TCPREWRITE(1)                 Programmer's Manual                TCPREWRITE(1)

NAME

       tcprewrite - Rewrite the packets in a pcap file.

SYNOPSIS

       tcprewrite [-flag [value]]... [--opt-name [[=| ]value]]...

       All arguments must be options.

DESCRIPTION

       This manual page documents, briefly, the tcprewrite command.
       Tcprewrite is a tool to rewrite packets stored in pcap(3) file format,
       such as those created by tools such as tcpdump(1) and ethereal(1).  Once
       a pcap file has had its packets rewritten, they can be replayed back out
       on the network using tcpreplay(1).

       tcprewrite currently supports reading the following DLT types:

       DLT_C_HDLC aka Cisco HDLC

       DLT_EN10MB aka Ethernet

       DLT_LINUX_SLL aka Linux Cooked Socket

       DLT_RAW aka RAW IP

       DLT_NULL aka BSD Loopback

       DLT_LOOP aka OpenBSD Loopback

       DLT_IEEE802_11 aka 802.11a/b/g

       DLT_IEEE802_11_RADIO aka 802.11a/b/g with Radiotap headers

       Please see the --dlt option for supported DLT types for writing.

       The packet editing features of tcprewrite which distinguish between
       "client" and "server" traffic require a tcpprep(1) cache file.

       For more details, please see the Tcpreplay Manual at:
       http://tcpreplay.synfin.net/trac/wiki/manual

OPTIONS

       -r string, --portmap=string
              Rewrite TCP/UDP ports.  This option may appear up to 1 times.

              Specify a list of comma delimited port mappings consisting of
              colon delimited port number pairs.  Each colon delimited port
              pair consists of the port to match followed by the port number
              to rewrite.

              Example:
                  --portmap=80:8000,8080:80

       -s number, --seed=number
              Randomize src/dst IP addresses w/ given seed.  This option may
              appear up to 1 times.  This option takes an integer number as
              its argument.

              Causes the source and destination IP addresses to be
              pseudo-randomized but still maintain client/server
              relationships.  Since the randomization is deterministic based
              on the seed, you can reuse the same seed value to recreate the
              traffic.

       -N string, --pnat=string
              Rewrite IP addresses using pseudo-NAT.  This option may appear
              up to 2 times.  This option must not appear in combination with
              any of the following options: srcipmap.

              Takes a comma delimited series of colon delimited CIDR netblock
              pairs.  Each netblock pair is evaluated in order against the IP
              addresses.  If the IP address in the packet matches the first
              netblock, it is rewritten using the second netblock as a mask
              against the high order bits.

              Example:
                  --pnat=192.168.0.0/16:10.77.0.0/16,172.16.0.0/12:10.1.0.0/24

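              The mapping described above, modelled in Python as an added
              example (not tcprewrite's own code; IPv4 only, and the function
              names are illustrative).  The first matching pair wins, the
              target netblock supplies the high order bits and the packet's
              host bits are kept, so mapping a wide block into a narrow one
              makes distinct hosts collide.

```python
import ipaddress

# The --pnat value from the example above.
PNAT_SPEC = "192.168.0.0/16:10.77.0.0/16,172.16.0.0/12:10.1.0.0/24"


def parse_pnat(spec):
    """Split 'match:target,match:target' into an ordered list of network pairs."""
    rules = []
    for pair in spec.split(","):
        match, target = pair.split(":")
        rules.append((ipaddress.IPv4Network(match), ipaddress.IPv4Network(target)))
    return rules


def pnat(addr, rules):
    """Rewrite one address: first matching pair wins, unmatched addresses pass through."""
    ip = ipaddress.IPv4Address(addr)
    for match, target in rules:
        if ip in match:
            # Keep only the bits below the *target* prefix length ...
            host_bits = int(ip) & int(target.hostmask)
            # ... and take every higher bit from the target netblock.
            return str(ipaddress.IPv4Address(int(target.network_address) | host_bits))
    return str(ip)


def collisions(addrs, rules):
    """Group input addresses by rewritten address; return only groups that merged."""
    seen = {}
    for a in addrs:
        seen.setdefault(pnat(a, rules), []).append(a)
    return {new: old for new, old in seen.items() if len(old) > 1}


if __name__ == "__main__":
    rules = parse_pnat(PNAT_SPEC)
    # Constructed sample addresses, not taken from a real capture.
    sample = ["192.168.1.20", "172.20.3.9", "172.31.200.9", "8.8.8.8"]
    for a in sample:
        print(a, "->", pnat(a, rules))
    print("merged:", collisions(sample, rules))
```
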
       -S string, --srcipmap=string
              Rewrite source IP addresses using pseudo-NAT.  This option may
              appear up to 1 times.  This option must not appear in
              combination with any of the following options: pnat.

              Works just like the --pnat option, but only affects the source
              IP addresses in the IPv4 header.

       -D string, --dstipmap=string
              Rewrite destination IP addresses using pseudo-NAT.  This option
              may appear up to 1 times.  This option must not appear in
              combination with any of the following options: pnat.

              Works just like the --pnat option, but only affects the
              destination IP addresses in the IPv4 header.

       -e string, --endpoints=string
              Rewrite IP addresses to be between two endpoints.  This option
              may appear up to 1 times.  This option must appear in
              combination with the following options: cachefile.

              Takes a pair of colon delimited IP addresses which will be used
              to rewrite all traffic to appear to be between the two IPs.

              Example:
                  --endpoints=172.16.0.1:172.16.0.2

       -b, --skipbroadcast
              Skip rewriting broadcast/multicast IPs.

              By default --seed, --pnat and --endpoints will rewrite broadcast
              and multicast IP and MAC addresses.  Setting this flag will keep
              broadcast/multicast IP and MAC addresses from being rewritten.

       -C, --fixcsum
              Force recalculation of IP/TCP/UDP checksums.

              Causes each IP packet to have its checksums recalculated and
              fixed.  Automatically enabled for packets modified with --seed,
              --pnat, --endpoints or --fixlen.

       -m number, --mtu=number
              Override default MTU length (1500 bytes).  This option may
              appear up to 1 times.  This option takes an integer number as
              its argument.  The value of number is constrained to being:
                  in the range  1 through MAXPACKET

              Override the default 1500 byte MTU size for determining the
              maximum padding length.

       -E, --efcs
              Remove Ethernet checksums (FCS) from end of frames.

              Note, this option is pretty dangerous!  We don't actually check
              to see if an FCS actually exists in the frame, we just blindly
              delete the last two bytes.  Hence, you should only use this if
              you know that your OS provides the FCS when reading raw
              packets.

       --ttl=string
              Modify the IPv4 TTL.

              Allows you to modify the TTL of all the IPv4 packets.  Specify a
              number to hard-code the value or +/-value to increase or
              decrease by the value provided (limited to 1-255).

              Examples:
                  --ttl=10
                  --ttl=+7
                  --ttl=-64

       -F string, --fixlen=string
              Pad or truncate packet data to match header length.  This option
              may appear up to 1 times.

              Packets may be truncated during capture if the snaplen is
              smaller than the packet.  This option allows you to modify the
              packet to pad the packet back out to the size stored in the IPv4
              header or rewrite the IP header total length to reflect the
              stored packet length.

              pad Truncated packets will be padded out so that the packet
              length matches the IPv4 total length

              trunc Truncated packets will have their IPv4 total length field
              rewritten to match the actual packet length

              del Delete the packet

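              The three --fixlen modes applied to a packet cut short at
              capture time, as an added Python example (not tcprewrite's own
              code).  It assumes the buffer starts at the IPv4 header and that
              padding bytes are zero, and it recomputes only the IPv4 header
              checksum; the helper names are illustrative.

```python
import struct


def ipv4_checksum(header):
    """Ones'-complement sum of 16-bit words (RFC 1071).

    Over a header whose checksum field is zeroed this is the value to store;
    over a complete, valid header it returns 0.
    """
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fixlen(packet, mode):
    """Apply a --fixlen mode to bytes starting at the IPv4 header; None means dropped."""
    if len(packet) < 20:
        raise ValueError("shorter than an IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if len(packet) >= total_len:
        return packet  # nothing was cut off, leave the packet alone
    if mode == "del":
        return None
    if mode == "pad":
        # Assumption: pad with zero bytes up to the length the header claims.
        return packet + b"\x00" * (total_len - len(packet))
    if mode == "trunc":
        ihl = (packet[0] & 0x0F) * 4
        hdr = bytearray(packet[:ihl])
        hdr[2:4] = struct.pack("!H", len(packet))  # total length := bytes on hand
        hdr[10:12] = b"\x00\x00"                   # zero checksum before summing
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return bytes(hdr) + packet[ihl:]
    raise ValueError("mode must be pad, trunc or del")


def sample_truncated():
    """Constructed sample: the header claims 60 bytes, the capture kept only 40."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000,
                                64, 6, 0, bytes([192, 168, 0, 1]), bytes([10, 0, 0, 1])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + b"A" * 20


if __name__ == "__main__":
    pkt = sample_truncated()
    for mode in ("pad", "trunc", "del"):
        out = fixlen(pkt, mode)
        print(mode, None if out is None else (len(out), out[2:4].hex(), out[10:12].hex()))
```

              With pad the header is untouched, but a TCP or UDP checksum
              computed over the original payload will not match the zero
              padding.
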
       --skipl2broadcast
              Skip rewriting broadcast/multicast Layer 2 addresses.

              By default, editing Layer 2 addresses will rewrite broadcast and
              multicast MAC addresses.  Setting this flag will keep
              broadcast/multicast MAC addresses from being rewritten.

       --dlt=string
              Override output DLT encapsulation.  This option may appear up to
              1 times.

              By default, no DLT (data link type) conversion will be made.  To
              change the DLT type of the output pcap, select one of the
              following values:

              enet Ethernet aka DLT_EN10MB

              hdlc Cisco HDLC aka DLT_C_HDLC

              user User specified Layer 2 header and DLT type

       --enet-dmac=string
              Override destination ethernet MAC addresses.  This option may
              appear up to 1 times.

              Takes a pair of comma delimited ethernet MAC addresses which
              will replace the destination MAC address of outbound packets.
              The first MAC address will be used for the server to client
              traffic and the optional second MAC address will be used for the
              client to server traffic.

              Example:
                  --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66

       --enet-smac=string
              Override source ethernet MAC addresses.  This option may appear
              up to 1 times.

              Takes a pair of comma delimited ethernet MAC addresses which
              will replace the source MAC address of outbound packets.  The
              first MAC address will be used for the server to client traffic
              and the optional second MAC address will be used for the client
              to server traffic.

              Example:
                  --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66

       --enet-vlan=string
              Specify ethernet 802.1q VLAN tag mode.  This option may appear
              up to 1 times.

              Allows you to rewrite ethernet frames to add a 802.1q header to
              standard 802.3 ethernet headers or remove the 802.1q VLAN tag
              information.

              add Rewrites the existing 802.3 ethernet header as an 802.1q
              VLAN header

              del Rewrites the existing 802.1q VLAN header as an 802.3
              ethernet header

       --enet-vlan-tag=number
              Specify the new ethernet 802.1q VLAN tag value.  This option may
              appear up to 1 times.  This option must appear in combination
              with the following options: enet-vlan.  This option takes an
              integer number as its argument.  The value of number is
              constrained to being:
                  in the range  0 through 4095

       --enet-vlan-cfi=number
              Specify the ethernet 802.1q VLAN CFI value.  This option may
              appear up to 1 times.  This option must appear in combination
              with the following options: enet-vlan.  This option takes an
              integer number as its argument.  The value of number is
              constrained to being:
                  in the range  0 through 1

       --enet-vlan-pri=number
              Specify the ethernet 802.1q VLAN priority.  This option may
              appear up to 1 times.  This option must appear in combination
              with the following options: enet-vlan.  This option takes an
              integer number as its argument.  The value of number is
              constrained to being:
                  in the range  0 through 7

       --hdlc-control=number
              Specify HDLC control value.  This option may appear up to 1
              times.  This option takes an integer number as its argument.

              The Cisco HDLC header has a 1 byte "control" field.  Apparently
              this should always be 0, but you can use any 1 byte value.

       --hdlc-address=number
              Specify HDLC address.  This option may appear up to 1 times.
              This option takes an integer number as its argument.

              The Cisco HDLC header has a 1 byte "address" field which has two
              valid values:

              0x0F Unicast

              0xBF Broadcast

              You can however specify any single byte value.

       --user-dlt=number
              Set output file DLT type.  This option may appear up to 1 times.
              This option takes an integer number as its argument.

              Set the DLT value of the output pcap file.

       --user-dlink=string
              Rewrite Data-Link layer with user specified data.  This option
              may appear up to 2 times.

              Provide a series of comma delimited hex values which will be
              used to rewrite or create the Layer 2 header of the packets.
              The first instance of this argument will rewrite both server and
              client traffic, but if this argument is specified a second time,
              it will be used for the client traffic.

              Example:
                  --user-dlink=01,02,03,04,05,06,00,1A,2B,3C,4D,5E,6F,08,00

       -d number, --dbug=number
              Enable debugging output.  This option may appear up to 1 times.
              This option takes an integer number as its argument.  The value
              of number is constrained to being:
                  in the range  0 through 5
              The default number for this option is:
                   0

              If configured with --enable-debug, then you can specify a
              verbosity level for debugging output.  Higher numbers increase
              verbosity.

       -i string, --infile=string
              Input pcap file to be processed.  This option may appear up to 1
              times.

       -o string, --outfile=string
              Output pcap file.  This option may appear up to 1 times.

       -c string, --cachefile=string
              Split traffic via tcpprep cache file.  This option may appear up
              to 1 times.

              Use tcpprep cache file to split traffic based upon client/server
              relationships.

       -v, --verbose
              Print decoded packets via tcpdump to STDOUT.  This option may
              appear up to 1 times.

       -A string, --decode=string
              Arguments passed to tcpdump decoder.  This option may appear up
              to 1 times.  This option must appear in combination with the
              following options: verbose.

              When enabling verbose mode (-v) you may also specify one or more
              additional arguments to pass to tcpdump to modify the way
              packets are decoded.  By default, -n and -l are used.  Be sure
              to quote the arguments so that they are not interpreted by
              tcprewrite.  Please see the tcpdump(1) man page for a complete
              list of options.

       --fragroute=string
              Parse fragroute configuration file.  This option may appear up
              to 1 times.

              Enable advanced evasion techniques using the built-in
              fragroute(8) engine.  See the fragroute(8) man page for more
              details.  Important: tcprewrite does not support the delay, echo
              or print commands.

       --fragdir=string
              Which flows to apply fragroute to: c2s, s2c, both.  This option
              may appear up to 1 times.

              Apply the fragroute engine to packets going c2s, s2c or both
              when using a cache file.

       --skip-soft-errors
              Skip writing packets with soft errors.  This option may appear
              up to 1 times.

              In some cases, packets can't be decoded or the requested editing
              is not possible.  Normally these packets are written to the
              output file unedited so that tcpprep cache files can still be
              used, but if you wish, these packets can be suppressed.

              One example of this is 802.11 management frames which contain no
              data.

       -V, --version
              Print version information.

       -h, --less-help
              Display less usage information and exit.

       -H, --help
              Display usage information and exit.

       -!, --more-help
              Extended usage information passed thru pager.

       -> [rcfile], --save-opts[=rcfile]
              Save the option state to rcfile.  The default is the last
              configuration file listed in the OPTION PRESETS section, below.

       -< rcfile, --load-opts=rcfile, --no-load-opts
              Load options from rcfile.  The no-load-opts form will disable
              the loading of earlier RC/INI files.  --no-load-opts is handled
              early, out of order.

OPTION PRESETS

       Any option that is not marked as not presettable may be preset by
       loading values from configuration ("RC" or ".INI") file(s).  The homerc
       file is "$$/", unless that is a directory.  In that case, the file
       ".tcprewriterc" is searched for within that directory.

SEE ALSO

       tcpdump(1), tcpprep(1), tcpreplay(1)

AUTHOR

       Copyright 2004-2008 Aaron Turner

       For support please use the tcpreplay-users@lists.sourceforge.net
       mailing list.

       The latest version of this software is always available from:
       http://tcpreplay.synfin.net/

       Released under the Free BSD License.

       This manual page was AutoGen-erated from the tcprewrite option
       definitions.

(tcprewrite )                     2008-05-15                     TCPREWRITE(1)