tcpreplay/src/tcpprep_opts.def

autogen definitions options;

copyright = {
    date        = "2000 - 2004";
    owner       = "Aaron Turner";
    type        = "bsd";
    author      = <<- EOText
Copyright 2000-2005 Aaron Turner

For support please use the tcpreplay-users@lists.sourceforge.net mailing list.
EOText;
};

package         = "tcpprep";
prog-name       = "tcpprep";
prog-title      = "Create a tcpreplay cache cache file from a pcap file.";
long-opts;
gnu-usage;
help-value      = "H";
save-opts-value = "";
load-opts-value = "";

config-header   = "config.h";
include         = "#include \"defines.h\"\n"
                "#include \"common.h\"\n"
                "#include \"tcpprep.h\"\n"
                "extern char pcap_version[];\n"
                "extern tcpprep_opt_t options;\n";

homerc          = "$$/";

explain = <<- EOExplain
tcpprep is a @file{pcap(3)} file pre-processor which creates a cache
file which provides "rules" for @file{tcprewrite(1)} and @file{tcpreplay(1)}
on how to process and send packets.
EOExplain;

detail = <<- EODetail
The basic operation of tcpreplay is to resend all packets from the
input file(s) out a single file.  Tcpprep processes a pcap file and 
applies a set of user-specified rules to create a cache file which 
tells tcpreplay wether or not to send each packet and which interface the
packet should be sent out of.
EODetail;

man-doc = <<- EOMan
.SH "SEE ALSO"
tcpdump(1), tcprewrite(1), tcpreplay(1)
EOMan;


flag = {
    name        = dbug;
    value       = d;
    arg-type    = number;
    max         = 1;
    immediate;
    arg-range   = "0->5";
    arg-default = 0;
    descrip     = "Enable debugging output";
    doc         = <<- EOText
If configured with --enable-debug, then you can specify a verbosity 
level for debugging output.  Higher numbers increase verbosity.
EOText;
};


/* Modes: -a bridge/router/client/server, -c (cidr) */
flag = {
    name        = auto;
    value       = a;
    descrip     = "Auto-split mode";
    arg-type    = string;
    max         = 1;
    flags-cant  = cidr;
    flags-cant  = port;
    flags-cant  = regex;
    flag-code   = <<- EOAuto
    
    options.mode = AUTO_MODE;
    if (strcmp(OPT_ARG(AUTO), "bridge") == 0) {
        options.automode = BRIDGE_MODE;
    }
    else if (strcmp(OPT_ARG(AUTO), "router") == 0) {
        options.automode = ROUTER_MODE;
    }
    else if (strcmp(OPT_ARG(AUTO), "client") == 0) {
        options.automode = CLIENT_MODE;
    }
    else if (strcmp(OPT_ARG(AUTO), "server") == 0) {
        options.automode = SERVER_MODE;
    }
    else {
        errx(1, "Invalid auto mode type: %s", OPT_ARG(AUTO));
    }
EOAuto;
    doc         = <<- EOText
Tcpprep will try to automatically determine the primary function of hosts
based on the traffic captured and classify each host as client or server.
In order to do so, you must provide a hint to tcpprep as to how to search
for clients and servers.  Valid hints are:

@table @bullet
@item
@var{bridge}
Bridge mode processes each packet to try to determine if the sender is a 
client or server.  Once all the packets are processed, the results are weighed
according to the server/client ratio (@samp{--ratio}) and systems are assigned an
interface.  If tcpprep is unable to determine what role a system plays, tcpprep
will abort.
@item
@var{router}
Router mode works just like bridge mode, except that after weighing is done, 
systems which are undetermined are considered a server if they fall inside a 
network known to contain other servers.  Router has a greater chance of
successfully splitting clients and servers but is not 100% foolproof.
@item
@var{client}
Client mode works just like bridge mode, except that unclassified systems are
treated as clients.  Client mode should always complete successfully.
@item
@var{server}
Server mode works just like bridge mode, except that unclassified systems are
treated as servers.  Server mode should always complete successfully.
@end table
EOText;
};


flag = {
    name        = cidr;
    value       = c;
    descrip     = "CIDR-split mode";
    arg-type    = string;
    max         = 1;
    flags-cant  = auto;
    flags-cant  = port;
    flags-cant  = regex;
    flag-code   = <<- EOCidr
  
    char *cidr = safe_strdup(OPT_ARG(CIDR));
    options.mode = CIDR_MODE;
    if (!parse_cidr(&options.cidrdata, cidr, ","))
        errx(1, "Unable to parse CIDR map: %s", OPT_ARG(CIDR));
    free(cidr);

EOCidr;
    doc         = <<- EOText
Specify a comma delimited list of CIDR netblocks to match against
the source IP of each packet.  Packets matching any of the CIDR's
are classified as servers.
EOText;
};

flag = {
    name        = regex;
    value       = r;
    descrip     = "Regex-split mode";
    arg-type    = string;
    max         = 1;
    flags-cant  = auto;
    flags-cant  = port;
    flags-cant  = cidr;
    flag-code   = <<- EORegex
    
    int regex_error;
    char ebuf[EBUF_SIZE];
    
    options.mode = REGEX_MODE;
    if ((regex_error = regcomp(&options.preg, OPT_ARG(REGEX), 
        REG_EXTENDED|REG_NOSUB))) {
        regerror(regex_error, &options.preg, ebuf, EBUF_SIZE);
        errx(1, "Unable to compile regex: %s", ebuf);
    }
    
EORegex;
    doc         = <<- EOText
Specify a regular expression to match against the source IP of each
packet.  Packets matching the regex are classified as servers.
EOText;
};

flag = {
    name        = port;
    value       = p;
    descrip     = "Port-split mode";
    flags-cant  = auto;
    flags-cant  = regex;
    flags-cant  = cidr;
    flag-code   = <<- EOPort
    
    options.mode = PORT_MODE;
    
EOPort;
    doc         = <<- EOText
Specifies that TCP and UDP traffic should be classified as client
or server based upon the destination port of the header.
EOText;
};

flag = {
    name        = comment;
    value       = C;
    arg-type    = string;
    max         = 1;
    descrip     = "Embeded cache file comment";
    flag-code   = <<- EOComment

    /* our comment_len is only 16bit - myargs[] */
    if (strlen(OPT_ARG(COMMENT)) > ((1 << 16) - 1 - MYARGS_LEN))
                errx(1, "Comment length %d is longer then max allowed (%d)", 
                strlen(OPT_ARG(COMMENT)), (1 << 16) - 1 - MYARGS_LEN);
    
    /* save the comment */
    options.comment = (char *)safe_malloc(strlen(OPT_ARG(COMMENT)) + 1);
    strcpy(options.comment, OPT_ARG(COMMENT));
    
EOComment;
    doc         = <<- EOText
Specify a comment to be imbedded within the output cache file and later
viewed.
EOText;
};

flag = {
	name		= no-arg-comment;
	max			= 1;
	descrip		= "Do not embed any cache file comment";
	flag-code	= <<- EOCode

options.nocomment = 1;
EOCode;
	doc			= <<- EOText
By default, tcpprep includes the arguments passed on the command line
in the cache file comment (in addition to any user specified --comment).
If for some reason you do not wish to include this, specify this option.
EOText;
};


/* Include/Exclude */
flag = {
    name        = include;
    value       = x;
    arg-type    = string;
    max         = 1;
    descrip     = "Include only packets matching rule";
    flags-cant  = exclude;
    flag-code   = <<- EOInclude
    
    char *include;
    
    include = safe_strdup(OPT_ARG(INCLUDE));
    options.xX.mode = xX_MODE_INCLUDE;
        
    if ((options.xX.mode = parse_xX_str(&options.xX, include, &options.bpf)) == 0)
        errx(1, "Unable to parse include/exclude rule: %s", OPT_ARG(INCLUDE));

    free(include);
    
EOInclude;
    doc         = <<- EOText
Override default of sending all packets stored in the capture file and only
send packets which match the provided rule.  Rules can be one of:

@table @bullet
@item S:<CIDR1>,... 
- Source IP must match specified CIDR(s)
@item D:<CIDR1>,... 
- Destination IP must match specified CIDR(s)
@item B:<CIDR1>,... 
- Both source and destination IP must match specified CIDR(s)
@item E:<CIDR1>,... 
- Either IP must match specified CIDR(s)
@item P:<LIST>      
- Must be one of the listed packets where the list
corresponds to the packet number in the capture file.
@example
-x P:1-5,9,15,72-
@end example
would send packets 1 thru 5, the 9th and 15th packet, and packets 72 until the
end of the file
@item F:'<bpf>'
- BPF filter.  See the @file{tcpdump(8)} man page for syntax.
@end table
EOText;
};

flag = {
    name        = exclude;
    value       = X;
    arg-type    = string;
    max         = 1;
    descrip     = "Exclude any packet matching this rule";
    flags-cant  = include;
    flag-code   = <<- EOExclude
    
    char *exclude;
    
    exclude = safe_strdup(OPT_ARG(EXCLUDE));
    options.xX.mode = xX_MODE_EXCLUDE;
    
    if ((options.xX.mode = parse_xX_str(&options.xX, exclude, &options.bpf)) == 0)
        errx(1, "Unable to parse include/exclude rule: %s", OPT_ARG(EXCLUDE));
    
    free(exclude);
    
EOExclude;
    doc         = <<- EOText
Override default of sending all packets stored in the capture file and only
send packets which do not match the provided rule.  Rules can be one of:

@table @bullet
@item S:<CIDR1>,... 
- Source IP must not match specified CIDR(s)
@item D:<CIDR1>,... 
- Destination IP must not match specified CIDR(s)
@item B:<CIDR1>,... 
- Both source and destination IP must not match specified CIDR(s)
@item E:<CIDR1>,... 
- Either IP must not match specified CIDR(s)
@item P:<LIST>      
- Must not be one of the listed packets where the list
corresponds to the packet number in the capture file.
@example
-x P:1-5,9,15,72-
@end example
would drop packets 1 thru 5, the 9th and 15th packet, and packets 72 until the
end of the file
@end table
EOText;
};

flag = {
    name        = cachefile;
    value       = o;
    arg-type    = string;
    max         = 1;
    descrip     = "Output cache file";
    doc         = "";
};

flag = {
    name        = pcap;
    value       = i;
    descrip     = "Input pcap file to process";
    arg-type    = string;
    max         = 1;
    doc         = "";
};

flag = {
    name        = print-comment;
    value       = P;
    arg-type	= string;
    descrip     = "Print embedded comment in the specified cache file";
    doc         = "";
};

flag = {
    name        = print-info;
    value       = I;
    arg-type	= string;
    descrip     = "Print basic info from the specified cache file";
    doc         = "";
};

flag = {
    name        = services;
    value       = s;
    descrip     = "Load services file for server ports";
    flag-must   = port;
    arg-type    = string;
    flag-code   = <<- EOServices
    
    parse_services(OPT_ARG(SERVICES), &options.services);
    
EOServices;
};

flag = {
    name        = nonip;
    value       = N;
    descrip     = "Send non-IP traffic out server interface";
    flag-code   = <<- EONonip
 
    options.nonip = SERVER;
    
EONonip;
    doc         = <<- EOText
By default, non-IP traffic which can not be classified as client
or server is classified as "client".  Specifiying @samp{--nonip}
will reclassify non-IP traffic as "server".
EOText;
};


flag = {
    name        = ratio;
    value       = R;
    arg-type    = string;
    max         = 1;
    flags-must  = auto;
    descrip     = "Ratio of client to server packets";
    flag-code   = <<- EORatio
  
    options.ratio = atof(OPT_ARG(RATIO));
    
EORatio;
    doc         = <<- EOText
Since a given host may have both client and server traffic being sent
to/from it, tcpprep uses a ratio to weigh these packets.  If you would
like to override the default of 2:1 server to client packets required for
a host to be classified as a server, specify it as a floating point value.
EOText;
};


flag = {
    name        = minmask;
    value       = m;
    descrip     = "Minimum network mask length in auto mode";
    flags-must  = auto;
    max         = 1;
    arg-type    = number;
    arg-range   = "0->32";
    doc         = <<- EOText
By default, auto modes use a minimum network mask length of 30 bits
to build networks containing clients and servers.  This allows you
to override this value.  Larger values will increase performance but
may provide inaccurate results.
EOText;
};

flag = {
    name        = maxmask;
    value       = M;
    descrip     = "Maximum network mask length in auto mode";
    flags-must  = auto;
    max         = 1;
    arg-type    = number;
    arg-range   = "0->32";
    doc         = <<- EOText
By default, auto modes use a maximum network mask length of 8 bits
to build networks containing clients and servers.  This allows you
to override this value.  Larger values will decrease performance
and accuracy but will provide greater chance of success.
EOText;
};

flag = {
    ifdef       = HAVE_TCPDUMP;
    name        = verbose;
    value       = v;
    max         = 1;
    immediate;
    descrip     = "Print decoded packets via tcpdump to STDOUT";
    settable;
    doc         = "";
};

flag = {
    ifdef       = HAVE_TCPDUMP;
    name        = decode;
    flags-must  = verbose;
    value       = A;
    arg-type    = string;
    max         = 1;
    descrip     = "Arguments passed to tcpdump decoder";
    doc         = <<- EOText
When enabling verbose mode (@samp{-v}) you may also specify one or
more additional arguments to pass to @code{tcpdump} to modify
the way packets are decoded.  By default, -n and -l are used.
Be sure to quote the arguments so that they are not interpreted
by tcprewrite.  The following arguments are valid:
    [ -aAeNqRStuvxX ]
    [ -E spi@ipaddr algo:secret,... ]
    [ -s snaplen ]
EOText;
};


flag = {
    name        = version;
    value       = V;
    descrip     = "Print version information";
    flag-code   = <<- EOVersion
    
    fprintf(stderr, "tcpprep version: %s (build %s)", VERSION, svn_version());
#ifdef DEBUG
    fprintf(stderr, " (debug)");
#endif
    fprintf(stderr, "\n");
	fprintf(stderr, "Copyright 2001-2005 by Aaron Turner <aturner@pobox.com>\n");
    fprintf(stderr, "Cache file supported: %s\n", CACHEVERSION);
    fprintf(stderr, "Compiled against libnet: %s\n", LIBNET_VERSION);
    fprintf(stderr, "Compiled against libpcap: %s\n", pcap_version);
#ifdef ENABLE_64BITS
    fprintf(stderr, "64 bit packet counters: enabled\n");
#else
    fprintf(stderr, "64 bit packet counters: disabled\n");
#endif
#ifdef HAVE_TCPDUMP
    fprintf(stderr, "Verbose printing via tcpdump: enabled\n");
#else
    fprintf(stderr, "Verbose printing via tcpdump: disabled\n");
#endif
    exit(0);
    
EOVersion;
    doc         = "";
};

flag = {
    name        = less-help;
    value       = "h";
    immediate;
    descrip     = "Display less usage information and exit";
    flag-code   = <<- EOHelp
  
    USAGE(EXIT_FAILURE);

EOHelp;
};