TCPREWRITE(1) Programmer's Manual TCPREWRITE(1)

NAME
       tcprewrite - Rewrite the packets in a pcap file.

SYNOPSIS
       tcprewrite [-flag [value]]... [--opt-name [[=| ]value]]...

       All arguments must be options.

DESCRIPTION
       This manual page briefly documents the tcprewrite command. Tcprewrite
       is a tool to rewrite packets stored in pcap(3) file format, such as
       those created by tools such as tcpdump(1) and ethereal(1). Once a pcap
       file has had its packets rewritten, they can be replayed back out on
       the network using tcpreplay(1).

       tcprewrite currently supports reading the following DLT types:

       DLT_C_HDLC aka Cisco HDLC

       DLT_EN10MB aka Ethernet

       DLT_LINUX_SLL aka Linux Cooked Socket

       DLT_RAW aka RAW IP

       DLT_NULL aka BSD Loopback

       DLT_LOOP aka OpenBSD Loopback

       DLT_IEEE802_11 aka 802.11a/b/g

       DLT_IEEE802_11_RADIO aka 802.11a/b/g with Radiotap headers

       Please see the --dlt option for supported DLT types for writing.

       The packet editing features of tcprewrite which distinguish between
       "client" and "server" traffic require a tcpprep(1) cache file.

       For more details, please see the Tcpreplay Manual at:
       http://tcpreplay.synfin.net/trac/wiki/manual

OPTIONS
       -r string, --portmap=string
              Rewrite TCP/UDP ports. This option may appear an unlimited
              number of times.

              Specify a list of comma delimited port mappings consisting of
              colon delimited port number pairs. Each colon delimited port
              pair consists of the port to match followed by the port number
              to rewrite.

              Examples:
                  --portmap=80:8000 --portmap=8080:80   # 80->8000 and 8080->80
                  --portmap=8000,8080,88888:80          # 3 different ports become 80
                  --portmap=8000-8999:80                # ports 8000 to 8999 become 80

       -s number, --seed=number
              Randomize src/dst IPv4/v6 addresses w/ given seed. This option
              may appear up to 1 times. This option takes an integer number
              as its argument.

              Causes the source and destination IPv4/v6 addresses to be pseudo
              randomized but still maintain client/server relationships.
              Since the randomization is deterministic based on the seed, you
              can reuse the same seed value to recreate the traffic.

       -N string, --pnat=string
              Rewrite IPv4/v6 addresses using pseudo-NAT. This option may
              appear up to 2 times. This option must not appear in
              combination with any of the following options: srcipmap.

              Takes a comma delimited series of colon delimited CIDR netblock
              pairs. Each netblock pair is evaluated in order against the IP
              addresses. If the IP address in the packet matches the first
              netblock, it is rewritten using the second netblock as a mask
              against the high order bits.

              IPv4 Example:
                  --pnat=192.168.0.0/16:10.77.0.0/16,172.16.0.0/12:10.1.0.0/24
              IPv6 Example:
                  --pnat=[2001:db8::/32]:[dead::/16],[2001:db8::/32]:[::ffff:0:0/96]

       -S string, --srcipmap=string
              Rewrite source IPv4/v6 addresses using pseudo-NAT. This option
              may appear up to 1 times. This option must not appear in
              combination with any of the following options: pnat.

              Works just like the --pnat option, but only affects the source
              IP addresses in the IPv4/v6 header.

       -D string, --dstipmap=string
              Rewrite destination IPv4/v6 addresses using pseudo-NAT. This
              option may appear up to 1 times. This option must not appear in
              combination with any of the following options: pnat.

              Works just like the --pnat option, but only affects the
              destination IP addresses in the IPv4/v6 header.
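
The pseudo-NAT mapping used by --pnat, --srcipmap and --dstipmap can be modelled offline to preview what a netblock list will do to a capture's addresses. The following is an added example, not tcprewrite's own code: it follows the description above for IPv4 only, assumes an address that matches no pair is left unchanged, and the names parse_pnat, remap and collisions are hypothetical.

```python
import ipaddress

# Constructed inputs: the IPv4 --pnat value from the example above and a few sample addresses.
PNAT_SPEC = "192.168.0.0/16:10.77.0.0/16,172.16.0.0/12:10.1.0.0/24"
SAMPLE = ["192.168.5.9", "172.16.5.9", "172.17.9.9", "8.8.8.8"]


def parse_pnat(spec):
    """Split an IPv4 --pnat value into ordered (match, target) network pairs."""
    pairs = []
    for item in spec.split(","):
        match, target = item.split(":")
        pairs.append((ipaddress.ip_network(match), ipaddress.ip_network(target)))
    return pairs


def remap(addr, pairs):
    """Apply the first matching pair: target prefix bits plus original host bits."""
    ip = ipaddress.ip_address(addr)
    for match, target in pairs:
        if ip in match:
            # Keep only the bits outside the target prefix, then lay the
            # target network over the high-order bits.
            host_bits = int(ip) & int(target.hostmask)
            return str(ipaddress.ip_address(int(target.network_address) | host_bits))
    return addr  # assumption: an address matching no pair is left unchanged


def collisions(addrs, pairs):
    """Return {rewritten: [originals]} where several inputs map to one output."""
    seen = {}
    for addr in addrs:
        seen.setdefault(remap(addr, pairs), set()).add(addr)
    return {new: sorted(old) for new, old in seen.items() if len(old) > 1}


if __name__ == "__main__":
    pairs = parse_pnat(PNAT_SPEC)
    for addr in SAMPLE:
        print(f"{addr:>15} -> {remap(addr, pairs)}")
    print("collisions:", collisions(SAMPLE, pairs))
```

The second pair maps a /12 onto a /24, so distinct hosts that share a final octet collapse to one address; check for this before relying on a rewritten capture for per-host analysis.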

       -e string, --endpoints=string
              Rewrite IP addresses to be between two endpoints. This option
              may appear up to 1 times. This option must appear in
              combination with the following options: cachefile.

              Takes a pair of colon delimited IPv4/v6 addresses which will be
              used to rewrite all traffic to appear to be between the two
              IP's.

              IPv4 Example:
                  --endpoints=172.16.0.1:172.16.0.2
              IPv6 Example:
                  --endpoints=[2001:db8::dead:beef]:[::ffff:0:0:ac:f:0:2]

       -b, --skipbroadcast
              Skip rewriting broadcast/multicast IPv4/v6 addresses.

              By default --seed, --pnat and --endpoints will rewrite broadcast
              and multicast IPv4/v6 and MAC addresses. Setting this flag will
              keep broadcast/multicast IPv4/v6 and MAC addresses from being
              rewritten.

       -C, --fixcsum
              Force recalculation of IPv4/TCP/UDP header checksums.

              Causes each IPv4/v6 packet to have its checksums recalculated
              and fixed. Automatically enabled for packets modified with
              --seed, --pnat, --endpoints or --fixlen.

       -m number, --mtu=number
              Override default MTU length (1500 bytes). This option may
              appear up to 1 times. This option takes an integer number as
              its argument. The value of number is constrained to being:
                  in the range 1 through MAXPACKET

              Override the default 1500 byte MTU size for determining the
              maximum padding length (--fixlen=pad) or when truncating
              (--mtu-trunc).

       --mtu-trunc
              Truncate packets larger than specified MTU. This option may
              appear up to 1 times.

              Similar to --fixlen, this option will truncate data in packets
              from Layer 3 and above to be no larger than the MTU.

       -E, --efcs
              Remove Ethernet checksums (FCS) from end of frames.

              Note, this option is pretty dangerous! We don't actually check
              to see if a FCS actually exists in the frame, we just blindly
              delete the last two bytes. Hence, you should only use this if
              you know that your OS provides the FCS when reading raw
              packets.

       --ttl=string
              Modify the IPv4/v6 TTL/Hop Limit.

              Allows you to modify the TTL/Hop Limit of all the IPv4/v6
              packets. Specify a number to hard-code the value or +/-value to
              increase or decrease by the value provided (limited to 1-255).

              Examples:
                  --ttl=10
                  --ttl=+7
                  --ttl=-64

       --tos=number
              Set the IPv4 TOS/DiffServ/ECN byte. This option may appear up
              to 1 times. This option takes an integer number as its
              argument. The value of number is constrained to being:
                  in the range 0 through 255

              Allows you to override the TOS (also known as DiffServ/ECN)
              value in IPv4.

       --tclass=number
              Set the IPv6 Traffic Class byte. This option may appear up to 1
              times. This option takes an integer number as its argument.
              The value of number is constrained to being:
                  in the range 0 through 255

              Allows you to override the IPv6 Traffic Class field.

       --flowlabel=number
              Set the IPv6 Flow Label. This option may appear up to 1 times.
              This option takes an integer number as its argument. The value
              of number is constrained to being:
                  in the range 0 through 1048575

              Allows you to override the 20bit IPv6 Flow Label field. Has no
              effect on IPv4 packets.

       -F string, --fixlen=string
              Pad or truncate packet data to match header length. This option
              may appear up to 1 times.

              Packets may be truncated during capture if the snaplen is
              smaller than the packet. This option allows you to modify the
              packet to pad the packet back out to the size stored in the
              IPv4/v6 header or rewrite the IP header total length to reflect
              the stored packet length.

              pad    Truncated packets will be padded out so that the packet
                     length matches the IPv4 total length

              trunc  Truncated packets will have their IPv4 total length field
                     rewritten to match the actual packet length

              del    Delete the packet

       --skipl2broadcast
              Skip rewriting broadcast/multicast Layer 2 addresses.

              By default, editing Layer 2 addresses will rewrite broadcast and
              multicast MAC addresses. Setting this flag will keep
              broadcast/multicast MAC addresses from being rewritten.

       --dlt=string
              Override output DLT encapsulation. This option may appear up to
              1 times.

              By default, no DLT (data link type) conversion will be made. To
              change the DLT type of the output pcap, select one of the
              following values:

              enet   Ethernet aka DLT_EN10MB

              hdlc   Cisco HDLC aka DLT_C_HDLC

              user   User specified Layer 2 header and DLT type

       --enet-dmac=string
              Override destination ethernet MAC addresses. This option may
              appear up to 1 times.

              Takes a pair of comma delimited ethernet MAC addresses which
              will replace the destination MAC address of outbound packets.
              The first MAC address will be used for the server to client
              traffic and the optional second MAC address will be used for the
              client to server traffic.

              Example:
                  --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66

       --enet-smac=string
              Override source ethernet MAC addresses. This option may appear
              up to 1 times.

              Takes a pair of comma delimited ethernet MAC addresses which
              will replace the source MAC address of outbound packets. The
              first MAC address will be used for the server to client traffic
              and the optional second MAC address will be used for the client
              to server traffic.

              Example:
                  --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66

       --enet-vlan=string
              Specify ethernet 802.1q VLAN tag mode. This option may appear
              up to 1 times.

              Allows you to rewrite ethernet frames to add a 802.1q header to
              standard 802.3 ethernet headers or remove the 802.1q VLAN tag
              information.

              add    Rewrites the existing 802.3 ethernet header as an 802.1q
                     VLAN header

              del    Rewrites the existing 802.1q VLAN header as an 802.3
                     ethernet header

       --enet-vlan-tag=number
              Specify the new ethernet 802.1q VLAN tag value. This option may
              appear up to 1 times. This option must appear in combination
              with the following options: enet-vlan. This option takes an
              integer number as its argument. The value of number is
              constrained to being:
                  in the range 0 through 4095

       --enet-vlan-cfi=number
              Specify the ethernet 802.1q VLAN CFI value. This option may
              appear up to 1 times. This option must appear in combination
              with the following options: enet-vlan. This option takes an
              integer number as its argument. The value of number is
              constrained to being:
                  in the range 0 through 1

       --enet-vlan-pri=number
              Specify the ethernet 802.1q VLAN priority. This option may
              appear up to 1 times. This option must appear in combination
              with the following options: enet-vlan. This option takes an
              integer number as its argument. The value of number is
              constrained to being:
                  in the range 0 through 7

       --hdlc-control=number
              Specify HDLC control value. This option may appear up to 1
              times. This option takes an integer number as its argument.

              The Cisco HDLC header has a 1 byte "control" field. Apparently
              this should always be 0, but you can use any 1 byte value.

       --hdlc-address=number
              Specify HDLC address. This option may appear up to 1 times.
              This option takes an integer number as its argument.

              The Cisco HDLC header has a 1 byte "address" field which has two
              valid values:

              0x0F   Unicast

              0xBF   Broadcast

              You can however specify any single byte value.

       --user-dlt=number
              Set output file DLT type. This option may appear up to 1 times.
              This option takes an integer number as its argument.

              Set the DLT value of the output pcap file.

       --user-dlink=string
              Rewrite Data-Link layer with user specified data. This option
              may appear up to 2 times.

              Provide a series of comma delimited hex values which will be
              used to rewrite or create the Layer 2 header of the packets.
              The first instance of this argument will rewrite both server and
              client traffic, but if this argument is specified a second time,
              it will be used for the client traffic.

              Example:
                  --user-dlink=01,02,03,04,05,06,00,1A,2B,3C,4D,5E,6F,08,00

       -d number, --dbug=number
              Enable debugging output. This option may appear up to 1 times.
              This option takes an integer number as its argument. The value
              of number is constrained to being:
                  in the range 0 through 5
              The default number for this option is:
                  0

              If configured with --enable-debug, then you can specify a
              verbosity level for debugging output. Higher numbers increase
              verbosity.

       -i string, --infile=string
              Input pcap file to be processed. This option may appear up to 1
              times.

       -o string, --outfile=string
              Output pcap file. This option may appear up to 1 times.

       -c string, --cachefile=string
              Split traffic via tcpprep cache file. This option may appear up
              to 1 times.

              Use tcpprep cache file to split traffic based upon client/server
              relationships.

       -v, --verbose
              Print decoded packets via tcpdump to STDOUT. This option may
              appear up to 1 times.

       -A string, --decode=string
              Arguments passed to tcpdump decoder. This option may appear up
              to 1 times. This option must appear in combination with the
              following options: verbose.

              When enabling verbose mode (-v) you may also specify one or more
              additional arguments to pass to tcpdump to modify the way
              packets are decoded. By default, -n and -l are used. Be sure to
              quote the arguments so that they are not interpreted by
              tcprewrite. Please see the tcpdump(1) man page for a complete
              list of options.

       --fragroute=string
              Parse fragroute configuration file. This option may appear up
              to 1 times.

              Enable advanced evasion techniques using the built-in
              fragroute(8) engine. See the fragroute(8) man page for more
              details. Important: tcprewrite does not support the delay, echo
              or print commands.

       --fragdir=string
              Which flows to apply fragroute to: c2s, s2c, both. This option
              may appear up to 1 times. This option must appear in
              combination with the following options: cachefile.

              Apply the fragroute engine to packets going c2s, s2c or both
              when using a cache file.

       --skip-soft-errors
              Skip writing packets with soft errors. This option may appear
              up to 1 times.

              In some cases, packets can't be decoded or the requested editing
              is not possible. Normally these packets are written to the
              output file unedited so that tcpprep cache files can still be
              used, but if you wish, these packets can be suppressed.

              One example of this is 802.11 management frames which contain no
              data.

       -V, --version
              Print version information.

       -h, --less-help
              Display less usage information and exit.

       -H, --help
              Display usage information and exit.

       -!, --more-help
              Extended usage information passed thru pager.

       -> [rcfile], --save-opts[=rcfile]
              Save the option state to rcfile. The default is the last
              configuration file listed in the OPTION PRESETS section, below.

       -< rcfile, --load-opts=rcfile, --no-load-opts
              Load options from rcfile. The no-load-opts form will disable
              the loading of earlier RC/INI files. --no-load-opts is handled
              early, out of order.

OPTION PRESETS
       Any option that is not marked as not presettable may be preset by
       loading values from configuration ("RC" or ".INI") file(s). The homerc
       file is "$$/", unless that is a directory. In that case, the file
       ".tcprewriterc" is searched for within that directory.

SEE ALSO
       tcpdump(1), tcpprep(1), tcpreplay(1)

AUTHOR
       Copyright 2000-2010 Aaron Turner

       For support please use the tcpreplay-users@lists.sourceforge.net
       mailing list.

       The latest version of this software is always available from:
       http://tcpreplay.synfin.net/

       Released under the Free BSD License.

       This manual page was AutoGen-erated from the tcprewrite option
       definitions.

(tcprewrite ) 2010-04-04 TCPREWRITE(1)