  1. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
  2. <!--Converted with LaTeX2HTML 2002-2 (1.70)
  3. original version by: Nikos Drakos, CBLU, University of Leeds
  4. * revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
  5. * with significant contributions from:
  6. Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
  7. <HTML>
  8. <HEAD>
  9. <TITLE>Tcpreplay 3.x Manual (BETA)</TITLE>
  10. <META NAME="description" CONTENT="Tcpreplay 3.x Manual (BETA)">
  11. <META NAME="keywords" CONTENT="manual">
  12. <META NAME="resource-type" CONTENT="document">
  13. <META NAME="distribution" CONTENT="global">
  14. <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
  15. <META NAME="Generator" CONTENT="LaTeX2HTML v2002-2">
  16. <META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
  17. <LINK REL="STYLESHEET" HREF="manual.css">
  18. <LINK REL="next" HREF="node1.html">
  19. </HEAD>
  20. <BODY >
  21. <DIV CLASS="navigation"><!--Navigation Panel-->
  22. <A NAME="tex2html13"
  23. HREF="node1.html">
  24. <IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A>
  25. <IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up_g.png">
  26. <IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev_g.png">
  27. <BR>
  28. <B> Next:</B> <A NAME="tex2html14"
  29. HREF="node1.html">Other Resources</A>
  30. <BR>
  31. <BR></DIV>
  32. <!--End of Navigation Panel-->
  33. <P>
  34. <P>
  35. <P>
  36. <H1 ALIGN="CENTER">Tcpreplay 3.x Manual (BETA)</H1>
  37. <DIV CLASS="author_info">
  38. <P ALIGN="CENTER"><STRONG>Aaron Turner</STRONG></P>
  39. <P ALIGN="CENTER"><I>http://tcpreplay.sourceforge.net/</I></P>
  40. </DIV>
  41. <P>
  42. <H1><A NAME="SECTION00010000000000000000">
  43. Notice</A>
  44. </H1>
  45. <P>
  46. This document is still in the process of being re-written due to the
  47. significant CLI and configuration file changes between versions 2.x
  48. and 3.x. For the definitive source of configuration options, please
  49. see the tcpprep, tcprewrite, tcpreplay and tcpbridge man pages.
  50. <P>
  51. <H1><A NAME="SECTION00020000000000000000">
  52. Overview</A>
  53. </H1>
  54. <P>
  55. Tcpreplay is a suite of utilities for UNIX systems for editing and
  56. replaying network traffic which was previously captured by tools like
  57. tcpdump and ethereal. The goal of tcpreplay is to provide a
  58. reliable and repeatable means for testing a variety
  59. of network devices such as switches, routers, firewalls, network intrusion
  60. detection and prevention systems (IDS and IPS).
  61. <P>
  62. Tcpreplay provides the ability to classify traffic as client or server,
  63. edit packets at layers 2-4 and replay the traffic at arbitrary speeds
  64. onto a network for sniffing or through a device.
  65. <P>
  66. Some of the advantages of using tcpreplay over using ``exploit
  67. code'' are:
  68. <P>
  69. <UL>
  70. <LI>Since tcpreplay emulates the victim and the attacker, you generally
  71. only need a tcpreplay box and the device under test (DUT)
  72. </LI>
  73. <LI>Tests can include background traffic of entire networks without the
  74. cost and effort of setting up dozens of hosts or costly emulators
  75. </LI>
  76. <LI>No need to have a ``victim'' host which needs to have the appropriate
  77. software installed, properly configured and rebuilt after compromise
  78. </LI>
  79. <LI>Less chance that a virus or trojan might escape your network and wreak
  80. havoc on your systems
  81. </LI>
  82. <LI>Uses the open standard pcap file format for which dozens of command
  83. line and GUI utilities exist
  84. </LI>
  85. <LI>Tests are fully repeatable without complex test harnesses or network
  86. configuration
  87. </LI>
  88. <LI>Tests can be replayed at arbitrary speeds
  89. </LI>
  90. <LI>Single command-line interface to learn and integrate into test harness
  91. </LI>
  92. <LI>You only need to audit tcpreplay, rather than each and every exploit
  93. individually
  94. </LI>
  95. <LI>Actively developed and supported by its author
  96. </LI>
  97. </UL>
  98. <P>
  99. <H2><A NAME="SECTION00021000000000000000">
  100. Using this manual</A>
  101. </H2>
  102. <P>
  103. The goal of this manual is to provide an idea of what tcpreplay and
  104. its utilities can do. It is not however intended to be a complete
  105. document which covers every possible use case or situation. It is
  106. also very much a work in progress and is far from complete and has
  107. numerous errors since a lot of things have changed since tcpreplay
  108. 2.x. It is expected that most of these issues will be ironed out before
  109. the official 3.0 release is made. You should keep in mind the following
  110. conventions when reading this document:
  111. <P>
  112. <UL>
  113. <LI>Commands you should run from the command line <TT>are in monotype</TT>.
  114. </LI>
  115. <LI>Commands that should be run as root will have a '#' in front of them.
  116. </LI>
  117. <LI>Commands that should be run as an unprivileged user will have a '$'
  118. in front of them.
  119. </LI>
  120. <LI>Text that should be placed in a file <TT>is in monospace.</TT>
  121. </LI>
  122. </UL>
  123. All of the applications shipped with tcpreplay support both short
  124. (a single dash followed by a single character) and long (two dashes
  125. followed by multiple characters) arguments. For consistency, this
  126. document uses the long option format. Please review the man pages
  127. for the short argument equivalents.
  128. <P>
  129. <H2><A NAME="SECTION00022000000000000000">
  130. Getting Help</A>
  131. </H2>
  132. <P>
  133. If you still have a question after reading the Tcpreplay manual, man
  134. pages and FAQ, please contact the Tcpreplay-Users &lt;tcpreplay-users@lists.sourceforge.net&gt;
  135. mailing list. Note that if you ask a question which has clearly been
  136. covered in either the manual or FAQ, you will most likely be told
  137. to RTFM. Also, please try to explain your problem in detail. It is
  138. very difficult and frustrating to get requests from people seeking
  139. help who only provide vague and incomplete information.
  140. <P>
  141. <H2><A NAME="SECTION00023000000000000000">
  142. Corrections and additions to the manual</A>
  143. </H2>
  144. <P>
  145. I've tried to keep this document up to date with the changes in tcpreplay,
  146. but occasionally I get too busy, make a mistake or just forget something.
  147. If you find anything in this document which could be improved upon,
  148. please let me know.
  149. <P>
  150. <H1><A NAME="SECTION00030000000000000000">
  151. Getting Tcpreplay working on your system</A>
  152. </H1>
  153. <P>
  154. <H2><A NAME="SECTION00031000000000000000">
  155. Getting the source code</A>
  156. </H2>
  157. <P>
  158. The source code is available as a tarball on the tcpreplay homepage:
  159. http://tcpreplay.sourceforge.net/ I also encourage users familiar
  160. with Subversion to try checking out the latest code as it often has
  161. additional features and bugfixes not yet found in the official releases.
  162. <P>
  163. <DL COMPACT>
  164. <DT>
  165. <DD>$&nbsp;svn&nbsp;checkout&nbsp;https://www.synfin.net/svn/tcpreplay/trunk&nbsp;tcpreplay
  166. </DD>
  167. </DL>
  168. <P>
  169. <H2><A NAME="SECTION00032000000000000000">
  170. Requirements</A>
  171. </H2>
  172. <P>
  173. <OL>
  174. <LI>Libnet<A NAME="tex2html1"
  175. HREF="#foot56"><SUP><SPAN CLASS="arabic">1</SPAN></SUP></A> 1.1.x or better (1.1.3 fixes a checksum bug which affects tcprewrite)
  176. </LI>
  177. <LI>Libpcap<A NAME="tex2html2"
  178. HREF="#foot57"><SUP><SPAN CLASS="arabic">2</SPAN></SUP></A> 0.6.x or better (0.8.3 or better recommended)
  179. </LI>
  180. <LI>To support the packet decoding feature you'll need tcpdump<A NAME="tex2html3"
  181. HREF="#foot58"><SUP><SPAN CLASS="arabic">3</SPAN></SUP></A> binary installed.
  182. </LI>
  183. <LI>You'll also need a compatible operating system. Basically, any *NIX
  184. operating system should work. Linux, *BSD, Solaris, OS X and others
  185. should all work. If you find any compatibility issues with any *NIX
  186. OS, please let me know.
  187. </LI>
  188. </OL>
  189. <P>
  190. <H2><A NAME="SECTION00033000000000000000">
  191. Compiling Tcpreplay</A>
  192. </H2>
  193. <P>
  194. Two easy steps:
  195. <P>
  196. <DL COMPACT>
  197. <DT>
  198. <DD><SPAN CLASS="textit">$</SPAN>&nbsp;./configure&nbsp;&amp;&amp;&nbsp;make&nbsp;<SPAN CLASS="textit"></SPAN>
  199. <P>
  200. <SPAN CLASS="textit">#</SPAN>&nbsp;make&nbsp;install
  201. </DD>
  202. </DL>There are some optional arguments which can be passed to the 'configure'
  203. script which may help in cases where your libnet, libpcap or tcpdump
  204. installation is not standard or if it can't determine the correct
  205. network interface card to use for testing. I also recommend that for
  206. beta code you specify <SPAN CLASS="textbf">--enable-debug</SPAN>
  207. to the configure script in case you find any bugs. If you find that
  208. configure isn't completing correctly, run: <SPAN CLASS="textit">./configure --help</SPAN>
  209. for more information.
  210. <P>
  211. You may also choose to run:
  212. <P>
  213. <DL COMPACT>
  214. <DT>
  215. <DD>#&nbsp;<SPAN CLASS="textit">make&nbsp;test&nbsp;-i</SPAN>
  216. </DD>
  217. </DL>
  218. <UL>
  219. <LI>make test is just a series of sanity checks which try to find serious
  220. bugs (crashes) in tcpprep and tcpreplay.
  221. </LI>
  222. <LI>make test requires at least one properly configured network interface.
  223. If the configure script can't guess what a valid interface is you
  224. can specify it with the --with-testnic and --with-testnic2
  225. arguments.
  226. </LI>
  227. <LI>If make test fails, often you can find details in test/test.log.
  228. </LI>
  229. <LI>OpenBSD's make has a bug where it ignores the MAKEFLAGS variable in
  230. the Makefile, hence you'll probably want to run: <SPAN CLASS="textit">make -is test</SPAN>
  231. instead.
  232. </LI>
  233. </UL>
  234. <P>
  235. <H1><A NAME="SECTION00040000000000000000">
  236. Basic Tcpreplay Usage</A>
  237. </H1>
  238. <P>
  239. <H2><A NAME="SECTION00041000000000000000">
  240. Replaying the traffic</A>
  241. </H2>
  242. <P>
  243. To replay a given pcap as it was captured all you need to do is specify
  244. the pcap file and the interface to send the traffic out of, in this case
  245. interface 'eth0':
  246. <P>
  247. <DL COMPACT>
  248. <DT>
  249. <DD>#&nbsp;tcpreplay&nbsp;--intf1=eth0&nbsp;sample.pcap
  250. </DD>
  251. </DL>
  252. <P>
  253. <H2><A NAME="SECTION00042000000000000000">
  254. Replaying at different speeds</A>
  255. </H2>
  256. <P>
  257. You can also replay the traffic at different speeds than it was originally
  258. captured<A NAME="tex2html4"
  259. HREF="#foot505"><SUP><SPAN CLASS="arabic">4</SPAN></SUP></A>.
  260. <P>
  261. Some examples:
  262. <P>
  263. <UL>
  264. <LI>To replay traffic as quickly as possible:
  265. </LI>
  266. </UL>
  267. <DL COMPACT>
  268. <DT>
  269. <DD>#&nbsp;tcpreplay&nbsp;--topspeed&nbsp;--intf1=eth0&nbsp;sample.pcap
  270. </DD>
  271. </DL>
  272. <UL>
  273. <LI>To replay traffic at a rate of 10Mbps:
  274. </LI>
  275. </UL>
  276. <DL COMPACT>
  277. <DT>
  278. <DD>#&nbsp;tcpreplay&nbsp;--mbps=10.0&nbsp;--intf1=eth0&nbsp;sample.pcap
  279. </DD>
  280. </DL>
  281. <UL>
  282. <LI>To replay traffic 7.3 times as fast as it was captured:
  283. </LI>
  284. </UL>
  285. <DL COMPACT>
  286. <DT>
  287. <DD>#&nbsp;tcpreplay&nbsp;--multiplier=7.3&nbsp;--intf1=eth0&nbsp;sample.pcap
  288. </DD>
  289. </DL>
  290. <UL>
  291. <LI>To replay traffic at half-speed:
  292. </LI>
  293. </UL>
  294. <DL COMPACT>
  295. <DT>
  296. <DD>#&nbsp;tcpreplay&nbsp;--multiplier=0.5&nbsp;--intf1=eth0&nbsp;sample.pcap
  297. </DD>
  298. </DL>
  299. <UL>
  300. <LI>To replay at 25 packets per second:
  301. </LI>
  302. </UL>
  303. <DL COMPACT>
  304. <DT>
  305. <DD>#&nbsp;tcpreplay&nbsp;--pps=25&nbsp;--intf1=eth0&nbsp;sample.pcap
  306. </DD>
  307. </DL>
  308. <P>
  309. <H2><A NAME="SECTION00043000000000000000">
  310. Replaying files multiple times</A>
  311. </H2>
  312. <P>
  313. Using the loop flag you can specify that a pcap file will be sent
  314. two or more times<A NAME="tex2html5"
  315. HREF="#foot118"><SUP><SPAN CLASS="arabic">5</SPAN></SUP></A>:
  316. <P>
  317. To replay the sample.pcap file 10 times:
  318. <P>
  319. <DL COMPACT>
  320. <DT>
  321. <DD>#&nbsp;tcpreplay&nbsp;--loop=10&nbsp;--intf1=eth0&nbsp;sample.pcap
  322. </DD>
  323. </DL>To replay sample.pcap infinitely, or until CTRL-C is pressed:
  324. <P>
  325. <DL COMPACT>
  326. <DT>
  327. <DD>#&nbsp;tcpreplay&nbsp;--loop=0&nbsp;--intf1=eth0&nbsp;sample.pcap
  328. </DD>
  329. </DL>
  330. <P>
  331. <H1><A NAME="SECTION00050000000000000000">
  332. Editing Packets</A>
  333. </H1>
  334. <P>
  335. There are a number of ways you can edit packets stored in a pcap file:
  336. <P>
  337. <OL>
  338. <LI>Rewriting IP addresses so that they appear to be sent from and to
  339. different hosts
  340. </LI>
  341. <LI>Fixing corrupted packets which were truncated by tcpdump or had bad
  342. checksums
  343. </LI>
  344. <LI>Adding, removing or changing 802.1q VLAN tags on frames
  345. </LI>
  346. <LI>Rewriting traffic so that it no longer uses ``standard'' TCP or
  347. UDP ports for the given service
  348. </LI>
  349. <LI>Changing ethernet MAC addresses so that packets will be accepted by
  350. a switch, router or firewall
  351. </LI>
  352. </OL>
  353. <P>
  354. <H1><A NAME="SECTION00060000000000000000">
  355. Splitting Traffic</A>
  356. </H1>
  357. <P>
  358. Anything other than just replaying packets at different speeds requires
  359. additional work and CPU cycles. While older versions of tcpreplay
  360. allowed you to do many of these calculations while replaying traffic,
  361. it had a negative effect on the overall throughput and performance
  362. of tcpreplay. Hence, these secondary features have been placed in
  363. two utilities:
  364. <P>
  365. <UL>
  366. <LI>tcpprep - Used to categorize packets as originating from clients or
  367. servers
  368. </LI>
  369. <LI>tcprewrite - Used to edit packets
  370. </LI>
  371. </UL>
  372. By using tcpprep and tcprewrite on a pcap file before sending it using
  373. tcpreplay, many possibilities open up. A few of these possibilities
  374. are:
  375. <P>
  376. <H2><A NAME="SECTION00061000000000000000">
  377. Classifying client and servers with tcpprep</A>
  378. </H2>
  379. <P>
  380. Both tcpreplay and tcprewrite process a single pcap file and generate
  381. output. Some features, such as rewriting IP or MAC addresses or sending
  382. traffic out two different interfaces, require tcpreplay and tcprewrite
  383. to have some basic knowledge about which packets were sent by ``clients''
  384. and ``servers''. Such classification is often rather arbitrary
  385. since for example a SMTP mail server both accepts inbound email (acts
  386. as a server) and forwards mail to other mail servers (acts as a client).
  387. A webserver might accept inbound HTTP requests, but make client connections
  388. to a SQL server.
  389. <P>
  390. To deal with this problem, tcpreplay comes with tcpprep which provides
  391. a number of manual and automatic classification methods which cover
  392. a variety of situations.
  393. <P>
  394. <H3><A NAME="SECTION00061100000000000000">
  395. Separating clients and servers automatically</A>
  396. </H3>
  397. <P>
  398. The easiest way to split clients and servers is to let tcpprep do
  399. the classification for you. Tcpprep examines the pcap file for TCP
  400. three-way handshakes, DNS lookups and other types of traffic to figure
  401. out which IPs mostly act like clients and which mostly act like servers.
  402. There are four different automatic modes that you can choose between:
  403. <P>
  404. <OL>
  405. <LI>Bridge - This is the simplest mode. Each IP is individually tracked
  406. and ranked as a client or server. However, if any of the hosts do
  407. not generate enough ``client'' or ``server'' traffic then
  408. tcpprep will abort complaining that it was unable to determine its
  409. classification. This works best when clients and servers are intermixed
  410. on the same subnet.
  411. </LI>
  412. <LI>Client - This works just like bridge mode, except that unknown hosts
  413. will be marked a client.
  414. </LI>
  415. <LI>Server - This works just like bridge mode, except that unknown hosts
  416. will be marked a server.
  417. </LI>
  418. <LI>Router - Hosts are first ranked as client or server. Then each host
  419. is placed in a subnet which is expanded until either all the unknown
  420. hosts are included or the --maxmask is reached. This works best when
  421. clients and servers are on different networks.
  422. </LI>
  423. </OL>
  424. <DIV ALIGN="CENTER">
  425. <TABLE CELLPADDING=3 BORDER="1">
  426. <TR><TD ALIGN="CENTER" COLSPAN=2><SPAN>TCPPREP AUTOMATIC ROUTER MODE PROCESS</SPAN>
  427. <BR>
  428. S<SMALL>TEP 1:</SMALL> Categorize Clients, Servers and Unknowns</TD>
  429. </TR>
  430. </TABLE></DIV>
  431. <P>
  432. <DIV ALIGN="CENTER">
  433. </DIV>
  434. <P>
  435. &nbsp;&nbsp;&nbsp;
  436. <P>
  437. <DIV ALIGN="CENTER">
  438. <TABLE CELLPADDING=3>
  439. <TR><TD ALIGN="CENTER">S<SMALL>TEP 3:</SMALL> Unknowns Now Marked as Clients and Servers
  440. <BR></SMALL>
  441. <BR></TD>
  442. </TR>
  443. </TABLE></DIV>
  444. <P>
  445. <DIV ALIGN="CENTER">
  446. </DIV>
  447. <P>
  448. Classifying clients and servers in automatic mode is as easy as choosing
  449. a pcap file, an output ``tcpprep cache file'' and the mode to
  450. use:
  451. <P>
  452. <DL COMPACT>
  453. <DT>
  454. <DD><SPAN CLASS="textit">$</SPAN>&nbsp;tcpprep&nbsp;-auto=bridge&nbsp;-pcap=input.pcap&nbsp;-cachefile=input.cache
  455. </DD>
  456. </DL>The above example would split traffic in bridge mode. Other modes
  457. are ``router'', ``client'' and ``server''. If you wish,
  458. you can override the default 2:1 ratio of server vs. client traffic
  459. required to classify an IP as a server. If for example you wanted
  460. to require 3.5 times as much server to client traffic you would specify
  461. it like:
  462. <P>
  463. <DL COMPACT>
  464. <DT>
  465. <DD><SPAN CLASS="textit">$</SPAN>&nbsp;tcpprep&nbsp;-auto=bridge&nbsp;-ratio=3.5&nbsp;-pcap=input.pcap&nbsp;-cachefile=input.cache
  466. </DD>
  467. </DL>
  468. <P>
  469. <H3><A NAME="SECTION00061200000000000000">
  470. Separating clients and servers manually by subnet</A>
  471. </H3>
  472. <P>
  473. Sometimes, you may not want to split traffic based on clients and
  474. servers. The alternative to using one of the automatic modes in this
  475. case, is to use one of the manual modes. One manual way of differentiating
  476. between clients and servers using tcpprep is by specifying a list
  477. of networks in CIDR notation which contain ``servers''. Of course
  478. the specified CIDR netblocks don't have to contain
  479. <P>
  480. <H2><A NAME="SECTION00062000000000000000">
  481. Replaying on multiple interfaces</A>
  482. </H2>
  483. <P>
  484. Tcpreplay can also split traffic so that each side of a connection
  485. is sent out a different interface<A NAME="tex2html6"
  486. HREF="#foot182"><SUP><SPAN CLASS="arabic">6</SPAN></SUP></A>. In order to do this, tcpreplay needs the name of the second interface
  487. (-j) and a way to split the traffic. Currently, there are two ways
  488. to split traffic:
  489. <P>
  490. <OL>
  491. <LI>-C = split traffic by source IP address which is specified in CIDR
  492. notation
  493. </LI>
  494. <LI>-c = split traffic according to a tcpprep cachefile<A NAME="tex2html7"
  495. HREF="#foot184"><SUP><SPAN CLASS="arabic">7</SPAN></SUP></A>
  496. </LI>
  497. </OL>
  498. When splitting traffic, it is important to remember that traffic that
  499. matches the filter is sent out the primary interface (--intf1). In
  500. this case, when splitting traffic by source IP address, you provide
  501. a list of networks in CIDR notation. For example:
  502. <P>
  503. <UL>
  504. <LI>To send traffic from 10.0.0.0/8 out eth0 and everything else out eth1:
  505. </LI>
  506. </UL>
  507. <DL COMPACT>
  508. <DT>
  509. <DD>tcpreplay&nbsp;-C&nbsp;10.0.0.0/8&nbsp;--intf1=eth0&nbsp;--intf2=eth1&nbsp;sample.pcap
  510. </DD>
  511. </DL>
  512. <UL>
  513. <LI>To send traffic from 10.1.0.0/24 and 10.2.0.0/20 out eth0 and everything
  514. else out eth1:
  515. </LI>
  516. </UL>
  517. <DL COMPACT>
  518. <DT>
  519. <DD>tcpreplay&nbsp;-C&nbsp;10.1.0.0/24,10.2.0.0/20&nbsp;--intf1=eth0&nbsp;--intf2=eth1&nbsp;sample.pcap
  520. </DD>
  521. </DL>
  522. <UL>
  523. <LI>After using tcpprep to generate a cache file, you can use it to split
  524. traffic between two interfaces like this:
  525. </LI>
  526. </UL>
  527. <DL COMPACT>
  528. <DT>
  529. <DD>tcpreplay&nbsp;-c&nbsp;sample.cache&nbsp;--intf1=eth0&nbsp;--intf2=eth1&nbsp;sample.pcap
  530. </DD>
  531. </DL>
  532. <P>
  533. <H2><A NAME="SECTION00063000000000000000">
  534. Selectively sending or dropping packets</A>
  535. </H2>
  536. <P>
  537. Sometimes, you want to do some post-capture filtering of packets.
  538. Tcpreplay lets you have some control over which packets get sent.
  539. <P>
  540. <OL>
  541. <LI>-M = disables sending of martian packets. By definition, martian packets
  542. have a source IP of 0.x.x.x, 127.x.x.x, or 255.x.x.x
  543. </LI>
  544. <LI>-x = send packets which match a specific pattern
  545. </LI>
  546. <LI>-X = send packets which do not match a specific pattern
  547. </LI>
  548. </OL>
  549. Both -x and -X support a variety of pattern matching types. These
  550. types are specified by a single character, followed by a colon, followed
  551. by the pattern. The following pattern matching types are available:
  552. <P>
  553. <OL>
  554. <LI>S - Source IP
  555. <BR>
  556. Pattern is a comma delimited CIDR notation
  557. </LI>
  558. <LI>D - Destination IP
  559. <BR>
  560. Pattern is a comma delimited CIDR notation
  561. </LI>
  562. <LI>B - Both source and destination IP must match
  563. <BR>
  564. Pattern is a comma delimited CIDR notation
  565. </LI>
  566. <LI>E - Either source or destination IP must match
  567. <BR>
  568. Pattern is a comma delimited CIDR notation
  569. </LI>
  570. <LI>P - A list of packet numbers from the pcap file.
  571. <BR>
  572. Pattern is a series of numbers, separated by commas or dashes.
  573. </LI>
  574. <LI>F - BPF syntax (same as used in tcpdump).
  575. <BR>
  576. Filter must be quoted and is only supported with -x<A NAME="tex2html8"
  577. HREF="#foot208"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A>.
  578. </LI>
  579. </OL>
  580. Examples:
  581. <P>
  582. <UL>
  583. <LI>To only send traffic that is to and from a host in 10.0.0.0/8:
  584. </LI>
  585. </UL>
  586. <DL COMPACT>
  587. <DT>
  588. <DD>tcpreplay&nbsp;-x&nbsp;B:10.0.0.0/8&nbsp;--intf1&nbsp;eth0&nbsp;sample.pcap
  589. </DD>
  590. </DL>
  591. <UL>
  592. <LI>To not send traffic that is to or from a host in 10.0.0.0/8:
  593. </LI>
  594. </UL>
  595. <DL COMPACT>
  596. <DT>
  597. <DD>tcpreplay&nbsp;-X&nbsp;E:10.0.0.0/8&nbsp;--intf1&nbsp;eth0&nbsp;sample.pcap
  598. </DD>
  599. </DL>
  600. <UL>
  601. <LI>To send every packet except the first 10 packets:
  602. </LI>
  603. </UL>
  604. <DL COMPACT>
  605. <DT>
  606. <DD>tcpreplay&nbsp;-X&nbsp;P:1-10&nbsp;--intf1&nbsp;eth0&nbsp;sample.pcap
  607. </DD>
  608. </DL>
  609. <UL>
  610. <LI>To only send the first 50 packets followed by packets: 100, 150, 200
  611. and 250:
  612. </LI>
  613. </UL>
  614. <DL COMPACT>
  615. <DT>
  616. <DD>tcpreplay&nbsp;-x&nbsp;P:1-50,100,150,200,250&nbsp;--intf1&nbsp;eth0&nbsp;sample.pcap
  617. </DD>
  618. </DL>
  619. <UL>
  620. <LI>To only send TCP packets from 10.0.0.1:
  621. </LI>
  622. </UL>
  623. <DL COMPACT>
  624. <DT>
  625. <DD><SPAN CLASS="textit">tcpreplay&nbsp;-x&nbsp;F:'tcp&nbsp;and&nbsp;host&nbsp;10.0.0.1'&nbsp;-intf1&nbsp;eth0&nbsp;sample.pcap</SPAN>
  626. </DD>
  627. </DL>
  628. <P>
  629. <H2><A NAME="SECTION00064000000000000000">
  630. Replaying only a few packets</A>
  631. </H2>
  632. <P>
  633. Using the limit packets flag (-L) you can specify that tcpreplay will
  634. only send at most a specified number of packets.
  635. <P>
  636. <UL>
  637. <LI>To send at most 100 packets:
  638. </LI>
  639. </UL>
  640. <DL COMPACT>
  641. <DT>
  642. <DD>tcpreplay&nbsp;--intf1&nbsp;eth0&nbsp;-L&nbsp;100&nbsp;sample.pcap
  643. </DD>
  644. </DL>
  645. <P>
  646. <H2><A NAME="SECTION00065000000000000000">
  647. Skipping the first bytes in a pcap file</A>
  648. </H2>
  649. <P>
  650. If you want to skip the beginning of a pcap file, you can use the
  651. offset flag (-o) to skip a specified number of bytes and start sending
  652. on the next packet.
  653. <P>
  654. <UL>
  655. <LI>To skip 15Kb into the pcap file and start sending packets from there:
  656. </LI>
  657. </UL>
  658. <DL COMPACT>
  659. <DT>
  660. <DD>tcpreplay&nbsp;-intf1=eth0&nbsp;-o&nbsp;15000&nbsp;sample.pcap
  661. </DD>
  662. </DL>
  663. <P>
  664. <H2><A NAME="SECTION00066000000000000000">
  665. Replaying packets which are bigger than the MTU</A>
  666. </H2>
  667. <P>
  668. Occasionally, you might find yourself trying to replay a pcap file
  669. which contains packets which are larger than the MTU for the sending
  670. interface. This might be due to the packets being captured on the
  671. loopback interface or on a 1000Mbps ethernet interface supporting
  672. ``jumbo frames''. I've even seen packets which are 1500 bytes
  673. but contain both an ethernet header and trailer which bumps the total
  674. frame size to 1518 which is 4 bytes too large.
  675. <P>
  676. By default, tcpreplay will skip these packets and not send them. Alternatively,
  677. you can specify the -T flag to truncate these packets to the MTU and
  678. then send them. Of course this may invalidate your testing, but it
  679. has proven useful in certain situations. Also, when this feature is
  680. enabled, tcpreplay will automatically recalculate the IP and TCP,
  681. UDP or ICMP checksums as needed. Example:
  682. <P>
  683. <DL COMPACT>
  684. <DT>
  685. <DD>tcpreplay&nbsp;-intf1&nbsp;eth0&nbsp;-T&nbsp;sample.pcap
  686. </DD>
  687. </DL>
  688. <P>
  689. <H2><A NAME="SECTION00067000000000000000">
  690. Writing packets to a file</A>
  691. </H2>
  692. <P>
  693. It's not always necessary to write packets to the network. Since tcpreplay
  694. has so many features which modify and select which packets are sent,
  695. it is occasionally useful to save these changes to another pcap file
  696. for comparison. Rather than running a separate tcpdump process to
  697. capture the packets, tcpreplay now supports output directly to a file.
  698. Example:
  699. <P>
  700. <DL COMPACT>
  701. <DT>
  702. <DD>tcpreplay&nbsp;-intf1&nbsp;eth0&nbsp;-w&nbsp;output.pcap&nbsp;-F&nbsp;-u&nbsp;pad&nbsp;-x&nbsp;E:10.0.0.0/8&nbsp;input1.pcap&nbsp;input2.pcap&nbsp;input3.pcap
  703. </DD>
  704. </DL>Notice that specifying an interface is still required (required for
  705. various internal functions), but all the packets will be written to
  706. <SPAN CLASS="textit">output.pcap</SPAN>.
  707. <P>
  708. You can also split traffic into two files by using -W &lt;2nd output
  709. file&gt;.
  710. <P>
  711. <H2><A NAME="SECTION00068000000000000000">
  712. Extracting Application Data (Layer 7)</A>
  713. </H2>
  714. <P>
  715. New to version 2.0 is the ability to extract the application layer
  716. data from the packets and write them to a file. In the man page, we
  717. call this ``data dump mode'' which is enabled with -D. It's important
  718. to specify -D before -w (and -W if you're splitting data into two
  719. files). Example:
  720. <P>
  721. <DL COMPACT>
  722. <DT>
  723. <DD>tcpreplay&nbsp;-D&nbsp;-intf1&nbsp;eth0&nbsp;-j&nbsp;eth0&nbsp;-w&nbsp;clientdata&nbsp;-W&nbsp;serverdata&nbsp;-C&nbsp;10.0.0.0/24&nbsp;sample.pcap
  724. </DD>
  725. </DL>
  726. <P>
  727. <H2><A NAME="SECTION00069000000000000000">
  728. Replaying Live Traffic</A>
  729. </H2>
  730. <P>
  731. You can now replay live traffic sniffed on one network interface and
  732. replay it on another interface using the -S flag to indicate sniff
  733. mode and the appropriate snaplen in bytes (0 denotes the entire packet).
  734. You can also enable bi-directional traffic using the bridge mode
  735. flag: -b.
  736. <P>
  737. N<SMALL>OTE:</SMALL> It is critical for your sanity (and to prevent your murder
  738. by your network administrators) that the input interface and the output
  739. interface be on separate networks and additionally that no other network
  740. devices (such as bridges, switches, routers, etc) be connecting the
  741. two networks, else you will surely get a network storm the likes of which
  742. have not been seen for years.
  743. <P>
  744. <UL>
  745. <LI>Send packets sniffed on eth0 out eth1:
  746. </LI>
  747. </UL>
  748. <DL COMPACT>
  749. <DT>
  750. <DD>tcpreplay&nbsp;-intf1&nbsp;eth1&nbsp;-S&nbsp;0&nbsp;eth0
  751. </DD>
  752. </DL>
  753. <UL>
  754. <LI>Bridge two subnets connected to eth0 and eth1:
  755. </LI>
  756. </UL>
  757. <DL COMPACT>
  758. <DT>
  759. <DD>tcpreplay&nbsp;-intf1&nbsp;eth0&nbsp;-intf2=eth1&nbsp;-b&nbsp;-S&nbsp;0
  760. </DD>
  761. </DL>By default, tcpreplay listens in promiscuous mode on the specified
  762. interface, however if you only want to send unicasts directed for
  763. the local system and broadcasts, you can specify the ``not_nosy''
  764. option in the configuration file or -n on the command line. Note that
  765. if another program has already placed the interface in promiscuous
  766. mode, the -n flag will have no effect, so you may want to use the
  767. -x or -X argument to limit packets.
  768. <P>
  769. <H2><A NAME="SECTION000610000000000000000">
  770. Replaying Packet Capture Formats Other Than Libpcap</A>
  771. </H2>
  772. <P>
  773. There are about as many different capture file formats as there are
  774. sniffers. In the interest of simplicity, tcpreplay only supports libpcap<A NAME="tex2html9"
  775. HREF="#foot277"><SUP><SPAN CLASS="arabic">9</SPAN></SUP></A>. If you would like to replay a file in one of these multitude of
  776. formats, the excellent open source tool Ethereal easily allows you
  777. to convert it to libpcap. For instance, to convert a file in Sun's
  778. snoop format to libpcap, issue the command:
  779. <P>
  780. <DL COMPACT>
  781. <DT>
  782. <DD>tethereal&nbsp;-r&nbsp;blah.snoop&nbsp;-w&nbsp;blah.pcap
  783. </DD>
  784. </DL>and replay the resulting file.
  785. <P>
  786. <H2><A NAME="SECTION000611000000000000000">
  787. Replaying Client Traffic to a Server</A>
  788. </H2>
  789. <P>
  790. A common question on the tcpreplay-users list is how does one replay
  791. the client side of a connection back to a server. Unfortunately, tcpreplay
  792. doesn't support this right now. The major problem concerns syncing
  793. up TCP Seq/Ack numbers which will be different. ICMP also often contains
  794. IP header information which would need to be adjusted. About the only
  795. thing that could be easy to do is UDP, which isn't usually requested.
  796. <P>
  797. This is however a feature that we're looking into implementing in
  798. the flowreplay utility. If you're interested in helping work on this
  799. feature, please contact us and we'd be more than happy to work with
  800. you. At this time however, we don't have an ETA when this will be
  801. implemented, so don't bother asking.
  802. <P>
  803. <H2><A NAME="SECTION000612000000000000000">
  804. Decoding Packets</A>
  805. </H2>
  806. <P>
  807. If the tcpdump binary is installed on your system when tcpreplay is
  808. compiled, it will allow you to decode packets as they are sent without
  809. running tcpdump in a separate window or worrying about it capturing
  810. packets which weren't sent by tcpreplay.
  811. <P>
  812. <UL>
  813. <LI>Decode packets as they are sent:
  814. </LI>
  815. </UL>
  816. <DL COMPACT>
  817. <DT>
  818. <DD>tcpreplay&nbsp;-intf1&nbsp;eth0&nbsp;-v&nbsp;sample.pcap
  819. </DD>
  820. </DL>
  821. <UL>
  822. <LI>Decode packets with the link level header:
  823. </LI>
  824. </UL>
  825. <DL COMPACT>
  826. <DT>
  827. <DD>tcpreplay&nbsp;-intf1&nbsp;eth0&nbsp;-v&nbsp;-A&nbsp;``-e''&nbsp;sample.pcap
  828. </DD>
  829. </DL>
  830. <UL>
  831. <LI>Fully decode and send one packet at a time:
  832. </LI>
  833. </UL>
  834. <DL COMPACT>
  835. <DT>
  836. <DD>tcpreplay&nbsp;-intf1&nbsp;eth0&nbsp;-v&nbsp;-1&nbsp;-A&nbsp;``-s0&nbsp;-evvvxX''&nbsp;sample.pcap
  837. </DD>
  838. </DL>Note that tcpreplay automatically applies the -n flag to disable DNS
  839. lookups which would slow down tcpdump too much to make it effective.
  840. <P>
  841. <H1><A NAME="SECTION00070000000000000000">
  842. Packet Editing</A>
  843. </H1>
  844. <P>
  845. <H2><A NAME="SECTION00071000000000000000">
  846. Rewriting MAC addresses</A>
  847. </H2>
  848. <P>
  849. If you ever want to send traffic to another device on a switched LAN,
  850. you may need to change the destination MAC address of the packets.
  851. Tcpreplay allows you to set the destination MAC for each interface
  852. independently using the -I and -J switches. As of version 2.1.0, you
  853. can also specify the source MAC via -k and -K. Example:
  854. <P>
  855. <UL>
  856. <LI>To send traffic out eth0 with a destination MAC of your router (00:00:01:02:03:04)
  857. and the source MAC of the server (00:20:30:40:50:60):
  858. </LI>
  859. </UL>
  860. <DL COMPACT>
  861. <DT>
  862. <DD>tcpreplay&nbsp;-intf1=eth0&nbsp;-I&nbsp;00:00:01:02:03:04&nbsp;-k&nbsp;00:20:30:40:50:60&nbsp;sample.pcap
  863. </DD>
  864. </DL>
  865. <UL>
  866. <LI>To split traffic between internal (10.0.0.0/24) and external addresses
  867. and to send that traffic to the two interfaces of a firewall:
  868. </LI>
  869. </UL>
  870. <DL COMPACT>
  871. <DT>
  872. <DD>tcpreplay&nbsp;-intf1=eth0&nbsp;-intf2=eth1&nbsp;-I&nbsp;00:01:00:00:AA:01&nbsp;-J&nbsp;00:01:00:00:AA:02&nbsp;-C&nbsp;10.0.0.0/24&nbsp;sample.pcap
  873. </DD>
  874. </DL>
  875. <P>
  876. <H2><A NAME="SECTION00072000000000000000">
  877. Randomizing IP addresses</A>
  878. </H2>
  879. <P>
  880. Occasionally, it is necessary to have tcpreplay rewrite the source
  881. and destination IP addresses, yet maintain the client/server relationship.
  882. Such a case might be having multiple copies of tcpreplay running at
  883. the same time using the same pcap file while trying to stress test
  884. firewall, IDS or other stateful device. If you didn't change the source
  885. and destination IP addresses, the device under test would get confused
  886. since it would see multiple copies of the same connection occurring
  887. at the same time. In order to accomplish this, tcpreplay accepts a
  888. user specified seed which is used to generate pseudo-random IP addresses.
  889. Also, when this feature is enabled, tcpreplay will automatically recalculate
  890. the IP and TCP, UDP or ICMP checksums as needed. Example:
  891. <P>
  892. <DL COMPACT>
  893. <DT>
  894. <DD><SPAN CLASS="textit">tcpreplay&nbsp;-intf1=eth0&nbsp;-s&nbsp;1239&nbsp;sample.pcap&nbsp;&amp;</SPAN>&nbsp;
  895. <BR><SPAN CLASS="textit">tcpreplay&nbsp;-intf1=eth0&nbsp;-s&nbsp;76&nbsp;sample.pcap&nbsp;&amp;</SPAN>&nbsp;
  896. <BR><SPAN CLASS="textit">tcpreplay&nbsp;-intf1=eth0&nbsp;-s&nbsp;239&nbsp;sample.pcap&nbsp;&amp;</SPAN>&nbsp;
  897. <BR><SPAN CLASS="textit">tcpreplay&nbsp;-intf1=eth0&nbsp;sample.pcap</SPAN>
  898. </DD>
  899. </DL>
  900. <P>
  901. <H2><A NAME="SECTION00073000000000000000">
  902. Replaying (de)truncated packets</A>
  903. </H2>
  904. <P>
  905. Occasionally, it is necessary to replay traffic which has been truncated
  906. by tcpdump. This occurs when the tcpdump snaplen is smaller than the
  907. actual packet size. Since this will create problems for devices which
  908. are expecting a full-sized packet or attempting checksum calculations,
  909. tcpreplay allows you to either pad the packet with zeros or reset
  910. the packet length in the headers to the actual packet size. In either
  911. case, the IP and TCP, UDP or ICMP checksums are recalculated. Examples:
  912. <P>
  913. <UL>
  914. <LI>Pad truncated packets:
  915. </LI>
  916. </UL>
  917. <DL COMPACT>
  918. <DT>
  919. <DD>tcpreplay&nbsp;-intf1=eth0&nbsp;-u&nbsp;pad&nbsp;sample.pcap
  920. </DD>
  921. </DL>
  922. <UL>
  923. <LI>Rewrite packet header lengths to the actual packet size:
  924. </LI>
  925. </UL>
  926. <DL COMPACT>
  927. <DT>
  928. <DD>tcpreplay&nbsp;-intf1=eth0&nbsp;-u&nbsp;trunc&nbsp;sample.pcap
  929. </DD>
  930. </DL>
  931. <P>
  932. <H2><A NAME="SECTION00074000000000000000">
  933. Rewriting Layer 2 with -2</A>
  934. </H2>
  935. <P>
  936. Starting in the 2.0.x branch, tcpreplay can replace the existing layer
  937. 2 header with one of your choosing. This is useful for when you want
  938. to change the layer 2 header type or add a header for pcap files without
  939. one. Each pcap file tells the type of frame. Currently tcpreplay knows
  940. how to deal with the following pcap(3) frame types:
  941. <P>
  942. <UL>
  943. <LI>DLT_EN10MB
  944. <BR>
  945. Replace existing 802.3/Ethernet II header
  946. </LI>
  947. <LI>DLT_RAW
  948. <BR>
  949. Frame has no Layer 2 header, so we can add one.
  950. </LI>
  951. <LI>DLT_LINUX_SLL
  952. <BR>
  953. Frame uses the Linux Cooked Socket header which is most commonly created
  954. with <SPAN CLASS="textit">tcpdump -i any</SPAN> on a Linux system.
  955. </LI>
  956. </UL>
  957. Tcpreplay accepts the new Layer 2 header as a string of comma separated
  958. hex values such as: 0xff,0xac,0x00,0x01,0xc0,0x64. Note that the leading
  959. '0x' is <SPAN CLASS="textit">not</SPAN> required.
  960. <P>
  961. Potential uses for this are to add a layer 2 header for DLT_RAW captures
  962. or add/remove ethernet tags or QoS features.
  963. <P>
  964. <H2><A NAME="SECTION00075000000000000000">
  965. Rewriting DLT_LINUX_SLL (Linux Cooked Socket) captures</A>
  966. </H2>
  967. <P>
  968. Tcpdump uses a special frame type to store captures created with the
  969. ``-i any'' argument. This frame type uses a custom 16 byte layer
  970. 2 header which tracks which interface captured the packet and often
  971. the source MAC address of the original ethernet frame. Unfortunately,
  972. it never stores the destination MAC address and it doesn't store a
  973. source MAC when the packet is captured on the loopback interface.
  974. Normally, tcpreplay can't replay these pcap files because there isn't
  975. enough information in the LINUX_SLL header to do so; however two
  976. options do exist:
  977. <P>
  978. <OL>
  979. <LI>You can send these packets with -2 which will replace the LINUX_SLL
  980. header with an ethernet header of your choosing.
  981. </LI>
  982. <LI>You can specify a destination MAC via -I and -J in which case tcpreplay
  983. will use the stored source MAC and create a new 802.3 Ethernet header.
  984. Note that if the pcap contains loopback packets, you will also need
  985. to specify -k and/or -K to specify the source MAC as well or they
  986. will be skipped.
  987. </LI>
  988. </OL>
  989. <P>
  990. <H2><A NAME="SECTION00076000000000000000">
  991. Rewriting IP Addresses (pseudo-NAT)</A>
  992. </H2>
  993. <P>
  994. Pseudo-NAT allows the mapping of IP addresses in IPv4 and ARP packets
  995. from one subnet to another subnet of the same or different size. This
  996. allows some or all the traffic sent to appear to come from a different
  997. IP subnet than it actually was captured on.
  998. <P>
  999. The mapping is done through a user specified translation table comprised
  1000. of one or more source and destination network(s) in the format of
  1001. &lt;srcnet&gt;/&lt;masklen&gt;:&lt;dstnet&gt;/&lt;masklen&gt; delimited by a comma. Mapping
  1002. is done by matching IP addresses to the source subnet and rewriting
  1003. the most significant bits with the destination subnet. For example:
  1004. <P>
  1005. <SPAN CLASS="textit">tcpreplay -intf1=eth0 -N 10.100.0.0/16:172.16.10.0/24 sample.pcap</SPAN>
  1006. <P>
  1007. would match any IP in the 10.100.0.0/16 subnet and rewrite it as if
  1008. it came from or was sent to the 172.16.10.0/24 subnet. I.e.: 10.100.5.88
  1009. would become 172.16.10.88 and 10.100.99.45 would become 172.16.10.45.
  1010. But 10.150.7.44 would not be rewritten.
  1011. <P>
  1012. For any given IP address, the translation table is applied in order
  1013. (so if there are multiple mappings, earlier maps take precedence)
  1014. and occurs only once per IP (no risk of an address getting rewritten
  1015. a second time).
  1016. <P>
  1017. <H2><A NAME="SECTION00077000000000000000">
  1018. Advanced pseudo-NAT</A>
  1019. </H2>
  1020. <P>
  1021. Pseudo-NAT also works with traffic splitting (using two interfaces
  1022. or output files) but with a few important differences. First you have
  1023. the option of specifying one or two pseudo-NAT tables. Using a single
  1024. pseudo-NAT table means that the source and destination IP addresses
  1025. of both interfaces are rewritten using the same rules. Using two pseudo-NAT
  1026. tables (specifying -N &lt;Table1&gt; -N &lt;Table2&gt;) will cause the source
  1027. and destination IP addresses to be rewritten differently for each
  1028. interface using the following matrix:
  1029. <P>
  1030. <DIV ALIGN="CENTER">
  1031. <TABLE CELLPADDING=3 BORDER="1">
  1032. <TR><TD ALIGN="CENTER">&nbsp;</TD>
  1033. <TD ALIGN="CENTER">Out Primary Interface</TD>
  1034. <TD ALIGN="CENTER">Out Secondary Interface
  1035. <BR>
  1036. Src IP</TD>
  1037. </TR>
  1038. </TABLE></DIV>
  1039. <P>
  1040. <DIV ALIGN="CENTER">
  1041. </DIV>
  1042. <P>
  1043. While seemingly a bit confusing, this feature provides a number of
  1044. interesting possibilities such as the ability to rewrite the IP headers
  1045. of packets in the case where traffic is captured on the loopback interface
  1046. (and the source and destination addresses are always 127.0.0.1) so that
  1047. tcpreplay can make it look like two different systems are talking
  1048. to each other (you'll probably also need to specify the source and
  1049. destination MAC addresses via -I, -J, -k and -K).
  1050. <P>
  1051. <H2><A NAME="SECTION00078000000000000000">
  1052. IP Endpoints</A>
  1053. </H2>
  1054. <P>
  1055. While pseudo-NAT provides a great deal of flexibility, it is often
  1056. more complicated than is necessary for testing of inline devices.
  1057. As a simpler alternative, tcpreplay supports the concept of rewriting
  1058. all traffic so that it appears to be between two IP addresses:
  1059. <P>
  1060. <DL COMPACT>
  1061. <DT>
  1062. <DD>tcpreplay&nbsp;-intf1=eth0&nbsp;-intf2=eth1&nbsp;-c&nbsp;sample.cache&nbsp;-e&nbsp;10.0.0.1:10.1.1.1&nbsp;sample.pcap
  1063. </DD>
  1064. </DL>This will rewrite all the traffic so that it is between 10.0.0.1 and 10.1.1.1.
  1065. The equivalent command using -N would be:
  1066. <P>
  1067. <DL COMPACT>
  1068. <DT>
  1069. <DD>tcpreplay&nbsp;-intf1=eth0&nbsp;-intf2=eth1&nbsp;-c&nbsp;sample.cache&nbsp;-N&nbsp;0.0.0.0/0:10.0.0.1&nbsp;-N&nbsp;0.0.0.0/0:10.1.1.1&nbsp;sample.pcap
  1070. </DD>
  1071. </DL>
  1072. <P>
  1073. <H2><A NAME="SECTION00079000000000000000">
  1074. Unifying Dual-Outputs</A>
  1075. </H2>
  1076. <P>
  1077. Since a number of tcpreplay's packet editing functions require splitting
  1078. traffic between clients and servers, one problem that may arise is
  1079. needing to edit packets but still output to a single interface or
  1080. file. The solution to this is to use the one output option -O which
  1081. causes packets to be processed as if they will be split between the
  1082. interfaces/files, but then always go out the primary interface or
  1083. file. Note that even though only one interface/file will be written
  1084. to, both -i and -j must be specified; although they can be the same
  1085. physical interface.
  1086. <P>
  1087. <DL COMPACT>
  1088. <DT>
  1089. <DD>tcpreplay&nbsp;-intf1=eth0&nbsp;-j&nbsp;eth0&nbsp;-O&nbsp;-c&nbsp;sample.cache&nbsp;-e&nbsp;10.0.0.1:10.1.1.1&nbsp;sample.pcap
  1090. </DD>
  1091. </DL>Merging the output to a single file:
  1092. <P>
  1093. <DL COMPACT>
  1094. <DT>
  1095. <DD>tcpreplay&nbsp;-intf1=eth0&nbsp;-j&nbsp;eth0&nbsp;-w&nbsp;rewrite.pcap&nbsp;-c&nbsp;sample.cache&nbsp;-e&nbsp;10.0.0.1:10.1.1.1&nbsp;sample.pcap
  1096. </DD>
  1097. </DL>
  1098. <P>
  1099. <H1><A NAME="SECTION00080000000000000000">
  1100. Tcpprep Usage</A>
  1101. </H1>
  1102. <P>
  1103. <H2><A NAME="SECTION00081000000000000000">
  1104. What is tcpprep?</A>
  1105. </H2>
  1106. <P>
  1107. Tcpreplay can send traffic out two network cards, however it requires
  1108. the calculations be done in real-time. These calculations can be expensive
  1109. and can significantly reduce the throughput of tcpreplay.
  1110. <P>
  1111. Tcpprep is a libpcap pre-processor for tcpreplay which enables using
  1112. two network cards to send traffic without the performance hit of doing
  1113. the calculations in real-time.
  1114. <P>
  1115. <H2><A NAME="SECTION00082000000000000000">
  1116. What are these 'modes' tcpprep has? </A>
  1117. </H2>
  1118. <P>
  1119. Tcpprep has three basic modes which require the user to specify how
  1120. to split traffic.
  1121. <P>
  1122. <UL>
  1123. <LI>CIDR (-cidr) mode requires the user to provide
  1124. a list of networks. Any packet with a source IP in one of these networks
  1125. gets sent out the primary interface.
  1126. </LI>
  1127. <LI>Regex (-regex) mode requires the user to provide
  1128. a regular expression. Any packet with a source IP matching the regex
  1129. gets sent out the primary interface.
  1130. </LI>
  1131. <LI>Port (-port) mode splits TCP/UDP traffic based
  1132. on the destination port in the header. Normally, ports 0-1023 are
  1133. considered ``server'' ports and everything else a client port.
  1134. You can create your own custom mapping file in the same format as
  1135. /etc/services (see the services(5) man page for details) by specifying
  1136. -services &lt;file&gt;.
  1137. </LI>
  1138. </UL>
  1139. There are also four auto modes in which tcpprep decides how to split traffic.
  1140. Auto modes are useful for when you don't know much about the contents
  1141. of the dump file in question and you want to split traffic up based
  1142. upon servers and clients.
  1143. <P>
  1144. <UL>
  1145. <LI>Auto/Router (-auto router) mode tries to find
  1146. the largest network(s) that contain all the servers and no clients.
  1147. Any unknown system is automatically re-classified as a server if it's
  1148. inside the server network(s), otherwise it is classified as a client.
  1149. </LI>
  1150. <LI>Auto/Bridge (-auto bridge) mode makes the assumption
  1151. that the clients and servers are horribly intermixed on the network
  1152. and there's no way to subnet them. While this takes less processing
  1153. time to create the cache file it is unable to deal with unknown systems.
  1154. </LI>
  1155. <LI>Auto/Client (-auto client) mode which works just
  1156. like Auto/Bridge mode, except that any system it can't figure out
  1157. is treated like a client.
  1158. </LI>
  1159. <LI>Auto/Server (-auto server) mode which works just
  1160. like Auto/Bridge mode, except that any system it can't figure out
  1161. is treated like a server.
  1162. </LI>
  1163. </UL>
  1164. <P>
  1165. <H2><A NAME="SECTION00083000000000000000">
  1166. Splitting traffic based upon IP address</A>
  1167. </H2>
  1168. <P>
  1169. Tcpprep supports the same CIDR mode that tcpreplay supports using
  1170. the -cidr flag. Additionally, tcpprep also supports
  1171. regex(7) regular expressions to match source IP addresses using the
  1172. -regex flag.
  1173. <P>
  1174. <H2><A NAME="SECTION00084000000000000000">
  1175. Auto Mode</A>
  1176. </H2>
  1177. <P>
  1178. <H3><A NAME="SECTION00084100000000000000">
  1179. How does Auto/Bridge mode work? </A>
  1180. </H3>
  1181. <P>
  1182. Tcpprep does an initial pass over the libpcap file to build a binary
  1183. tree (one node per IP). For each IP, it keeps track of how many times
  1184. it was a client or server. It then does a second pass of the file
  1185. using the data in the tree and the ratio to determine if an IP is
  1186. a client or server. If tcpprep is unable to determine the type (client
  1187. or server) for each and every packet, then auto/bridge mode will fail.
  1188. In these cases, it is best to use a different auto mode.
  1189. <P>
  1190. <H3><A NAME="SECTION00084200000000000000">
  1191. How does Auto/Router mode work? </A>
  1192. </H3>
  1193. <P>
  1194. Tcpprep does the same first pass as Auto/Bridge mode. It then tries
  1195. to convert the binary tree into a list of networks containing the
  1196. servers. Finally it uses the CIDR mode with the list of server networks
  1197. in a second pass of the libpcap file. Unlike auto/bridge mode, auto/router
  1198. mode can always successfully split IP addresses into clients and servers.
  1199. <P>
  1200. <H3><A NAME="SECTION00084300000000000000">
  1201. Determining Clients and Servers</A>
  1202. </H3>
  1203. <P>
  1204. Tcpprep uses the following methods in auto/router and auto/bridge
  1205. mode to determine if an IP address is a client or server:
  1206. <P>
  1207. <UL>
  1208. <LI>Client:
  1209. <P>
  1210. <UL>
  1211. <LI>TCP with Syn flag set
  1212. </LI>
  1213. <LI>UDP source/destination port 53 (DNS) without query flag set
  1214. </LI>
  1215. <LI>ICMP port unreachable (destination IP of packet)
  1216. </LI>
  1217. </UL>
  1218. </LI>
  1219. <LI>Server:
  1220. <P>
  1221. <UL>
  1222. <LI>TCP with Syn/Ack flag set
  1223. </LI>
  1224. <LI>UDP source/destination port 53 (DNS) with query flag set
  1225. </LI>
  1226. <LI>ICMP port unreachable (source IP of packet)
  1227. </LI>
  1228. </UL>
  1229. </LI>
  1230. </UL>
  1231. <P>
  1232. <H3><A NAME="SECTION00084400000000000000">
  1233. Client/Server ratio</A>
  1234. </H3>
  1235. <P>
  1236. Since a system may send traffic which would classify it as both a
  1237. client and server, it's necessary to be able to weigh the traffic.
  1238. This is done by specifying the client/server ratio (-R) which is by
  1239. default set to 2.0. The ratio is the modifier to the number of client
  1240. connections. Hence, by default, client connections are valued twice
  1241. as high as server connections.
  1242. <P>
  1243. <H2><A NAME="SECTION00085000000000000000">
  1244. Selectively sending/dropping packets</A>
  1245. </H2>
  1246. <P>
  1247. Tcpprep supports the same -include and -exclude
  1248. options to selectively send or drop packets.
  1249. <P>
  1250. <H2><A NAME="SECTION00086000000000000000">
  1251. Using tcpprep cache files with tcpreplay</A>
  1252. </H2>
  1253. <P>
  1254. Just run:
  1255. <P>
  1256. <DL COMPACT>
  1257. <DT>
  1258. <DD>tcpreplay&nbsp;-cachefile&nbsp;sample.cache&nbsp;-intf1=eth0&nbsp;-intf2=eth1&nbsp;sample.pcap
  1259. </DD>
  1260. </DL>
  1261. <P>
  1262. <H2><A NAME="SECTION00087000000000000000">
  1263. Commenting tcpprep cache files</A>
  1264. </H2>
  1265. <P>
  1266. In versions of tcpprep &gt;= 2.1.0, you can specify a comment to be embedded
  1267. in the tcpprep cache file. Comments are user specified and automatically
  1268. include the command line arguments passed to tcpprep.
  1269. <P>
  1270. <DL COMPACT>
  1271. <DT>
  1272. <DD>tcpprep&nbsp;-comment&nbsp;``this&nbsp;is&nbsp;my&nbsp;comment''&nbsp;-pcap&nbsp;sample.pcap&nbsp;-cachefile&nbsp;sample.cache&nbsp;&lt;other&nbsp;args&gt;
  1273. </DD>
  1274. </DL>Or for no user comment, but still embed the command arguments:
  1275. <P>
  1276. <DL COMPACT>
  1277. <DT>
  1278. <DD>tcpprep&nbsp;-comment&nbsp;``''&nbsp;-pcap&nbsp;sample.pcap&nbsp;-cachefile&nbsp;sample.cache&nbsp;&lt;other&nbsp;args&gt;
  1279. </DD>
  1280. </DL>You can then later on print out the comments by running:
  1281. <P>
  1282. <DL COMPACT>
  1283. <DT>
  1284. <DD>tcpprep&nbsp;-print-comment&nbsp;sample.cache
  1285. </DD>
  1286. </DL>
  1287. <P>
  1288. <H1><A NAME="SECTION00090000000000000000">
  1289. Using Configuration Files</A>
  1290. </H1>
  1291. <P>
  1292. Each of the applications in the tcpreplay suite offers the choice
  1293. of specifying configuration options in a config file in addition to
  1294. the traditional command line. Each command line option has an equivalent
  1295. config file option which is listed in the man page. To specify the
  1296. configuration file you'd like to use, use the -load-opts=&lt;filename&gt;
  1297. option.
  1298. <P>
  1299. Configuration files have one option per line, and lines beginning
  1300. with the pound sign (#) are considered comments and ignored. An example
  1301. config file follows:
  1302. <P>
  1303. ------BEGIN CONFIG FILE-------
  1304. <P>
  1305. <TT># send traffic out 'eth0'</TT>&nbsp;
  1306. <BR><TT>intf1 eth0</TT>&nbsp;
  1307. <BR>&nbsp;
  1308. <BR><TT># loop 5 times</TT>&nbsp;
  1309. <BR><TT>loop 5</TT>&nbsp;
  1310. <BR>&nbsp;
  1311. <BR><TT># send traffic 2x as fast</TT>&nbsp;
  1312. <BR><TT>multiplier 2</TT>
  1313. <BR>-------END CONFIG FILE--------
  1314. <P>
  1315. You would then execute:
  1316. <P>
  1317. <DL COMPACT>
  1318. <DT>
  1319. <DD>#&nbsp;tcpreplay&nbsp;-load-opts=myconfigfile&nbsp;sample.pcap
  1320. </DD>
  1321. </DL>You can also group configuration options for tcpprep, tcprewrite and
  1322. tcpreplay in a single config file by placing section markers in the
  1323. config file. An example:
  1324. <P>
  1325. ------BEGIN CONFIG FILE-------
  1326. <P>
  1327. <TT>cachefile=example.tcpprep</TT>&nbsp;
  1328. <BR>&nbsp;
  1329. <BR><TT>[TCPREPLAY]</TT>&nbsp;
  1330. <BR><TT>intf1 eth0</TT>&nbsp;
  1331. <BR><TT>intf2 eth1</TT>&nbsp;
  1332. <BR><TT>topspeed </TT>&nbsp;
  1333. <BR>&nbsp;
  1334. <BR><TT>[TCPPREP]</TT>&nbsp;
  1335. <BR><TT>auto=bridge</TT>&nbsp;
  1336. <BR><TT>comment='This cache file was created with a config file'</TT>&nbsp;
  1337. <BR><TT>pcap=sample.pcap</TT>&nbsp;
  1338. <BR>&nbsp;
  1339. <BR><TT>[TCPREWRITE]</TT>&nbsp;
  1340. <BR><TT>infile=sample.pcap</TT>&nbsp;
  1341. <BR><TT>outfile=newsample.pcap</TT>&nbsp;
  1342. <BR><TT>vlan=add</TT>&nbsp;
  1343. <BR><TT>vlan-tag=44</TT>&nbsp;
  1344. <BR><TT>endpoints=10.0.0.1:10.0.1.1</TT>
  1345. <P>
  1346. ------END CONFIG FILE-------
  1347. <P>
  1348. <H1><A NAME="SECTION000100000000000000000">
  1349. Flowreplay Usage</A>
  1350. </H1>
  1351. <P>
  1352. While tcpreplay is a great way to test NIDS and firewalls, it can't
  1353. be used to test servers or HIDS since tcpreplay can't connect to a
  1354. service running on a device. The solution to this problem is flowreplay,
  1355. which, instead of sending packets at Layer 2 (ethernet header and up),
  1356. actually connects via TCP or UDP to a server and then sends and
  1357. receives data based upon a pcap capture file created with a tool like
  1358. Ethereal or tcpdump.
  1359. <P>
  1360. Please note that flowreplay is currently alpha quality and is missing
  1361. a number of key features.
  1362. <P>
  1363. <H2><A NAME="SECTION000101000000000000000">
  1364. How flowreplay works</A>
  1365. </H2>
  1366. <P>
  1367. Put simply, flowreplay opens a socket connection to a service on a
  1368. target system(s) and sends data over that socket based on the packet
  1369. capture. Flowreplay has no understanding of the application protocol
  1370. (like HTTP or FTP) so it is somewhat limited in how it can deal with
  1371. complicated exchanges between client and server.
  1372. <P>
  1373. Some of these limitations are:
  1374. <P>
  1375. <UL>
  1376. <LI>Flowreplay only plays the client side<A NAME="tex2html10"
  1377. HREF="#foot452"><SUP><SPAN CLASS="arabic">10</SPAN></SUP></A> of the connection.
  1378. </LI>
  1379. <LI>Flowreplay doesn't understand the application protocols. Hence it
  1380. can't always deal with the case when the server sends a different
  1381. response than what was originally captured in the pcap file.
  1382. </LI>
  1383. <LI>Flowreplay only sends TCP and UDP traffic.
  1384. </LI>
  1385. <LI>Flowreplay doesn't know about multi-flow protocols like FTP.
  1386. </LI>
  1387. <LI>Flowreplay can't listen on a port and wait for a client to connect
  1388. to it.
  1389. </LI>
  1390. </UL>
  1391. <P>
  1392. <H2><A NAME="SECTION000102000000000000000">
  1393. Running flowreplay</A>
  1394. </H2>
  1395. <P>
  1396. See the flowreplay(8) man page for details.
  1397. <P>
  1398. <H1><A NAME="SECTION000110000000000000000">
  1399. Tuning OS's for high performance</A>
  1400. </H1>
  1401. <P>
Regardless of the size of physical memory, UNIX kernels will only
allocate a fixed amount for network buffers. This includes packets
sent via the &#34;raw&#34; interface, like with tcpreplay.
Most kernels will allow you to tweak the size of these buffers, drastically
increasing performance and accuracy.
  1407. <P>
N<SMALL>OTE:</SMALL> The following information is provided based upon our
own experiences or the reported experiences of others. Depending on
your operating system and specific hardware, it may or may not work for you.
It may even make your system horribly unstable, corrupt your hard drive,
or worse.
  1413. <P>
  1414. N<SMALL>OTE</SMALL>: Different operating systems, network card drivers, and
  1415. even hardware can have an effect on the accuracy of packet timestamps
  1416. that tcpdump or other capture utilities generate. And as you know:
  1417. garbage in, garbage out.
  1418. <P>
  1419. N<SMALL>OTE:</SMALL> If you have information on tuning the kernel of an operating
  1420. system not listed here, please send it to me so I can include it.
  1421. <P>
  1422. <H2><A NAME="SECTION000111000000000000000">
  1423. Linux 2.4.x</A>
  1424. </H2>
  1425. <P>
The following is known to apply to the 2.4.x series of kernels. If
anyone has any information regarding other kernel versions, please
let us know. By default Linux's tcpreplay performance isn't all that
stellar. However, with a simple tweak, relatively decent performance
can be had on the right hardware. By default, Linux specifies a 64K
buffer for sending packets. Increasing this buffer to about half a
megabyte does a good job. Note that these values must be written as
root, apply system-wide to every socket (not just tcpreplay's), and
are not persistent across a reboot:
  1433. <P>
  1434. <SPAN CLASS="textit">echo 524287 &gt;/proc/sys/net/core/wmem_default </SPAN>
  1435. <BR><SPAN CLASS="textit">echo 524287 &gt;/proc/sys/net/core/wmem_max </SPAN>
  1436. <BR><SPAN CLASS="textit">echo 524287 &gt;/proc/sys/net/core/rmem_max </SPAN>
  1437. <BR><SPAN CLASS="textit">echo 524287 &gt;/proc/sys/net/core/rmem_default </SPAN>
  1438. <P>
  1439. On one system, we've seen a jump from 23.02 megabits/sec (5560 packets/sec)
  1440. to 220.30 megabits/sec (53212 packets/sec) which is nearly a 10x increase
  1441. in performance. Depending on your system and capture file, different
  1442. numbers may provide different results.
  1443. <P>
  1444. <H2><A NAME="SECTION000112000000000000000">
  1445. *BSD</A>
  1446. </H2>
  1447. <P>
  1448. *BSD systems typically allow you to specify the size of network
  1449. buffers with the NMBCLUSTERS option in the kernel config file. Experiment
  1450. with different sizes to see which yields the best performance. See
  1451. the options(4) man page for more details.
  1452. <P>
  1453. <H1><A NAME="SECTION000120000000000000000">
  1454. Required Libraries and Tools</A>
  1455. </H1>
  1456. <P>
  1457. <H2><A NAME="SECTION000121000000000000000">
  1458. Libpcap</A>
  1459. </H2>
  1460. <P>
As of tcpreplay v1.4, you'll need to have libpcap installed on your
system. As of v2.0, you'll need at least version 0.6.0 or better,
but the code is only tested against the latest version. Libpcap can be obtained
on the tcpdump homepage<A NAME="tex2html11"
HREF="#foot516"><SUP><SPAN CLASS="arabic">11</SPAN></SUP></A>.
  1466. <P>
  1467. <H2><A NAME="SECTION000122000000000000000">
  1468. Libnet</A>
  1469. </H2>
  1470. <P>
  1471. Tcpreplay v1.3 is the last version to support the old libnet API (everything
  1472. before 1.1.x). As of v1.4 you will need to use Libnet 1.1.0 or better
  1473. which can be obtained from the Libnet homepage<A NAME="tex2html12"
  1474. HREF="#foot517"><SUP><SPAN CLASS="arabic">12</SPAN></SUP></A>.
  1475. <P>
  1476. <H2><A NAME="SECTION000123000000000000000">
  1477. Tcpdump</A>
  1478. </H2>
  1479. <P>
As of 2.0, tcpreplay uses tcpdump (the binary, not its source code) to decode
packets to STDOUT in a human readable (with practice) format as it
sends them. If you would like this feature, tcpdump must be installed
on your system.
<P>
N<SMALL>OTE:</SMALL> The location of the tcpdump binary is hardcoded in tcpreplay
at compile time. If tcpdump gets renamed or moved, the feature will
become disabled. Because tcpreplay typically runs with root privileges
in order to send raw packets, make sure the compiled-in path points to a
trusted, root-owned tcpdump binary in a directory that unprivileged
users cannot write to.
  1488. <P>
  1489. <BR><HR><H4>Footnotes</H4>
  1490. <DL>
  1491. <DT><A NAME="foot56">... Libnet</A><A
  1492. HREF="manual.html#tex2html1"><SUP><SPAN CLASS="arabic">1</SPAN></SUP></A></DT>
  1493. <DD>http://www.packetfactory.net/libnet/
  1494. </DD>
  1495. <DT><A NAME="foot57">... Libpcap</A><A
  1496. HREF="manual.html#tex2html2"><SUP><SPAN CLASS="arabic">2</SPAN></SUP></A></DT>
  1497. <DD>http://www.tcpdump.org/
  1498. </DD>
  1499. <DT><A NAME="foot58">... tcpdump</A><A
  1500. HREF="manual.html#tex2html3"><SUP><SPAN CLASS="arabic">3</SPAN></SUP></A></DT>
  1501. <DD>http://www.tcpdump.org/
  1502. </DD>
  1503. <DT><A NAME="foot505">...
  1504. captured</A><A
  1505. HREF="manual.html#tex2html4"><SUP><SPAN CLASS="arabic">4</SPAN></SUP></A></DT>
  1506. <DD>Tcpreplay makes a &#34;best&#34; effort to replay traffic
  1507. at the given rate, but due to limitations in hardware or the pcap
  1508. file itself, it may not be possible. Capture files with only a few
  1509. packets in them are especially susceptible to inaccurately timing
  1510. packets.
  1511. </DD>
  1512. <DT><A NAME="foot118">... times</A><A
  1513. HREF="manual.html#tex2html5"><SUP><SPAN CLASS="arabic">5</SPAN></SUP></A></DT>
  1514. <DD>Looping files resets internal counters which control the speed that
  1515. the file is replayed. Also because the file has to be closed and re-opened,
  1516. an added delay between the last and first packet may occur.
  1517. </DD>
  1518. <DT><A NAME="foot182">... interface</A><A
  1519. HREF="manual.html#tex2html6"><SUP><SPAN CLASS="arabic">6</SPAN></SUP></A></DT>
  1520. <DD>Note that you can also use the following options to split traffic
  1521. into two files using -w and -W which are described later on in this
  1522. FAQ.
  1523. </DD>
  1524. <DT><A NAME="foot184">... cachefile</A><A
  1525. HREF="manual.html#tex2html7"><SUP><SPAN CLASS="arabic">7</SPAN></SUP></A></DT>
  1526. <DD>For information on generating tcpprep cache files, see the section
  1527. on tcpprep.
  1528. </DD>
  1529. <DT><A NAME="foot208">... -x</A><A
  1530. HREF="manual.html#tex2html8"><SUP><SPAN CLASS="arabic">8</SPAN></SUP></A></DT>
  1531. <DD>Note that if you want to send all the packets which do not match a
  1532. bpf filter, all you have to do is negate the bpf filter. See the tcpdump(1)
  1533. man page for more info.
  1534. </DD>
  1535. <DT><A NAME="foot277">... libpcap</A><A
  1536. HREF="manual.html#tex2html9"><SUP><SPAN CLASS="arabic">9</SPAN></SUP></A></DT>
  1537. <DD>Note that some versions of tcpreplay prior to 1.4 also supported the
  1538. Solaris snoop format.
  1539. </DD>
  1540. <DT><A NAME="foot452">... side</A><A
  1541. HREF="manual.html#tex2html10"><SUP><SPAN CLASS="arabic">10</SPAN></SUP></A></DT>
<DD>Flowreplay assumes that the sender of the first UDP packet seen on a
given 4-tuple is the client.
</DD>
  1545. <DT><A NAME="foot516">... homepage</A><A
  1546. HREF="manual.html#tex2html11"><SUP><SPAN CLASS="arabic">11</SPAN></SUP></A></DT>
  1547. <DD>http://www.tcpdump.org/
  1548. </DD>
  1549. <DT><A NAME="foot517">... homepage</A><A
  1550. HREF="manual.html#tex2html12"><SUP><SPAN CLASS="arabic">12</SPAN></SUP></A></DT>
  1551. <DD>http://www.packetfactory.net/Projects/Libnet/
  1552. </DD>
  1553. </DL>
  1554. <BR><HR>
  1718. <ADDRESS>
  1719. Aaron Turner
  1720. 2006-08-07
  1721. </ADDRESS>
  1722. </BODY>
  1723. </HTML>