1TCPREPLAY(1) Programmer's Manual TCPREPLAY(1)
2
6 tcpreplay - Replay network traffic stored in pcap files
7
9 tcpreplay [-flag [value]]... [--opt-name [[=| ]value]]...
10 <pcap_file(s)>
11 tcpreplay is a tool for replaying network traffic from files saved with
13 tcpdump or other tools which write pcap(3) files.
14
16 This manual page briefly documents the tcpreplay command. The basic
17 operation of tcpreplay is to resend all packets from the input
18 file(s) at the speed at which they were recorded, or a specified data
19 rate, up to as fast as the hardware is capable.
20 Optionally, the traffic can be split between two interfaces, written to
22 files, filtered and edited in various ways, providing the means to test
23 firewalls, NIDS and other network devices.
24 For more details, please see the Tcpreplay Manual at: http://tcpre‐
26 play.synfin.net/trac/wiki/manual
27
29 -r string, --portmap=string
31 Rewrite TCP/UDP ports. This option may appear up to -1 times.
32 Specify a list of comma delimited port mappingings consisting of
34 colon delimited port number pairs. Each colon delimited port
35 pair consists of the port to match followed by the port number
36 to rewrite.
37 Examples:
39 --portmap=80:8000 --portmap=8080:80 # 80->8000 and 8080->80
40 --portmap=8000,8080,88888:80 # 3 different ports become 80
41 --portmap=8000-8999:80 # ports 8000 to 8999 become 80
42 -s number, --seed=number
44 Randomize src/dst IPv4/v6 addresses w/ given seed. This option
45 may appear up to 1 times. This option takes an integer number
46 as its argument.
47 Causes the source and destination IPv4/v6 addresses to be pseudo
49 randomized but still maintain client/server relationships.
50 Since the randomization is deterministic based on the seed, you
51 can reuse the same seed value to recreate the traffic.
52 -N string, --pnat=string
54 Rewrite IPv4/v6 addresses using pseudo-NAT. This option may
55 appear up to 2 times. This option must not appear in combina‐
56 tion with any of the following options: srcipmap.
57 Takes a comma delimited series of colon delimited CIDR netblock
59 pairs. Each netblock pair is evaluated in order against the IP
60 addresses. If the IP address in the packet matches the first
61 netblock, it is rewriten using the second netblock as a mask
62 against the high order bits.
63 IPv4 Example:
65 --pnat=192.168.0.0/16:10.77.0.0/16,172.16.0.0/12:10.1.0.0/24
66 IPv6 Example:
67 --pnat=[2001:db8::/32]:[dead::/16],[2001:db8::/32]:[::ffff:0:0/96]
68 -S string, --srcipmap=string
70 Rewrite source IPv4/v6 addresses using pseudo-NAT. This option
71 may appear up to 1 times. This option must not appear in combi‐
72 nation with any of the following options: pnat.
73 Works just like the --pnat option, but only affects the source
75 IP addresses in the IPv4/v6 header.
76 -D string, --dstipmap=string
78 Rewrite destination IPv4/v6 addresses using pseudo-NAT. This
79 option may appear up to 1 times. This option must not appear in
80 combination with any of the following options: pnat.
81 Works just like the --pnat option, but only affects the destina‐
83 tion IP addresses in the IPv4/v6 header.
84 -e string, --endpoints=string
86 Rewrite IP addresses to be between two endpoints. This option
87 may appear up to 1 times. This option must appear in combina‐
88 tion with the following options: cachefile.
89 Takes a pair of colon delimited IPv4/v6 addresses which will be
91 used to rewrite all traffic to appear to be between the two
92 IP's.
93 IPv4 Example:
95 --endpoints=172.16.0.1:172.16.0.2
96 IPv6 Example:
97 --endpoints=[2001:db8::dead:beef]:[::ffff:0:0:ac:f:0:2]
98 -b, --skipbroadcast
101 Skip rewriting broadcast/multicast IPv4/v6 addresses.
102 By default --seed, --pnat and --endpoints will rewrite broadcast
104 and multicast IPv4/v6 and MAC addresses. Setting this flag will
105 keep broadcast/multicast IPv4/v6 and MAC addresses from being
106 rewritten.
107 -C, --fixcsum
109 Force recalculation of IPv4/TCP/UDP header checksums.
110 Causes each IPv4/v6 packet to have it's checksums recalcualted
112 and fixed. Automatically enabled for packets modified with
113 --seed, --pnat, --endpoints or --fixlen.
114 -m number, --mtu=number
116 Override default MTU length (1500 bytes). This option may
117 appear up to 1 times. This option takes an integer number as
118 its argument. The value of number is constrained to being:
119 in the range 1 through MAXPACKET
120 Override the default 1500 byte MTU size for determining the max‐
122 imum padding length (--fixlen=pad) or when truncating (--mtu-
123 trunc).
124 --mtu-trunc
126 Truncate packets larger then specified MTU. This option may
127 appear up to 1 times.
128 Similar to --fixlen, this option will truncate data in packets
130 from Layer 3 and above to be no larger then the MTU.
131 -E, --efcs
133 Remove Ethernet checksums (FCS) from end of frames.
134 Note, this option is pretty dangerous! We don't actually check
136 to see if a FCS actually exists in the frame, we just blindly
137 delete the last two bytes. Hence, you should only use this if
138 you know know that your OS provides the FCS when reading raw
139 packets.
140 --ttl=string
142 Modify the IPv4/v6 TTL/Hop Limit.
143 Allows you to modify the TTL/Hop Limit of all the IPv4/v6 pack‐
145 ets. Specify a number to hard-code the value or +/-value to
146 increase or decrease by the value provided (limited to 1-255).
147 Examples:
149 --ttl=10
150 --ttl=+7
151 --ttl=-64
152 --tos=number
154 Set the IPv4 TOS/DiffServ/ECN byte. This option may appear up
155 to 1 times. This option takes an integer number as its argu‐
156 ment. The value of number is constrained to being:
157 in the range 0 through 255
158 Allows you to override the TOS (also known as DiffServ/ECN)
160 value in IPv4.
161 --tclass=number
163 Set the IPv6 Traffic Class byte. This option may appear up to 1
164 times. This option takes an integer number as its argument.
165 The value of number is constrained to being:
166 in the range 0 through 255
167 Allows you to override the IPv6 Traffic Class field.
169 --flowlabel=number
171 Set the IPv6 Flow Label. This option may appear up to 1 times.
172 This option takes an integer number as its argument. The value
173 of number is constrained to being:
174 in the range 0 through 1048575
175 Allows you to override the 20bit IPv6 Flow Label field. Has no
177 effect on IPv4 packets.
178 -F string, --fixlen=string
180 Pad or truncate packet data to match header length. This option
181 may appear up to 1 times.
182 Packets may be truncated during capture if the snaplen is
184 smaller then the packet. This option allows you to modify the
185 packet to pad the packet back out to the size stored in the
186 IPv4/v6 header or rewrite the IP header total length to reflect
187 the stored packet length.
188 pad Truncated packets will be padded out so that the packet
190 length matches the IPv4 total length
191 trunc Truncated packets will have their IPv4 total length field
193 rewritten to match the actual packet length
194 del Delete the packet
196 --skipl2broadcast
198 Skip rewriting broadcast/multicast Layer 2 addresses.
199 By default, editing Layer 2 addresses will rewrite broadcast and
201 multicast MAC addresses. Setting this flag will keep broad‐
202 cast/multicast MAC addresses from being rewritten.
203 --dlt=string
205 Override output DLT encapsulation. This option may appear up to
206 1 times.
207 By default, no DLT (data link type) conversion will be made. To
209 change the DLT type of the output pcap, select one of the fol‐
210 lowing values:
211 enet Ethernet aka DLT_EN10MB
213 hdlc Cisco HDLC aka DLT_C_HDLC
215 user User specified Layer 2 header and DLT type
217 --enet-dmac=string
219 Override destination ethernet MAC addresses. This option may
220 appear up to 1 times.
221 Takes a pair of comma deliminated ethernet MAC addresses which
223 will replace the destination MAC address of outbound packets.
224 The first MAC address will be used for the server to client
225 traffic and the optional second MAC address will be used for the
226 client to server traffic.
227 Example:
229 --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66
230 --enet-smac=string
232 Override source ethernet MAC addresses. This option may appear
233 up to 1 times.
234 Takes a pair of comma deliminated ethernet MAC addresses which
236 will replace the source MAC address of outbound packets. The
237 first MAC address will be used for the server to client traffic
238 and the optional second MAC address will be used for the client
239 to server traffic.
240 Example:
242 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66
243 --enet-vlan=string
245 Specify ethernet 802.1q VLAN tag mode. This option may appear
246 up to 1 times.
247 Allows you to rewrite ethernet frames to add a 802.1q header to
249 standard 802.3 ethernet headers or remove the 802.1q VLAN tag
250 information.
251 add Rewrites the existing 802.3 ethernet header as an 802.1q
253 VLAN header
254 del Rewrites the existing 802.1q VLAN header as an 802.3 ether‐
256 net header
257 --enet-vlan-tag=number
259 Specify the new ethernet 802.1q VLAN tag value. This option may
260 appear up to 1 times. This option must appear in combination
261 with the following options: enet-vlan. This option takes an
262 integer number as its argument. The value of number is con‐
263 strained to being:
264 in the range 0 through 4095
265 --enet-vlan-cfi=number
269 Specify the ethernet 802.1q VLAN CFI value. This option may
270 appear up to 1 times. This option must appear in combination
271 with the following options: enet-vlan. This option takes an
272 integer number as its argument. The value of number is con‐
273 strained to being:
274 in the range 0 through 1
275 --enet-vlan-pri=number
279 Specify the ethernet 802.1q VLAN priority. This option may
280 appear up to 1 times. This option must appear in combination
281 with the following options: enet-vlan. This option takes an
282 integer number as its argument. The value of number is con‐
283 strained to being:
284 in the range 0 through 7
285 --hdlc-control=number
289 Specify HDLC control value. This option may appear up to 1
290 times. This option takes an integer number as its argument.
291 The Cisco HDLC header has a 1 byte "control" field. Apparently
293 this should always be 0, but if you can use any 1 byte value.
294 --hdlc-address=number
296 Specify HDLC address. This option may appear up to 1 times.
297 This option takes an integer number as its argument.
298 The Cisco HDLC header has a 1 byte "address" field which has two
300 valid values:
301 0x0F Unicast
303 0xBF Broadcast
305 You can however specify any single byte value.
306 --user-dlt=number
308 Set output file DLT type. This option may appear up to 1 times.
309 This option takes an integer number as its argument.
310 Set the DLT value of the output pcap file.
312 --user-dlink=string
314 Rewrite Data-Link layer with user specified data. This option
315 may appear up to 2 times.
316 Provide a series of comma deliminated hex values which will be
318 used to rewrite or create the Layer 2 header of the packets.
319 The first instance of this argument will rewrite both server and
320 client traffic, but if this argument is specified a second time,
321 it will be used for the client traffic.
322 Example:
324 --user-dlink=01,02,03,04,05,06,00,1A,2B,3C,4D,5E,6F,08,00
325 -d number, --dbug=number
327 Enable debugging output. This option may appear up to 1 times.
328 This option takes an integer number as its argument. The value
329 of number is constrained to being:
330 in the range 0 through 5
331 The default number for this option is:
332 0
333 If configured with --enable-debug, then you can specify a ver‐
335 bosity level for debugging output. Higher numbers increase ver‐
336 bosity.
337 -q, --quiet
339 Quiet mode.
340 Print nothing except the statistics at the end of the run
342 -T string, --timer=string
344 Select packet timing mode: select, ioport, rdtsc, gtod, nano,
345 abstime. This option may appear up to 1 times. The default
346 string for this option is:
347 gtod
348 Allows you to select the packet timing method to use:
350 nano - Use nanosleep() API
352 select - Use select() API
354 ioport - Write to the i386 IO Port 0x80
356 rdtsc - Use the x86/x86_64/PPC RDTSC
358 gtod [default] - Use a gettimeofday() loop
360 abstime - Use OS X's AbsoluteTime API
362 --sleep-accel=number
365 Reduce the amount of time to sleep by specified usec. This
366 option takes an integer number as its argument. The default
367 number for this option is:
368 0
369 Reduce the amount of time we would normally sleep between two
371 packets by the specified number of usec. This provides a "fuzz
372 factor" to compensate for running on a non-RTOS and other pro‐
373 cesses using CPU time. Default is disabled.
374 --rdtsc-clicks=number
376 Specify the RDTSC clicks/usec. This option may appear up to 1
377 times. This option takes an integer number as its argument.
378 The default number for this option is:
379 0
380 Override the calculated number of RDTSC clicks/usec which is
382 often the speed of the CPU in Mhz. Only useful if you specified
383 --timer=rdtsc
384 -v, --verbose
386 Print decoded packets via tcpdump to STDOUT. This option may
387 appear up to 1 times.
388 -A string, --decode=string
392 Arguments passed to tcpdump decoder. This option may appear up
393 to 1 times. This option must appear in combination with the
394 following options: verbose.
395 When enabling verbose mode (-v) you may also specify one or more
397 additional arguments to pass to tcpdump to modify the way pack‐
398 ets are decoded. By default, -n and -l are used. Be sure to
399 quote the arguments like: -A "-axxx" so that they are not inter‐
400 preted by tcpreplay. Please see the tcpdump(1) man page for a
401 complete list of options.
402 -K, --enable-file-cache
404 Enable caching of packets to internal memory. This option must
405 appear in combination with the following options: loop.
406 Cache pcap file(s) the first time they are cached in RAM so that
408 subsequent loops don't incurr any disk I/O latency in order to
409 increase performance. Make sure you have enough free RAM to
410 store the entire pcap file(s) in memory or the system will swap
411 and performance will suffer.
412 --preload-pcap
414 Preloads packets into RAM before sending.
415 This option loads the specified pcap(s) into RAM before starting
417 to send in order to improve replay performance while introducing
418 a startup performance hit. Preloading can be used with or with‐
419 out --loop and implies --enable-file-cache.
420 -c string, --cachefile=string
422 Split traffic via a tcpprep cache file. This option may appear
423 up to 1 times.
424 -i string, --intf1=string
428 Server/primary traffic output interface. This option may appear
429 up to 1 times.
430 -I string, --intf2=string
434 Client/secondary traffic output interface. This option may
435 appear up to 1 times. This option must appear in combination
436 with the following options: cachefile.
437 --listnics
441 List available network interfaces and exit.
442 -l number, --loop=number
446 Loop through the capture file X times. This option may appear
447 up to 1 times. This option takes an integer number as its argu‐
448 ment. The value of number is constrained to being:
449 greater than or equal to 0
450 The default number for this option is:
451 1
452 --pktlen
456 Override the snaplen and use the actual packet len. This option
457 may appear up to 1 times.
458 By default, tcpreplay will send packets based on the size of the
460 "snaplen" stored in the pcap file which is usually the correct
461 thing to do. However, occasionally, tools will store more bytes
462 then told to. By specifying this option, tcpreplay will ignore
463 the snaplen field and instead try to send packets based on the
464 original packet length. Bad things may happen if you specify
465 this option.
466 -L number, --limit=number
468 Limit the number of packets to send. This option may appear up
469 to 1 times. This option takes an integer number as its argu‐
470 ment. The value of number is constrained to being:
471 greater than or equal to 1
472 The default number for this option is:
473 -1
474 By default, tcpreplay will send all the packets. Alternatively,
476 you can specify a maximum number of packets to send.
477 -x string, --multiplier=string
479 Modify replay speed to a given multiple. This option may appear
480 up to 1 times. This option must not appear in combination with
481 any of the following options: pps, mbps, oneatatime, topspeed.
482 Specify a floating point value to modify the packet replay
484 speed. Examples:
485 2.0 will replay traffic at twice the speed captured
486 0.7 will replay traffic at 70% the speed captured
487 -p number, --pps=number
489 Replay packets at a given packets/sec. This option may appear
490 up to 1 times. This option must not appear in combination with
491 any of the following options: multiplier, mbps, oneatatime, top‐
492 speed. This option takes an integer number as its argument.
493 -M string, --mbps=string
497 Replay packets at a given Mbps. This option may appear up to 1
498 times. This option must not appear in combination with any of
499 the following options: multiplier, pps, oneatatime, topspeed.
500 Specify a floating point value for the Mbps rate that tcpreplay
502 should send packets at.
503 -t, --topspeed
505 Replay packets as fast as possible. This option must not appear
506 in combination with any of the following options: mbps, multi‐
507 plier, pps, oneatatime.
508 -o, --oneatatime
512 Replay one packet at a time for each user input. This option
513 must not appear in combination with any of the following
514 options: mbps, pps, multiplier, topspeed.
515 Allows you to step through one or more packets at a time.
517 --pps-multi=number
519 Number of packets to send for each time interval. This option
520 must appear in combination with the following options: pps.
521 This option takes an integer number as its argument. The value
522 of number is constrained to being:
523 greater than or equal to 1
524 The default number for this option is:
525 1
526 When trying to send packets at very high rates, the time between
528 each packet can be so short that it is impossible to accurately
529 sleep for the required period of time. This option allows you
530 to send multiple packets at a time, thus allowing for longer
531 sleep times which can be more accurately implemented.
532 -P, --pid
534 Print the PID of tcpreplay at startup.
535 --stats=number
539 Print statistics every X seconds. This option takes an integer
540 number as its argument. The value of number is constrained to
541 being:
542 greater than or equal to 1
543 Note that this is very much a "best effort" and long delays
545 between sending packets may cause equally long delays between
546 printing statistics.
547 -V, --version
549 Print version information.
550 -h, --less-help
554 Display less usage information and exit.
555 -H, --help
559 Display usage information and exit.
560 -!, --more-help
562 Extended usage information passed thru pager.
563 - [rcfile], --save-opts[=rcfile]
565 Save the option state to rcfile. The default is the last con‐
566 figuration file listed in the OPTION PRESETS section, below.
567 - rcfile, --load-opts=rcfile, --no-load-opts
569 Load options from rcfile. The no-load-opts form will disable
570 the loading of earlier RC/INI files. --no-load-opts is handled
571 early, out of order.
572
574 Any option that is not marked as not presettable may be preset by load‐
575 ing values from configuration ("RC" or ".INI") file(s). The homerc
576 file is "$$/", unless that is a directory. In that case, the file
577 ".tcpreplayrc" is searched for within that directory.
578
580 tcpreplay understands the following signals:
581 SIGUSR1 Suspend tcpreplay
583 SIGCONT Restart tcpreplay
585
588 tcpreplay-edit(1), tcpdump(1), tcpprep(1), tcprewrite(1), libnet(3)
589
592 tcpreplay can only send packets as fast as your computer's interface,
593 processor, disk and system bus will allow.
594 Packet timing at high speeds is a black art and very OS/CPU dependent.
596 Replaying captured traffic may simulate odd or broken conditions on
598 your network and cause all sorts of problems.
599 In most cases, you can not replay traffic back to/at a server.
601 Some operating systems by default do not allow for forging source MAC
603 addresses. Please consult your operating system's documentation and
604 the tcpreplay FAQ if you experience this issue.
605
607 Copyright 2000-2010 Aaron Turner
608 For support please use the tcpreplay-users@lists.sourceforge.net mail‐
610 ing list.
611 The latest version of this software is always available from:
613 http://tcpreplay.synfin.net/
614 Released under the Free BSD License.
616 This manual page was AutoGen-erated from the tcpreplay option defini‐
618 tions.
619(tcpreplay ) 2010-04-04 TCPREPLAY(1)