document is still in the process of being re-written due to the
- significant CLI and configuration file changes between versions 2.x
- and 3.x. For the definative source of configuration options, please
- see the tcpprep, tcprewrite, tcpreplay and tcpbridge man pages.
- <P>
- <H1><A NAME="SECTION00020000000000000000">
- Overview</A>
- </H1>
- <P>
- Tcpreplay is a suite of utilities for UNIX systems for editing and
- replaying network traffic which was previously captured by tools like
- tcpdump and ethereal. The goal of tcpreplay is to provide the means
- for providing reliable and repeatible means for testing a variety
- of network devices such as switches, router, firewalls, network intrusion
- detection and prevention systems (IDS and IPS).
- <P>
- Tcpreplay provides the ability to classify traffic as client or server,
- edit packets at layers 2-4 and replay the traffic at arbitrary speeds
- onto a network for sniffing or through a device.
- <P>
- Some of the advantages of using tcpreplay over using ``exploit
- code'' are:
- <P>
- <UL>
- <LI>Since tcpreplay emulates the victim and the attacker, you generally
- only need a tcpreplay box and the device under test (DUT)
- </LI>
- <LI>Tests can include background traffic of entire networks without the
- cost and effort of setting up dozens of hosts or costly emulators
- </LI>
- <LI>No need to have a ``victim'' host which needs to have the appropriate
- software installed, properly configured and rebuilt after compromise
- </LI>
- <LI>Less chance that a virus or trojan might escape your network and wreak
- havoc on your systems
- </LI>
- <LI>Uses the open standard pcap file format for which dozens of command
- line and GUI utilities exist
- </LI>
- <LI>Tests are fully repeatable without a complex test harnesses or network
- configuration
- </LI>
- <LI>Tests can be replayed at arbitrary speeds
- </LI>
- <LI>Single command-line interface to learn and integrate into test harness
- </LI>
- <LI>You only need to audit tcpreplay, rather then each and every exploit
- individually
- </LI>
- <LI>Actively developed and supported by it's author
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION00021000000000000000">
- Using this manual</A>
- </H2>
- <P>
- The goal of this manual is to provide an idea of what tcpreplay and
- it's utilities can do. It is not however intended to be a complete
- document which covers every possible use case or situation. It is
- also very much a work in progress and is far from complete and has
- numerous errors since a lot of things have changed since tcpreplay
- 2.x. It is expected that most of these issues will be ironed out before
- the offical 3.0 release is made. You should keep in mind the following
- conventions when reading this document:
- <P>
- <UL>
- <LI>Commands you should run from the command line <TT>are in monotype</TT>.
- </LI>
- <LI>Commands that should be run as root will have a '#' in front of them.
- </LI>
- <LI>Commands that should be run as an unprivelged user will have a '$'
- in front of them.
- </LI>
- <LI>Text that should be placed in a file <TT>is in monospace.</TT>
- </LI>
- </UL>
- All of the applications shipped with tcpreplay support both short
- (a single dash followed by a single character) and long (two dashes
- followed by multiple characters) arguments. For consistancy, this
- document uses the long option format. Please review the man pages
- for the short argument equivalents.
- <P>
- <H2><A NAME="SECTION00022000000000000000">
- Getting Help</A>
- </H2>
- <P>
- If you still have a question after reading the Tcpreplay manual, man
- pages and FAQ, please contact the Tcpreplay-Users <tcpreplay-users@lists.sourceforge.net>
- mailing list. Note that if you ask a question which has clearly been
- covered in either the manual or FAQ, you will most likely be told
- to RTFM. Also, please try to explain your problem in detail. It is
- very difficult and fustrating to get requests from people seeking
- help who only provide vague and incomplete information.
- <P>
- <H2><A NAME="SECTION00023000000000000000">
- Corrections and additions to the manual</A>
- </H2>
- <P>
- I've tried to keep this document up to date with the changes in tcpreplay,
- but occasionally I get too busy, make a mistake or just forget something.
- If you find anything in this document which could be improved upon,
- please let me know.
- <P>
- <H1><A NAME="SECTION00030000000000000000">
- Getting Tcpreplay working on your system</A>
- </H1>
- <P>
- <H2><A NAME="SECTION00031000000000000000">
- Getting the source code</A>
- </H2>
- <P>
- The source code is available as a tarball on the tcpreplay homepage:
- http://tcpreplay.sourceforge.net/ I also encourage users familiar
- with Subversion to try checking out the latest code as it often has
- additional features and bugfixes not yet found in the offical releases.
- <P>
- <DL COMPACT>
- <DT>
- <DD>$ svn checkout https://www.synfin.net/svn/tcpreplay/trunk tcpreplay
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00032000000000000000">
- Requirements</A>
- </H2>
- <P>
- <OL>
- <LI>Libnet<A NAME="tex2html1"
- HREF="#foot56"><SUP><SPAN CLASS="arabic">1</SPAN></SUP></A> 1.1.x or better (1.1.3 fixes a checksum bug which effects tcprewrite)
- </LI>
- <LI>Libpcap<A NAME="tex2html2"
- HREF="#foot57"><SUP><SPAN CLASS="arabic">2</SPAN></SUP></A> 0.6.x or better (0.8.3 or better recommended)
- </LI>
- <LI>To support the packet decoding feature you'll need tcpdump<A NAME="tex2html3"
- HREF="#foot58"><SUP><SPAN CLASS="arabic">3</SPAN></SUP></A> binary installed.
- </LI>
- <LI>You'll also need a compatible operating system. Basically, any *NIX
- operating system should work. Linux, *BSD, Solaris, OS X and others
- should all work. If you find any compatibility issues with any *NIX
- OS, please let me know.
- </LI>
- </OL>
- <P>
- <H2><A NAME="SECTION00033000000000000000">
- Compiling Tcpreplay</A>
- </H2>
- <P>
- Two easy steps:
- <P>
- <DL COMPACT>
- <DT>
- <DD><SPAN CLASS="textit">$</SPAN> ./configure && make <SPAN CLASS="textit"></SPAN>
- <P>
- <SPAN CLASS="textit">#</SPAN> make install
- </DD>
- </DL>There are some optional arguments which can be passed to the 'configure'
- script which may help in cases where your libnet, libpcap or tcpdump
- installation is not standard or if it can't determine the correct
- network interface card to use for testing. I also recommend that for
- beta code you specify <SPAN CLASS="textbf">-enable-debug</SPAN>
- to the configure script in case you find any bugs. If you find that
- configure isn't completing correctly, run: <SPAN CLASS="textit">./configure -help</SPAN>
- for more information.
- <P>
- You may also choose to run:
- <P>
- <DL COMPACT>
- <DT>
- <DD># <SPAN CLASS="textit">make test -i</SPAN>
- </DD>
- </DL>
- <UL>
- <LI>make test is just a series of sanity checks which try to find serious
- bugs (crashes) in tcpprep and tcpreplay.
- </LI>
- <LI>make test requires at least one properly configured network interface.
- If the configure script can't guess what a valid interface is you
- can specify it with the -with-testnic and -with-testnic2
- arguments.
- </LI>
- <LI>If make test fails, often you can find details in test/test.log.
- </LI>
- <LI>OpenBSD's make has a bug where it ignores the MAKEFLAGS variable in
- the Makefile, hence you'll probably want to run: <SPAN CLASS="textit">make -is test</SPAN>
- instead.
- </LI>
- </UL>
- <P>
- <H1><A NAME="SECTION00040000000000000000">
- Basic Tcpreplay Usage</A>
- </H1>
- <P>
- <H2><A NAME="SECTION00041000000000000000">
- Replaying the traffic</A>
- </H2>
- <P>
- To replay a given pcap as it was captured all you need to do is specify
- the pcap file and the interface to send the traffic out interface
- 'eth0':
- <P>
- <DL COMPACT>
- <DT>
- <DD># tcpreplay -intf1=eth0 sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00042000000000000000">
- Replaying at different speeds</A>
- </H2>
- <P>
- You can also replay the traffic at different speeds then it was originally
- captured<A NAME="tex2html4"
- HREF="#foot505"><SUP><SPAN CLASS="arabic">4</SPAN></SUP></A>.
- <P>
- Some examples:
- <P>
- <UL>
- <LI>To replay traffic as quickly as possible:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD># tcpreplay -topspeed -intf1=eth0 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To replay traffic at a rate of 10Mbps:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD># tcpreplay -mbps=10.0 -intf1=eth0 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To replay traffic 7.3 times as fast as it was captured:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD># tcpreplay -multiplier=7.3 -intf1=eth0 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To replay traffic at half-speed:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD># tcpreplay -multiplier=0.5 -intf1=eth0 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To replay at 25 packets per second:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD># tcpreplay -pps=25 -intf1=eth0 sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00043000000000000000">
- Replaying files multiple times</A>
- </H2>
- <P>
- Using the loop flag you can specify that a pcap file will be sent
- two or more times<A NAME="tex2html5"
- HREF="#foot118"><SUP><SPAN CLASS="arabic">5</SPAN></SUP></A>:
- <P>
- To replay the sample.pcap file 10 times:
- <P>
- <DL COMPACT>
- <DT>
- <DD># tcpreplay -loop=10 -intf1=eth0 sample.pcap
- </DD>
- </DL>To replay the sample.pcap an infinitely or until CTRL-C is pressed:
- <P>
- <DL COMPACT>
- <DT>
- <DD># tcpreplay -loop=0 -intf1=eth0 sample.pcap
- </DD>
- </DL>
- <P>
- <H1><A NAME="SECTION00050000000000000000">
- Editing Packets</A>
- </H1>
- <P>
- There are a number of ways you can edit packets stored in a pcap file:
- <P>
- <OL>
- <LI>Rewriting IP addresses so that they appear to be sent from and to
- different hosts
- </LI>
- <LI>Fixing corrupted packets which were truncated by tcpdump or had bad
- checksums
- </LI>
- <LI>Adding, removing or changing 802.1q VLAN tags on frames
- </LI>
- <LI>Rewriting traffic so that it no longer uses ``standard'' TCP or
- UDP ports for the given service
- </LI>
- <LI>Changing ethernet MAC addresses so that packets will be accepted by
- a switch, router or firewall
- </LI>
- </OL>
- <P>
- <H1><A NAME="SECTION00060000000000000000">
- Splitting Traffic</A>
- </H1>
- <P>
- Anything other then just replaying packets at different speeds requires
- additional work and CPU cycles. While older versions of tcpreplay
- allowed you to do many of these calculations while replaying traffic,
- it had a negative effect on the overall throughput and performance
- of tcpreplay. Hence, these secondary features have been placed in
- two utilities:
- <P>
- <UL>
- <LI>tcpprep - Used to categorize packets as originating from clients or
- servers
- </LI>
- <LI>tcprewrite - Used to edit packets
- </LI>
- </UL>
- By using tcpprep and tcprewrite on a pcap file before sending it using
- tcpreplay, many possibilities open up. A few of these possibilities
- are:
- <P>
- <H2><A NAME="SECTION00061000000000000000">
- Classifying client and servers with tcpprep</A>
- </H2>
- <P>
- Both tcpreplay and tcprewrite process a single pcap file and generate
- output. Some features, such as rewriting IP or MAC addresses or sending
- traffic out two different interfaces, require tcpreplay and tcprewrite
- to have some basic knowledge about which packets were sent by ``clients''
- and ``servers''. Such classification is often rather arbitrary
- since for example a SMTP mail server both accepts inbound email (acts
- as a server) and forwards mail to other mail servers (acts as a client).
- A webserver might accept inbound HTTP requests, but make client connections
- to a SQL server.
- <P>
- To deal with this problem, tcpreplay comes with tcpprep which provides
- a number of manual and automatic classification methods which cover
- a variety of situations.
- <P>
- <H3><A NAME="SECTION00061100000000000000">
- Seperating clients and servers automatically</A>
- </H3>
- <P>
- The easiest way to split clients and servers is to let tcpprep do
- the classification for you. Tcpprep examines the pcap file for TCP
- three-way handshakes, DNS lookups and other types of traffic to figure
- out which IP's mostly act like clients and which mostly act like servers.
- There are four different automatic modes that you can choose between:
- <P>
- <OL>
- <LI>Bridge - This is the simplest mode. Each IP is individually tracked
- and ranked as a client or server. However, if any of the hosts do
- not generate enough ``client'' or ``server'' traffic then
- tcpprep will abort complaining that it was unable to determine its
- classification. This works best when clients and servers are intermixed
- on the same subnet.
- </LI>
- <LI>Client - This works just like bridge mode, except that unknown hosts
- will be marked a client.
- </LI>
- <LI>Server - This works just like bridge mode, except that unknown hosts
- will be marked a server.
- </LI>
- <LI>Router - Hosts are first ranked as client or server. Then each host
- is placed in a subnet which is expanded until either all the unknown
- hosts are included or the -maxmask is reached. This works best when
- clients and servers are on diffierent networks.
- </LI>
- </OL>
- <DIV ALIGN="CENTER">
- <TABLE CELLPADDING=3 BORDER="1">
- <TR><TD ALIGN="CENTER" COLSPAN=2><SPAN>TCPPREP AUTOMATIC ROUTER MODE PROCESS</SPAN>
- <BR>
- S<SMALL>TEP 1:</SMALL> Categorize Clients, Servers and Unknowns</TD>
- </TR>
- </TABLE></DIV>
- <P>
- <DIV ALIGN="CENTER">
- </DIV>
- <P>
-
- <P>
- <DIV ALIGN="CENTER">
- <TABLE CELLPADDING=3>
- <TR><TD ALIGN="CENTER">S<SMALL>TEP 3:</SMALL> Unknowns Now Marked as Clients and Servers
- <BR></SMALL>
- <BR></TD>
- </TR>
- </TABLE></DIV>
- <P>
- <DIV ALIGN="CENTER">
- </DIV>
- <P>
- Classifying clients and servers in automatic mode is as easy as choosing
- a pcap file, an output ``tcpprep cache file'' and the mode to
- use:
- <P>
- <DL COMPACT>
- <DT>
- <DD><SPAN CLASS="textit">$</SPAN> tcpprep -auto=bridge -pcap=input.pcap -cachefile=input.cache
- </DD>
- </DL>The above example would split traffic in bridge mode. Other modes
- are ``router'', ``client'' and ``server''. If you wish,
- you can override the default 2:1 ratio of server vs. client traffic
- required to classify an IP as a server. If for example you wanted
- to require 3.5 times as much server to client traffic you would specify
- it like:
- <P>
- <DL COMPACT>
- <DT>
- <DD><SPAN CLASS="textit">$</SPAN> tcpprep -auto=bridge -ratio=3.5 -pcap=input.pcap -cachefile=input.cache
- </DD>
- </DL>
- <P>
- <H3><A NAME="SECTION00061200000000000000">
- Seperating clients and servers manually by subnet</A>
- </H3>
- <P>
- Sometimes, you may not want to split traffic based on clients and
- servers. The alternative to using on of the automatic modes in this
- case, is to use one of the manual modes. One manual way of differentiating
- between clients and servers using tcpprep is by specifying a list
- of networks in CIDR notation which contain ``servers''. Of course
- the specified CIDR netblocks don't have to contain
- <P>
- <H2><A NAME="SECTION00062000000000000000">
- Replaying on multiple interfaces</A>
- </H2>
- <P>
- Tcpreplay can also split traffic so that each side of a connection
- is sent out a different interface<A NAME="tex2html6"
- HREF="#foot182"><SUP><SPAN CLASS="arabic">6</SPAN></SUP></A>. In order to do this, tcpreplay needs the name of the second interface
- (-j) and a way to split the traffic. Currently, there are two ways
- to split traffic:
- <P>
- <OL>
- <LI>-C = split traffic by source IP address which is specified in CIDR
- notation
- </LI>
- <LI>-c = split traffic according to a tcpprep cachefile<A NAME="tex2html7"
- HREF="#foot184"><SUP><SPAN CLASS="arabic">7</SPAN></SUP></A>
- </LI>
- </OL>
- When splitting traffic, it is important to remember that traffic that
- matches the filter is sent out the primary interface (-intf1). In
- this case, when splitting traffic by source IP address, you provide
- a list of networks in CIDR notation. For example:
- <P>
- <UL>
- <LI>To send traffic from 10.0.0.0/8 out eth0 and everything else out eth1:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -C 10.0.0.0/8 -intf1=eth0 -intf2=eth1 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To send traffic from 10.1.0.0/24 and 10.2.0.0/20 out eth0 and everything
- else out eth1:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -C 10.1.0.0/24,10.2.0.0/20 -intf1=eth0 -intf2=eth1 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>After using tcpprep to generate a cache file, you can use it to split
- traffic between two interfaces like this:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -c sample.cache -intf1=eth0 -intf2=eth1 sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00063000000000000000">
- Selectively sending or dropping packets</A>
- </H2>
- <P>
- Sometimes, you want to do some post-capture filtering of packets.
- Tcpreplay let's you have some control over which packets get sent.
- <P>
- <OL>
- <LI>-M = disables sending of martian packets. By definition, martian packets
- have a source IP of 0.x.x.x, 127.x.x.x, or 255.x.x.x
- </LI>
- <LI>-x = send packets which match a specific pattern
- </LI>
- <LI>-X = send packets which do not match a specific pattern
- </LI>
- </OL>
- Both -x and -X support a variety of pattern matching types. These
- types are specified by a single character, followed by a colon, followed
- by the pattern. The following pattern matching types are available:
- <P>
- <OL>
- <LI>S - Source IP
- <BR>
- Pattern is a comma delimited CIDR notation
- </LI>
- <LI>D - Destination IP
- <BR>
- Pattern is a comma delimited CIDR notation
- </LI>
- <LI>B - Both source and destination IP must match
- <BR>
- Pattern is a comma delimited CIDR notation
- </LI>
- <LI>E - Either source or destination IP must match
- <BR>
- Pattern is a comma delimited CIDR notation
- </LI>
- <LI>P - A list of packet numbers from the pcap file.
- <BR>
- Pattern is a series of numbers, separated by commas or dashes.
- </LI>
- <LI>F - BPF syntax (same as used in tcpdump).
- <BR>
- Filter must be quoted and is only supported with -x<A NAME="tex2html8"
- HREF="#foot208"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A>.
- </LI>
- </OL>
- Examples:
- <P>
- <UL>
- <LI>To only send traffic that is too and from a host in 10.0.0.0/8:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -x B:10.0.0.0/8 -intf1 eth0 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To not send traffic that is too or from a host in 10.0.0.0/8:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -X E:10.0.0.0/8 -intf1 eth0 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To send every packet except the first 10 packets:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -X P:1-10 -intf1 eth0 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To only send the first 50 packets followed by packets: 100, 150, 200
- and 250:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -x P:1-50,100,150,200,250 -intf1 eth0 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To only send TCP packets from 10.0.0.1:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD><SPAN CLASS="textit">tcpreplay -x F:'tcp and host 10.0.0.1' -intf1 eth0 sample.pcap</SPAN>
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00064000000000000000">
- Replaying only a few packets</A>
- </H2>
- <P>
- Using the limit packets flag (-L) you can specify that tcpreplay will
- only send at most a specified number of packets.
- <P>
- <UL>
- <LI>To send at most 100 packets:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1 eth0 -L 100 sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00065000000000000000">
- Skipping the first bytes in a pcap file</A>
- </H2>
- <P>
- If you want to skip the beginning of a pcap file, you can use the
- offset flag (-o) to skip a specified number of bytes and start sending
- on the next packet.
- <P>
- <UL>
- <LI>To skip 15Kb into the pcap file and start sending packets from there:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1=eth0 -o 15000 sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00066000000000000000">
- Replaying packets which are bigger then the MTU</A>
- </H2>
- <P>
- Occasionally, you might find yourself trying to replay a pcap file
- which contains packets which are larger then the MTU for the sending
- interface. This might be due to the packets being captured on the
- loopback interface or on a 1000Mbps ethernet interface supporting
- ``jumbo frames''. I've even seen packets which are 1500 bytes
- but contain both an ethernet header and trailer which bumps the total
- frame size to 1518 which is 4 bytes too large.
- <P>
- By default, tcpreplay will skip these packets and not send them. Alternatively,
- you can specify the -T flag to truncate these packets to the MTU and
- then send them. Of course this may invalidate your testing, but it
- has proven useful in certain situations. Also, when this feature is
- enabled, tcpreplay will automatically recalculate the IP and TCP,
- UDP or ICMP checksums as needed. Example:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1 eth0 -T sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00067000000000000000">
- Writing packets to a file</A>
- </H2>
- <P>
- It's not always necessary to write packets to the network. Since tcpreplay
- has so many features which modify and select which packets are sent,
- it is occasionally useful to save these changes to another pcap file
- for comparison. Rather then running a separate tcpdump process to
- capture the packets, tcpreplay now supports output directly to a file.
- Example:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1 eth0 -w output.pcap -F -u pad -x E:10.0.0.0/8 input1.pcap input2.pcap input3.pcap
- </DD>
- </DL>Notice that specifying an interface is still required (required for
- various internal functions), but all the packets will be written to
- <SPAN CLASS="textit">output.pcap</SPAN>.
- <P>
- You can also split traffic into two files by using -W <2nd output
- file>.
- <P>
- <H2><A NAME="SECTION00068000000000000000">
- Extracting Application Data (Layer 7)</A>
- </H2>
- <P>
- New to version 2.0 is the ability to extract the application layer
- data from the packets and write them to a file. In the man page, we
- call this ``data dump mode'' which is enabled with -D. It's important
- to specify -D before -w (and -W if you're splitting data into two
- files). Example:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -D -intf1 eth0 -j eth0 -w clientdata -W serverdata -C 10.0.0.0/24 sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00069000000000000000">
- Replaying Live Traffic</A>
- </H2>
- <P>
- You can now replay live traffic sniffed on one network interface and
- replay it on another interface using the -S flag to indicate sniff
- mode and the appropriate snaplen in bytes (0 denotes the entire packet).
- You can also enabling bi-directional traffic using the bridge mode
- flag: -b.
- <P>
- N<SMALL>OTE:</SMALL> It is critical for your sanity (and to prevent your murder
- by your network administrators) that the input interface and the output
- interface be on separate networks and additionally that no other network
- devices (such as bridges, switches, routers, etc) be connecting the
- two networks, else you will surely get a networkstorm the likes that
- have not been seen for years.
- <P>
- <UL>
- <LI>Send packets sniffed on eth0 out eth1:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1 eth1 -S 0 eth0
- </DD>
- </DL>
- <UL>
- <LI>Bridge two subnets connected to eth0 and eth1:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1 eth0 -intf2=eth1 -b -S 0
- </DD>
- </DL>By default, tcpreplay listens in promiscuous mode on the specified
- interface, however if you only want to send unicasts directed for
- the local system and broadcasts, you can specify the ``not_nosy''
- option in the configuration file or -n on the command line. Note that
- if another program has already placed the interface in promiscuous
- mode, the -n flag will have no effect, so you may want to use the
- -x or -X argument to limit packets.
- <P>
- <H2><A NAME="SECTION000610000000000000000">
- Replaying Packet Capture Formats Other Than Libpcap</A>
- </H2>
- <P>
- There are about as many different capture file formats as there are
- sniffers. In the interest of simplicity, tcpreplay only supports libpcap<A NAME="tex2html9"
- HREF="#foot277"><SUP><SPAN CLASS="arabic">9</SPAN></SUP></A>. If you would like to replay a file in one of these multitude of
- formats, the excellent open source tool Ethereal easily allows you
- to convert it to libpcap. For instance, to convert a file in Sun's
- snoop format to libpcap, issue the command:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tethereal -r blah.snoop -w blah.pcap
- </DD>
- </DL>and replay the resulting file.
- <P>
- <H2><A NAME="SECTION000611000000000000000">
- Replaying Client Traffic to a Server</A>
- </H2>
- <P>
- A common question on the tcpreplay-users list is how does one replay
- the client side of a connection back to a server. Unfortunately, tcpreplay
- doesn't support this right now. The major problem concerns syncing
- up TCP Seq/Ack numbers which will be different. ICMP also often contains
- IP header information which would need to be adjusted. About the only
- thing that could be easy to do is UDP, which isn't usually requested.
- <P>
- This is however a feature that we're looking into implementing in
- the flowreplay utility. If you're interested in helping work on this
- feature, please contact us and we'd be more then happy to work with
- you. At this time however, we don't have an ETA when this will be
- implemented, so don't bother asking.
- <P>
- <H2><A NAME="SECTION000612000000000000000">
- Decoding Packets</A>
- </H2>
- <P>
- If the tcpdump binary is installed on your system when tcpreplay is
- compiled, it will allow you to decode packets as they are sent without
- running tcpdump in a separate window or worrying about it capturing
- packets which weren't sent by tcpreplay.
- <P>
- <UL>
- <LI>Decode packets as they are sent:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1 eth0 -v sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>Decode packets with the link level header:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1 eth0 -v -A ``-e'' sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>Fully decode and send one packet at a time:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1 eth0 -v -1 -A ``-s0 -evvvxX'' sample.pcap
- </DD>
- </DL>Note that tcpreplay automatically applies the -n flag to disable DNS
- lookups which would slow down tcpdump too much to make it effective.
- <P>
- <H1><A NAME="SECTION00070000000000000000">
- Packet Editing</A>
- </H1>
- <P>
- <H2><A NAME="SECTION00071000000000000000">
- Rewriting MAC addresses</A>
- </H2>
- <P>
- If you ever want to send traffic to another device on a switched LAN,
- you may need to change the destination MAC address of the packets.
- Tcpreplay allows you to set the destination MAC for each interface
- independently using the -I and -J switches. As of version 2.1.0, you
- can also specify the source MAC via -k and -K. Example:
- <P>
- <UL>
- <LI>To send traffic out eth0 with a destination MAC of your router (00:00:01:02:03:04)
- and the source MAC of the server (00:20:30:40:50:60):
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1=eth0 -I 00:00:01:02:03:04 -k 00:20:30:40:50:60 sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>To split traffic between internal (10.0.0.0/24) and external addresses
- and to send that traffic to the two interfaces of a firewall:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1=eth0 -intf2=eth1 -I 00:01:00:00:AA:01 -J 00:01:00:00:AA:02 -C 10.0.0.0/24 sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00072000000000000000">
- Randomizing IP addresses</A>
- </H2>
- <P>
- Occasionally, it is necessary to have tcpreplay rewrite the source
- and destination IP addresses, yet maintain the client/server relationship.
- Such a case might be having multiple copies of tcpreplay running at
- the same time using the same pcap file while trying to stress test
- firewall, IDS or other stateful device. If you didn't change the source
- and destination IP addresses, the device under test would get confused
- since it would see multiple copies of the same connection occurring
- at the same time. In order to accomplish this, tcpreplay accepts a
- user specified seed which is used to generate pseudo-random IP addresses.
- Also, when this feature is enabled, tcpreplay will automatically recalculate
- the IP and TCP, UDP or ICMP checksums as needed. Example:
- <P>
- <DL COMPACT>
- <DT>
- <DD><SPAN CLASS="textit">tcpreplay -intf1=eth0 -s 1239 sample.pcap &</SPAN>
- <BR><SPAN CLASS="textit">tcpreplay -intf1=eth0 -s 76 sample.pcap &</SPAN>
- <BR><SPAN CLASS="textit">tcpreplay -intf1=eth0 -s 239 sample.pcap &</SPAN>
- <BR><SPAN CLASS="textit">tcpreplay -intf1=eth0 sample.pcap</SPAN>
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00073000000000000000">
- Replaying (de)truncated packets</A>
- </H2>
- <P>
- Occasionally, it is necessary to replay traffic which has been truncated
- by tcpdump. This occurs when the tcpdump snaplen is smaller then the
- actual packet size. Since this will create problems for devices which
- are expecting a full-sized packet or attempting checksum calculations,
- tcpreplay allows you to either pad the packet with zeros or reset
- the packet length in the headers to the actual packet size. In either
- case, the IP and TCP, UDP or ICMP checksums are recalculated. Examples:
- <P>
- <UL>
- <LI>Pad truncated packets:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1=eth0 -u pad sample.pcap
- </DD>
- </DL>
- <UL>
- <LI>Rewrite packet header lengths to the actual packet size:
- </LI>
- </UL>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1=eth0 -u trunc sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00074000000000000000">
- Rewriting Layer 2 with -2</A>
- </H2>
- <P>
- Starting in the 2.0.x branch, tcpreplay can replace the existing layer
- 2 header with one of your choosing. This is useful for when you want
- to change the layer 2 header type or add a header for pcap files without
- one. Each pcap file tells the type of frame. Currently tcpreplay knows
- how to deal with the following pcap(3) frame types:
- <P>
- <UL>
- <LI>DLT_EN10MB
- <BR>
- Replace existing 802.3/Ethernet II header
- </LI>
- <LI>DLT_RAW
- <BR>
- Frame has no Layer 2 header, so we can add one.
- </LI>
- <LI>DLT_LINUX_SLL
- <BR>
- Frame uses the Linux Cooked Socket header which is most commonly created
- with <SPAN CLASS="textit">tcpdump -i any</SPAN> on a Linux system.
- </LI>
- </UL>
- Tcpreplay accepts the new Layer 2 header as a string of comma separated
- hex values such as: 0xff,0xac,0x00,0x01,0xc0,0x64. Note that the leading
- '0x' is <SPAN CLASS="textit">not</SPAN> required.
- <P>
- Potential uses for this are to add a layer 2 header for DLT_RAW captures
- or add/remove ethernet tags or QoS features.
- <P>
- <H2><A NAME="SECTION00075000000000000000">
- Rewriting DLT_LINUX_SLL (Linux Cooked Socket) captures</A>
- </H2>
- <P>
- Tcpdump uses a special frame type to store captures created with the
- ``-i any'' argument. This frame type uses a custom 16 byte layer
- 2 header which tracks which interface captured the packet and often
- the source MAC address of the original ethernet frame. Unfortunately,
- it never stores the destination MAC address and it doesn't store a
- source MAC when the packet is captured on the loopback interface.
- Normally, tcpreplay can't replay these pcap files because there isn't
- enough information in the LINUX_SLL header to do so; however two
- options do exist:
- <P>
- <OL>
- <LI>You can send these packets with -2 which will replace the LINUX_SLL
- header with an ethernet header of your choosing.
- </LI>
- <LI>You can specify a destination MAC via -I and -J in which case tcpreplay
- will use the stored source MAC and create a new 802.3 Ethernet header.
- Note that if the pcap contains loopback packets, you will also need
- to specify -k and/or -K to specify the source MAC as well or they
- will be skipped.
- </LI>
- </OL>
- <P>
- <H2><A NAME="SECTION00076000000000000000">
- Rewriting IP Addresses (pseudo-NAT)</A>
- </H2>
- <P>
- Pseudo-NAT allows the mapping of IP addresses in IPv4 and ARP packets
- from one subnet to another subnet of the same or different size. This
- allows some or all the traffic sent to appear to come from a different
- IP subnet then it actually was captured on.
- <P>
- The mapping is done through a user specified translation table comprised
- of one or more source and destination network(s) in the format of
- <srcnet>/<masklen>:<dstnet>/<masklen> deliminated by a comma. Mapping
- is done by matching IP addresses to the source subnet and rewriting
- the most significant bits with the destination subnet. For example:
- <P>
- <SPAN CLASS="textit">tcpreplay -intf1=eth0 -N 10.100.0.0/16:172.16.10.0/24 sample.pcap</SPAN>
- <P>
- would match any IP in the 10.100.0.0/16 subnet and rewrite it as if
- it came from or sent to the 172.16.10.0/24 subnet. Ie: 10.100.5.88
- would become 172.16.10.88 and 10.100.99.45 would become 172.16.10.45.
- But 10.150.7.44 would not be rewritten.
- <P>
- For any given IP address, the translation table is applied in order
- (so if there are multiple mappings, earlier maps take precedence)
- and occurs only once per IP (no risk of an address getting rewritten
- a second time).
- <P>
- <H2><A NAME="SECTION00077000000000000000">
- Advanced pseudo-NAT</A>
- </H2>
- <P>
- Pseudo-NAT also works with traffic splitting (using two interfaces
- or output files) but with a few important differences. First you have
- the option of specifying one or two pseudo-NAT tables. Using a single
- pseudo-NAT table means that the source and destination IP addresses
- of both interfaces are rewritten using the same rules. Using two pseudo-NAT
- tables (specifying -N <Table1> -N <Table2>) will cause the source
- and destination IP addresses to be rewritten differently for each
- interface using the following matrix:
- <P>
- <DIV ALIGN="CENTER">
- <TABLE CELLPADDING=3 BORDER="1">
- <TR><TD ALIGN="CENTER"> </TD>
- <TD ALIGN="CENTER">Out Primary Interface</TD>
- <TD ALIGN="CENTER">Out Secondary Interface
- <BR>
- Src IP</TD>
- </TR>
- </TABLE></DIV>
- <P>
- <DIV ALIGN="CENTER">
- </DIV>
- <P>
- While seemingly a bit confusing, this feature provides a number of
- interesting possibilities such as the ability to rewrite the IP headers
- of packets in the case where traffic is captured on the loopback interface
- (and the source and destination address is always 127.0.0.1) so that
- tcpreplay can make it look like two different systems are talking
- to each other (you'll probably also need to specify the source and
- destination MAC addresses via -I, -J, -k and -K).
- <P>
- <H2><A NAME="SECTION00078000000000000000">
- IP Endpoints</A>
- </H2>
- <P>
- While pseudo-NAT provides a great deal of flexibility, it is often
- more complicated then is necessary for testing of inline devices.
- As a simplier alternative, tcpreplay supports the concept of rewriting
- all traffic to so that it appears to be between two IP addresses:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1=eth0 -intf2=eth1 -c sample.cache -e 10.0.0.1:10.1.1.1 sample.pcap
- </DD>
- </DL>Will rewrite all the traffic so that it is between 10.0.0.1 and 10.1.1.1.
- The equivalent command using -N would be:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1=eth0 -intf2=eth1 -c sample.cache -N 0.0.0.0/0:10.0.0.1 -N 0.0.0.0/0:10.1.1.1 sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00079000000000000000">
- Unifying Dual-Outputs</A>
- </H2>
- <P>
- Since a number of tcpreplay's packet editing functions require splitting
- traffic between client and servers, one problem that may arrise is
- needing to edit packets but still output to a single interface or
- file. The solution to this is to use the one output option -O which
- causes packets to be processed as if they will be split between the
- interfaces/files, but then always go out the primary interface or
- file. Note that even though only one interface/file will be written
- to, both -i and -j must be specified; although they can be the same
- physical interface.
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1=eth0 -j eth0 -O -c sample.cache -e 10.0.0.1:10.1.1.1 sample.pcap
- </DD>
- </DL>Merging the output to a single file:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -intf1=eth0 -j eth0 -w rewrite.pcap -c sample.cache -e 10.0.0.1:10.1.1.1 sample.pcap
- </DD>
- </DL>
- <P>
- <H1><A NAME="SECTION00080000000000000000">
- Tcpprep Usage</A>
- </H1>
- <P>
- <H2><A NAME="SECTION00081000000000000000">
- What is tcpprep?</A>
- </H2>
- <P>
- Tcpreplay can send traffic out two network cards, however it requires
- the calculations be done in real-time. These calculations can be expensive
- and can significantly reduce the throughput of tcpreplay.
- <P>
- Tcpprep is a libpcap pre-processor for tcpreplay which enables using
- two network cards to send traffic without the performance hit of doing
- the calculations in real-time.
- <P>
- <H2><A NAME="SECTION00082000000000000000">
- What are these 'modes' tcpprep has? </A>
- </H2>
- <P>
- Tcpprep has three basic modes which require the user to specify how
- to split traffic.
- <P>
- <UL>
- <LI>CIDR (-cidr) mode requires the user to provide
- a list of networks. Any packet with a source IP in one of these networks
- gets sent out the primary interface.
- </LI>
- <LI>Regex (-regex) mode requires the user to provide
- a regular expression. Any packet with a source IP matching the regex
- gets sent out the primary interface.
- </LI>
- <LI>Port (-port) mode splits TCP/UDP traffic based
- on the destination port in the header. Normally, ports 0-1023 are
- considered ``server'' ports and everything else a client port.
- You can create your own custom mapping file in the same format as
- /etc/services (see the services(5) man page for details) by specifying
- -services <file>.
- </LI>
- </UL>
- And four auto modes in which tcpprep decides how to split traffic.
- Auto modes are useful for when you don't know much about the contents
- of the dump file in question and you want to split traffic up based
- upon servers and clients.
- <P>
- <UL>
- <LI>Auto/Router (-auto router) mode trys to find
- the largest network(s) that contain all the servers and no clients.
- Any unknown system is automatically re-classified as servers if it's
- inside the server network(s), otherwise it is classified as a client.
- </LI>
- <LI>Auto/Bridge (-auto bridge) mode makes the assumption
- that the clients and servers are horribly intermixed on the network
- and there's no way to subnet them. While this takes less processing
- time to create the cache file it is unable to deal with unknown systems.
- </LI>
- <LI>Auto/Client (-auto client) mode which works just
- like Auto/Bridge mode, except that any system it can't figure out
- is treated like a client.
- </LI>
- <LI>Auto/Server (-auto server) mode which works just
- like Auto/Bridge mode, except that any system it can't figure out
- is treated like a server.
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION00083000000000000000">
- Splitting traffic based upon IP address</A>
- </H2>
- <P>
- Tcpprep supports the same CIDR mode that tcpreplay supports using
- the -cidr flag. Additionally, tcpprep also supports
- regex(7) regular expressions to match source IP addresses using the
- -regex flag.
- <P>
- <H2><A NAME="SECTION00084000000000000000">
- Auto Mode</A>
- </H2>
- <P>
- <H3><A NAME="SECTION00084100000000000000">
- How does Auto/Bridge mode work? </A>
- </H3>
- <P>
- Tcpprep does an initial pass over the libpcap file to build a binary
- tree (one node per IP). For each IP, it keeps track of how many times
- it was a client or server. It then does a second pass of the file
- using the data in the tree and the ratio to determine if an IP is
- a client or server. If tcpprep is unable to determine the type (client
- or server) for each and every packet, then auto/bridge mode will fail.
- In these cases, it is best to use a different auto mode.
- <P>
- <H3><A NAME="SECTION00084200000000000000">
- How does Auto/Router mode work? </A>
- </H3>
- <P>
- Tcpprep does the same first pass as Auto/Bridge mode. It then trys
- to convert the binary tree into a list of networks containing the
- servers. Finally it uses the CIDR mode with the list of server networks
- in a second pass of the libpcap file. Unlike auto/bridge mode, auto/router
- mode can always successfully split IP addresses into clients and servers.
- <P>
- <H3><A NAME="SECTION00084300000000000000">
- Determining Clients and Servers</A>
- </H3>
- <P>
- Tcpprep uses the following methods in auto/router and auto/bridge
- mode to determine if an IP address is a client or server:
- <P>
- <UL>
- <LI>Client:
- <P>
- <UL>
- <LI>TCP with Syn flag set
- </LI>
- <LI>UDP source/destination port 53 (DNS) without query flag set
- </LI>
- <LI>ICMP port unreachable (destination IP of packet)
- </LI>
- </UL>
- </LI>
- <LI>Server:
- <P>
- <UL>
- <LI>TCP with Syn/Ack flag set
- </LI>
- <LI>UDP source/destination port 53 (DNS) with query flag set
- </LI>
- <LI>ICMP port unreachable (source IP of packet)
- </LI>
- </UL>
- </LI>
- </UL>
- <P>
- <H3><A NAME="SECTION00084400000000000000">
- Client/Server ratio</A>
- </H3>
- <P>
- Since a system may send traffic which would classify it as both a
- client and server, it's necessary to be able to weigh the traffic.
- This is done by specifying the client/server ratio (-R) which is by
- default set to 2.0. The ratio is the modifier to the number of client
- connections. Hence, by default, client connections are valued twice
- as high as server connections.
- <P>
- <H2><A NAME="SECTION00085000000000000000">
- Selectively sending/dropping packets</A>
- </H2>
- <P>
- Tcpprep supports the same -include and -exclude
- options to selectively send or drop packets.
- <P>
- <H2><A NAME="SECTION00086000000000000000">
- Using tcpprep cache files with tcpreplay</A>
- </H2>
- <P>
- Just run:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpreplay -cachefile sample.cache -intf1=eth0 -intf2=eth1 sample.pcap
- </DD>
- </DL>
- <P>
- <H2><A NAME="SECTION00087000000000000000">
- Commenting tcpprep cache files</A>
- </H2>
- <P>
- In versions of tcpprep >= 2.1.0, you can specify a comment to be embeded
- in the tcpprep cache file. Comments are user specified and automatically
- include the command line arguments passed to tcpprep.
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpprep -comment ``this is my comment'' -pcap sample.pcap -cachefile sample.cache <other args>
- </DD>
- </DL>Or for no user comment, but still embed the command arguments:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpprep -comment ``'' -pcap sample.pcap -cachefile sample.cache <other args>
- </DD>
- </DL>You can then later on print out the comments by running:
- <P>
- <DL COMPACT>
- <DT>
- <DD>tcpprep -print-comment sample.cache
- </DD>
- </DL>
- <P>
- <H1><A NAME="SECTION00090000000000000000">
- Using Configuration Files</A>
- </H1>
- <P>
- Each of the applications in the tcpreplay suite offers the choice
- of specifying configuration options in a config file in addition to
- the traditional command line. Each command line option has an equivalent
- config file option which is listed in the man page. To specify the
- configuration file you'd like to use, use the -load-opts=<filename>
- option.
- <P>
- Configuration files have one option per line, and lines beginning
- with the pound sign (#) are considered comments and ignored. An example
- config file follows:
- <P>
- ------BEGIN CONFIG FILE-------
- <P>
- <TT># send traffic out 'eth0'</TT>
- <BR><TT>intf1 eth0</TT>
- <BR>
- <BR><TT># loop 5 times</TT>
- <BR><TT>loop 5</TT>
- <BR>
- <BR><TT># send traffic 2x as fast</TT>
- <BR><TT>multiplier 2</TT>
- <BR>-------END CONFIG FILE--------
- <P>
- You would then execute:
- <P>
- <DL COMPACT>
- <DT>
- <DD># tcpreplay -load-opts=myconfigfile sample.pcap
- </DD>
- </DL>You can also group configuration options for tcpprep, tcprewrite and
- tcpreplay in a single config file by placing section markers in the
- config file. An example:
- <P>
- ------BEGIN CONFIG FILE-------
- <P>
- <TT>cachefile=example.tcpprep</TT>
- <BR>
- <BR><TT>[TCPREPLAY]</TT>
- <BR><TT>intf1 eth0</TT>
- <BR><TT>intf2 eth1</TT>
- <BR><TT>topspeed </TT>
- <BR>
- <BR><TT>[TCPPREP]</TT>
- <BR><TT>auto=bridge</TT>
- <BR><TT>comment='This cache file was created with a config file'</TT>
- <BR><TT>pcap=sample.pcap</TT>
- <BR>
- <BR><TT>[TCPREWRITE]</TT>
- <BR><TT>infile=sample.pcap</TT>
- <BR><TT>outfile=newsample.pcap</TT>
- <BR><TT>vlan=add</TT>
- <BR><TT>vlan-tag=44</TT>
- <BR><TT>endpoints=10.0.0.1:10.0.1.1</TT>
- <P>
- ------END CONFIG FILE-------
- <P>
- <H1><A NAME="SECTION000100000000000000000">
- Flowreplay Usage</A>
- </H1>
- <P>
- While tcpreplay is a great way to test NIDS and firewalls, it can't
- be used to test servers or HIDS since tcpreplay can't connect to a
- service running on a device. The solution to this problem is flowreplay
- which instead of sending packets at Layer 2 (ethernet header and up),
- it can actually connect via TCP or UDP to server and then sends and
- receives data based upon a pcap capture file created with a tool like
- Ethereal or tcpdump.
- <P>
- Please note that flowreplay is currently alpha quality and is missing
- a number of key features.
- <P>
- <H2><A NAME="SECTION000101000000000000000">
- How flowreplay works</A>
- </H2>
- <P>
- Put simply, flowreplay opens a socket connection to a service on a
- target system(s) and sends data over that socket based on the packet
- capture. Flowreplay has no understanding of the application protocol
- (like HTTP or FTP) so it is somewhat limited in how it can deal with
- complicated exchanges between client and server.
- <P>
- Some of these limitations are:
- <P>
- <UL>
- <LI>Flowreplay only plays the client side<A NAME="tex2html10"
- HREF="#foot452"><SUP><SPAN CLASS="arabic">10</SPAN></SUP></A> of the connection.
- </LI>
- <LI>Flowreplay doesn't understand the application protocols. Hence it
- can't always deal with the case when the server sends a different
- response then what was originally captured in the pcap file.
- </LI>
- <LI>Flowreplay only sends TCP and UDP traffic.
- </LI>
- <LI>Flowreplay doesn't know about multi-flow protocols like FTP.
- </LI>
- <LI>Flowreplay can't listen on a port and wait for a client to connect
- to it.
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION000102000000000000000">
- Running flowreplay</A>
- </H2>
- <P>
- See the flowreplay(8) man page for details.
- <P>
- <H1><A NAME="SECTION000110000000000000000">
- Tuning OS's for high performance</A>
- </H1>
- <P>
- Regardless of the size of physical memory, UNIX kernels will only
- allocate a static amount for network buffers. This includes packets
- sent via the "raw" interface, like with tcpreplay.
- Most kernels will allow you to tweak the size of these buffers, drastically
- increasing performance and accuracy.
- <P>
- N<SMALL>OTE:</SMALL> The following information is provided based upon our
- own experiences or the reported experiences of others. Depending on
- your hardware and specific hardware, it may or may not work for you.
- It may even make your system horribly unstable, corrupt your harddrive,
- or worse.
- <P>
- N<SMALL>OTE</SMALL>: Different operating systems, network card drivers, and
- even hardware can have an effect on the accuracy of packet timestamps
- that tcpdump or other capture utilities generate. And as you know:
- garbage in, garbage out.
- <P>
- N<SMALL>OTE:</SMALL> If you have information on tuning the kernel of an operating
- system not listed here, please send it to me so I can include it.
- <P>
- <H2><A NAME="SECTION000111000000000000000">
- Linux 2.4.x</A>
- </H2>
- <P>
- The following is known to apply to the 2.4.x series of kernels. If
- anyone has any information regarding other kernel versions, please
- let us know. By default Linux's tcpreplay performance isn't all that
- stellar. However, with a simple tweak, relatively decent performance
- can be had on the right hardware. By default, Linux specifies a 64K
- buffer for sending packets. Increasing this buffer to about half a
- megabyte does a good job:
- <P>
- <SPAN CLASS="textit">echo 524287 >/proc/sys/net/core/wmem_default </SPAN>
- <BR><SPAN CLASS="textit">echo 524287 >/proc/sys/net/core/wmem_max </SPAN>
- <BR><SPAN CLASS="textit">echo 524287 >/proc/sys/net/core/rmem_max </SPAN>
- <BR><SPAN CLASS="textit">echo 524287 >/proc/sys/net/core/rmem_default </SPAN>
- <P>
- On one system, we've seen a jump from 23.02 megabits/sec (5560 packets/sec)
- to 220.30 megabits/sec (53212 packets/sec) which is nearly a 10x increase
- in performance. Depending on your system and capture file, different
- numbers may provide different results.
- <P>
- <H2><A NAME="SECTION000112000000000000000">
- *BSD</A>
- </H2>
- <P>
- *BSD systems typically allow you to specify the size of network
- buffers with the NMBCLUSTERS option in the kernel config file. Experiment
- with different sizes to see which yields the best performance. See
- the options(4) man page for more details.
- <P>
- <H1><A NAME="SECTION000120000000000000000">
- Required Libraries and Tools</A>
- </H1>
- <P>
- <H2><A NAME="SECTION000121000000000000000">
- Libpcap</A>
- </H2>
- <P>
- As of tcpreplay v1.4, you'll need to have libpcap installed on your
- system. As of v2.0, you'll need at least version 0.6.0 or better,
- but I only test our code with the latest version. Libpcap can be obtained
- on the tcpdump homepage<A NAME="tex2html11"
- HREF="#foot516"><SUP><SPAN CLASS="arabic">11</SPAN></SUP></A>.
- <P>
- <H2><A NAME="SECTION000122000000000000000">
- Libnet</A>
- </H2>
- <P>
- Tcpreplay v1.3 is the last version to support the old libnet API (everything
- before 1.1.x). As of v1.4 you will need to use Libnet 1.1.0 or better
- which can be obtained from the Libnet homepage<A NAME="tex2html12"
- HREF="#foot517"><SUP><SPAN CLASS="arabic">12</SPAN></SUP></A>.
- <P>
- <H2><A NAME="SECTION000123000000000000000">
- Tcpdump</A>
- </H2>
- <P>
- As of 2.0, tcpreplay uses tcpdump (the binary, not code) to decode
- packets to STDOUT in a human readable (with practice) format as it
- sends them. If you would like this feature, tcpdump must be installed
- on your system.
- <P>
- N<SMALL>OTE:</SMALL> The location of the tcpdump binary is hardcoded in tcpreplay
- at compile time. If tcpdump gets renamed or moved, the feature will
- become disabled.
- <P>
- <BR><HR><H4>Footnotes</H4>
- <DL>
- <DT><A NAME="foot56">... Libnet</A><A
- HREF="manual.html#tex2html1"><SUP><SPAN CLASS="arabic">1</SPAN></SUP></A></DT>
- <DD>http://www.packetfactory.net/libnet/
- </DD>
- <DT><A NAME="foot57">... Libpcap</A><A
- HREF="manual.html#tex2html2"><SUP><SPAN CLASS="arabic">2</SPAN></SUP></A></DT>
- <DD>http://www.tcpdump.org/
- </DD>
- <DT><A NAME="foot58">... tcpdump</A><A
- HREF="manual.html#tex2html3"><SUP><SPAN CLASS="arabic">3</SPAN></SUP></A></DT>
- <DD>http://www.tcpdump.org/
- </DD>
- <DT><A NAME="foot505">...
- captured</A><A
- HREF="manual.html#tex2html4"><SUP><SPAN CLASS="arabic">4</SPAN></SUP></A></DT>
- <DD>Tcpreplay makes a "best" effort to replay traffic
- at the given rate, but due to limitations in hardware or the pcap
- file itself, it may not be possible. Capture files with only a few
- packets in them are especially susceptible to inaccurately timing
- packets.
- </DD>
- <DT><A NAME="foot118">... times</A><A
- HREF="manual.html#tex2html5"><SUP><SPAN CLASS="arabic">5</SPAN></SUP></A></DT>
- <DD>Looping files resets internal counters which control the speed that
- the file is replayed. Also because the file has to be closed and re-opened,
- an added delay between the last and first packet may occur.
- </DD>
- <DT><A NAME="foot182">... interface</A><A
- HREF="manual.html#tex2html6"><SUP><SPAN CLASS="arabic">6</SPAN></SUP></A></DT>
- <DD>Note that you can also use the following options to split traffic
- into two files using -w and -W which are described later on in this
- FAQ.
- </DD>
- <DT><A NAME="foot184">... cachefile</A><A
- HREF="manual.html#tex2html7"><SUP><SPAN CLASS="arabic">7</SPAN></SUP></A></DT>
- <DD>For information on generating tcpprep cache files, see the section
- on tcpprep.
- </DD>
- <DT><A NAME="foot208">... -x</A><A
- HREF="manual.html#tex2html8"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A></DT>
- <DD>Note that if you want to send all the packets which do not match a
- bpf filter, all you have to do is negate the bpf filter. See the tcpdump(1)
- man page for more info.
- </DD>
- <DT><A NAME="foot277">... libpcap</A><A
- HREF="manual.html#tex2html9"><SUP><SPAN CLASS="arabic">9</SPAN></SUP></A></DT>
- <DD>Note that some versions of tcpreplay prior to 1.4 also supported the
- Solaris snoop format.
- </DD>
- <DT><A NAME="foot452">... side</A><A
- HREF="manual.html#tex2html10"><SUP><SPAN CLASS="arabic">10</SPAN></SUP></A></DT>
- <DD>Flowreplay assumes the first UDP packet on a given 4-tuple is the
- client
- </DD>
- <DT><A NAME="foot516">... homepage</A><A
- HREF="manual.html#tex2html11"><SUP><SPAN CLASS="arabic">11</SPAN></SUP></A></DT>
- <DD>http://www.tcpdump.org/
- </DD>
- <DT><A NAME="foot517">... homepage</A><A
- HREF="manual.html#tex2html12"><SUP><SPAN CLASS="arabic">12</SPAN></SUP></A></DT>
- <DD>http://www.packetfactory.net/Projects/Libnet/
- </DD>
- </DL>
- <BR><HR>
- <!--Table of Child-Links-->
- <A NAME="CHILD_LINKS"></A>
- <UL CLASS="ChildLinks">
- <LI><UL>
- <LI><UL>
- <LI><A NAME="tex2html15"
- HREF="manual.html#SECTION00010000000000000000">Notice</A>
- <LI><A NAME="tex2html16"
- HREF="manual.html#SECTION00020000000000000000">Overview</A>
- <UL>
- <LI><A NAME="tex2html17"
- HREF="manual.html#SECTION00021000000000000000">Using this manual</A>
- <LI><A NAME="tex2html18"
- HREF="manual.html#SECTION00022000000000000000">Getting Help</A>
- <LI><A NAME="tex2html19"
- HREF="manual.html#SECTION00023000000000000000">Corrections and additions to the manual</A>
- </UL>
- <LI><A NAME="tex2html20"
- HREF="manual.html#SECTION00030000000000000000">Getting Tcpreplay working on your system</A>
- <UL>
- <LI><A NAME="tex2html21"
- HREF="manual.html#SECTION00031000000000000000">Getting the source code</A>
- <LI><A NAME="tex2html22"
- HREF="manual.html#SECTION00032000000000000000">Requirements</A>
- <LI><A NAME="tex2html23"
- HREF="manual.html#SECTION00033000000000000000">Compiling Tcpreplay</A>
- </UL>
- <LI><A NAME="tex2html24"
- HREF="manual.html#SECTION00040000000000000000">Basic Tcpreplay Usage</A>
- <UL>
- <LI><A NAME="tex2html25"
- HREF="manual.html#SECTION00041000000000000000">Replaying the traffic</A>
- <LI><A NAME="tex2html26"
- HREF="manual.html#SECTION00042000000000000000">Replaying at different speeds</A>
- <LI><A NAME="tex2html27"
- HREF="manual.html#SECTION00043000000000000000">Replaying files multiple times</A>
- </UL>
- <LI><A NAME="tex2html28"
- HREF="manual.html#SECTION00050000000000000000">Editing Packets</A>
- <LI><A NAME="tex2html29"
- HREF="manual.html#SECTION00060000000000000000">Splitting Traffic</A>
- <UL>
- <LI><A NAME="tex2html30"
- HREF="manual.html#SECTION00061000000000000000">Classifying client and servers with tcpprep</A>
- <LI><A NAME="tex2html31"
- HREF="manual.html#SECTION00062000000000000000">Replaying on multiple interfaces</A>
- <LI><A NAME="tex2html32"
- HREF="manual.html#SECTION00063000000000000000">Selectively sending or dropping packets</A>
- <LI><A NAME="tex2html33"
- HREF="manual.html#SECTION00064000000000000000">Replaying only a few packets</A>
- <LI><A NAME="tex2html34"
- HREF="manual.html#SECTION00065000000000000000">Skipping the first bytes in a pcap file</A>
- <LI><A NAME="tex2html35"
- HREF="manual.html#SECTION00066000000000000000">Replaying packets which are bigger then the MTU</A>
- <LI><A NAME="tex2html36"
- HREF="manual.html#SECTION00067000000000000000">Writing packets to a file</A>
- <LI><A NAME="tex2html37"
- HREF="manual.html#SECTION00068000000000000000">Extracting Application Data (Layer 7)</A>
- <LI><A NAME="tex2html38"
- HREF="manual.html#SECTION00069000000000000000">Replaying Live Traffic</A>
- <LI><A NAME="tex2html39"
- HREF="manual.html#SECTION000610000000000000000">Replaying Packet Capture Formats Other Than Libpcap</A>
- <LI><A NAME="tex2html40"
- HREF="manual.html#SECTION000611000000000000000">Replaying Client Traffic to a Server</A>
- <LI><A NAME="tex2html41"
- HREF="manual.html#SECTION000612000000000000000">Decoding Packets</A>
- </UL>
- <LI><A NAME="tex2html42"
- HREF="manual.html#SECTION00070000000000000000">Packet Editing</A>
- <UL>
- <LI><A NAME="tex2html43"
- HREF="manual.html#SECTION00071000000000000000">Rewriting MAC addresses</A>
- <LI><A NAME="tex2html44"
- HREF="manual.html#SECTION00072000000000000000">Randomizing IP addresses</A>
- <LI><A NAME="tex2html45"
- HREF="manual.html#SECTION00073000000000000000">Replaying (de)truncated packets</A>
- <LI><A NAME="tex2html46"
- HREF="manual.html#SECTION00074000000000000000">Rewriting Layer 2 with -2</A>
- <LI><A NAME="tex2html47"
- HREF="manual.html#SECTION00075000000000000000">Rewriting DLT_LINUX_SLL (Linux Cooked Socket) captures</A>
- <LI><A NAME="tex2html48"
- HREF="manual.html#SECTION00076000000000000000">Rewriting IP Addresses (pseudo-NAT)</A>
- <LI><A NAME="tex2html49"
- HREF="manual.html#SECTION00077000000000000000">Advanced pseudo-NAT</A>
- <LI><A NAME="tex2html50"
- HREF="manual.html#SECTION00078000000000000000">IP Endpoints</A>
- <LI><A NAME="tex2html51"
- HREF="manual.html#SECTION00079000000000000000">Unifying Dual-Outputs</A>
- </UL>
- <LI><A NAME="tex2html52"
- HREF="manual.html#SECTION00080000000000000000">Tcpprep Usage</A>
- <UL>
- <LI><A NAME="tex2html53"
- HREF="manual.html#SECTION00081000000000000000">What is tcpprep?</A>
- <LI><A NAME="tex2html54"
- HREF="manual.html#SECTION00082000000000000000">What are these 'modes' tcpprep has? </A>
- <LI><A NAME="tex2html55"
- HREF="manual.html#SECTION00083000000000000000">Splitting traffic based upon IP address</A>
- <LI><A NAME="tex2html56"
- HREF="manual.html#SECTION00084000000000000000">Auto Mode</A>
- <LI><A NAME="tex2html57"
- HREF="manual.html#SECTION00085000000000000000">Selectively sending/dropping packets</A>
- <LI><A NAME="tex2html58"
- HREF="manual.html#SECTION00086000000000000000">Using tcpprep cache files with tcpreplay</A>
- <LI><A NAME="tex2html59"
- HREF="manual.html#SECTION00087000000000000000">Commenting tcpprep cache files</A>
- </UL>
- <LI><A NAME="tex2html60"
- HREF="manual.html#SECTION00090000000000000000">Using Configuration Files</A>
- <LI><A NAME="tex2html61"
- HREF="manual.html#SECTION000100000000000000000">Flowreplay Usage</A>
- <UL>
- <LI><A NAME="tex2html62"
- HREF="manual.html#SECTION000101000000000000000">How flowreplay works</A>
- <LI><A NAME="tex2html63"
- HREF="manual.html#SECTION000102000000000000000">Running flowreplay</A>
- </UL>
- <LI><A NAME="tex2html64"
- HREF="manual.html#SECTION000110000000000000000">Tuning OS's for high performance</A>
- <UL>
- <LI><A NAME="tex2html65"
- HREF="manual.html#SECTION000111000000000000000">Linux 2.4.x</A>
- <LI><A NAME="tex2html66"
- HREF="manual.html#SECTION000112000000000000000">*BSD</A>
- </UL>
- <LI><A NAME="tex2html67"
- HREF="manual.html#SECTION000120000000000000000">Required Libraries and Tools</A>
- <UL>
- <LI><A NAME="tex2html68"
- HREF="manual.html#SECTION000121000000000000000">Libpcap</A>
- <LI><A NAME="tex2html69"
- HREF="manual.html#SECTION000122000000000000000">Libnet</A>
- <LI><A NAME="tex2html70"
- HREF="manual.html#SECTION000123000000000000000">Tcpdump</A>
- </UL>
- </UL>
- </UL>
- <BR>
- <LI><A NAME="tex2html71"
- HREF="node1.html">Other Resources</A>
- <UL>
- <LI><A NAME="tex2html72"
- HREF="node1.html#SECTION01010000000000000000">Other pcap tools available</A>
- <UL>
- <LI><A NAME="tex2html73"
- HREF="node1.html#SECTION01011000000000000000">Tools to capture network traffic or decode pcap files</A>
- <LI><A NAME="tex2html74"
- HREF="node1.html#SECTION01012000000000000000">Tools to edit pcap files</A>
- <LI><A NAME="tex2html75"
- HREF="node1.html#SECTION01013000000000000000">Other useful tools</A>
- </UL></UL></UL>
- <!--End of Table of Child-Links-->
- <DIV CLASS="navigation"><HR>
- <!--Navigation Panel-->
- <A NAME="tex2html13"
- HREF="node1.html">
- <IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A>
- <IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up_g.png">
- <IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev_g.png">
- <BR>
- <B> Next:</B> <A NAME="tex2html14"
- HREF="node1.html">Other Resources</A></DIV>
- <!--End of Navigation Panel-->
- <ADDRESS>
- Aaron Turner
- 2006-08-07
- </ADDRESS>
- </BODY>
- </HTML>
|