tcpprep_opts.def 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646
  1. /* $Id$ */
  2. /*
  3. * Copyright (c) 2001-2010 Aaron Turner <aturner at synfin dot net>
  4. * Copyright (c) 2013-2017 Fred Klassen <tcpreplay at appneta dot com> - AppNeta
  5. *
  6. * The Tcpreplay Suite of tools is free software: you can redistribute it
  7. * and/or modify it under the terms of the GNU General Public License as
  8. * published by the Free Software Foundation, either version 3 of the
  9. * License, or with the authors permission any later version.
  10. *
  11. * The Tcpreplay Suite is distributed in the hope that it will be useful,
  12. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. * GNU General Public License for more details.
  15. *
  16. * You should have received a copy of the GNU General Public License
  17. * along with the Tcpreplay Suite. If not, see <http://www.gnu.org/licenses/>.
  18. */
  19. autogen definitions options;
  20. copyright = {
  21. date = "2000-2017";
  22. owner = "Aaron Turner and Fred Klassen";
  23. eaddr = "tcpreplay-users@lists.sourceforge.net";
  24. type = gpl;
  25. author = <<- EOText
  26. Copyright 2013-2017 Fred Klassen - AppNeta
  27. Copyright 2000-2012 Aaron Turner
  28. For support please use the tcpreplay-users@lists.sourceforge.net mailing list.
  29. The latest version of this software is always available from:
  30. http://tcpreplay.appneta.com/
  31. EOText;
  32. };
  33. package = "tcpprep";
  34. prog-name = "tcpprep";
  35. prog-title = "Create a tcpreplay cache cache file from a pcap file.";
  36. long-opts;
  37. gnu-usage;
  38. help-value = "H";
  39. save-opts-value = "";
  40. load-opts-value = "";
  41. config-header = "config.h";
  42. include = "#include \"defines.h\"\n"
  43. "#include \"common.h\"\n"
  44. "#include \"config.h\"\n"
  45. "#include \"tcpprep.h\"\n"
  46. "#include <stdlib.h>\n"
  47. "#include <string.h>\n"
  48. "#include \"tcpprep_api.h\"\n"
  49. "extern tcpprep_t *tcpprep;\n";
  50. homerc = "$$/";
  51. explain = <<- EOExplain
  52. tcpprep is a @file{pcap(3)} file pre-processor which creates a cache
  53. file which provides "rules" for @file{tcprewrite(1)} and @file{tcpreplay(1)}
  54. on how to process and send packets.
  55. EOExplain;
  56. detail = <<- EODetail
  57. The basic operation of tcpreplay is to resend all packets from the
  58. input file(s) out a single file. Tcpprep processes a pcap file and
  59. applies a set of user-specified rules to create a cache file which
  60. tells tcpreplay whether or not to send each packet and which interface the
  61. packet should be sent out of.
  62. For more details, please see the Tcpreplay Manual at:
  63. http://tcpreplay.appneta.com
  64. EODetail;
  65. man-doc = <<- EOMan
  66. .SH "SEE ALSO"
  67. tcpdump(1), tcpbridge(1), tcprewrite(1), tcpreplay(1), tcpcapinfo(1)
  68. EOMan;
  69. flag = {
  70. ifdef = DEBUG;
  71. name = dbug;
  72. value = d;
  73. arg-type = number;
  74. max = 1;
  75. immediate;
  76. arg-range = "0->5";
  77. arg-default = 0;
  78. descrip = "Enable debugging output";
  79. doc = <<- EOText
  80. If configured with --enable-debug, then you can specify a verbosity
  81. level for debugging output. Higher numbers increase verbosity.
  82. EOText;
  83. };
  84. /* Modes: -a bridge/router/client/server, -c (cidr) */
  85. flag = {
  86. name = auto;
  87. value = a;
  88. descrip = "Auto-split mode";
  89. arg-type = string;
  90. max = 1;
  91. flags-cant = cidr;
  92. flags-cant = port;
  93. flags-cant = regex;
  94. flags-cant = mac;
  95. flag-code = <<- EOAuto
  96. tcpprep->options->mode = AUTO_MODE;
  97. if (strcmp(OPT_ARG(AUTO), "bridge") == 0) {
  98. tcpprep->options->automode = BRIDGE_MODE;
  99. }
  100. else if (strcmp(OPT_ARG(AUTO), "router") == 0) {
  101. tcpprep->options->automode = ROUTER_MODE;
  102. }
  103. else if (strcmp(OPT_ARG(AUTO), "client") == 0) {
  104. tcpprep->options->automode = CLIENT_MODE;
  105. }
  106. else if (strcmp(OPT_ARG(AUTO), "server") == 0) {
  107. tcpprep->options->automode = SERVER_MODE;
  108. }
  109. else if (strcmp(OPT_ARG(AUTO), "first") == 0) {
  110. tcpprep->options->automode = FIRST_MODE;
  111. }
  112. else {
  113. errx(-1, "Invalid auto mode type: %s", OPT_ARG(AUTO));
  114. }
  115. EOAuto;
  116. doc = <<- EOText
  117. Tcpprep will try to automatically determine the primary function of hosts
  118. based on the traffic captured and classify each host as client or server.
  119. In order to do so, you must provide a hint to tcpprep as to how to search
  120. for clients and servers. Valid hints are:
  121. @table @bullet
  122. @item
  123. @var{bridge}
  124. Bridge mode processes each packet to try to determine if the sender is a
  125. client or server. Once all the packets are processed, the results are weighed
  126. according to the server/client ratio (@samp{--ratio}) and systems are assigned an
  127. interface. If tcpprep is unable to determine what role a system plays, tcpprep
  128. will abort.
  129. @item
  130. @var{router}
  131. Router mode works just like bridge mode, except that after weighing is done,
  132. systems which are undetermined are considered a server if they fall inside a
  133. network known to contain other servers. Router has a greater chance of
  134. successfully splitting clients and servers but is not 100% foolproof.
  135. @item
  136. @var{client}
  137. Client mode works just like bridge mode, except that unclassified systems are
  138. treated as clients. Client mode should always complete successfully.
  139. @item
  140. @var{server}
  141. Server mode works just like bridge mode, except that unclassified systems are
  142. treated as servers. Server mode should always complete successfully.
  143. @item
  144. @var{first}
  145. First mode works by looking at the first time each IP is seen in the SRC and DST
  146. fields in the IP header. If the host is first seen in the SRC field, it is a
  147. client and if it's first seen in the DST field, it is marked as a server. This
  148. effectively replicates the processing of the tomahawk test tool. First
  149. mode should always complete successfully.
  150. @end table
  151. EOText;
  152. };
  153. flag = {
  154. name = cidr;
  155. value = c;
  156. descrip = "CIDR-split mode";
  157. arg-type = string;
  158. max = 1;
  159. flags-cant = auto;
  160. flags-cant = port;
  161. flags-cant = regex;
  162. flags-cant = mac;
  163. flag-code = <<- EOCidr
  164. char *cidr = safe_strdup(OPT_ARG(CIDR));
  165. tcpprep->options->mode = CIDR_MODE;
  166. if (!parse_cidr(&tcpprep->options->cidrdata, cidr, ","))
  167. errx(-1, "Unable to parse CIDR map: %s", OPT_ARG(CIDR));
  168. free(cidr);
  169. EOCidr;
  170. doc = <<- EOText
  171. Specify a comma delimited list of CIDR netblocks to match against
  172. the source IP of each packet. Packets matching any of the CIDR's
  173. are classified as servers.
  174. IPv4 Example:
  175. @example
  176. --cidr=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
  177. @end example
  178. IPv6 Example:
  179. @example
  180. --cidr=[::ffff:0:0/96],[fe80::/16]
  181. @end example
  182. EOText;
  183. };
  184. flag = {
  185. name = regex;
  186. value = r;
  187. descrip = "Regex-split mode";
  188. arg-type = string;
  189. max = 1;
  190. flags-cant = auto;
  191. flags-cant = port;
  192. flags-cant = cidr;
  193. flags-cant = mac;
  194. flag-code = <<- EORegex
  195. int regex_error;
  196. char ebuf[EBUF_SIZE];
  197. tcpprep->options->mode = REGEX_MODE;
  198. if ((regex_error = regcomp(&tcpprep->options->preg, OPT_ARG(REGEX),
  199. REG_EXTENDED|REG_NOSUB))) {
  200. regerror(regex_error, &tcpprep->options->preg, ebuf, EBUF_SIZE);
  201. errx(-1, "Unable to compile regex: %s", ebuf);
  202. }
  203. EORegex;
  204. doc = <<- EOText
  205. Specify a regular expression to match against the source IP of each
  206. packet. Packets matching the regex are classified as servers.
  207. EOText;
  208. };
  209. flag = {
  210. name = port;
  211. value = p;
  212. descrip = "Port-split mode";
  213. max = 1;
  214. flags-cant = auto;
  215. flags-cant = regex;
  216. flags-cant = cidr;
  217. flags-cant = mac;
  218. flag-code = <<- EOPort
  219. tcpprep->options->mode = PORT_MODE;
  220. EOPort;
  221. doc = <<- EOText
  222. Specifies that TCP and UDP traffic over IPv4 and IPv6 should be classified
  223. as client or server based upon the destination port of the header.
  224. EOText;
  225. };
  226. flag = {
  227. name = mac;
  228. value = e;
  229. arg-type = string;
  230. max = 1;
  231. descrip = "Source MAC split mode";
  232. flags-cant = auto;
  233. flags-cant = regex;
  234. flags-cant = cidr;
  235. flags-cant = port;
  236. flag-code = <<- EOMac
  237. tcpprep->options->mode = MAC_MODE;
  238. tcpprep->options->maclist = safe_strdup(OPT_ARG(MAC));
  239. EOMac;
  240. doc = <<- EOText
  241. Specify a list of MAC addresses to match against the source MAC
  242. of each packet. Packets matching one of the values are classified
  243. as servers.
  244. EOText;
  245. };
  246. flag = {
  247. name = reverse;
  248. max = 1;
  249. descrip = "Matches to be client instead of server";
  250. doc = <<- EOText
  251. Normally the @samp{--mac}, @samp{--regex} and @samp{--cidr} flags specify are used to specify
  252. the servers and non-IP packets are classified as clients. By using @samp{--reverse}, these
  253. features are reversed so that the flags specify clients and non-IP packets are classified as
  254. servers.
  255. EOText;
  256. };
  257. flag = {
  258. name = comment;
  259. value = C;
  260. arg-type = string;
  261. max = 1;
  262. descrip = "Embedded cache file comment";
  263. flag-code = <<- EOComment
  264. /* our comment_len is only 16bit - myargs[] */
  265. if (strlen(OPT_ARG(COMMENT)) > ((1 << 16) - 1 - MYARGS_LEN))
  266. errx(-1, "Comment length %zu is longer then max allowed (%d)",
  267. strlen(OPT_ARG(COMMENT)), (1 << 16) - 1 - MYARGS_LEN);
  268. /* save the comment */
  269. tcpprep->options->comment = (char *)safe_malloc(strlen(OPT_ARG(COMMENT)) + 1);
  270. strcpy(tcpprep->options->comment, OPT_ARG(COMMENT));
  271. EOComment;
  272. doc = <<- EOText
  273. Specify a comment to be imbedded within the output cache file and later
  274. viewed.
  275. EOText;
  276. };
  277. flag = {
  278. name = no-arg-comment;
  279. max = 1;
  280. descrip = "Do not embed any cache file comment";
  281. flag-code = <<- EOCode
  282. tcpprep->options->nocomment = 1;
  283. EOCode;
  284. doc = <<- EOText
  285. By default, tcpprep includes the arguments passed on the command line
  286. in the cache file comment (in addition to any user specified --comment).
  287. If for some reason you do not wish to include this, specify this option.
  288. EOText;
  289. };
  290. /* Include/Exclude */
  291. flag = {
  292. name = include;
  293. value = x;
  294. arg-type = string;
  295. max = 1;
  296. descrip = "Include only packets matching rule";
  297. flags-cant = exclude;
  298. flag-code = <<- EOInclude
  299. char *include;
  300. include = safe_strdup(OPT_ARG(INCLUDE));
  301. tcpprep->options->xX.mode = xX_MODE_INCLUDE;
  302. if ((tcpprep->options->xX.mode = parse_xX_str(&tcpprep->options->xX, include, &tcpprep->options->bpf)) == xXError)
  303. errx(-1, "Unable to parse include/exclude rule: %s", OPT_ARG(INCLUDE));
  304. free(include);
  305. EOInclude;
  306. doc = <<- EOText
  307. Override default of processing all packets stored in the capture file and only
  308. send/edit packets which match the provided rule. Rules can be one of:
  309. @table @bullet
  310. @item S:<CIDR1>,...
  311. - Source IP must match specified IPv4/v6 CIDR(s)
  312. @item D:<CIDR1>,...
  313. - Destination IP must match specified IPv4/v6 CIDR(s)
  314. @item B:<CIDR1>,...
  315. - Both source and destination IP must match specified IPv4/v6 CIDR(s)
  316. @item E:<CIDR1>,...
  317. - Either IP must match specified IPv4/v6 CIDR(s)
  318. @item P:<LIST>
  319. - Must be one of the listed packets where the list
  320. corresponds to the packet number in the capture file.
  321. @example
  322. -x P:1-5,9,15,72-
  323. @end example
  324. would process packets 1 thru 5, the 9th and 15th packet, and packets 72 until the
  325. end of the file
  326. @item F:'<bpf>'
  327. - BPF filter. See the @file{tcpdump(8)} man page for syntax.
  328. @end table
  329. EOText;
  330. };
  331. flag = {
  332. name = exclude;
  333. value = X;
  334. arg-type = string;
  335. max = 1;
  336. descrip = "Exclude any packet matching this rule";
  337. flags-cant = include;
  338. flag-code = <<- EOExclude
  339. char *exclude;
  340. exclude = safe_strdup(OPT_ARG(EXCLUDE));
  341. tcpprep->options->xX.mode = xX_MODE_EXCLUDE;
  342. if ((tcpprep->options->xX.mode = parse_xX_str(&tcpprep->options->xX, exclude, &tcpprep->options->bpf)) == xXError)
  343. errx(-1, "Unable to parse include/exclude rule: %s", OPT_ARG(EXCLUDE));
  344. free(exclude);
  345. EOExclude;
  346. doc = <<- EOText
  347. Override default of processing all packets stored in the capture file and only
  348. send/edit packets which do NOT match the provided rule. Rules can be one of:
  349. @table @bullet
  350. @item S:<CIDR1>,...
  351. - Source IP must not match specified IPv4/v6 CIDR(s)
  352. @item D:<CIDR1>,...
  353. - Destination IP must not match specified IPv4/v6 CIDR(s)
  354. @item B:<CIDR1>,...
  355. - Both source and destination IP must not match specified IPv4/v6 CIDR(s)
  356. @item E:<CIDR1>,...
  357. - Either IP must not match specified IPv4/v6 CIDR(s)
  358. @item P:<LIST>
  359. - Must not be one of the listed packets where the list
  360. corresponds to the packet number in the capture file.
  361. @example
  362. -x P:1-5,9,15,72-
  363. @end example
  364. would skip packets 1 thru 5, the 9th and 15th packet, and packets 72 until the
  365. end of the file
  366. @end table
  367. EOText;
  368. };
  369. flag = {
  370. name = cachefile;
  371. value = o;
  372. arg-type = string;
  373. max = 1;
  374. descrip = "Output cache file";
  375. doc = "";
  376. };
  377. flag = {
  378. name = pcap;
  379. value = i;
  380. descrip = "Input pcap file to process";
  381. arg-type = string;
  382. max = 1;
  383. doc = "";
  384. };
  385. flag = {
  386. name = print-comment;
  387. value = P;
  388. arg-type = string;
  389. descrip = "Print embedded comment in the specified cache file";
  390. max = 1;
  391. doc = "";
  392. };
  393. flag = {
  394. name = print-info;
  395. value = I;
  396. arg-type = string;
  397. descrip = "Print basic info from the specified cache file";
  398. max = 1;
  399. doc = "";
  400. };
  401. flag = {
  402. name = print-stats;
  403. value = S;
  404. arg-type = string;
  405. descrip = "Print statistical information about the specified cache file";
  406. max = 1;
  407. doc = "";
  408. };
  409. flag = {
  410. name = services;
  411. value = s;
  412. descrip = "Load services file for server ports";
  413. flags-must = port;
  414. max = 1;
  415. arg-type = string;
  416. doc = <<- EOText
  417. Uses a list of ports used by servers in the same format as of /etc/services:
  418. <service_name> <port>/<protocol> # comment
  419. Example:
  420. http 80/tcp
  421. EOText;
  422. flag-code = <<- EOServices
  423. parse_services(OPT_ARG(SERVICES), &tcpprep->options->services);
  424. EOServices;
  425. };
  426. flag = {
  427. name = nonip;
  428. value = N;
  429. descrip = "Send non-IP traffic out server interface";
  430. max = 1;
  431. flag-code = <<- EONonip
  432. tcpprep->options->nonip = DIR_SERVER;
  433. EONonip;
  434. doc = <<- EOText
  435. By default, non-IP traffic which can not be classified as client
  436. or server is classified as "client". Specifying @samp{--nonip}
  437. will reclassify non-IP traffic as "server". Note that the meaning
  438. of this flag is reversed if @samp{--reverse} is used.
  439. EOText;
  440. };
  441. flag = {
  442. name = ratio;
  443. value = R;
  444. arg-type = string;
  445. max = 1;
  446. flags-must = auto;
  447. arg_default = "2.0";
  448. descrip = "Ratio of client to server packets";
  449. doc = <<- EOText
  450. Since a given host may have both client and server traffic being sent
  451. to/from it, tcpprep uses a ratio to weigh these packets. If you would
  452. like to override the default of 2:1 server to client packets required for
  453. a host to be classified as a server, specify it as a floating point value.
  454. EOText;
  455. };
  456. flag = {
  457. name = minmask;
  458. value = m;
  459. descrip = "Minimum network mask length in auto mode";
  460. flags-must = auto;
  461. max = 1;
  462. arg-type = number;
  463. arg-range = "0->32";
  464. arg_default = 30;
  465. doc = <<- EOText
  466. By default, auto modes use a minimum network mask length of 30 bits
  467. to build networks containing clients and servers. This allows you
  468. to override this value. Larger values will increase performance but
  469. may provide inaccurate results.
  470. EOText;
  471. };
  472. flag = {
  473. name = maxmask;
  474. value = M;
  475. descrip = "Maximum network mask length in auto mode";
  476. flags-must = auto;
  477. max = 1;
  478. arg-type = number;
  479. arg-range = "0->32";
  480. arg_default = 8;
  481. doc = <<- EOText
  482. By default, auto modes use a maximum network mask length of 8 bits
  483. to build networks containing clients and servers. This allows you
  484. to override this value. Larger values will decrease performance
  485. and accuracy but will provide greater chance of success.
  486. EOText;
  487. };
  488. flag = {
  489. ifdef = ENABLE_VERBOSE;
  490. name = verbose;
  491. value = v;
  492. max = 1;
  493. immediate;
  494. descrip = "Print decoded packets via tcpdump to STDOUT";
  495. settable;
  496. doc = "";
  497. };
  498. flag = {
  499. ifdef = ENABLE_VERBOSE;
  500. name = decode;
  501. flags-must = verbose;
  502. value = A;
  503. arg-type = string;
  504. max = 1;
  505. descrip = "Arguments passed to tcpdump decoder";
  506. doc = <<- EOText
  507. When enabling verbose mode (@samp{-v}) you may also specify one or
  508. more additional arguments to pass to @code{tcpdump} to modify
  509. the way packets are decoded. By default, -n and -l are used.
  510. Be sure to quote the arguments so that they are not interpreted
  511. by tcprewrite. The following arguments are valid:
  512. [ -aAeNqRStuvxX ]
  513. [ -E spi@ipaddr algo:secret,... ]
  514. [ -s snaplen ]
  515. EOText;
  516. };
  517. flag = {
  518. name = version;
  519. value = V;
  520. descrip = "Print version information";
  521. flag-code = <<- EOVersion
  522. fprintf(stderr, "tcpprep version: %s (build %s)", VERSION, git_version());
  523. #ifdef DEBUG
  524. fprintf(stderr, " (debug)");
  525. #endif
  526. fprintf(stderr, "\n");
  527. fprintf(stderr, "Copyright 2013-2017 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta\n");
  528. fprintf(stderr, "Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>\n");
  529. fprintf(stderr, "The entire Tcpreplay Suite is licensed under the GPLv3\n");
  530. fprintf(stderr, "Cache file supported: %s\n", CACHEVERSION);
  531. #ifdef HAVE_LIBDNET
  532. fprintf(stderr, "Compiled against libdnet: %s\n", LIBDNET_VERSION);
  533. #else
  534. fprintf(stderr, "Not compiled with libdnet.\n");
  535. #endif
  536. #ifdef HAVE_WINPCAP
  537. fprintf(stderr, "Compiled against winpcap: %s\n", get_pcap_version());
  538. #elif defined HAVE_PF_RING_PCAP
  539. fprintf(stderr, "Compiled against PF_RING libpcap: %s\n", get_pcap_version());
  540. #else
  541. fprintf(stderr, "Compiled against libpcap: %s\n", get_pcap_version());
  542. #endif
  543. #ifdef ENABLE_64BITS
  544. fprintf(stderr, "64 bit packet counters: enabled\n");
  545. #else
  546. fprintf(stderr, "64 bit packet counters: disabled\n");
  547. #endif
  548. #ifdef ENABLE_VERBOSE
  549. fprintf(stderr, "Verbose printing via tcpdump: enabled\n");
  550. #else
  551. fprintf(stderr, "Verbose printing via tcpdump: disabled\n");
  552. #endif
  553. exit(0);
  554. EOVersion;
  555. doc = "";
  556. };
  557. flag = {
  558. name = less-help;
  559. value = "h";
  560. immediate;
  561. descrip = "Display less usage information and exit";
  562. flag-code = <<- EOHelp
  563. USAGE(EXIT_FAILURE);
  564. EOHelp;
  565. };