1tcprewrite(1) User Commands tcprewrite(1)
2
6 tcprewrite - Rewrite the packets in a pcap file.
7
9 tcprewrite [-flags] [-flag [value]] [--option-name[[=| ]value]]
10 All arguments must be options.
12
15 Tcprewrite is a tool to rewrite packets stored in pcap(3) file format,
16 such as created by tools such as tcpdump(1) and wireshark(1). Once a
17 pcap file has had it's packets rewritten, they can be replayed back out
18 on the network using tcpreplay(1).
19 tcprewrite currently supports reading the following DLT types:
21 DLT_C_HDLC aka Cisco HDLC
23 DLT_EN10MB aka Ethernet
25 DLT_LINUX_SLL aka Linux Cooked Socket
27 DLT_RAW aka RAW IP
29 DLT_NULL aka BSD Loopback
31 DLT_LOOP aka OpenBSD Loopback
33 DLT_IEEE802_11 aka 802.11a/b/g
35 DLT_IEEE802_11_RADIO aka 802.11a/b/g with Radiotap headers
37 DLT_JUNIPER_ETHER aka Juniper Encapsulated Ethernet
39 DLT_PPP_SERIAL aka PPP over Serial
41 Please see the --dlt option for supported DLT types for writing.
43 The packet editing features of tcprewrite which distinguish between
45 "client" and "server" traffic requires a tcpprep(1) cache file.
46 For more details, please see the Tcpreplay Manual at: http://tcpre‐
48 play.appneta.com
49
51 -r string, --portmap=string
53 Rewrite TCP/UDP ports. This option may appear up to 9999 times.
54 Specify a list of comma delimited port mappings consisting of
56 colon delimited port number pairs. Each colon delimited port
57 pair consists of the port to match followed by the port number
58 to rewrite.
59 Examples:
61 --portmap=80:8000 --portmap=8080:80 # 80->8000 and 8080->80
62 --portmap=8000,8080,88888:80 # 3 different ports become 80
63 --portmap=8000-8999:80 # ports 8000 to 8999 become 80
64 -s number, --seed=number
66 Randomize src/dst IPv4/v6 addresses w/ given seed. This option
67 may appear up to 1 times. This option must not appear in combi‐
68 nation with any of the following options: fuzz-seed. This op‐
69 tion takes an integer number as its argument.
70 Causes the source and destination IPv4/v6 addresses to be pseudo
72 randomized but still maintain client/server relationships.
73 Since the randomization is deterministic based on the seed, you
74 can reuse the same seed value to recreate the traffic.
75 -N string, --pnat=string
77 Rewrite IPv4/v6 addresses using pseudo-NAT. This option may ap‐
78 pear up to 2 times. This option must not appear in combination
79 with any of the following options: srcipmap.
80 Takes a comma delimited series of colon delimited CIDR netblock
82 pairs. Each netblock pair is evaluated in order against the IP
83 addresses. If the IP address in the packet matches the first
84 netblock, it is rewritten using the second netblock as a mask
85 against the high order bits.
86 IPv4 Example:
88 --pnat=192.168.0.0/16:10.77.0.0/16,172.16.0.0/12:10.1.0.0/24
89 IPv6 Example:
90 --pnat=[2001:db8::/32]:[dead::/16],[2001:db8::/32]:[::ffff:0:0/96]
91 -S string, --srcipmap=string
93 Rewrite source IPv4/v6 addresses using pseudo-NAT. This option
94 may appear up to 1 times. This option must not appear in combi‐
95 nation with any of the following options: pnat.
96 Works just like the --pnat option, but only affects the source
98 IP addresses in the IPv4/v6 header.
99 -D string, --dstipmap=string
101 Rewrite destination IPv4/v6 addresses using pseudo-NAT. This
102 option may appear up to 1 times. This option must not appear in
103 combination with any of the following options: pnat.
104 Works just like the --pnat option, but only affects the destina‐
106 tion IP addresses in the IPv4/v6 header.
107 -e string, --endpoints=string
109 Rewrite IP addresses to be between two endpoints. This option
110 may appear up to 1 times. This option must appear in combina‐
111 tion with the following options: cachefile.
112 Takes a pair of colon delimited IPv4/v6 addresses which will be
114 used to rewrite all traffic to appear to be between the two IP
115 addresses.
116 IPv4 Example:
118 --endpoints=172.16.0.1:172.16.0.2
119 IPv6 Example:
120 --endpoints=[2001:db8::dead:beef]:[::ffff:0:0:ac:f:0:2]
121 --tcp-sequence=number
123 Change TCP Sequence (and ACK) numbers /w given seed. This op‐
124 tion takes an integer number as its argument. The value of num‐
125 ber is constrained to being:
126 greater than or equal to 1
127 The default number for this option is:
128 0
129 Change all TCP sequence numbers, and related sequence-acknowl‐
131 edgement numbers. They will be shifted by a random amount based
132 on the provided seed.
133 -b, --skipbroadcast
135 Skip rewriting broadcast/multicast IPv4/v6 addresses.
136 By default --seed, --pnat and --endpoints will rewrite broadcast
138 and multicast IPv4/v6 and MAC addresses. Setting this flag will
139 keep broadcast/multicast IPv4/v6 and MAC addresses from being
140 rewritten.
141 -C, --fixcsum
143 Force recalculation of IPv4/TCP/UDP header checksums.
144 Causes each IPv4/v6 packet to have their checksums recalculated
146 and fixed. Automatically enabled for packets modified with
147 --seed, --pnat, --endpoints or --fixlen.
148 -m number, --mtu=number
150 Override default MTU length (1500 bytes). This option may ap‐
151 pear up to 1 times. This option takes an integer number as its
152 argument. The value of number is constrained to being:
153 in the range 1 through MAX_SNAPLEN
154 Override the default 1500 byte MTU size for determining the max‐
156 imum padding length (--fixlen=pad) or when truncating (--mtu-
157 trunc).
158 --mtu-trunc
160 Truncate packets larger then specified MTU. This option may ap‐
161 pear up to 1 times.
162 Similar to --fixlen, this option will truncate data in packets
164 from Layer 3 and above to be no larger then the MTU.
165 -E, --efcs
167 Remove Ethernet checksums (FCS) from end of frames.
168 Note, this option is pretty dangerous! We do not actually check
170 to see if a FCS actually exists in the frame, we just blindly
171 delete the last 4 bytes. Hence, you should only use this if you
172 know know that your OS provides the FCS when reading raw pack‐
173 ets.
174 --ttl=string
176 Modify the IPv4/v6 TTL/Hop Limit.
177 Allows you to modify the TTL/Hop Limit of all the IPv4/v6 pack‐
179 ets. Specify a number to hard-code the value or +/-value to in‐
180 crease or decrease by the value provided (limited to 1-255).
181 Examples:
183 --ttl=10
184 --ttl=+7
185 --ttl=-64
186 --tos=number
188 Set the IPv4 TOS/DiffServ/ECN byte. This option may appear up
189 to 1 times. This option takes an integer number as its argu‐
190 ment. The value of number is constrained to being:
191 in the range 0 through 255
192 Allows you to override the TOS (also known as DiffServ/ECN)
194 value in IPv4.
195 --tclass=number
197 Set the IPv6 Traffic Class byte. This option may appear up to 1
198 times. This option takes an integer number as its argument.
199 The value of number is constrained to being:
200 in the range 0 through 255
201 Allows you to override the IPv6 Traffic Class field.
203 --flowlabel=number
205 Set the IPv6 Flow Label. This option may appear up to 1 times.
206 This option takes an integer number as its argument. The value
207 of number is constrained to being:
208 in the range 0 through 1048575
209 Allows you to override the 20bit IPv6 Flow Label field. Has no
211 effect on IPv4 packets.
212 -F string, --fixlen=string
214 Pad or truncate packet data to match header length. This option
215 may appear up to 1 times.
216 Packets may be truncated during capture if the snaplen is
218 smaller then the packet. This option allows you to modify the
219 packet to pad the packet back out to the size stored in the
220 IPv4/v6 header or rewrite the IP header total length to reflect
221 the stored packet length.
222 pad Truncated packets will be padded out so that the packet
224 length matches the IPv4 total length
225 trunc Truncated packets will have their IPv4 total length field
227 rewritten to match the actual packet length
228 del Delete the packet
230 --fuzz-seed=number
232 Fuzz 1 in X packets. Edit bytes, length, or emulate packet drop.
233 This option takes an integer number as its argument. The value
234 of number is constrained to being:
235 greater than or equal to 0
236 The default number for this option is:
237 0
238 This fuzzing was designed as to test layer 7 protocols such as
240 voip protocols. It modifies randomly 1 out of X packets (where
241 X = --fuzz-factor) in order for stateful protocols to cover more
242 of their code. The random fuzzing actions focus on data start
243 and end because it often is the part of the data application
244 protocols base their decisions on.
245 Possible fuzzing actions list:
247 * drop packet
248 * reduce packet size
249 * edit packet Bytes:
250 * Not all Bytes have the same probability of appearance in
251 real life.
252 Replace with 0x00, 0xFF, or a random byte with equal like‐
253 lihood.
254 * Not all Bytes have the same significance in a packet.
255 Replace the start, the end, or the middle of the packet
256 with equal likelihood.
257 * do nothing (7 out of 8 packets)
258 --fuzz-factor=number
260 Set the Fuzz 1 in X packet ratio (default 1 in 8 packets). This
261 option must appear in combination with the following options:
262 fuzz-seed. This option takes an integer number as its argument.
263 The value of number is constrained to being:
264 greater than or equal to 1
265 The default number for this option is:
266 8
267 Sets the ratio of for --fuzz-seed option. By default this value
269 is 8, which means 1 in 8 packets are modified by fuzzing. Note
270 that this ratio is based on the random number generated by the
271 supplied fuzz seed. Therefore by default you cannot expect that
272 exactly every eighth packet will be modified.
273 --skipl2broadcast
275 Skip rewriting broadcast/multicast Layer 2 addresses.
276 By default, editing Layer 2 addresses will rewrite broadcast and
278 multicast MAC addresses. Setting this flag will keep broad‐
279 cast/multicast MAC addresses from being rewritten.
280 --dlt=string
282 Override output DLT encapsulation. This option may appear up to
283 1 times.
284 By default, no DLT (data link type) conversion will be made. To
286 change the DLT type of the output pcap, select one of the fol‐
287 lowing values:
288 enet Ethernet aka DLT_EN10MB
290 hdlc Cisco HDLC aka DLT_C_HDLC
292 jnpr_eth Juniper Ethernet DLT_C_JNPR_ETHER
294 pppserial PPP Serial aka DLT_PPP_SERIAL
296 user User specified Layer 2 header and DLT type
298 --enet-dmac=string
300 Override destination ethernet MAC addresses. This option may
301 appear up to 1 times.
302 Takes a pair of comma deliminated ethernet MAC addresses which
304 will replace the destination MAC address of outbound packets.
305 The first MAC address will be used for the server to client
306 traffic and the optional second MAC address will be used for the
307 client to server traffic.
308 Example:
310 --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66
311 --enet-smac=string
313 Override source ethernet MAC addresses. This option may appear
314 up to 1 times.
315 Takes a pair of comma deliminated ethernet MAC addresses which
317 will replace the source MAC address of outbound packets. The
318 first MAC address will be used for the server to client traffic
319 and the optional second MAC address will be used for the client
320 to server traffic.
321 Example:
323 --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66
324 --enet-subsmac=string
326 Substitute MAC addresses. This option may appear up to 9999
327 times.
328 Allows you to rewrite ethernet MAC addresses of packets. It
330 takes comma delimited pair or MACs address and rewrites all oc‐
331 currences of the first MAC with the value of the second MAC.
332 Example:
333 --enet-subsmac=00:12:13:14:15:16,00:22:33:44:55:66
334 --enet-mac-seed=number
336 Randomize MAC addresses. This option may appear up to 1 times.
337 This option must not appear in combination with any of the fol‐
338 lowing options: enet-smac, enet-dmac, enet-subsmac. This option
339 takes an integer number as its argument.
340 Allows you to randomize ethernet MAC addresses of packets,
342 mostly like what --seed option does for IPv4/IPv6 addresses.
343 --enet-mac-seed-keep-bytes=number
345 Randomize MAC addresses. This option may appear up to 1 times.
346 This option must appear in combination with the following op‐
347 tions: enet-mac-seed. This option takes an integer number as
348 its argument. The value of number is constrained to being:
349 in the range 1 through 6
350 Keep some bytes untouched when usinging --enet-mac-seed option.
352 --enet-vlan=string
354 Specify ethernet 802.1q VLAN tag mode. This option may appear
355 up to 1 times.
356 Allows you to rewrite ethernet frames to add a 802.1q header to
358 standard 802.3 ethernet headers or remove the 802.1q VLAN tag
359 information.
360 add Adds an 802.1q VLAN header to the existing 802.3 ethernet
362 header. If a VLAN header already exists, a new VLAN header is
363 added outside of the existing header.
364 Note that you will be allowed to run this option multiple times
366 to create more than 2 VLAN headers, however those packets will
367 be valid. At most you should have 2 X 802.1q VLAN tags, or outer
368 an 802.1ad and an inner 802.1q VLAN tag.
369 del Rewrites the existing 802.1q VLAN header as an 802.3 ether‐
371 net header
372 --enet-vlan-tag=number
374 Specify the new ethernet 802.1q VLAN tag value. This option may
375 appear up to 1 times. This option must appear in combination
376 with the following options: enet-vlan. This option takes an in‐
377 teger number as its argument. The value of number is con‐
378 strained to being:
379 in the range 0 through 4095
380 --enet-vlan-cfi=number
383 Specify the ethernet 802.1q VLAN CFI value. This option may ap‐
384 pear up to 1 times. This option must appear in combination with
385 the following options: enet-vlan. This option takes an integer
386 number as its argument. The value of number is constrained to
387 being:
388 in the range 0 through 1
389 --enet-vlan-pri=number
392 Specify the ethernet 802.1q VLAN priority. This option may ap‐
393 pear up to 1 times. This option must appear in combination with
394 the following options: enet-vlan. This option takes an integer
395 number as its argument. The value of number is constrained to
396 being:
397 in the range 0 through 7
398 --enet-vlan-proto=string
401 Specify VLAN tag protocol 802.1q or 802.1ad. This option may
402 appear up to 1 times.
403 Allows you to specify the protocol of the added VLAN tags.
405 802.1q Specifies that 802.1q VLAN headers are to be added. This
407 is the default.
408 802.1ad Specifies that 802.1ad Q-in-Q VLAN headers are to be
410 added. To make valid packets, input packets must already have
411 802.1q VLAN headers.
412 --hdlc-control=number
414 Specify HDLC control value. This option may appear up to 1
415 times. This option takes an integer number as its argument.
416 The Cisco HDLC header has a 1 byte "control" field. Apparently
418 this should always be 0, but if you can use any 1 byte value.
419 --hdlc-address=number
421 Specify HDLC address. This option may appear up to 1 times.
422 This option takes an integer number as its argument.
423 The Cisco HDLC header has a 1 byte "address" field which has two
425 valid values:
426 0x0F Unicast
428 0xBF Broadcast
430 You can however specify any single byte value.
431 --user-dlt=number
433 Set output file DLT type. This option may appear up to 1 times.
434 This option takes an integer number as its argument.
435 Set the DLT value of the output pcap file.
437 --user-dlink=string
439 Rewrite Data-Link layer with user specified data. This option
440 may appear up to 2 times.
441 Provide a series of comma deliminated hex values which will be
443 used to rewrite or create the Layer 2 header of the packets.
444 The first instance of this argument will rewrite both server and
445 client traffic, but if this argument is specified a second time,
446 it will be used for the client traffic.
447 Example:
449 --user-dlink=01,02,03,04,05,06,00,1A,2B,3C,4D,5E,6F,08,00
450 -d number, --dbug=number
452 Enable debugging output. This option may appear up to 1 times.
453 This option takes an integer number as its argument. The value
454 of number is constrained to being:
455 in the range 0 through 5
456 The default number for this option is:
457 0
458 If configured with --enable-debug, then you can specify a ver‐
460 bosity level for debugging output. Higher numbers increase ver‐
461 bosity.
462 -i string, --infile=string
464 Input pcap file to be processed. This option may appear up to 1
465 times.
466 -o string, --outfile=string
469 Output pcap file. This option may appear up to 1 times.
470 -c string, --cachefile=string
473 Split traffic via tcpprep cache file. This option may appear up
474 to 1 times.
475 Use tcpprep cache file to split traffic based upon client/server
477 relationships.
478 -v, --verbose
480 Print decoded packets via tcpdump to STDOUT. This option may
481 appear up to 1 times.
482 -A string, --decode=string
485 Arguments passed to tcpdump decoder. This option may appear up
486 to 1 times. This option must appear in combination with the
487 following options: verbose.
488 When enabling verbose mode (-v) you may also specify one or more
490 additional arguments to pass to tcpdump to modify the way pack‐
491 ets are decoded. By default, -n and -l are used. Be sure to
492 quote the arguments so that they are not interpreted by
493 tcprewrite. Please see the tcpdump(1) man page for a complete
494 list of options.
495 --fragroute=string
497 Parse fragroute configuration file. This option may appear up
498 to 1 times.
499 Enable advanced evasion techniques using the built-in fra‐
501 groute(8) engine. See the fragroute(8) man page for more de‐
502 tails. Important: tcprewrite does not support the delay, echo
503 or print commands.
504 --fragdir=string
506 Which flows to apply fragroute to: c2s, s2c, both. This option
507 may appear up to 1 times. This option must appear in combina‐
508 tion with the following options: cachefile.
509 Apply the fragroute engine to packets going c2s, s2c or both
511 when using a cache file.
512 --skip-soft-errors
514 Skip writing packets with soft errors. This option may appear
515 up to 1 times.
516 In some cases, packets can not be decoded or the requested edit‐
518 ing is not possible. Normally these packets are written to the
519 output file unedited so that tcpprep cache files can still be
520 used, but if you wish, these packets can be suppressed.
521 One example of this is 802.11 management frames which contain no
523 data.
524 -V, --version
526 Print version information.
527 -h, --less-help
530 Display less usage information and exit.
531 -H, --help
534 Display usage information and exit.
535 -!, --more-help
537 Pass the extended usage information through a pager.
538 --save-opts [=cfgfile]
540 Save the option state to cfgfile. The default is the last con‐
541 figuration file listed in the OPTION PRESETS section, below.
542 The command will exit after updating the config file.
543 --load-opts=cfgfile, --no-load-opts
545 Load options from cfgfile. The no-load-opts form will disable
546 the loading of earlier config/rc/ini files. --no-load-opts is
547 handled early, out of order.
548
550 Any option that is not marked as not presettable may be preset by load‐
551 ing values from configuration ("RC" or ".INI") file(s). The homerc
552 file is "$$/", unless that is a directory. In that case, the file
553 ".tcprewriterc" is searched for within that directory.
554
556 See OPTION PRESETS for configuration files.
557
559 One of the following exit values will be returned:
560 0 (EXIT_SUCCESS)
562 Successful program execution.
563 1 (EXIT_FAILURE)
565 The operation failed or the command syntax was not valid.
566 66 (EX_NOINPUT)
568 A specified configuration file could not be loaded.
569 70 (EX_SOFTWARE)
571 libopts had an internal operational error. Please report it to
572 autogen-users@lists.sourceforge.net. Thank you.
573
575 Copyright 2013-2022 Fred Klassen - AppNeta Copyright 2000-2012 Aaron
576 Turner For support please use the tcpreplay-users@lists.sourceforge.net
577 mailing list. The latest version of this software is always available
578 from: http://tcpreplay.appneta.com/
579
581 Copyright (C) 2000-2022 Aaron Turner and Fred Klassen all rights re‐
582 served. This program is released under the terms of the GNU General
583 Public License, version 3 or later.
584
586 Please send bug reports to: tcpreplay-users@lists.sourceforge.net
587
589 This manual page was AutoGen-erated from the tcprewrite option defini‐
590 tions.
591tcprewrite 01 Jan 2023 tcprewrite(1)