TCPPREP(1) Programmer's Manual TCPPREP(1)

tcpprep - Create a tcpreplay cache file from a pcap file.

tcpprep [-flag [value]]... [--opt-name [[=| ]value]]...

All arguments must be options.

tcpprep is a pcap(3) file pre-processor which creates a cache file
which provides "rules" for tcprewrite(1) and tcpreplay(1) on how to
process and send packets.

This manual page briefly documents the tcpprep command. The basic
operation of tcpreplay is to resend all packets from the input file(s)
out a single file. Tcpprep processes a pcap file and applies a set of
user-specified rules to create a cache file which tells tcpreplay
whether or not to send each packet and which interface the packet should
be sent out of.

For more details, please see the Tcpreplay Manual at:
http://tcpreplay.synfin.net/trac/wiki/manual

-d number, --dbug=number
Enable debugging output. This option may appear at most once.
This option takes an integer number as its argument. The value
of number is constrained to being:
    in the range 0 through 5
The default number for this option is:
    0

If configured with --enable-debug, then you can specify a verbosity
level for debugging output. Higher numbers increase verbosity.

-a string, --auto=string
Auto-split mode. This option may appear at most once. This
option must not appear in combination with any of the following
options: cidr, port, regex, mac.

Tcpprep will try to automatically determine the primary function
of hosts based on the traffic captured and classify each host as
client or server. In order to do so, you must provide a hint to
tcpprep as to how to search for clients and servers. Valid
hints are:

bridge - Bridge mode processes each packet to try to determine if
the sender is a client or server. Once all the packets are processed,
the results are weighed according to the server/client ratio (--ratio)
and systems are assigned an interface. If tcpprep is unable to
determine what role a system plays, tcpprep will abort.

router - Router mode works just like bridge mode, except that
after weighing is done, systems which are undetermined are considered
a server if they fall inside a network known to contain other servers.
Router has a greater chance of successfully splitting clients and
servers but is not 100% foolproof.

client - Client mode works just like bridge mode, except that
unclassified systems are treated as clients. Client mode should
always complete successfully.

server - Server mode works just like bridge mode, except that
unclassified systems are treated as servers. Server mode should
always complete successfully.

first - First mode works by looking at the first time each IP is
seen in the SRC and DST fields in the IP header. If the host is
first seen in the SRC field, it is marked as a client, and if it is
first seen in the DST field, it is marked as a server. This
effectively replicates the processing of the tomahawk test tool.
First mode should always complete successfully.

-c string, --cidr=string
CIDR-split mode. This option may appear at most once. This
option must not appear in combination with any of the following
options: auto, port, regex, mac.

Specify a comma-delimited list of CIDR netblocks to match
against the source IP of each packet. Packets matching any of
the CIDRs are classified as servers.

IPv4 Example:
    --cidr=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
IPv6 Example:
    --cidr=[::ffff:0:0/96],[fe80::/16]

-r string, --regex=string
Regex-split mode. This option may appear at most once. This
option must not appear in combination with any of the following
options: auto, port, cidr, mac.

Specify a regular expression to match against the source IP of
each packet. Packets matching the regex are classified as
servers.

-p, --port
Port-split mode. This option may appear at most once. This
option must not appear in combination with any of the following
options: auto, regex, cidr, mac.

Specifies that TCP and UDP traffic over IPv4 and IPv6 should be
classified as client or server based upon the destination port
of the header.

-e string, --mac=string
Source MAC split mode. This option may appear at most once.
This option must not appear in combination with any of the
following options: auto, regex, cidr, port.

Specify a list of MAC addresses to match against the source MAC
of each packet. Packets matching one of the values are classified
as servers.

--reverse
Matches to be client instead of server. This option may appear
at most once.

Normally the --mac, --regex and --cidr flags are used to
specify the servers and non-IP packets are classified as
clients. By using --reverse, these features are reversed so
that the flags specify clients and non-IP packets are classified
as servers.

-C string, --comment=string
Embedded cache file comment. This option may appear at most once.

Specify a comment to be embedded within the output cache file
and later viewed.

--no-arg-comment
Do not embed any cache file comment. This option may appear at
most once.

By default, tcpprep includes the arguments passed on the command
line in the cache file comment (in addition to any user specified
--comment). If for some reason you do not wish to include
this, specify this option.

-x string, --include=string
Include only packets matching rule. This option may appear at
most once. This option must not appear in combination with any
of the following options: exclude.

Override default of processing all packets stored in the capture
file and only send/edit packets which match the provided rule.
Rules can be one of:

S:<CIDR1>,... - Source IP must match specified IPv4/v6 CIDR(s)

D:<CIDR1>,... - Destination IP must match specified IPv4/v6
CIDR(s)

B:<CIDR1>,... - Both source and destination IP must match
specified IPv4/v6 CIDR(s)

E:<CIDR1>,... - Either IP must match specified IPv4/v6 CIDR(s)

P:<LIST> - Must be one of the listed packets where the list
corresponds to the packet number in the capture file.
    -x P:1-5,9,15,72-
would process packets 1 through 5, the 9th and 15th packet, and
packets 72 until the end of the file

F:'<bpf>' - BPF filter. See the tcpdump(8) man page for syntax.

-X string, --exclude=string
Exclude any packet matching this rule. This option may appear
at most once. This option must not appear in combination with
any of the following options: include.

Override default of processing all packets stored in the capture
file and only send/edit packets which do NOT match the provided
rule. Rules can be one of:

S:<CIDR1>,... - Source IP must not match specified IPv4/v6
CIDR(s)

D:<CIDR1>,... - Destination IP must not match specified IPv4/v6
CIDR(s)

B:<CIDR1>,... - Both source and destination IP must not match
specified IPv4/v6 CIDR(s)

E:<CIDR1>,... - Either IP must not match specified IPv4/v6
CIDR(s)

P:<LIST> - Must not be one of the listed packets where the list
corresponds to the packet number in the capture file.
    -X P:1-5,9,15,72-
would skip packets 1 through 5, the 9th and 15th packet, and
packets 72 until the end of the file

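The --include and --exclude rule syntax above can be modelled as follows. This is an added example, not code from tcpprep; it assumes that an exclude rule is the logical negation of the same include rule, that bracketed IPv6 CIDRs are accepted as in the --cidr example, and it does not model F:'<bpf>'. The function names and addresses are constructed for illustration.

```python
import ipaddress

def parse_packet_list(spec):
    """Parse '1-5,9,15,72-' into (first, last) pairs; last=None means 'to end of file'."""
    ranges = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ranges.append((int(lo), int(hi) if hi else None))
        else:
            ranges.append((int(part), int(part)))
    return ranges

def rule_matches(rule, pkt_no, src, dst):
    """True if packet number pkt_no with addresses src/dst matches an S/D/B/E/P rule."""
    kind, _, arg = rule.partition(":")
    if kind == "P":
        return any(lo <= pkt_no and (hi is None or pkt_no <= hi)
                   for lo, hi in parse_packet_list(arg))
    if kind not in ("S", "D", "B", "E"):
        raise ValueError("unsupported rule type: " + kind)  # F: is not modelled
    # Assumption: brackets around IPv6 CIDRs are optional and simply stripped.
    nets = [ipaddress.ip_network(c.strip("[]"), strict=False) for c in arg.split(",")]

    def hit(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip.version == n.version and ip in n for n in nets)

    s, d = hit(src), hit(dst)
    return {"S": s, "D": d, "B": s and d, "E": s or d}[kind]

def selected(pkt_no, src, dst, include=None, exclude=None):
    """Apply --include or --exclude (mutually exclusive); default is every packet."""
    if include and exclude:
        raise ValueError("--include and --exclude must not be combined")
    if include:
        return rule_matches(include, pkt_no, src, dst)
    if exclude:
        return not rule_matches(exclude, pkt_no, src, dst)  # assumed negation
    return True

if __name__ == "__main__":
    # Constructed capture of 100 packets, all 10.1.1.1 -> 192.168.0.5.
    kept = [n for n in range(1, 101)
            if selected(n, "10.1.1.1", "192.168.0.5", include="P:1-5,9,15,72-")]
    print(len(kept), kept[:8])
```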
-o string, --cachefile=string
Output cache file. This option may appear at most once.

-i string, --pcap=string
Input pcap file to process. This option may appear at most once.

-P string, --print-comment=string
Print embedded comment in the specified cache file. This option
may appear at most once.

-I string, --print-info=string
Print basic info from the specified cache file. This option may
appear at most once.

-S string, --print-stats=string
Print statistical information about the specified cache file.
This option may appear at most once.

-s string, --services=string
Load services file for server ports. This option may appear at
most once. This option must appear in combination with the
following options: port.

Uses a list of ports used by servers in the same format as
/etc/services: <service_name> <port>/<protocol> # comment

Example: http 80/tcp

-N, --nonip
Send non-IP traffic out server interface. This option may
appear at most once.

By default, non-IP traffic which cannot be classified as client
or server is classified as "client". Specifying --nonip will
reclassify non-IP traffic as "server". Note that the meaning of
this flag is reversed if --reverse is used.

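How --cidr, --reverse and --nonip combine is easy to get wrong when preparing a split replay, so here is a small model of the behaviour described above. It is an added example, not tcpprep's own code; it assumes that --reverse flips every classification, including that of IP packets whose source does not match, and the sample addresses are constructed.

```python
import ipaddress

def parse_cidr_list(value):
    """Parse a --cidr value; IPv6 entries may be bracketed as on this page."""
    return [ipaddress.ip_network(item.strip("[]"), strict=False)
            for item in value.split(",")]

def classify(src_ip, cidrs, reverse=False, nonip=False):
    """Return 'server' or 'client'. src_ip is None for a non-IP frame."""
    if src_ip is None:
        # Non-IP traffic defaults to client; --nonip sends it to the server side.
        side = "server" if nonip else "client"
    else:
        ip = ipaddress.ip_address(src_ip)
        # A source IP inside any listed netblock marks the packet as server.
        side = "server" if any(ip in net for net in cidrs) else "client"
    if reverse:
        # Assumption: --reverse swaps the outcome of every decision above.
        side = "client" if side == "server" else "server"
    return side

# Constructed sample: source addresses of four frames (None = non-IP, e.g. ARP).
SAMPLE_SOURCES = ["192.168.1.10", "203.0.113.7", "fe80::1", None]

def split_table(cidr_value="192.168.0.0/16,[fe80::/16]"):
    """Classify the sample under every --reverse / --nonip combination."""
    cidrs = parse_cidr_list(cidr_value)
    return {(rev, non): [classify(s, cidrs, rev, non) for s in SAMPLE_SOURCES]
            for rev in (False, True) for non in (False, True)}

if __name__ == "__main__":
    for (rev, non), sides in split_table().items():
        print(f"reverse={rev!s:5} nonip={non!s:5} {sides}")
```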
-R string, --ratio=string
Ratio of client to server packets. This option may appear at
most once. This option must appear in combination with the
following options: auto. The default string for this option is:
    2.0

Since a given host may have both client and server traffic being
sent to/from it, tcpprep uses a ratio to weigh these packets.
If you would like to override the default of 2:1 server to
client packets required for a host to be classified as a server,
specify it as a floating point value.

-m number, --minmask=number
Minimum network mask length in auto mode. This option may
appear at most once. This option must appear in combination
with the following options: auto. This option takes an integer
number as its argument. The value of number is constrained to
being:
    in the range 0 through 32
The default number for this option is:
    30

By default, auto modes use a minimum network mask length of 30
bits to build networks containing clients and servers. This
allows you to override this value. Larger values will increase
performance but may provide inaccurate results.

-M number, --maxmask=number
Maximum network mask length in auto mode. This option may
appear at most once. This option must appear in combination
with the following options: auto. This option takes an integer
number as its argument. The value of number is constrained to
being:
    in the range 0 through 32
The default number for this option is:
    8

By default, auto modes use a maximum network mask length of 8
bits to build networks containing clients and servers. This
allows you to override this value. Larger values will decrease
performance and accuracy but will provide greater chance of
success.

-v, --verbose
Print decoded packets via tcpdump to STDOUT. This option may
appear at most once.

-A string, --decode=string
Arguments passed to tcpdump decoder. This option may appear at
most once. This option must appear in combination with the
following options: verbose.

When enabling verbose mode (-v) you may also specify one or more
additional arguments to pass to tcpdump to modify the way packets
are decoded. By default, -n and -l are used. Be sure to
quote the arguments so that they are not interpreted by
tcprewrite. The following arguments are valid:
    [ -aAeNqRStuvxX ]
    [ -E spi@ipaddr algo:secret,... ]
    [ -s snaplen ]

-V, --version
Print version information.

-h, --less-help
Display less usage information and exit.

This option has not been fully documented.

-H, --help
Display usage information and exit.

-!, --more-help
Extended usage information passed thru pager.

-> [rcfile], --save-opts[=rcfile]
Save the option state to rcfile. The default is the last
configuration file listed in the OPTION PRESETS section, below.

-< rcfile, --load-opts=rcfile, --no-load-opts
Load options from rcfile. The no-load-opts form will disable
the loading of earlier RC/INI files. --no-load-opts is handled
early, out of order.

Any option that is not marked as not presettable may be preset by
loading values from configuration ("RC" or ".INI") file(s). The homerc
file is "$$/", unless that is a directory. In that case, the file
".tcppreprc" is searched for within that directory.

tcpdump(1), tcprewrite(1), tcpreplay(1)

Copyright 2000-2010 Aaron Turner

For support please use the tcpreplay-users@lists.sourceforge.net
mailing list.

The latest version of this software is always available from:
http://tcpreplay.synfin.net/

Released under the Free BSD License.

This manual page was AutoGen-erated from the tcpprep option
definitions.

(tcpprep ) 2010-04-04 TCPPREP(1)