12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
37047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127
71278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177
71778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227
7227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346 |
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
- <!--Converted with LaTeX2HTML 2002-2-1 (1.70)
- original version by: Nikos Drakos, CBLU, University of Leeds
- * revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
- * with significant contributions from:
- Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
- <HTML>
- <HEAD>
- <TITLE>Tcpreplay 2.x FAQ</TITLE>
- <META NAME="description" CONTENT="Tcpreplay 2.x FAQ">
- <META NAME="keywords" CONTENT="FAQ">
- <META NAME="resource-type" CONTENT="document">
- <META NAME="distribution" CONTENT="global">
- <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
- <META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1">
- <META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
- <LINK REL="STYLESHEET" HREF="tcpreplay-2-faq.css">
- </HEAD>
- <BODY >
- <P>
- <P>
- <P>
- <P>
- <H1 ALIGN="CENTER">Tcpreplay 2.x FAQ</H1>
- <DIV>
- <P ALIGN="CENTER"><STRONG>Aaron Turner</STRONG></P>
- <P ALIGN="CENTER"><I>http://tcpreplay.sourceforge.net/</I></P>
- <P ALIGN="CENTER"><STRONG>Last Edited:
- <BR>
- Sept 6, 2004</STRONG></P>
- </DIV>
- <BR>
- <H2><A NAME="SECTION01000000000000000000">
- Contents</A>
- </H2>
- <!--Table of Contents-->
- <UL>
- <LI><A NAME="tex2html109"
- HREF="FAQ.html#SECTION02000000000000000000">1 Before You Start</A>
- <UL>
- <LI><A NAME="tex2html110"
- HREF="FAQ.html#SECTION02010000000000000000">1 General Info</A>
- <UL>
- <LI><A NAME="tex2html111"
- HREF="FAQ.html#SECTION02011000000000000000">1.1 What is this FAQ for?</A>
- <LI><A NAME="tex2html112"
- HREF="FAQ.html#SECTION02012000000000000000">1.2 What tools come with tcpreplay?</A>
- <LI><A NAME="tex2html113"
- HREF="FAQ.html#SECTION02013000000000000000">1.3 How can I get tcpreplay's source?</A>
- <LI><A NAME="tex2html114"
- HREF="FAQ.html#SECTION02014000000000000000">1.4 What requirements does tcpreplay have?</A>
- <LI><A NAME="tex2html115"
- HREF="FAQ.html#SECTION02015000000000000000">1.5 How do I compile tcpreplay?</A>
- <LI><A NAME="tex2html116"
- HREF="FAQ.html#SECTION02016000000000000000">1.6 Are there binaries available?</A>
- <LI><A NAME="tex2html117"
- HREF="FAQ.html#SECTION02017000000000000000">1.7 Is there a Microsoft Windows port?</A>
- <LI><A NAME="tex2html118"
- HREF="FAQ.html#SECTION02018000000000000000">1.8 How is tcpreplay licensed?</A>
- <LI><A NAME="tex2html119"
- HREF="FAQ.html#SECTION02019000000000000000">1.9 What is tcpreplay?</A>
- <LI><A NAME="tex2html120"
- HREF="FAQ.html#SECTION020110000000000000000">1.10 What isn't tcpreplay?</A>
- <LI><A NAME="tex2html121"
- HREF="FAQ.html#SECTION020111000000000000000">1.11 What are some uses for tcpreplay?</A>
- <LI><A NAME="tex2html122"
- HREF="FAQ.html#SECTION020112000000000000000">1.12 What are some uses for flowreplay?</A>
- <LI><A NAME="tex2html123"
- HREF="FAQ.html#SECTION020113000000000000000">1.13 What happened to version 1.5?</A>
- <LI><A NAME="tex2html124"
- HREF="FAQ.html#SECTION020114000000000000000">1.14 What is the history of tcpreplay?</A>
- </UL>
- <LI><A NAME="tex2html125"
- HREF="FAQ.html#SECTION02020000000000000000">2 Bugs, Feature Requests, and Patches</A>
- <UL>
- <LI><A NAME="tex2html126"
- HREF="FAQ.html#SECTION02021000000000000000">2.1 Where can I get help, report bugs or contact the developers?</A>
- <LI><A NAME="tex2html127"
- HREF="FAQ.html#SECTION02022000000000000000">2.2 What information should I provide when I report a bug?</A>
- <LI><A NAME="tex2html128"
- HREF="FAQ.html#SECTION02023000000000000000">2.3 I have a feature request, what should I do?</A>
- <LI><A NAME="tex2html129"
- HREF="FAQ.html#SECTION02024000000000000000">2.4 I've written a patch for tcpreplay, how can I submit it?</A>
- <LI><A NAME="tex2html130"
- HREF="FAQ.html#SECTION02025000000000000000">2.5 Patch requirements</A>
- </UL>
- </UL>
- <BR>
- <LI><A NAME="tex2html131"
- HREF="FAQ.html#SECTION03000000000000000000">2 Basics</A>
- <UL>
- <LI><A NAME="tex2html132"
- HREF="FAQ.html#SECTION03010000000000000000">3 Basic Tcpreplay Usage</A>
- <UL>
- <LI><A NAME="tex2html133"
- HREF="FAQ.html#SECTION03011000000000000000">3.1 Replaying the traffic</A>
- <LI><A NAME="tex2html134"
- HREF="FAQ.html#SECTION03012000000000000000">3.2 Replaying at different speeds</A>
- <LI><A NAME="tex2html135"
- HREF="FAQ.html#SECTION03013000000000000000">3.3 Replaying the same file over and over again</A>
- <LI><A NAME="tex2html136"
- HREF="FAQ.html#SECTION03014000000000000000">3.4 Using Configuration Files</A>
- </UL>
- </UL>
- <BR>
- <LI><A NAME="tex2html137"
- HREF="FAQ.html#SECTION04000000000000000000">3 Advanced Usage</A>
- <UL>
- <LI><A NAME="tex2html138"
- HREF="FAQ.html#SECTION04010000000000000000">4 Output: Interfaces, Packets & Files</A>
- <UL>
- <LI><A NAME="tex2html139"
- HREF="FAQ.html#SECTION04011000000000000000">4.1 Replaying on multiple interfaces</A>
- <LI><A NAME="tex2html140"
- HREF="FAQ.html#SECTION04012000000000000000">4.2 Selectively sending or dropping packets</A>
- <LI><A NAME="tex2html141"
- HREF="FAQ.html#SECTION04013000000000000000">4.3 Replaying only a few packets</A>
- <LI><A NAME="tex2html142"
- HREF="FAQ.html#SECTION04014000000000000000">4.4 Skipping the first bytes in a pcap file</A>
- <LI><A NAME="tex2html143"
- HREF="FAQ.html#SECTION04015000000000000000">4.5 Replaying packets which are bigger then the MTU</A>
- <LI><A NAME="tex2html144"
- HREF="FAQ.html#SECTION04016000000000000000">4.6 Writing packets to a file</A>
- <LI><A NAME="tex2html145"
- HREF="FAQ.html#SECTION04017000000000000000">4.7 Extracting Application Data (Layer 7)</A>
- <LI><A NAME="tex2html146"
- HREF="FAQ.html#SECTION04018000000000000000">4.8 Replaying Live Traffic</A>
- <LI><A NAME="tex2html147"
- HREF="FAQ.html#SECTION04019000000000000000">4.9 Replaying Packet Capture Formats Other Than Libpcap</A>
- <LI><A NAME="tex2html148"
- HREF="FAQ.html#SECTION040110000000000000000">4.10 Replaying Client Traffic to a Server</A>
- <LI><A NAME="tex2html149"
- HREF="FAQ.html#SECTION040111000000000000000">4.11 Decoding Packets</A>
- </UL>
- <LI><A NAME="tex2html150"
- HREF="FAQ.html#SECTION04020000000000000000">5 Packet Editing</A>
- <UL>
- <LI><A NAME="tex2html151"
- HREF="FAQ.html#SECTION04021000000000000000">5.1 Rewriting MAC addresses</A>
- <LI><A NAME="tex2html152"
- HREF="FAQ.html#SECTION04022000000000000000">5.2 Randomizing IP addresses</A>
- <LI><A NAME="tex2html153"
- HREF="FAQ.html#SECTION04023000000000000000">5.3 Replaying (de)truncated packets</A>
- <LI><A NAME="tex2html154"
- HREF="FAQ.html#SECTION04024000000000000000">5.4 Rewriting Layer 2 with -2</A>
- <LI><A NAME="tex2html155"
- HREF="FAQ.html#SECTION04025000000000000000">5.5 Rewriting DLT_LINUX_SLL (Linux Cooked Socket) captures</A>
- <LI><A NAME="tex2html156"
- HREF="FAQ.html#SECTION04026000000000000000">5.6 Rewriting IP Addresses (pseudo-NAT)</A>
- <LI><A NAME="tex2html157"
- HREF="FAQ.html#SECTION04027000000000000000">5.7 Advanced pseudo-NAT</A>
- <LI><A NAME="tex2html158"
- HREF="FAQ.html#SECTION04028000000000000000">5.8 IP Endpoints</A>
- <LI><A NAME="tex2html159"
- HREF="FAQ.html#SECTION04029000000000000000">5.9 Unifying Dual-Outputs</A>
- </UL>
- <LI><A NAME="tex2html160"
- HREF="FAQ.html#SECTION04030000000000000000">6 Tcpprep Usage</A>
- <UL>
- <LI><A NAME="tex2html161"
- HREF="FAQ.html#SECTION04031000000000000000">6.1 What is tcpprep?</A>
- <LI><A NAME="tex2html162"
- HREF="FAQ.html#SECTION04032000000000000000">6.2 How does tcpprep work? </A>
- <LI><A NAME="tex2html163"
- HREF="FAQ.html#SECTION04033000000000000000">6.3 Does tcpprep modify my libpcap file?</A>
- <LI><A NAME="tex2html164"
- HREF="FAQ.html#SECTION04034000000000000000">6.4 Why use tcpprep?</A>
- <LI><A NAME="tex2html165"
- HREF="FAQ.html#SECTION04035000000000000000">6.5 Can a cache file be used for multiple (different) libpcap files? </A>
- <LI><A NAME="tex2html166"
- HREF="FAQ.html#SECTION04036000000000000000">6.6 Why would I want to use tcpreplay with two network cards? </A>
- <LI><A NAME="tex2html167"
- HREF="FAQ.html#SECTION04037000000000000000">6.7 How big are the cache files?</A>
- <LI><A NAME="tex2html168"
- HREF="FAQ.html#SECTION04038000000000000000">6.8 What are these 'modes' tcpprep has? </A>
- <LI><A NAME="tex2html169"
- HREF="FAQ.html#SECTION04039000000000000000">6.9 Splitting traffic based upon IP address</A>
- <LI><A NAME="tex2html170"
- HREF="FAQ.html#SECTION040310000000000000000">6.10 Auto Mode</A>
- <LI><A NAME="tex2html171"
- HREF="FAQ.html#SECTION040311000000000000000">6.11 Selectively sending/dropping packets</A>
- <LI><A NAME="tex2html172"
- HREF="FAQ.html#SECTION040312000000000000000">6.12 Using tcpprep cache files with tcpreplay</A>
- <LI><A NAME="tex2html173"
- HREF="FAQ.html#SECTION040313000000000000000">6.13 Commenting tcpprep cache files</A>
- </UL>
- <LI><A NAME="tex2html174"
- HREF="FAQ.html#SECTION04040000000000000000">7 Flowreplay Usage</A>
- <UL>
- <LI><A NAME="tex2html175"
- HREF="FAQ.html#SECTION04041000000000000000">7.1 How flowreplay works</A>
- <LI><A NAME="tex2html176"
- HREF="FAQ.html#SECTION04042000000000000000">7.2 Running flowreplay</A>
- </UL>
- <LI><A NAME="tex2html177"
- HREF="FAQ.html#SECTION04050000000000000000">8 Tuning OS's for high performance</A>
- <UL>
- <LI><A NAME="tex2html178"
- HREF="FAQ.html#SECTION04051000000000000000">8.1 Linux 2.4.x</A>
- <LI><A NAME="tex2html179"
- HREF="FAQ.html#SECTION04052000000000000000">8.2 *BSD</A>
- </UL>
- <LI><A NAME="tex2html180"
- HREF="FAQ.html#SECTION04060000000000000000">9 Understanding Common Error and Warning Messages</A>
- <UL>
- <LI><A NAME="tex2html181"
- HREF="FAQ.html#SECTION04061000000000000000">9.1 Can't open eth0: libnet_select_device(): Can't find interface eth0</A>
- <LI><A NAME="tex2html182"
- HREF="FAQ.html#SECTION04062000000000000000">9.2 Can't open lo: libnet_select_device(): Can't find interface lo</A>
- <LI><A NAME="tex2html183"
- HREF="FAQ.html#SECTION04063000000000000000">9.3 Can't open eth0: UID != 0</A>
- <LI><A NAME="tex2html184"
- HREF="FAQ.html#SECTION04064000000000000000">9.4 100000 write attempts failed from full buffers and were repeated</A>
- <LI><A NAME="tex2html185"
- HREF="FAQ.html#SECTION04065000000000000000">9.5 Invalid mac address: 00:00:00:00:00:00</A>
- <LI><A NAME="tex2html186"
- HREF="FAQ.html#SECTION04066000000000000000">9.6 Unable to process test.cache: cache file version missmatch</A>
- <LI><A NAME="tex2html187"
- HREF="FAQ.html#SECTION04067000000000000000">9.7 Skipping SLL loopback packet.</A>
- <LI><A NAME="tex2html188"
- HREF="FAQ.html#SECTION04068000000000000000">9.8 Packet length (8892) is greater then MTU; skipping packet.</A>
- <LI><A NAME="tex2html189"
- HREF="FAQ.html#SECTION04069000000000000000">9.9 Why is tcpreplay not sending all the packets?</A>
- </UL>
- <LI><A NAME="tex2html190"
- HREF="FAQ.html#SECTION04070000000000000000">10 Required Libraries and Tools</A>
- <UL>
- <LI><A NAME="tex2html191"
- HREF="FAQ.html#SECTION04071000000000000000">10.1 Libpcap</A>
- <LI><A NAME="tex2html192"
- HREF="FAQ.html#SECTION04072000000000000000">10.2 Libnet</A>
- <LI><A NAME="tex2html193"
- HREF="FAQ.html#SECTION04073000000000000000">10.3 Libpcapnav</A>
- <LI><A NAME="tex2html194"
- HREF="FAQ.html#SECTION04074000000000000000">10.4 Tcpdump</A>
- </UL>
- </UL>
- <BR>
- <LI><A NAME="tex2html195"
- HREF="FAQ.html#SECTION05000000000000000000">4 Other Resources</A>
- <UL>
- <LI><A NAME="tex2html196"
- HREF="FAQ.html#SECTION05010000000000000000">11 Other pcap tools available</A>
- <UL>
- <LI><A NAME="tex2html197"
- HREF="FAQ.html#SECTION05011000000000000000">11.1 Tools to capture network traffic or decode pcap files</A>
- <LI><A NAME="tex2html198"
- HREF="FAQ.html#SECTION05012000000000000000">11.2 Tools to edit pcap files</A>
- <LI><A NAME="tex2html199"
- HREF="FAQ.html#SECTION05013000000000000000">11.3 Other useful tools</A>
- </UL>
- <LI><A NAME="tex2html200"
- HREF="FAQ.html#SECTION06010000000000000000">1 BSD License</A>
- </UL></UL>
- <!--End of Table of Contents-->
- <P>
- <H1><A NAME="SECTION02000000000000000000">
- 1 Before You Start</A>
- </H1>
- <P>
- <H1><A NAME="SECTION02010000000000000000">
- 1 General Info</A>
- </H1>
- <P>
- <H2><A NAME="SECTION02011000000000000000">
- 1.1 What is this FAQ for?</A>
- </H2>
- <P>
- Tcpreplay is a suite of powerful tools, but with that power comes
- complexity. While I have done my best to write good man pages for
- tcpreplay and it's associated utilities, I understand that many people
- may want more information then I can provide in the man pages. Additionally,
- this FAQ attempts to cover material which I feel will be of use to
- people using tcpreplay, as well as common questions that occur on
- the Tcpreplay-Users <tcpreplay-users@lists.sourceforge.net> mailing
- list.
- <P>
- <H2><A NAME="SECTION02012000000000000000">
- 1.2 What tools come with tcpreplay?</A>
- </H2>
- <P>
- <UL>
- <LI>tcpreplay - replay ethernet packets stored in a pcap file as they
- were captured
- </LI>
- <LI>tcpprep - a pcap pre-processor for tcpreplay
- </LI>
- <LI>flowreplay<A NAME="tex2html1"
- HREF="#foot310"><SUP>1</SUP></A> - connects to a server(s) and replays the client side of the connection
- stored in a pcap file
- </LI>
- <LI>pcapmerge - merges two or more pcap files into one
- </LI>
- <LI>capinfo - displays basic information about a pcap file
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION02013000000000000000">
- 1.3 How can I get tcpreplay's source?</A>
- </H2>
- <P>
- The source code is available in tarball format on the tcpreplay homepage:
- http://tcpreplay.sourceforge.net/ I also encourage users familiar
- with CVS to try checking out the latest code as it often has additional
- features and bugfixes not found in the tarballs.
- <P>
- cvs -d:pserver:anonymous@cvs.sf.net:/cvsroot/tcpreplay login
- <BR>
- Pass: <I><Enter></I>
- <BR>
- cvs -z3 -d:pserver:anonymous@cvs.sf.net:/cvsroot/tcpreplay co tcpreplay
- <P>
- <H2><A NAME="SECTION02014000000000000000">
- 1.4 What requirements does tcpreplay have?</A>
- </H2>
- <P>
- <OL>
- <LI>You'll need the libnet and libpcap libraries.
- </LI>
- <LI>To support the jump to offset feature, you'll need the libpcapnav<A NAME="tex2html2"
- HREF="#foot38"><SUP>2</SUP></A> library.
- </LI>
- <LI>To support the packet decoding feature you'll need tcpdump<A NAME="tex2html3"
- HREF="#foot39"><SUP>3</SUP></A> installed.
- </LI>
- <LI>You'll also need a compatible operating system. Basically, any UNIX-like
- or UNIX-based operating system should work. Linux, *BSD, Solaris,
- OS X and others should all work. If you find any compatibility issues
- with any UNIX-like/based OS, please let me know.
- </LI>
- </OL>
- <P>
- <H2><A NAME="SECTION02015000000000000000">
- 1.5 How do I compile tcpreplay?</A>
- </H2>
- <P>
- Two easy steps:
- <P>
- <OL>
- <LI>As a normal user: <I>./configure && make</I>
- </LI>
- <LI>As root: <I>make test -i && make install</I>
- </LI>
- </OL>
- There are some optional arguments which can be passed to the configure
- script which may help in cases where your libnet, libpcap, libpcapnav
- or tcpdump installation is not standard or if it can't determine the
- correct network interface card to use for testing. If you find that
- configure isn't completing correctly, run: <I>./configure -help</I>
- for more information.
- <P>
- A few comments about 'make test':
- <P>
- <UL>
- <LI>make test is just a series of sanity checks which try to find serious
- bugs (crashes) in tcpprep and tcpreplay.
- </LI>
- <LI>make test requires at least one properly configured network interface.
- If the configure script can't guess what a valid interface is you
- can specify it with the -with-testnic and -with-testnic2 arguments.
- </LI>
- <LI>If make test fails, often you can find details in test/test.log.
- </LI>
- <LI>OpenBSD's make has a bug where it ignores the MAKEFLAGS variable in
- the Makefile, hence you'll probably want to run: <I>make -is test</I>
- instead.
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION02016000000000000000">
- 1.6 Are there binaries available?</A>
- </H2>
- <P>
- Occasionally. And even when we do, generally only for one or two operating
- systems. Generally speaking, we assume people who want to use a tool
- like this can figure out how to compile it.
- <P>
- <H2><A NAME="SECTION02017000000000000000">
- 1.7 Is there a Microsoft Windows port?</A>
- </H2>
- <P>
- Not really. We had one user port the code over for a slightly old
- version of tcpreplay to Windows. Now we're looking for someone to
- help merge and maintain the code in to the main development tree.
- If you're interested in helping with this please contact Aaron Turner
- or the tcpreplay-users list.
- <P>
- <H2><A NAME="SECTION02018000000000000000">
- 1.8 How is tcpreplay licensed?</A>
- </H2>
- <P>
- Tcpreplay is licensed under a BSD-style license. For details, see
- Appendix A.
- <P>
- <H2><A NAME="SECTION02019000000000000000">
- 1.9 What is tcpreplay?</A>
- </H2>
- <P>
- In the simplest terms, tcpreplay is a tool to send network traffic
- stored in pcap format back onto the network; basically the exact opposite
- of tcpdump. Tcpreplay also has the ability to edit various packet
- headers as the packets are sent. Tcpreplay is also a suite of tools:
- tcpreplay, tcpprep, pcapmerge, capinfo and flowreplay.
- <P>
- <H2><A NAME="SECTION020110000000000000000">
- 1.10 What isn't tcpreplay?</A>
- </H2>
- <P>
- Tcpreplay is <I>not</I> a tool to replay captured traffic to a server
- or client. Specifically, tcpreplay does not have the ability to rewrite
- IP addresses to a user-specified value or synchronize TCP sequence
- and acknowledgment numbers. In other words, tcpreplay can't ``connect''
- to a server or be used to emulate a server and have clients connect
- to it. If you're looking for that, check out flowreplay.
- <P>
- <H2><A NAME="SECTION020111000000000000000">
- 1.11 What are some uses for tcpreplay?</A>
- </H2>
- <P>
- Originally, tcpreplay was written to test network intrusion detection
- systems (NIDS), however tcpreplay has been used to test firewalls,
- routers, and other network devices.
- <P>
- <H2><A NAME="SECTION020112000000000000000">
- 1.12 What are some uses for flowreplay?</A>
- </H2>
- <P>
- A lot of people wanted a tool like tcpreplay, but wanted to be able
- to replay traffic <I>to</I> a server. Since tcpreplay was unable to
- do this, I developed flowreplay which replays the data portion of
- the flow, but recreates the connection to the specified server(s).
- This makes flowreplay an ideal tool to test host intrusion detection
- systems (HIDS) as well as captured exploits and security patches when
- the actual exploit code is not available. Please note that flowreplay
- is still alpha quality code and is currently missing some important
- features.
- <P>
- <H2><A NAME="SECTION020113000000000000000">
- 1.13 What happened to version 1.5?</A>
- </H2>
- <P>
- After looking at all the changes that have happened over the last
- year or so, I decided that it was finally time to graduate tcpreplay
- to 2.0 status. Hence the 1.5 branch was renamed 2.0.
- <P>
- <H2><A NAME="SECTION020114000000000000000">
- 1.14 What is the history of tcpreplay?</A>
- </H2>
- <P>
- Tcpreplay has had quite a few authors over the past five or so years.
- One of the advantages of the BSD and GPL licenses is that if someone
- becomes unable or unwilling to continue development, anyone else can
- take over.
- <P>
- Originally, Matt Undy of Anzen Computing wrote tcpreplay. Matt released
- version 1.0.1 sometime in 1999. Sometime after that, Anzen Computing
- was (at least partially) purchased by NFR and development ceased.
- <P>
- Then in 2001, two people independently started work on tcpreplay:
- Matt Bing of NFR and Aaron Turner. After developing a series of patches
- (the -adt branch), Aaron attempted to send the patches in to be included
- in the main development tree.
- <P>
- After some discussion between Aaron and Matt Bing, they decided to
- continue development together. Since then, over a dozen stable releases
- have been made and more then twenty new features have been added,
- including the addition of a number of accessory tools.
- <P>
- Today, Aaron continues active development of the code.
- <P>
- <H1><A NAME="SECTION02020000000000000000">
- 2 Bugs, Feature Requests, and Patches</A>
- </H1>
- <P>
- <H2><A NAME="SECTION02021000000000000000">
- 2.1 Where can I get help, report bugs or contact the developers?</A>
- </H2>
- <P>
- The best place to get help or report a bug is the Tcpreplay-Users
- mailing list:
- <BR>
- http://lists.sourceforge.net/lists/listinfo/tcpreplay-users
- <P>
- <H2><A NAME="SECTION02022000000000000000">
- 2.2 What information should I provide when I report a bug?</A>
- </H2>
- <P>
- One of the most frustrating things for any developer trying to help
- a user with a problem is not enough information. Please be sure to
- include <I>at minimum</I> the following information, however any additional
- information you feel may be helpful will be appreciated.
- <P>
- <UL>
- <LI>Version information (output of -V)
- </LI>
- <LI>Command line used (options and arguments)
- </LI>
- <LI>Platform (Red Hat Linux 9 on Intel, Solaris 7 on SPARC, etc)
- </LI>
- <LI>Error message (if available) and/or description of problem
- </LI>
- <LI>If possible, attach the pcap file used (compressed with bzip2 or gzip
- preferred)
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION02023000000000000000">
- 2.3 I have a feature request, what should I do?</A>
- </H2>
- <P>
- Let us know! Many of the features exist today because users like you
- asked for them. To make a feature request, you can either email the
- tcpreplay-users mailing list (see above) or fill out the feature request
- form on the tcpreplay SourceForge website.
- <P>
- <H2><A NAME="SECTION02024000000000000000">
- 2.4 I've written a patch for tcpreplay, how can I submit it?</A>
- </H2>
- <P>
- I'm always willing to include new features or bug fixes submitted
- by users. You may email me directly or the tcpreplay-users mailing
- list. Please <I>do not</I> use the Patch Tracker on the tcpreplay
- SourceForge web site.
- <P>
- <H2><A NAME="SECTION02025000000000000000">
- 2.5 Patch requirements</A>
- </H2>
- <P>
- <UL>
- <LI>Be aware that submitting a patch, <I>you are licensing it under
- the BSD License</I> as written in Appendix A. If this is not acceptable
- to you, then <I>do not</I> send me the patch!
- </LI>
- <LI>If you wish to maintain the copyright over your code, be sure that
- your patch contains the appropriate information.
- </LI>
- <LI>Please provide a description of what your patch does!
- </LI>
- <LI>Comment your code! I won't use code I can't understand.
- </LI>
- <LI>Make sure you are patching a branch that is still being maintained.
- Generally that means that most recent stable and development branches
- (1.4 and 2.0 at the time of this writing).
- </LI>
- <LI>Make sure you are patching against the most recent release for that
- branch.
- </LI>
- <LI>Please submit your patch in the unified diff format so I can better
- understand what you're changing.
- </LI>
- <LI>Please provide any relevant personal information you'd like listed
- in the CREDITS file.
- </LI>
- </UL>
- Please note that while I'm always interested in patches, I may rewrite
- some or all of your submission to maintain a consistent coding style.
- <P>
- <H1><A NAME="SECTION03000000000000000000">
- 2 Basics</A>
- </H1>
- <P>
- <H1><A NAME="SECTION03010000000000000000">
- 3 Basic Tcpreplay Usage</A>
- </H1>
- <P>
- <H2><A NAME="SECTION03011000000000000000">
- 3.1 Replaying the traffic</A>
- </H2>
- <P>
- To replay a given pcap as it was captured all you need to do is specify
- the pcap file and the interface to send the traffic out of:
- <P>
- <I>tcpreplay -i eth0 sample.pcap</I>
- <P>
- <H2><A NAME="SECTION03012000000000000000">
- 3.2 Replaying at different speeds</A>
- </H2>
- <P>
- You can also replay the traffic at different speeds then it was originally
- captured<A NAME="tex2html4"
- HREF="#foot311"><SUP>4</SUP></A>. To support this, tcpreplay supports four different flags: -R, -r,
- -m, and -p
- <P>
- Some examples:
- <P>
- <UL>
- <LI>To replay traffic as fast as possible:
- <BR><I>tcpreplay -R -i eth0 sample.pcap</I>
- </LI>
- <LI>To replay traffic at 10Mbps:
- <BR><I>tcpreplay -r 10.0 -i eth0 sample.pcap</I>
- </LI>
- <LI>To replay traffic 7.3 times as fast as it was captured:
- <BR><I>tcpreplay -m 7.3 -i eth0 sample.pcap</I>
- </LI>
- <LI>To replay traffic at half-speed:
- <BR><I>tcpreplay -m 0.5 -i eth0 sample.pcap</I>
- </LI>
- <LI>To replay at 25.5 packets per second:
- <BR><I>tcpreplay -p 25.5 -i eth0 sample.pcap</I>
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION03013000000000000000">
- 3.3 Replaying the same file over and over again</A>
- </H2>
- <P>
- Using the loop flag (-l) you can specify that a pcap file will be
- sent two or more times<A NAME="tex2html5"
- HREF="#foot93"><SUP>5</SUP></A>:
- <P>
- <UL>
- <LI>To replay the sample.pcap file 10 times:
- <BR><I>tcpreplay -l 10 -i eth0 sample.pcap</I>
- </LI>
- <LI>To replay the sample.pcap an infinitely or until CTRL-C is pressed:
- <BR><I>tcpreplay -l 0 -i eth0 sample.pcap</I>
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION03014000000000000000">
- 3.4 Using Configuration Files</A>
- </H2>
- <P>
- Tcpreplay offers the options of specifying configuration options in
- a config file in addition to the traditional command line. Each configuration
- option has an equivalent config file option which is listed in the
- tcpreplay man page. To specify the configuration file you'd like to
- use, use the -f <filename> option.
- <P>
- Configuration files have one option per line, and lines beginning
- with the pound sign (#) are considered comments and ignored. An example
- config file follows:
- <P>
- # send traffic out 'eth0'
- <BR>
- intf eth0
- <BR>
- <BR># loop 5 times
- <BR>
- loop 5
- <BR>
- <BR># send traffic 2x as fast
- <BR>
- multiplier 2
- <BR>
- <BR># pad any packets out to their original size if they were truncated
- during capture
- <BR>
- untruncate pad
- <BR>
- <BR>
- <BR>
- <P>
- You would then execute:
- <BR><I>tcpreplay -f myconfigfile sample.pcap</I>
- <P>
- <H1><A NAME="SECTION04000000000000000000">
- 3 Advanced Usage</A>
- </H1>
- <P>
- <H1><A NAME="SECTION04010000000000000000">
- 4 Output: Interfaces, Packets & Files</A>
- </H1>
- <P>
- <H2><A NAME="SECTION04011000000000000000">
- 4.1 Replaying on multiple interfaces</A>
- </H2>
- <P>
- Tcpreplay can also split traffic so that each side of a connection
- is sent out a different interface<A NAME="tex2html6"
- HREF="#foot103"><SUP>6</SUP></A>. In order to do this, tcpreplay needs the name of the second interface
- (-j) and a way to split the traffic. Currently, there are two ways
- to split traffic:
- <P>
- <OL>
- <LI>-C = split traffic by source IP address which is specified in CIDR
- notation
- </LI>
- <LI>-c = split traffic according to a tcpprep cachefile<A NAME="tex2html7"
- HREF="#foot105"><SUP>7</SUP></A>
- </LI>
- </OL>
- When splitting traffic, it is important to remember that traffic that
- matches the filter is sent out the primary interface (-i). In this
- case, when splitting traffic by source IP address, you provide a list
- of networks in CIDR notation. For example:
- <P>
- <UL>
- <LI>To send traffic from 10.0.0.0/8 out eth0 and everything else out eth1:
- <BR><I>tcpreplay -C 10.0.0.0/8 -i eth0 -j eth1 sample.pcap</I>
- </LI>
- <LI>To send traffic from 10.1.0.0/24 and 10.2.0.0/20 out eth0 and everything
- else out eth1:
- <BR><I>tcpreplay -C 10.1.0.0/24,10.2.0.0/20 -i eth0 -j eth1 sample.pcap</I>
- </LI>
- <LI>After using tcpprep to generate a cache file, you can use it to split
- traffic between two interfaces like this:
- <BR><I>tcpreplay -c sample.cache -i eth0 -j eth1 sample.pcap</I>
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION04012000000000000000">
- 4.2 Selectively sending or dropping packets</A>
- </H2>
- <P>
- Sometimes, you want to do some post-capture filtering of packets.
- Tcpreplay let's you have some control over which packets get sent.
- <P>
- <OL>
- <LI>-M = disables sending of martian packets. By definition, martian packets
- have a source IP of 0.x.x.x, 127.x.x.x, or 255.x.x.x
- </LI>
- <LI>-x = send packets which match a specific pattern
- </LI>
- <LI>-X = send packets which do not match a specific pattern
- </LI>
- </OL>
- Both -x and -X support a variety of pattern matching types. These
- types are specified by a single character, followed by a colon, followed
- by the pattern. The following pattern matching types are available:
- <P>
- <OL>
- <LI>S - Source IP
- <BR>
- Pattern is a comma delimited CIDR notation
- </LI>
- <LI>D - Destination IP
- <BR>
- Pattern is a comma delimited CIDR notation
- </LI>
- <LI>B - Both source and destination IP must match
- <BR>
- Pattern is a comma delimited CIDR notation
- </LI>
- <LI>E - Either source or destination IP must match
- <BR>
- Pattern is a comma delimited CIDR notation
- </LI>
- <LI>P - A list of packet numbers from the pcap file.
- <BR>
- Pattern is a series of numbers, separated by commas or dashes.
- </LI>
- <LI>F - BPF syntax (same as used in tcpdump).
- <BR>
- Filter must be quoted and is only supported with -x<A NAME="tex2html8"
- HREF="#foot116"><SUP>8</SUP></A>.
- </LI>
- </OL>
- Examples:
- <P>
- <UL>
- <LI>To only send traffic that is too and from a host in 10.0.0.0/8:
- <BR><I>tcpreplay -x B:10.0.0.0/8 -i eth0 sample.pcap</I>
- </LI>
- <LI>To not send traffic that is too or from a host in 10.0.0.0/8:
- <BR><I>tcpreplay -X E:10.0.0.0/8 -i eth0 sample.pcap</I>
- </LI>
- <LI>To send every packet except the first 10 packets:
- <BR><I>tcpreplay -X P:1-10 -i eth0 sample.pcap</I>
- </LI>
- <LI>To only send the first 50 packets followed by packets: 100, 150, 200
- and 250:
- <BR><I>tcpreplay -x P:1-50,100,150,200,250 -i eth0 sample.pcap</I>
- </LI>
- <LI>To only send TCP packets from 10.0.0.1:
- <BR>
- tcpreplay -x F:'tcp and host 10.0.0.1' -i eth0 sample.pcap
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION04013000000000000000">
- 4.3 Replaying only a few packets</A>
- </H2>
- <P>
- Using the limit packets flag (-L) you can specify that tcpreplay will
- only send at most a specified number of packets.
- <P>
- <UL>
- <LI>To send at most 100 packets:
- <BR><I>tcpreplay -i eth0 -L 100 sample.pcap</I>
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION04014000000000000000">
- 4.4 Skipping the first bytes in a pcap file</A>
- </H2>
- <P>
- If you want to skip the beginning of a pcap file, you can use the
- offset flag (-o) to skip a specified number of bytes and start sending
- on the next packet.
- <P>
- <UL>
- <LI>To skip 15Kb into the pcap file and start sending packets from there:
- <BR><I>tcpreplay -i eth0 -o 15000 sample.pcap</I>
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION04015000000000000000">
- 4.5 Replaying packets which are bigger then the MTU</A>
- </H2>
- <P>
- Occasionally, you might find yourself trying to replay a pcap file
- which contains packets which are larger then the MTU for the sending
- interface. This might be due to the packets being captured on the
- loopback interface or on a 1000Mbps ethernet interface supporting
- ``jumbo frames''. I've even seen packets which are 1500 bytes
- but contain both an ethernet header and trailer which bumps the total
- frame size to 1518 which is 4 bytes too large.
- <P>
- By default, tcpreplay will skip these packets and not send them. Alternatively,
- you can specify the -T flag to truncate these packets to the MTU and
- then send them. Of course this may invalidate your testing, but it
- has proven useful in certain situations. Also, when this feature is
- enabled, tcpreplay will automatically recalculate the IP and TCP,
- UDP or ICMP checksums as needed. Example:
- <P>
- <I>tcpreplay -i eth0 -T sample.pcap</I>
- <P>
- <H2><A NAME="SECTION04016000000000000000">
- 4.6 Writing packets to a file</A>
- </H2>
- <P>
- It's not always necessary to write packets to the network. Since tcpreplay
- has so many features which modify and select which packets are sent,
- it is occasionally useful to save these changes to another pcap file
- for comparison. Rather then running a separate tcpdump process to
- capture the packets, tcpreplay now supports output directly to a file.
- Example:
- <P>
- <I>tcpreplay -i eth0 -w output.pcap -F -u pad -x E:10.0.0.0/8 input1.pcap
- input2.pcap input3.pcap</I>
- <P>
- Notice that specifying an interface is still required (required for
- various internal functions), but all the packets will be written to
- <I>output.pcap</I>.
- <P>
- You can also split traffic into two files by using -W <2nd output
- file>.
- <P>
- <H2><A NAME="SECTION04017000000000000000">
- 4.7 Extracting Application Data (Layer 7)</A>
- </H2>
- <P>
- New to version 2.0 is the ability to extract the application layer
- data from the packets and write them to a file. In the man page, we
- call this ``data dump mode'' which is enabled with -D. It's important
- to specify -D before -w (and -W if you're splitting data into two
- files). Example:
- <P>
- <I>tcpreplay -D -i eth0 -j eth0 -w clientdata -W serverdata -C
- 10.0.0.0/24 sample.pcap</I>
- <P>
- <H2><A NAME="SECTION04018000000000000000">
- 4.8 Replaying Live Traffic</A>
- </H2>
- <P>
- You can now replay live traffic sniffed on one network interface and
- replay it on another interface using the -S flag to indicate sniff
- mode and the appropriate snaplen in bytes (0 denotes the entire packet).
- You can also enabling bi-directional traffic using the bridge mode
- flag: -b.
- <P>
- N<SMALL>OTE:</SMALL> It is critical for your sanity (and to prevent your
- murder by your network administrators) that the input interface and
- the output interface be on separate networks and additionally that
- no other network devices (such as bridges, switches, routers, etc)
- be connecting the two networks, else you will surely get a networkstorm
- the likes that have not been seen for years.
- <P>
- <UL>
- <LI>Send packets sniffed on eth0 out eth1:
- <BR><I>tcpreplay -i eth1 -S 0 eth0</I>
- </LI>
- <LI>Bridge two subnets connected to eth0 and eth1:
- <BR><I>tcpreplay -i eth0 -j eth1 -b -S 0</I>
- </LI>
- </UL>
- By default, tcpreplay listens in promiscuous mode on the specified
- interface, however if you only want to send unicasts directed for
- the local system and broadcasts, you can specify the ``not_nosy''
- option in the configuration file or -n on the command line. Note that
- if another program has already placed the interface in promiscuous
- mode, the -n flag will have no effect, so you may want to use the
- -x or -X argument to limit packets.
- <P>
- <H2><A NAME="SECTION04019000000000000000">
- 4.9 Replaying Packet Capture Formats Other Than Libpcap</A>
- </H2>
- <P>
- There are about as many different capture file formats as there are
- sniffers. In the interest of simplicity, tcpreplay only supports libpcap<A NAME="tex2html9"
- HREF="#foot149"><SUP>9</SUP></A>. If you would like to replay a file in one of these multitude of
- formats, the excellent open source tool Ethereal easily allows you
- to convert it to libpcap. For instance, to convert a file in Sun's
- snoop format to libpcap, issue the command:
- <P>
- <I>tethereal -r blah.snoop -w blah.pcap</I>
- <P>
- and replay the resulting file.
- <P>
- <H2><A NAME="SECTION040110000000000000000">
- 4.10 Replaying Client Traffic to a Server</A>
- </H2>
- <P>
- A common question on the tcpreplay-users list is how does one replay
- the client side of a connection back to a server. Unfortunately, tcpreplay
- doesn't support this right now. The major problem concerns syncing
- up TCP Seq/Ack numbers which will be different. ICMP also often contains
- IP header information which would need to be adjusted. About the only
- thing that could be easy to do is UDP, which isn't usually requested.
- <P>
- This is however a feature that we're looking into implementing in
- the flowreplay utility. If you're interested in helping work on this
- feature, please contact us and we'd be more then happy to work with
- you. At this time however, we don't have an ETA when this will be
- implemented, so don't bother asking.
- <P>
- <H2><A NAME="SECTION040111000000000000000">
- 4.11 Decoding Packets</A>
- </H2>
- <P>
- If the tcpdump binary is installed on your system when tcpreplay is
- compiled, it will allow you to decode packets as they are sent without
- running tcpdump in a separate window or worrying about it capturing
- packets which weren't sent by tcpreplay.
- <P>
- <UL>
- <LI>Decode packets as they are sent:
- <BR><I>tcpreplay -i eth0 -v sample.pcap</I>
- </LI>
- <LI>Decode packets with the link level header:
- <BR><I>tcpreplay -i eth0 -v -A ``-e'' sample.pcap</I>
- </LI>
- <LI>Fully decode and send one packet at a time:
- <BR><I>tcpreplay -i eth0 -v -1 -A ``-s0 -evvvxX'' sample.pcap</I>
- </LI>
- </UL>
- Note that tcpreplay automatically applies the -n flag to disable DNS
- lookups which would slow down tcpdump too much to make it effective.
- <P>
- <H1><A NAME="SECTION04020000000000000000">
- 5 Packet Editing</A>
- </H1>
- <P>
- <H2><A NAME="SECTION04021000000000000000">
- 5.1 Rewriting MAC addresses</A>
- </H2>
- <P>
- If you ever want to send traffic to another device on a switched LAN,
- you may need to change the destination MAC address of the packets.
- Tcpreplay allows you to set the destination MAC for each interface
- independently using the -I and -J switches. As of version 2.1.0, you
- can also specify the source MAC via -k and -K. Example:
- <P>
- <UL>
- <LI>To send traffic out eth0 with a destination MAC of your router (00:00:01:02:03:04)
- and the source MAC of the server (00:20:30:40:50:60):
- <BR><I>tcpreplay -i eth0 -I 00:00:01:02:03:04 -k 00:20:30:40:50:60
- sample.pcap</I>
- </LI>
- <LI>To split traffic between internal (10.0.0.0/24) and external addresses
- and to send that traffic to the two interfaces of a firewall:
- <BR><I>tcpreplay -i eth0 -j eth1 -I 00:01:00:00:AA:01 -J 00:01:00:00:AA:02
- -C 10.0.0.0/24 sample.pcap</I>
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION04022000000000000000">
- 5.2 Randomizing IP addresses</A>
- </H2>
- <P>
- Occasionally, it is necessary to have tcpreplay rewrite the source
- and destination IP addresses, yet maintain the client/server relationship.
- Such a case might be having multiple copies of tcpreplay running at
- the same time using the same pcap file while trying to stress test
- firewall, IDS or other stateful device. If you didn't change the source
- and destination IP addresses, the device under test would get confused
- since it would see multiple copies of the same connection occurring
- at the same time. In order to accomplish this, tcpreplay accepts a
- user specified seed which is used to generate pseudo-random IP addresses.
- Also, when this feature is enabled, tcpreplay will automatically recalculate
- the IP and TCP, UDP or ICMP checksums as needed. Example:
- <P>
- <I>tcpreplay -i eth0 -s 1239 sample.pcap &</I>
- <BR><I>tcpreplay -i eth0 -s 76 sample.pcap &</I>
- <BR><I>tcpreplay -i eth0 -s 239 sample.pcap &</I>
- <BR><I>tcpreplay -i eth0 sample.pcap</I>
- <P>
- <H2><A NAME="SECTION04023000000000000000">
- 5.3 Replaying (de)truncated packets</A>
- </H2>
- <P>
- Occasionally, it is necessary to replay traffic which has been truncated
- by tcpdump. This occurs when the tcpdump snaplen is smaller then the
- actual packet size. Since this will create problems for devices which
- are expecting a full-sized packet or attempting checksum calculations,
- tcpreplay allows you to either pad the packet with zeros or reset
- the packet length in the headers to the actual packet size. In either
- case, the IP and TCP, UDP or ICMP checksums are recalculated. Examples:
- <P>
- <UL>
- <LI>Pad truncated packets:
- <BR><I>tcpreplay -i eth0 -u pad sample.pcap</I>
- </LI>
- <LI>Rewrite packet header lengths to the actual packet size:
- <BR><I>tcpreplay -i eth0 -u trunc sample.pcap</I>
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION04024000000000000000">
- 5.4 Rewriting Layer 2 with -2</A>
- </H2>
- <P>
- Starting in the 2.0.x branch, tcpreplay can replace the existing layer
- 2 header with one of your choosing. This is useful for when you want
- to change the layer 2 header type or add a header for pcap files without
- one. Each pcap file tells the type of frame. Currently tcpreplay knows
- how to deal with the following pcap(3) frame types:
- <P>
- <UL>
- <LI>DLT_EN10MB
- <BR>
- Replace existing 802.3/Ethernet II header
- </LI>
- <LI>DLT_RAW
- <BR>
- Frame has no Layer 2 header, so we can add one.
- </LI>
- <LI>DLT_LINUX_SLL
- <BR>
- Frame uses the Linux Cooked Socket header which is most commonly created
- with <I>tcpdump -i any</I> on a Linux system.
- </LI>
- </UL>
- Tcpreplay accepts the new Layer 2 header as a string of comma separated
- hex values such as: 0xff,0xac,0x00,0x01,0xc0,0x64. Note that the leading
- '0x' is <I>not</I> required.
- <P>
- Potential uses for this are to add a layer 2 header for DLT_RAW captures
- or add/remove ethernet tags or QoS features.
- <P>
- <H2><A NAME="SECTION04025000000000000000">
- 5.5 Rewriting DLT_LINUX_SLL (Linux Cooked Socket) captures</A>
- </H2>
- <P>
- Tcpdump uses a special frame type to store captures created with the
- ``-i any'' argument. This frame type uses a custom 16 byte layer
- 2 header which tracks which interface captured the packet and often
- the source MAC address of the original ethernet frame. Unfortunately,
- it never stores the destination MAC address and it doesn't store a
- source MAC when the packet is captured on the loopback interface.
- Normally, tcpreplay can't replay these pcap files because there isn't
- enough information in the LINUX_SLL header to do so; however two
- options do exist:
- <P>
- <OL>
- <LI>You can send these packets with -2 which will replace the LINUX_SLL
- header with an ethernet header of your choosing.
- </LI>
- <LI>You can specify a destination MAC via -I and -J in which case tcpreplay
- will use the stored source MAC and create a new 802.3 Ethernet header.
- Note that if the pcap contains loopback packets, you will also need
- to specify -k and/or -K to specify the source MAC as well or they
- will be skipped.
- </LI>
- </OL>
- <P>
- <H2><A NAME="SECTION04026000000000000000">
- 5.6 Rewriting IP Addresses (pseudo-NAT)</A>
- </H2>
- <P>
- Pseudo-NAT allows the mapping of IP addresses in IPv4 and ARP packets
- from one subnet to another subnet of the same or different size. This
- allows some or all the traffic sent to appear to come from a different
- IP subnet then it actually was captured on.
- <P>
- The mapping is done through a user specified translation table comprised
- of one or more source and destination network(s) in the format of
- <srcnet>/<masklen>:<dstnet>/<masklen> deliminated by a comma. Mapping
- is done by matching IP addresses to the source subnet and rewriting
- the most significant bits with the destination subnet. For example:
- <P>
- <I>tcpreplay -i eth0 -N 10.100.0.0/16:172.16.10.0/24 sample.pcap</I>
- <P>
- would match any IP in the 10.100.0.0/16 subnet and rewrite it as if
- it came from or sent to the 172.16.10.0/24 subnet. Ie: 10.100.5.88
- would become 172.16.10.88 and 10.100.99.45 would become 172.16.10.45.
- But 10.150.7.44 would not be rewritten.
- <P>
- For any given IP address, the translation table is applied in order
- (so if there are multiple mappings, earlier maps take precedence)
- and occurs only once per IP (no risk of an address getting rewritten
- a second time).
- <P>
- <H2><A NAME="SECTION04027000000000000000">
- 5.7 Advanced pseudo-NAT</A>
- </H2>
- <P>
- Pseudo-NAT also works with traffic splitting (using two interfaces
- or output files) but with a few important differences. First you have
- the option of specifying one or two pseudo-NAT tables. Using a single
- pseudo-NAT table means that the source and destination IP addresses
- of both interfaces are rewritten using the same rules. Using two pseudo-NAT
- tables (specifying -N <Table1> -N <Table2>) will cause the source
- and destination IP addresses to be rewritten differently for each
- interface using the following matrix:
- <P>
- <DIV ALIGN="CENTER">
- <TABLE CELLPADDING=3 BORDER="1">
- <TR><TD ALIGN="CENTER"> </TD>
- <TD ALIGN="CENTER">Out Primary Interface</TD>
- <TD ALIGN="CENTER">Out Secondary Interface
- <BR>
- Src IP</TD>
- </TR>
- </TABLE>
- </DIV>
- <P>
- While seemingly a bit confusing, this feature provides a number of
- interesting possibilities such as the ability to rewrite the IP headers
- of packets in the case where traffic is captured on the loopback interface
- (and the source and destination address is always 127.0.0.1) so that
- tcpreplay can make it look like two different systems are talking
- to each other (you'll probably also need to specify the source and
- destination MAC addresses via -I, -J, -k and -K).
- <P>
- <H2><A NAME="SECTION04028000000000000000">
- 5.8 IP Endpoints</A>
- </H2>
- <P>
- While pseudo-NAT provides a great deal of flexibility, it is often
- more complicated then is necessary for testing of inline devices.
- As a simplier alternative, tcpreplay supports the concept of rewriting
- all traffic to so that it appears to be between two IP addresses:
- <P>
- <I>tcpreplay -i eth0 -j eth1 -c sample.cache -e 10.0.0.1:10.1.1.1
- sample.pcap</I>
- <P>
- Will rewrite all the traffic so that it is between 10.0.0.1 and 10.1.1.1.
- The equivalent command using -N would be:
- <P>
- <I>tcpreplay -i eth0 -j eth1 -c sample.cache -N 0.0.0.0/0:10.0.0.1
- -N 0.0.0.0/0:10.1.1.1 sample.pcap</I>
- <P>
- <H2><A NAME="SECTION04029000000000000000">
- 5.9 Unifying Dual-Outputs</A>
- </H2>
- <P>
- Since a number of tcpreplay's packet editing functions require splitting
- traffic between client and servers, one problem that may arrise is
- needing to edit packets but still output to a single interface or
- file. The solution to this is to use the one output option -O which
- causes packets to be processed as if they will be split between the
- interfaces/files, but then always go out the primary interface or
- file. Note that even though only one interface/file will be written
- to, both -i and -j must be specified; although they can be the same
- physical interface.
- <P>
- <I>tcpreplay -i eth0 -j eth0 -O -c sample.cache -e 10.0.0.1:10.1.1.1
- sample.pcap</I>
- <P>
- Merging the output to a single file:
- <P>
- <I>tcpreplay -i eth0 -j eth0 -w rewrite.pcap -c sample.cache -e
- 10.0.0.1:10.1.1.1 sample.pcap</I>
- <P>
- <H1><A NAME="SECTION04030000000000000000">
- 6 Tcpprep Usage</A>
- </H1>
- <P>
- <H2><A NAME="SECTION04031000000000000000">
- 6.1 What is tcpprep?</A>
- </H2>
- <P>
- Tcpreplay can send traffic out two network cards, however it requires
- the calculations be done in real-time. These calculations can be expensive
- and can significantly reduce the throughput of tcpreplay.
- <P>
- Tcpprep is a libpcap pre-processor for tcpreplay which enables using
- two network cards to send traffic without the performance hit of doing
- the calculations in real-time.
- <P>
- <H2><A NAME="SECTION04032000000000000000">
- 6.2 How does tcpprep work? </A>
- </H2>
- <P>
- Tcpprep reads in a libpcap (tcpdump) formatted capture file and does
- some processing to generate a tcpreplay cache file. This cache file
- tells tcpreplay which interface a given packet should be sent out
- of.
- <P>
- <H2><A NAME="SECTION04033000000000000000">
- 6.3 Does tcpprep modify my libpcap file?</A>
- </H2>
- <P>
- No.
- <P>
- <H2><A NAME="SECTION04034000000000000000">
- 6.4 Why use tcpprep?</A>
- </H2>
- <P>
- There are three major reasons to use tcpprep:
- <P>
- <OL>
- <LI>Tcpprep can split traffic based upon more methods and criteria then
- tcpreplay.
- </LI>
- <LI>By pre-processing the pcap, tcpreplay has a higher theoretical maximum
- throughput.
- </LI>
- <LI>By pre-processing the pcap, tcpreplay can be more accurate in timing
- when replaying traffic at normal speed.
- </LI>
- </OL>
- <P>
- <H2><A NAME="SECTION04035000000000000000">
- 6.5 Can a cache file be used for multiple (different) libpcap files? </A>
- </H2>
- <P>
- Cache files have nothing linking them to a given libpcap file, so
- there is nothing to stop you from doing this. However running tcpreplay
- with a cache file from a different libpcap source file is likely to
- cause a lot of problems and is not supported.
- <P>
- <H2><A NAME="SECTION04036000000000000000">
- 6.6 Why would I want to use tcpreplay with two network cards? </A>
- </H2>
- <P>
- Tcpreplay traditionally is good for putting traffic on a given network,
- often used to test a network intrusion detection system (NIDS). However,
- there are cases where putting traffic onto a subnet in this manner
- is not good enough- you have to be able to send traffic *through*
- a device such as a router, firewall, or bridge.
- <P>
- In these cases, being able to use a single source file (libpcap) for
- both ends of the connection solves this problem.
- <P>
- <H2><A NAME="SECTION04037000000000000000">
- 6.7 How big are the cache files?</A>
- </H2>
- <P>
- Very small. Actual size depends on the number of packets in the dump
- file. Two bits of data is stored for each packet. On a test using
- a 900MB dump file containing over 500,000 packets, the cache file
- was only 150K.
- <P>
- <H2><A NAME="SECTION04038000000000000000">
- 6.8 What are these 'modes' tcpprep has? </A>
- </H2>
- <P>
- Tcpprep has three basic modes which require the user to specify how
- to split traffic.
- <P>
- <UL>
- <LI>CIDR (-c) mode requires the user to provide a list of networks. Any
- packet with a source IP in one of these networks gets sent out the
- primary interface.
- </LI>
- <LI>Regex (-r) mode requires the user to provide a regular expression.
- Any packet with a source IP matching the regex gets sent out the primary
- interface.
- </LI>
- <LI>Port (-p) mode splits TCP/UDP traffic based on the destination port
- in the header. Normally, ports 0-1023 are considered ``server''
- ports and everything else a client port. You can create your own custom
- mapping file in the same format as /etc/services (see the services(5)
- man page for details) by specifying -s <file>.
- </LI>
- </UL>
- And four auto modes in which tcpprep decides how to split traffic.
- Auto modes are useful for when you don't know much about the contents
- of the dump file in question and you want to split traffic up based
- upon servers and clients.
- <P>
- <UL>
- <LI>Auto/Router (-a -n router) mode trys to find the largest network(s)
- that contain all the servers and no clients. Any unknown system is
- automatically re-classified as servers if it's inside the server network(s),
- otherwise it is classified as a client.
- </LI>
- <LI>Auto/Bridge (-a -n bridge) mode makes the assumption that the clients
- and servers are horribly intermixed on the network and there's no
- way to subnet them. While this takes less processing time to create
- the cache file it is unable to deal with unknown systems.
- </LI>
- <LI>Auto/Client (-a -n client) mode which works just like Auto/Bridge
- mode, except that any system it can't figure out is treated like a
- client.
- </LI>
- <LI>Auto/Server (-a -n server) mode which works just like Auto/Bridge
- mode, except that any system it can't figure out is treated like a
- server.
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION04039000000000000000">
- 6.9 Splitting traffic based upon IP address</A>
- </H2>
- <P>
- Tcpprep supports the same CIDR mode that tcpreplay supports using
- the -c flag (tcpreplay uses -C). Additionally, tcpprep also supports
- regex(7) regular expressions to match source IP addresses using the
- -r flag.
- <P>
- <H2><A NAME="SECTION040310000000000000000">
- 6.10 Auto Mode</A>
- </H2>
- <P>
- <H3><A NAME="SECTION040310100000000000000">
- 6.10.1 How does Auto/Bridge mode work? </A>
- </H3>
- <P>
- Tcpprep does an initial pass over the libpcap file to build a binary
- tree (one node per IP). For each IP, it keeps track of how many times
- it was a client or server. It then does a second pass of the file
- using the data in the tree and the ratio to determine if an IP is
- a client or server. If tcpprep is unable to determine the type (client
- or server) for each and every packet, then auto/bridge mode will fail.
- In these cases, it is best to use a different auto mode.
- <P>
- <H3><A NAME="SECTION040310200000000000000">
- 6.10.2 How does Auto/Router mode work? </A>
- </H3>
- <P>
- Tcpprep does the same first pass as Auto/Bridge mode. It then trys
- to convert the binary tree into a list of networks containing the
- servers. Finally it uses the CIDR mode with the list of server networks
- in a second pass of the libpcap file. Unlike auto/bridge mode, auto/router
- mode can always successfully split IP addresses into clients and servers.
- <P>
- <H3><A NAME="SECTION040310300000000000000">
- 6.10.3 Determining Clients and Servers</A>
- </H3>
- <P>
- Tcpprep uses the following methods in auto/router and auto/bridge
- mode to determine if an IP address is a client or server:
- <P>
- <UL>
- <LI>Client:
- <P>
- <UL>
- <LI>TCP with Syn flag set
- </LI>
- <LI>UDP source/destination port 53 (DNS) without query flag set
- </LI>
- <LI>ICMP port unreachable (destination IP of packet)
- </LI>
- </UL>
- </LI>
- <LI>Server:
- <P>
- <UL>
- <LI>TCP with Syn/Ack flag set
- </LI>
- <LI>UDP source/destination port 53 (DNS) with query flag set
- </LI>
- <LI>ICMP port unreachable (source IP of packet)
- </LI>
- </UL>
- </LI>
- </UL>
- <P>
- <H3><A NAME="SECTION040310400000000000000">
- 6.10.4 Client/Server ratio</A>
- </H3>
- <P>
- Since a system may send traffic which would classify it as both a
- client and server, it's necessary to be able to weigh the traffic.
- This is done by specifying the client/server ratio (-R) which is by
- default set to 2.0. The ratio is the modifier to the number of client
- connections. Hence, by default, client connections are valued twice
- as high as server connections.
- <P>
- <H2><A NAME="SECTION040311000000000000000">
- 6.11 Selectively sending/dropping packets</A>
- </H2>
- <P>
- Tcpprep supports the same -x and -X options to selectively send or
- drop packets.
- <P>
- <H2><A NAME="SECTION040312000000000000000">
- 6.12 Using tcpprep cache files with tcpreplay</A>
- </H2>
- <P>
- Just run:
- <P>
- <I>tcpreplay -c sample.cache -i eth0 -j eth1 sample.pcap</I>
- <P>
- <H2><A NAME="SECTION040313000000000000000">
- 6.13 Commenting tcpprep cache files</A>
- </H2>
- <P>
- In versions of tcpprep >= 2.1.0, you can specify a comment to be embeded
- in the tcpprep cache file. Comments are user specified and automatically
- include the command line arguments passed to tcpprep.
- <P>
- <I>tcpprep -C ``this is my comment'' -i sample.pcap -o sample.cache
- <other args></I>
- <P>
- Or for no user comment, but still embed the command arguments:
- <P>
- <I>tcpprep -C ``'' -i sample.pcap -o sample.cache <other args></I>
- <P>
- You can then later on print out the comments by running:
- <P>
- <I>tcpprep -P sample.cache</I>
- <P>
- <H1><A NAME="SECTION04040000000000000000">
- 7 Flowreplay Usage</A>
- </H1>
- <P>
- While tcpreplay is a great way to test NIDS and firewalls, it can't
- be used to test servers or HIDS since tcpreplay can't connect to a
- service running on a device. The solution to this problem is flowreplay
- which instead of sending packets at Layer 2 (ethernet header and up),
- it can actually connect via TCP or UDP to server and then sends and
- receives data based upon a pcap capture file created with a tool like
- Ethereal or tcpdump.
- <P>
- Please note that flowreplay is currently alpha quality and is missing
- a number of key features.
- <P>
- <H2><A NAME="SECTION04041000000000000000">
- 7.1 How flowreplay works</A>
- </H2>
- <P>
- Put simply, flowreplay opens a socket connection to a service on a
- target system(s) and sends data over that socket based on the packet
- capture. Flowreplay has no understanding of the application protocol
- (like HTTP or FTP) so it is somewhat limited in how it can deal with
- complicated exchanges between client and server.
- <P>
- Some of these limitations are:
- <P>
- <UL>
- <LI>Flowreplay only plays the client side<A NAME="tex2html10"
- HREF="#foot237"><SUP>10</SUP></A> of the connection.
- </LI>
- <LI>Flowreplay doesn't understand the application protocols. Hence it
- can't always deal with the case when the server sends a different
- response then what was originally captured in the pcap file.
- </LI>
- <LI>Flowreplay only sends TCP and UDP traffic.
- </LI>
- <LI>Flowreplay doesn't know about multi-flow protocols like FTP.
- </LI>
- <LI>Flowreplay can't listen on a port and wait for a client to connect
- to it.
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION04042000000000000000">
- 7.2 Running flowreplay</A>
- </H2>
- <P>
- See the flowreplay(8) man page for details.
- <P>
- <H1><A NAME="SECTION04050000000000000000">
- 8 Tuning OS's for high performance</A>
- </H1>
- <P>
- Regardless of the size of physical memory, UNIX kernels will only
- allocate a static amount for network buffers. This includes packets
- sent via the "raw" interface, like with tcpreplay.
- Most kernels will allow you to tweak the size of these buffers, drastically
- increasing performance and accuracy.
- <P>
- N<SMALL>OTE:</SMALL> The following information is provided based upon our
- own experiences or the reported experiences of others. Depending on
- your hardware and specific hardware, it may or may not work for you.
- It may even make your system horribly unstable, corrupt your harddrive,
- or worse.
- <P>
- N<SMALL>OTE</SMALL>: Different operating systems, network card drivers,
- and even hardware can have an effect on the accuracy of packet timestamps
- that tcpdump or other capture utilities generate. And as you know:
- garbage in, garbage out.
- <P>
- N<SMALL>OTE:</SMALL> If you have information on tuning the kernel of an
- operating system not listed here, please send it to me so I can include
- it.
- <P>
- <H2><A NAME="SECTION04051000000000000000">
- 8.1 Linux 2.4.x</A>
- </H2>
- <P>
- The following is known to apply to the 2.4.x series of kernels. If
- anyone has any information regarding other kernel versions, please
- let us know. By default Linux's tcpreplay performance isn't all that
- stellar. However, with a simple tweak, relatively decent performance
- can be had on the right hardware. By default, Linux specifies a 64K
- buffer for sending packets. Increasing this buffer to about half a
- megabyte does a good job:
- <P>
- <I>echo 524287 >/proc/sys/net/core/wmem_default </I>
- <BR><I>echo 524287 >/proc/sys/net/core/wmem_max </I>
- <BR><I>echo 524287 >/proc/sys/net/core/rmem_max </I>
- <BR><I>echo 524287 >/proc/sys/net/core/rmem_default </I>
- <P>
- On one system, we've seen a jump from 23.02 megabits/sec (5560 packets/sec)
- to 220.30 megabits/sec (53212 packets/sec) which is nearly a 10x increase
- in performance. Depending on your system and capture file, different
- numbers may provide different results.
- <P>
- <H2><A NAME="SECTION04052000000000000000">
- 8.2 *BSD</A>
- </H2>
- <P>
- *BSD systems typically allow you to specify the size of network
- buffers with the NMBCLUSTERS option in the kernel config file. Experiment
- with different sizes to see which yields the best performance. See
- the options(4) man page for more details.
- <P>
- <H1><A NAME="SECTION04060000000000000000">
- 9 Understanding Common Error and Warning Messages</A>
- </H1>
- <P>
- <H2><A NAME="SECTION04061000000000000000">
- 9.1 Can't open eth0: libnet_select_device(): Can't find interface eth0</A>
- </H2>
- <P>
- Generally this occurs when the interface (eth0 in this example) is
- not up or doesn't have an IP address assigned to it.
- <P>
- <H2><A NAME="SECTION04062000000000000000">
- 9.2 Can't open lo: libnet_select_device(): Can't find interface lo</A>
- </H2>
- <P>
- Version 1.1.0 of Libnet is unable to send traffic on the loopback
- device. Upgrade to a later release of the Libnet library to solve
- this problem.
- <P>
- <H2><A NAME="SECTION04063000000000000000">
- 9.3 Can't open eth0: UID != 0</A>
- </H2>
- <P>
- Tcpreplay requires that you run it as root.
- <P>
- <H2><A NAME="SECTION04064000000000000000">
- 9.4 100000 write attempts failed from full buffers and were repeated</A>
- </H2>
- <P>
- When tcpreplay displays a message like "100000 write attempts
- failed from full buffers and were repeated", this usually
- means the kernel buffers were full and it had to wait until memory
- was available. This is quite common when replaying files as fast as
- possible with the "-R" option. See the tuning OS
- section in this document for suggestions on solving this problem.
- <P>
- <H2><A NAME="SECTION04065000000000000000">
- 9.5 Invalid mac address: 00:00:00:00:00:00</A>
- </H2>
- <P>
- Currently tcpreplay reserves the MAC address of 00:00:00:00:00:00
- as reserved for internal use. Hence you can't rewrite the MAC address
- of packets to be all zeros. While we intend to fix this someday it's
- not currently high on our priority list, so let us know if we should
- re-prioritize things.
- <P>
- <H2><A NAME="SECTION04066000000000000000">
- 9.6 Unable to process test.cache: cache file version missmatch</A>
- </H2>
- <P>
- Cache files generated by tcpprep and read by tcpreplay are versioned
- to allow enhancements to the cache file format. Anytime the cache
- file format changes, the version is incremented. Since this occurs
- on a very rare basis, this is generally not an issue; however anytime
- there is a change, it breaks compatibility with previously created
- cache files. The solution for this problem is to use the same version
- of tcpreplay and tcpprep to read/write the cache files. Cache file
- versions match the following versions of tcpprep/tcpreplay:
- <P>
- <UL>
- <LI>Version 1:
- <BR>
- Prior to 1.3.beta1
- </LI>
- <LI>Version 2:
- <BR>
- 1.3.beta2 to 1.3.1/1.4.beta1
- </LI>
- <LI>Version 3:
- <BR>
- 1.3.2/1.4.beta2 to 2.0.3
- </LI>
- <LI>Version 4:
- <BR>
- 2.1.0 and above. Note that prior to version 2.3.0, tcpprep had a bug
- which broke cache file compatibility between big and little endian
- systems.
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION04067000000000000000">
- 9.7 Skipping SLL loopback packet.</A>
- </H2>
- <P>
- Your capture file was created on Linux with the 'any' parameter which
- then captured a packet on the loopback interface. However, tcpreplay
- doesn't have enough information to actual send the packet, so it skips
- it. Specifying a source and destination MAC address (-I, -k, -J, -K)
- will allow tcpreplay to send these packets.
- <P>
- <H2><A NAME="SECTION04068000000000000000">
- 9.8 Packet length (8892) is greater then MTU; skipping packet.</A>
- </H2>
- <P>
- The packet length (in this case 8892 bytes) is greater then the maximum
- transmition unit (MTU) on the outgoing interface. Tcpreplay must skip
- the packet. Alternatively, you can specify the -T option and tcpreplay
- will truncate the packet to the MTU size, fix the checksums and send
- it.
- <P>
- <H2><A NAME="SECTION04069000000000000000">
- 9.9 Why is tcpreplay not sending all the packets?</A>
- </H2>
- <P>
- Every now and then, someone emails the tcpreplay-users list, asking
- if there is a bug in tcpreplay which causes it not to send all the
- packets. This usually happens when the user uses the -R flag or is
- replaying a high-speed pcap file (> 50Mbps, although this number is
- dependant on the hardware in use).
- <P>
- The short version of the answer is: no, we are not aware of any bugs
- which might cause a few packets to not be sent.
- <P>
- The longer version goes something like this:
- <P>
- If you are running tcpreplay multiple times and are using tcpdump
- or other packet sniffer to count the number packets sent and are getting
- different numbers, it's not tcpreplay's fault. The problem lies in
- one of two places:
- <P>
- <OL>
- <LI>It is well known that tcpdump and other sniffers have a problem keeping
- up with high-speed traffic. Furthermore, the OS in many cases <I>lies</I>
- about how many packets were dropped. Tcpdump will repeat this lie
- to you. In other words, tcpdump isn't seeing all the packets. Usually
- this is a problem with the network card or driver which may or may
- not be fixable. Try another network card/driver.
- </LI>
- <LI>When tcpreplay sends a packet, it actually gets copied to a send buffer
- in the kernel. If this buffer is full, the kernel is supposed to tell
- tcpreplay that it didn't copy the packet to this buffer. If the kernel
- has a bug which squelches this error, tcpreplay will not keep trying
- to send the packet and will move on to the next one. Currently I am
- not aware of any OS kernels with this bug, but it is possible that
- it exists. If you find out that your OS has this problem, please let
- me know so I can list it here.
- </LI>
- </OL>
- If for some reason, you still think its a bug in tcpreplay, by all
- means read the code and tell me how stupid I am. The do_packets()
- function in do_packets.c is where tcpreplay processes the pcap file
- and sends all of the packets.
- <P>
- <H1><A NAME="SECTION04070000000000000000">
- 10 Required Libraries and Tools</A>
- </H1>
- <P>
- <H2><A NAME="SECTION04071000000000000000">
- 10.1 Libpcap</A>
- </H2>
- <P>
- As of tcpreplay v1.4, you'll need to have libpcap installed on your
- system. As of v2.0, you'll need at least version 0.6.0 or better,
- but I only test our code with the latest version. Libpcap can be obtained
- on the tcpdump homepage<A NAME="tex2html11"
- HREF="#foot317"><SUP>11</SUP></A>.
- <P>
- <H2><A NAME="SECTION04072000000000000000">
- 10.2 Libnet</A>
- </H2>
- <P>
- Tcpreplay v1.3 is the last version to support the old libnet API (everything
- before 1.1.x). As of v1.4 you will need to use Libnet 1.1.0 or better
- which can be obtained from the Libnet homepage<A NAME="tex2html12"
- HREF="#foot318"><SUP>12</SUP></A>.
- <P>
- <H2><A NAME="SECTION04073000000000000000">
- 10.3 Libpcapnav</A>
- </H2>
- <P>
- Starting with v2.0, tcpreplay can use libpcapnav to support the jump
- offset feature. If libpcapnav is not found on the system, that feature
- will be disabled. Libpcapnav can be found on the NetDude homepage<A NAME="tex2html13"
- HREF="#foot319"><SUP>13</SUP></A>.
- <P>
- <H2><A NAME="SECTION04074000000000000000">
- 10.4 Tcpdump</A>
- </H2>
- <P>
- As of 2.0, tcpreplay uses tcpdump (the binary, not code) to decode
- packets to STDOUT in a human readable (with practice) format as it
- sends them. If you would like this feature, tcpdump must be installed
- on your system.
- <P>
- N<SMALL>OTE:</SMALL> The location of the tcpdump binary is hardcoded in
- tcpreplay at compile time. If tcpdump gets renamed or moved, the feature
- will become disabled.
- <P>
- <H1><A NAME="SECTION05000000000000000000">
- 4 Other Resources</A>
- </H1>
- <P>
- <H1><A NAME="SECTION05010000000000000000">
- 11 Other pcap tools available</A>
- </H1>
- <P>
- <H2><A NAME="SECTION05011000000000000000">
- 11.1 Tools to capture network traffic or decode pcap files</A>
- </H2>
- <P>
- <UL>
- <LI>tcpdump
- <BR>
- http://www.tcpdump.org/
- </LI>
- <LI>ethereal
- <BR>
- http://www.ethereal.com/
- </LI>
- <LI>ettercap
- <BR>
- http://ettercap.sourceforge.net/
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION05012000000000000000">
- 11.2 Tools to edit pcap files</A>
- </H2>
- <P>
- <UL>
- <LI>tcpslice
- <BR>
- Splits pcap files into smaller files
- <BR>
- http://www.tcpdump.org/
- </LI>
- <LI>mergecap
- <BR>
- Merges two pcap capture files into one
- <BR>
- http://www.ethreal.com/
- </LI>
- <LI>pcapmerge
- <BR>
- Merges two or more pcap capture files into one
- <BR>
- http://tcpreplay.sourceforge.net/
- </LI>
- <LI>editcap
- <BR>
- Converts capture file formats (pcap, snoop, etc)
- <BR>
- http://www.ethreal.com/
- </LI>
- <LI>netdude
- <BR>
- GTK based pcap capture file editor. Allows editing most anything in
- the packet.
- <BR>
- http://netdude.sourceforge.net/
- </LI>
- </UL>
- <P>
- <H2><A NAME="SECTION05013000000000000000">
- 11.3 Other useful tools</A>
- </H2>
- <P>
- <UL>
- <LI>capinfo
- <BR>
- Prints statistics and basic information about a pcap file
- <BR>
- http://tcpreplay.sourceforge.net/
- </LI>
- <LI>text2pcap
- <BR>
- Generates a pcap capture file from a hex dump
- <BR>
- http://www.ethreal.com/
- </LI>
- <LI>tcpflow
- <BR>
- Extracts and reassembles the data portion on a per-flow basis on live
- traffic or pcap capture files
- <BR>
- http://www.circlemud.org/ jelson/software/tcpflow/
- </LI>
- </UL>
- <P>
- <H1><A NAME="SECTION06000000000000000000">
- Appendix</A>
- </H1>
- <P>
- <H1><A NAME="SECTION06010000000000000000">
- 1 BSD License</A>
- </H1>
- <P>
- <BR>
- <PRE>Copyright (c) 2001-2004 Aaron Turner, Matt Bing. All rights reserved.
- Some portions of code are:
- Copyright(c) 1999 Anzen Computing. All rights reserved.
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- 3. Neither the names of the copyright owners nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
- 4. All advertising materials mentioning features or use of this software
- must display the following acknowledgement:
- This product includes software developed by Anzen Computing, Inc.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
- GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
- IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- </PRE>
- <H1><A NAME="SECTION07000000000000000000">
- About this document ...</A>
- </H1>
- <STRONG>Tcpreplay 2.x FAQ</STRONG><P>
- This document was generated using the
- <A HREF="http://www.latex2html.org/"><STRONG>LaTeX</STRONG>2<tt>HTML</tt></A> translator Version 2002-2-1 (1.70)
- <P>
- Copyright © 1993, 1994, 1995, 1996,
- <A HREF="http://cbl.leeds.ac.uk/nikos/personal.html">Nikos Drakos</A>,
- Computer Based Learning Unit, University of Leeds.
- <BR>
- Copyright © 1997, 1998, 1999,
- <A HREF="http://www.maths.mq.edu.au/~ross/">Ross Moore</A>,
- Mathematics Department, Macquarie University, Sydney.
- <P>
- The command line arguments were: <BR>
- <STRONG>latex2html</STRONG> <TT>-nonavigation -no_subdir -split 0 -show_section_numbers FAQ.tex</TT>
- <P>
- The translation was initiated by Aaron Turner on 2005-02-24
- <BR><HR><H4>Footnotes</H4>
- <DL>
- <DT><A NAME="foot310">... flowreplay</A><A
- HREF="FAQ.html#tex2html1"><SUP>1</SUP></A></DT>
- <DD>Flowreplay is still ``alpha'' quality and is not usable for most
- situations. Anyone interested in helping me develop flowreplay is
- encouraged to contact me.
- </DD>
- <DT><A NAME="foot38">... libpcapnav</A><A
- HREF="FAQ.html#tex2html2"><SUP>2</SUP></A></DT>
- <DD>http://netdude.sourceforge.net/
- </DD>
- <DT><A NAME="foot39">... tcpdump</A><A
- HREF="FAQ.html#tex2html3"><SUP>3</SUP></A></DT>
- <DD>http://www.tcpdump.org/
- </DD>
- <DT><A NAME="foot311">...
- captured</A><A
- HREF="FAQ.html#tex2html4"><SUP>4</SUP></A></DT>
- <DD>Tcpreplay makes a "best" effort to replay traffic
- at the given rate, but due to limitations in hardware or the pcap
- file itself, it may not be possible. Capture files with only a few
- packets in them are especially susceptible to this.
- </DD>
- <DT><A NAME="foot93">... times</A><A
- HREF="FAQ.html#tex2html5"><SUP>5</SUP></A></DT>
- <DD>Looping files resets internal counters which control the speed that
- the file is replayed. Also because the file has to be closed and re-opened,
- an added delay between the last and first packet may occur.
- </DD>
- <DT><A NAME="foot103">... interface</A><A
- HREF="FAQ.html#tex2html6"><SUP>6</SUP></A></DT>
- <DD>Note that you can also use the following options to split traffic
- into two files using -w and -W which are described later on in this
- FAQ.
- </DD>
- <DT><A NAME="foot105">... cachefile</A><A
- HREF="FAQ.html#tex2html7"><SUP>7</SUP></A></DT>
- <DD>For information on generating tcpprep cache files, see the section
- on tcpprep.
- </DD>
- <DT><A NAME="foot116">... -x</A><A
- HREF="FAQ.html#tex2html8"><SUP>8</SUP></A></DT>
- <DD>Note that if you want to send all the packets which do not match a
- bpf filter, all you have to do is negate the bpf filter. See the tcpdump(1)
- man page for more info.
- </DD>
- <DT><A NAME="foot149">... libpcap</A><A
- HREF="FAQ.html#tex2html9"><SUP>9</SUP></A></DT>
- <DD>Note that some versions of tcpreplay prior to 1.4 also supported the
- Solaris snoop format.
- </DD>
- <DT><A NAME="foot237">... side</A><A
- HREF="FAQ.html#tex2html10"><SUP>10</SUP></A></DT>
- <DD>Flowreplay assumes the first UDP packet on a given 4-tuple is the
- client
- </DD>
- <DT><A NAME="foot317">... homepage</A><A
- HREF="FAQ.html#tex2html11"><SUP>11</SUP></A></DT>
- <DD>http://www.tcpdump.org/
- </DD>
- <DT><A NAME="foot318">... homepage</A><A
- HREF="FAQ.html#tex2html12"><SUP>12</SUP></A></DT>
- <DD>http://www.packetfactory.net/Projects/Libnet/
- </DD>
- <DT><A NAME="foot319">... homepage</A><A
- HREF="FAQ.html#tex2html13"><SUP>13</SUP></A></DT>
- <DD>http://netdude.sourceforge.net/
- </DD>
- </DL>
- <BR><HR>
- <ADDRESS>
- Aaron Turner
- 2005-02-24
- </ADDRESS>
- </BODY>
- </HTML>