1tcprewrite(1)                    User Commands                   tcprewrite(1)
2
3
4

NAME

6       tcprewrite - Rewrite the packets in a pcap file.
7

SYNOPSIS

9       tcprewrite [-flags] [-flag [value]] [--option-name[[=| ]value]]
10
11       All arguments must be options.
12
13

DESCRIPTION

15       Tcprewrite  is a tool to rewrite packets stored in pcap(3) file format,
16       such as created by tools such as tcpdump(1) and wireshark(1).   Once  a
17       pcap file has had it's packets rewritten, they can be replayed back out
18       on the network using tcpreplay(1).
19
20       tcprewrite currently supports reading the following DLT types:
21
22       DLT_C_HDLC aka Cisco HDLC
23
24       DLT_EN10MB aka Ethernet
25
26       DLT_LINUX_SLL aka Linux Cooked Socket
27
28       DLT_RAW aka RAW IP
29
30       DLT_NULL aka BSD Loopback
31
32       DLT_LOOP aka OpenBSD Loopback
33
34       DLT_IEEE802_11 aka 802.11a/b/g
35
36       DLT_IEEE802_11_RADIO aka 802.11a/b/g with Radiotap headers
37
38       DLT_JUNIPER_ETHER aka Juniper Encapsulated Ethernet
39
40       DLT_PPP_SERIAL aka PPP over Serial
41
42       Please see the --dlt option for supported DLT types for writing.
43
44       The packet editing features of  tcprewrite  which  distinguish  between
45       "client" and "server" traffic requires a tcpprep(1) cache file.
46
47       For  more  details,  please  see the Tcpreplay Manual at: http://tcpre
48       play.appneta.com
49

OPTIONS

51
52       -r string, --portmap=string
53              Rewrite TCP/UDP ports.  This option may appear up to 9999 times.
54
55              Specify a list of comma delimited port  mappings  consisting  of
56              colon  delimited  port  number pairs.  Each colon delimited port
57              pair consists of the port to match followed by the  port  number
58              to rewrite.
59
60              Examples:
61                  --portmap=80:8000 --portmap=8080:80    # 80->8000 and 8080->80
62                  --portmap=8000,8080,88888:80           # 3 different ports become 80
63                  --portmap=8000-8999:80                 # ports 8000 to 8999 become 80
64
65       -s number, --seed=number
66              Randomize  src/dst IPv4/v6 addresses w/ given seed.  This option
67              may appear up to 1 times.  This option must not appear in combi‐
68              nation  with  any of the following options: fuzz-seed.  This op‐
69              tion takes an integer number as its argument.
70
71              Causes the source and destination IPv4/v6 addresses to be pseudo
72              randomized   but  still  maintain  client/server  relationships.
73              Since the randomization is deterministic based on the seed,  you
74              can reuse the same seed value to recreate the traffic.
75
76       -N string, --pnat=string
77              Rewrite IPv4/v6 addresses using pseudo-NAT.  This option may ap‐
78              pear up to 2 times.  This option must not appear in  combination
79              with any of the following options: srcipmap.
80
81              Takes  a comma delimited series of colon delimited CIDR netblock
82              pairs.  Each netblock pair is evaluated in order against the  IP
83              addresses.   If  the  IP address in the packet matches the first
84              netblock, it is rewritten using the second netblock  as  a  mask
85              against the high order bits.
86
87              IPv4 Example:
88                  --pnat=192.168.0.0/16:10.77.0.0/16,172.16.0.0/12:10.1.0.0/24
89              IPv6 Example:
90                  --pnat=[2001:db8::/32]:[dead::/16],[2001:db8::/32]:[::ffff:0:0/96]
91
92       -S string, --srcipmap=string
93              Rewrite  source IPv4/v6 addresses using pseudo-NAT.  This option
94              may appear up to 1 times.  This option must not appear in combi‐
95              nation with any of the following options: pnat.
96
97              Works  just  like the --pnat option, but only affects the source
98              IP addresses in the IPv4/v6 header.
99
100       -D string, --dstipmap=string
101              Rewrite destination IPv4/v6 addresses  using  pseudo-NAT.   This
102              option may appear up to 1 times.  This option must not appear in
103              combination with any of the following options: pnat.
104
105              Works just like the --pnat option, but only affects the destina‐
106              tion IP addresses in the IPv4/v6 header.
107
108       -e string, --endpoints=string
109              Rewrite  IP  addresses to be between two endpoints.  This option
110              may appear up to 1 times.  This option must appear  in  combina‐
111              tion with the following options: cachefile.
112
113              Takes  a pair of colon delimited IPv4/v6 addresses which will be
114              used to rewrite all traffic to appear to be between the  two  IP
115              addresses.
116
117              IPv4 Example:
118                  --endpoints=172.16.0.1:172.16.0.2
119              IPv6 Example:
120                  --endpoints=[2001:db8::dead:beef]:[::ffff:0:0:ac:f:0:2]
121
122       --tcp-sequence=number
123              Change  TCP  Sequence (and ACK) numbers /w given seed.  This op‐
124              tion takes an integer number as its argument.  The value of num‐
125              ber is constrained to being:
126                  greater than or equal to 1
127              The default number for this option is:
128                   0
129
130              Change all TCP sequence numbers, and related sequence-acknowl‐
131              edgement numbers.  They will be shifted by a random amount based
132              on the provided seed.
133
134       -b, --skipbroadcast
135              Skip rewriting broadcast/multicast IPv4/v6 addresses.
136
137              By default --seed, --pnat and --endpoints will rewrite broadcast
138              and multicast IPv4/v6 and MAC addresses. Setting this flag will
139              keep broadcast/multicast IPv4/v6 and MAC addresses from being
140              rewritten.
141
142       -C, --fixcsum
143              Force recalculation of IPv4/TCP/UDP header checksums.
144
145              Causes each IPv4/v6 packet to have their checksums recalculated
146              and fixed.  Automatically enabled for packets modified with
147              --seed, --pnat, --endpoints or --fixlen.
148
149       -m number, --mtu=number
150              Override default MTU length (1500 bytes).  This option may ap‐
151              pear up to 1 times.  This option takes an integer number as its
152              argument.  The value of number is constrained to being:
153                  in the range  1 through MAX_SNAPLEN
154
155              Override the default 1500 byte MTU size for determining the max‐
156              imum padding length (--fixlen=pad) or when truncating (--mtu-
157              trunc).
158
159       --mtu-trunc
160              Truncate packets larger then specified MTU.  This option may ap‐
161              pear up to 1 times.
162
163              Similar to --fixlen, this option will truncate data in packets
164              from Layer 3 and above to be no larger then the MTU.
165
166       -E, --efcs
167              Remove Ethernet checksums (FCS) from end of frames.
168
169              Note, this option is pretty dangerous!  We do not actually check
170              to see if a FCS actually exists in the frame, we just blindly
171              delete the last 4 bytes.  Hence, you should only use this if you
172              know know that your OS provides the FCS when reading raw pack‐
173              ets.
174
175       --ttl=string
176              Modify the IPv4/v6 TTL/Hop Limit.
177
178              Allows you to modify the TTL/Hop Limit of all the IPv4/v6 pack‐
179              ets.  Specify a number to hard-code the value or +/-value to in‐
180              crease or decrease by the value provided (limited to 1-255).
181
182              Examples:
183                  --ttl=10
184                  --ttl=+7
185                  --ttl=-64
186
187       --tos=number
188              Set the IPv4 TOS/DiffServ/ECN byte.  This option may appear up
189              to 1 times.  This option takes an integer number as its argu‐
190              ment.  The value of number is constrained to being:
191                  in the range  0 through 255
192
193              Allows you to override the TOS (also known as DiffServ/ECN)
194              value in IPv4.
195
196       --tclass=number
197              Set the IPv6 Traffic Class byte.  This option may appear up to 1
198              times.  This option takes an integer number as its argument.
199              The value of number is constrained to being:
200                  in the range  0 through 255
201
202              Allows you to override the IPv6 Traffic Class field.
203
204       --flowlabel=number
205              Set the IPv6 Flow Label.  This option may appear up to 1 times.
206              This option takes an integer number as its argument.  The value
207              of number is constrained to being:
208                  in the range  0 through 1048575
209
210              Allows you to override the 20bit IPv6 Flow Label field.  Has no
211              effect on IPv4 packets.
212
213       -F string, --fixlen=string
214              Pad or truncate packet data to match header length.  This option
215              may appear up to 1 times.
216
217              Packets may be truncated during capture if the snaplen is
218              smaller then the packet.  This option allows you to modify the
219              packet to pad the packet back out to the size stored in the
220              IPv4/v6 header or rewrite the IP header total length to reflect
221              the stored packet length.
222
223              pad Truncated packets will be padded out so that the packet
224              length matches the IPv4 total length
225
226              trunc Truncated packets will have their IPv4 total length field
227              rewritten to match the actual packet length
228
229              del Delete the packet
230
231       --fuzz-seed=number
232              Fuzz 1 in X packets. Edit bytes, length, or emulate packet drop.
233              This option takes an integer number as its argument.  The value
234              of number is constrained to being:
235                  greater than or equal to 0
236              The default number for this option is:
237                   0
238
239              This fuzzing was designed as to test layer 7 protocols such as
240              voip protocols.  It modifies randomly 1 out of X packets (where
241              X = --fuzz-factor) in order for stateful protocols to cover more
242              of their code.  The random fuzzing actions focus on data start
243              and end because it often is the part of the data application
244              protocols base their decisions on.
245
246              Possible fuzzing actions list:
247               * drop packet
248               * reduce packet size
249               * edit packet Bytes:
250                 * Not all Bytes have the same probability of appearance in
251              real life.
252                   Replace with 0x00, 0xFF, or a random byte with equal like‐
253              lihood.
254                 * Not all Bytes have the same significance in a packet.
255                   Replace the start, the end, or the middle of the packet
256              with equal likelihood.
257               * do nothing (7 out of 8 packets)
258
259       --fuzz-factor=number
260              Set the Fuzz 1 in X packet ratio (default 1 in 8 packets).  This
261              option must appear in combination with the following options:
262              fuzz-seed.  This option takes an integer number as its argument.
263              The value of number is constrained to being:
264                  greater than or equal to 1
265              The default number for this option is:
266                   8
267
268              Sets the ratio of for --fuzz-seed option. By default this value
269              is 8, which means 1 in 8 packets are modified by fuzzing. Note
270              that this ratio is based on the random number generated by the
271              supplied fuzz seed. Therefore by default you cannot expect that
272              exactly every eighth packet will be modified.
273
274       --skipl2broadcast
275              Skip rewriting broadcast/multicast Layer 2 addresses.
276
277              By default, editing Layer 2 addresses will rewrite broadcast and
278              multicast MAC addresses.   Setting this flag will keep broad‐
279              cast/multicast MAC addresses from being rewritten.
280
281       --dlt=string
282              Override output DLT encapsulation.  This option may appear up to
283              1 times.
284
285              By default, no DLT (data link type) conversion will be made.  To
286              change the DLT type of the output pcap, select one of the fol‐
287              lowing values:
288
289              enet Ethernet aka DLT_EN10MB
290
291              hdlc Cisco HDLC aka DLT_C_HDLC
292
293              jnpr_eth Juniper Ethernet DLT_C_JNPR_ETHER
294
295              pppserial PPP Serial aka DLT_PPP_SERIAL
296
297              user User specified Layer 2 header and DLT type
298
299       --enet-dmac=string
300              Override destination ethernet MAC addresses.  This option may
301              appear up to 1 times.
302
303              Takes a pair of comma deliminated ethernet MAC addresses which
304              will replace the destination MAC address of outbound packets.
305              The first MAC address will be used for the server to client
306              traffic and the optional second MAC address will be used for the
307              client to server traffic.
308
309              Example:
310                  --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66
311
312       --enet-smac=string
313              Override source ethernet MAC addresses.  This option may appear
314              up to 1 times.
315
316              Takes a pair of comma deliminated ethernet MAC addresses which
317              will replace the source MAC address of outbound packets.  The
318              first MAC address will be used for the server to client traffic
319              and the optional second MAC address will be used for the client
320              to server traffic.
321
322              Example:
323                  --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66
324
325       --enet-subsmac=string
326              Substitute MAC addresses.  This option may appear up to 9999
327              times.
328
329              Allows you to rewrite ethernet MAC addresses of packets. It
330              takes comma delimited pair or MACs address and rewrites all oc‐
331              currences of the first MAC with the value of the second MAC.
332              Example:
333                  --enet-subsmac=00:12:13:14:15:16,00:22:33:44:55:66
334
335       --enet-mac-seed=number
336              Randomize MAC addresses.  This option may appear up to 1 times.
337              This option must not appear in combination with any of the fol‐
338              lowing options: enet-smac, enet-dmac, enet-subsmac.  This option
339              takes an integer number as its argument.
340
341              Allows you to randomize ethernet MAC addresses of packets,
342              mostly like what --seed option does for IPv4/IPv6 addresses.
343
344       --enet-mac-seed-keep-bytes=number
345              Randomize MAC addresses.  This option may appear up to 1 times.
346              This option must appear in combination with the following op‐
347              tions: enet-mac-seed.  This option takes an integer number as
348              its argument.  The value of number is constrained to being:
349                  in the range  1 through 6
350
351              Keep some bytes untouched when usinging --enet-mac-seed option.
352
353       --enet-vlan=string
354              Specify ethernet 802.1q VLAN tag mode.  This option may appear
355              up to 1 times.
356
357              Allows you to rewrite ethernet frames to add a 802.1q header to
358              standard 802.3 ethernet headers or remove the 802.1q VLAN tag
359              information.
360
361              add Adds an 802.1q VLAN header to the existing 802.3 ethernet
362              header. If a VLAN header already exists, a new VLAN header is
363              added outside of the existing header.
364
365              Note that you will be allowed to run this option multiple times
366              to create more than 2 VLAN headers, however those packets will
367              be valid. At most you should have 2 X 802.1q VLAN tags, or outer
368              an 802.1ad and an inner 802.1q VLAN tag.
369
370              del Rewrites the existing 802.1q VLAN header as an 802.3 ether‐
371              net header
372
373       --enet-vlan-tag=number
374              Specify the new ethernet 802.1q VLAN tag value.  This option may
375              appear up to 1 times.  This option must appear in combination
376              with the following options: enet-vlan.  This option takes an in‐
377              teger number as its argument.  The value of number is con‐
378              strained to being:
379                  in the range  0 through 4095
380
381
382       --enet-vlan-cfi=number
383              Specify the ethernet 802.1q VLAN CFI value.  This option may ap‐
384              pear up to 1 times.  This option must appear in combination with
385              the following options: enet-vlan.  This option takes an integer
386              number as its argument.  The value of number is constrained to
387              being:
388                  in the range  0 through 1
389
390
391       --enet-vlan-pri=number
392              Specify the ethernet 802.1q VLAN priority.  This option may ap‐
393              pear up to 1 times.  This option must appear in combination with
394              the following options: enet-vlan.  This option takes an integer
395              number as its argument.  The value of number is constrained to
396              being:
397                  in the range  0 through 7
398
399
400       --enet-vlan-proto=string
401              Specify VLAN tag protocol 802.1q or 802.1ad.  This option may
402              appear up to 1 times.
403
404              Allows you to specify the protocol of the added VLAN tags.
405
406              802.1q Specifies that 802.1q VLAN headers are to be added. This
407              is the default.
408
409              802.1ad Specifies that 802.1ad Q-in-Q VLAN headers are to be
410              added. To make valid packets, input packets must already have
411              802.1q VLAN headers.
412
413       --hdlc-control=number
414              Specify HDLC control value.  This option may appear up to 1
415              times.  This option takes an integer number as its argument.
416
417              The Cisco HDLC header has a 1 byte "control" field.  Apparently
418              this should always be 0, but if you can use any 1 byte value.
419
420       --hdlc-address=number
421              Specify HDLC address.  This option may appear up to 1 times.
422              This option takes an integer number as its argument.
423
424              The Cisco HDLC header has a 1 byte "address" field which has two
425              valid values:
426
427              0x0F Unicast
428
429              0xBF Broadcast
430              You can however specify any single byte value.
431
432       --user-dlt=number
433              Set output file DLT type.  This option may appear up to 1 times.
434              This option takes an integer number as its argument.
435
436              Set the DLT value of the output pcap file.
437
438       --user-dlink=string
439              Rewrite Data-Link layer with user specified data.  This option
440              may appear up to 2 times.
441
442              Provide a series of comma deliminated hex values which will be
443              used to rewrite or create the Layer 2 header of the packets.
444              The first instance of this argument will rewrite both server and
445              client traffic, but if this argument is specified a second time,
446              it will be used for the client traffic.
447
448              Example:
449                  --user-dlink=01,02,03,04,05,06,00,1A,2B,3C,4D,5E,6F,08,00
450
451       -d number, --dbug=number
452              Enable debugging output.  This option may appear up to 1 times.
453              This option takes an integer number as its argument.  The value
454              of number is constrained to being:
455                  in the range  0 through 5
456              The default number for this option is:
457                   0
458
459              If configured with --enable-debug, then you can specify a ver‐
460              bosity level for debugging output.  Higher numbers increase ver‐
461              bosity.
462
463       -i string, --infile=string
464              Input pcap file to be processed.  This option may appear up to 1
465              times.
466
467
468       -o string, --outfile=string
469              Output pcap file.  This option may appear up to 1 times.
470
471
472       -c string, --cachefile=string
473              Split traffic via tcpprep cache file.  This option may appear up
474              to 1 times.
475
476              Use tcpprep cache file to split traffic based upon client/server
477              relationships.
478
479       -v, --verbose
480              Print decoded packets via tcpdump to STDOUT.  This option may
481              appear up to 1 times.
482
483
484       -A string, --decode=string
485              Arguments passed to tcpdump decoder.  This option may appear up
486              to 1 times.  This option must appear in combination with the
487              following options: verbose.
488
489              When enabling verbose mode (-v) you may also specify one or more
490              additional arguments to pass to tcpdump to modify the way pack‐
491              ets are decoded.  By default, -n and -l are used.  Be sure to
492              quote the arguments so that they are not interpreted by
493              tcprewrite.   Please see the tcpdump(1) man page for a complete
494              list of options.
495
496       --fragroute=string
497              Parse fragroute configuration file.  This option may appear up
498              to 1 times.
499
500              Enable advanced evasion techniques using the built-in fra‐
501              groute(8) engine.  See the fragroute(8) man page for more de‐
502              tails.  Important: tcprewrite does not support the delay, echo
503              or print commands.
504
505       --fragdir=string
506              Which flows to apply fragroute to: c2s, s2c, both.  This option
507              may appear up to 1 times.  This option must appear in combina‐
508              tion with the following options: cachefile.
509
510              Apply the fragroute engine to packets going c2s, s2c or both
511              when using a cache file.
512
513       --skip-soft-errors
514              Skip writing packets with soft errors.  This option may appear
515              up to 1 times.
516
517              In some cases, packets can not be decoded or the requested edit‐
518              ing is not possible.  Normally these packets are written to the
519              output file unedited so that tcpprep cache files can still be
520              used, but if you wish, these packets can be suppressed.
521
522              One example of this is 802.11 management frames which contain no
523              data.
524
525       -V, --version
526              Print version information.
527
528
529       -h, --less-help
530              Display less usage information and exit.
531
532
533       -H, --help
534              Display usage information and exit.
535
536       -!, --more-help
537              Pass the extended usage information through a pager.
538
539       --save-opts [=cfgfile]
540              Save the option state to cfgfile.  The default is the last con‐
541              figuration file listed in the OPTION PRESETS section, below.
542              The command will exit after updating the config file.
543
544       --load-opts=cfgfile, --no-load-opts
545              Load options from cfgfile.  The no-load-opts form will disable
546              the loading of earlier config/rc/ini files.  --no-load-opts is
547              handled early, out of order.
548

OPTION PRESETS

550       Any option that is not marked as not presettable may be preset by load‐
551       ing values from configuration ("RC" or ".INI") file(s).  The homerc
552       file is "$$/", unless that is a directory.  In that case, the file
553       ".tcprewriterc" is searched for within that directory.
554

FILES

556       See OPTION PRESETS for configuration files.
557

EXIT STATUS

559       One of the following exit values will be returned:
560
561       0  (EXIT_SUCCESS)
562              Successful program execution.
563
564       1  (EXIT_FAILURE)
565              The operation failed or the command syntax was not valid.
566
567       66  (EX_NOINPUT)
568              A specified configuration file could not be loaded.
569
570       70  (EX_SOFTWARE)
571              libopts had an internal operational error.  Please report it to
572              autogen-users@lists.sourceforge.net.  Thank you.
573

AUTHORS

575       Copyright 2013-2022 Fred Klassen - AppNeta Copyright 2000-2012 Aaron
576       Turner For support please use the tcpreplay-users@lists.sourceforge.net
577       mailing list.  The latest version of this software is always available
578       from: http://tcpreplay.appneta.com/
579
581       Copyright (C) 2000-2022 Aaron Turner and Fred Klassen all rights re‐
582       served.  This program is released under the terms of the GNU General
583       Public License, version 3 or later.
584

BUGS

586       Please send bug reports to: tcpreplay-users@lists.sourceforge.net
587

NOTES

589       This manual page was AutoGen-erated from the tcprewrite option defini‐
590       tions.
591
592
593
594tcprewrite                        11 Jun 2023                    tcprewrite(1)
Impressum