TCPPREP(1)                    Programmer's Manual                   TCPPREP(1)

NAME

       tcpprep - Create a tcpreplay cache file from a pcap file.

SYNOPSIS

       tcpprep [-flag [value]]... [--opt-name [[=| ]value]]...

       All arguments must be options.

       tcpprep is a pcap(3) file pre-processor which creates a cache file
       which provides "rules" for tcprewrite(1) and tcpreplay(1) on how to
       process and send packets.

DESCRIPTION

       This manual page documents, briefly, the tcpprep command.  The basic
       operation of tcpreplay is to resend all packets from the input file(s)
       out a single interface.  Tcpprep processes a pcap file and applies a
       set of user-specified rules to create a cache file which tells
       tcpreplay whether or not to send each packet and which interface the
       packet should be sent out of.

       For more details, please see the Tcpreplay Manual at:
       http://tcpreplay.synfin.net/trac/wiki/manual

OPTIONS

       -d number, --dbug=number
              Enable debugging output.  This option may appear up to 1 times.
              This option takes an integer number as its argument.  The value
              of number is constrained to being:
                  in the range  0 through 5
              The default number for this option is:
                   0

              If configured with --enable-debug, then you can specify a
              verbosity level for debugging output.  Higher numbers increase
              verbosity.

       -a string, --auto=string
              Auto-split mode.  This option may appear up to 1 times.  This
              option must not appear in combination with any of the following
              options: cidr, port, regex, mac.

              Tcpprep will try to automatically determine the primary function
              of hosts based on the traffic captured and classify each host as
              client or server.  In order to do so, you must provide a hint to
              tcpprep as to how to search for clients and servers.  Valid
              hints are:

              bridge - Bridge mode processes each packet to try to determine
              if the sender is a client or server.  Once all the packets are
              processed, the results are weighed according to the
              server/client ratio (--ratio) and systems are assigned an
              interface.  If tcpprep is unable to determine what role a system
              plays, tcpprep will abort.

              router - Router mode works just like bridge mode, except that
              after weighing is done, systems which are undetermined are
              considered a server if they fall inside a network known to
              contain other servers.  Router has a greater chance of
              successfully splitting clients and servers but is not 100%
              foolproof.

              client - Client mode works just like bridge mode, except that
              unclassified systems are treated as clients.  Client mode should
              always complete successfully.

              server - Server mode works just like bridge mode, except that
              unclassified systems are treated as servers.  Server mode should
              always complete successfully.

              first - First mode works by looking at the first time each IP is
              seen in the SRC and DST fields in the IP header.  If the host is
              first seen in the SRC field, it is a client and if it's first
              seen in the DST field, it is marked as a server.  This
              effectively replicates the processing of the tomahawk test tool.
              First mode should always complete successfully.
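
First mode as described above, sketched in Python as an added example (not tcpprep's own code). The packet tuples are constructed, and labelling each packet by the role of its source host is an assumption; the second capture begins mid-session and shows the host roles coming out inverted.

```python
def classify_first(packets):
    """Map each IP to 'client' or 'server' by where it is first seen.

    packets: iterable of (src_ip, dst_ip) tuples in capture order.
    """
    roles = {}
    for src, dst in packets:
        roles.setdefault(src, "client")   # first seen in SRC -> client
        roles.setdefault(dst, "server")   # first seen in DST -> server
    return roles


def packet_sides(packets):
    """Label every packet with the role of its source host (assumption)."""
    roles = classify_first(packets)
    return [roles[src] for src, _ in packets]


# Constructed capture: 10.0.0.5 opens a connection to 192.168.1.10.
FULL = [
    ("10.0.0.5", "192.168.1.10"),
    ("192.168.1.10", "10.0.0.5"),
    ("10.0.0.5", "192.168.1.10"),
]
# Same conversation, but the capture started after the first packet was
# sent, so the server's reply is the first packet in the file.
TRUNCATED = FULL[1:]

if __name__ == "__main__":
    print(classify_first(FULL))       # real client labelled client
    print(classify_first(TRUNCATED))  # real server labelled client
```

For captures that may begin mid-session, an explicit split such as --cidr does not depend on packet order.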

       -c string, --cidr=string
              CIDR-split mode.  This option may appear up to 1 times.  This
              option must not appear in combination with any of the following
              options: auto, port, regex, mac.

              Specify a comma delimited list of CIDR netblocks to match
              against the source IP of each packet.  Packets matching any of
              the CIDRs are classified as servers.

       -r string, --regex=string
              Regex-split mode.  This option may appear up to 1 times.  This
              option must not appear in combination with any of the following
              options: auto, port, cidr, mac.

              Specify a regular expression to match against the source IP of
              each packet.  Packets matching the regex are classified as
              servers.

       -p, --port
              Port-split mode.  This option may appear up to 1 times.  This
              option must not appear in combination with any of the following
              options: auto, regex, cidr, mac.

              Specifies that TCP and UDP traffic should be classified as
              client or server based upon the destination port of the header.

       -e string, --mac=string
              Source MAC split mode.  This option may appear up to 1 times.
              This option must not appear in combination with any of the
              following options: auto, regex, cidr, port.

              Specify a list of MAC addresses to match against the source MAC
              of each packet.  Packets matching one of the values are
              classified as servers.

       --reverse
              Matches to be client instead of server.  This option may appear
              up to 1 times.

              Normally the --mac, --regex and --cidr flags are used to specify
              the servers and non-IP packets are classified as clients.  By
              using --reverse, these features are reversed so that the flags
              specify clients and non-IP packets are classified as servers.

       -C string, --comment=string
              Embedded cache file comment.  This option may appear up to 1
              times.

              Specify a comment to be embedded within the output cache file
              and later viewed.

       --no-arg-comment
              Do not embed any cache file comment.  This option may appear up
              to 1 times.

              By default, tcpprep includes the arguments passed on the command
              line in the cache file comment (in addition to any user
              specified --comment).  If for some reason you do not wish to
              include this, specify this option.

       -x string, --include=string
              Include only packets matching rule.  This option may appear up
              to 1 times.  This option must not appear in combination with any
              of the following options: exclude.

              Override default of processing all packets stored in the capture
              file and only send/edit packets which match the provided rule.
              Rules can be one of:

              S:<CIDR1>,...  - Source IP must match specified CIDR(s)

              D:<CIDR1>,...  - Destination IP must match specified CIDR(s)

              B:<CIDR1>,...  - Both source and destination IP must match
              specified CIDR(s)

              E:<CIDR1>,...  - Either IP must match specified CIDR(s)

              P:<LIST> - Must be one of the listed packets where the list
              corresponds to the packet number in the capture file.
                  -x P:1-5,9,15,72-
              would process packets 1 through 5, the 9th and 15th packet, and
              packets 72 until the end of the file

              F:'<bpf>' - BPF filter.  See the tcpdump(8) man page for syntax.

       -X string, --exclude=string
              Exclude any packet matching this rule.  This option may appear
              up to 1 times.  This option must not appear in combination with
              any of the following options: include.

              Override default of processing all packets stored in the capture
              file and only send/edit packets which do NOT match the provided
              rule.  Rules can be one of:

              S:<CIDR1>,...  - Source IP must not match specified CIDR(s)

              D:<CIDR1>,...  - Destination IP must not match specified CIDR(s)

              B:<CIDR1>,...  - Both source and destination IP must not match
              specified CIDR(s)

              E:<CIDR1>,...  - Either IP must not match specified CIDR(s)

              P:<LIST> - Must not be one of the listed packets where the list
              corresponds to the packet number in the capture file.
                  -X P:1-5,9,15,72-
              would skip packets 1 through 5, the 9th and 15th packet, and
              packets 72 until the end of the file
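
The --include/--exclude rule grammar above, as an added Python sketch for previewing which packet numbers a rule selects (not tcpprep's own code). It covers the S, D, B, E and P rule types but not F; the packet list is constructed, and treating --exclude as the plain negation of the --include match is an assumption.

```python
import ipaddress


def parse_rule(rule):
    """Parse an S/D/B/E CIDR rule or a P packet-list rule (F: is not handled)."""
    kind, _, body = rule.partition(":")
    if kind in ("S", "D", "B", "E"):
        return kind, [ipaddress.ip_network(c.strip()) for c in body.split(",")]
    if kind == "P":
        ranges = []
        for item in body.split(","):
            lo, dash, hi = item.partition("-")
            if not dash:                      # single packet number: "9"
                ranges.append((int(lo), int(lo)))
            else:                             # "1-5", or open-ended "72-"
                ranges.append((int(lo), int(hi) if hi else None))
        return kind, ranges
    raise ValueError(f"unsupported rule type: {rule!r}")


def matches(parsed, number, src, dst):
    """True if packet `number` (1-based) with these IPs matches the rule."""
    kind, values = parsed
    if kind == "P":
        return any(lo <= number and (hi is None or number <= hi)
                   for lo, hi in values)
    s = any(ipaddress.ip_address(src) in net for net in values)
    d = any(ipaddress.ip_address(dst) in net for net in values)
    return {"S": s, "D": d, "B": s and d, "E": s or d}[kind]


def selected(rule, packets, exclude=False):
    """Packet numbers that would be processed under -x (or -X if exclude)."""
    parsed = parse_rule(rule)
    return [n for n, src, dst in packets
            if matches(parsed, n, src, dst) != exclude]


# Constructed sample: (src, dst) pairs, numbered from 1 as in the capture file.
PAIRS = [("10.0.0.5", "192.168.1.10"), ("192.168.1.10", "10.0.0.5"),
         ("10.0.0.7", "10.0.0.5"), ("172.16.0.1", "192.168.1.10"),
         ("10.0.0.5", "172.16.0.1")]
PACKETS = [(n, s, d) for n, (s, d) in enumerate(PAIRS, start=1)]

if __name__ == "__main__":
    for rule in ("P:1-2,4-", "S:10.0.0.0/8", "B:10.0.0.0/8"):
        print(rule, selected(rule, PACKETS))
```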

       -o string, --cachefile=string
              Output cache file.  This option may appear up to 1 times.

       -i string, --pcap=string
              Input pcap file to process.  This option may appear up to 1
              times.

       -P string, --print-comment=string
              Print embedded comment in the specified cache file.  This option
              may appear up to 1 times.

       -I string, --print-info=string
              Print basic info from the specified cache file.  This option may
              appear up to 1 times.

       -S string, --print-stats=string
              Print statistical information about the specified cache file.
              This option may appear up to 1 times.

       -s string, --services=string
              Load services file for server ports.  This option may appear up
              to 1 times.  This option must appear in combination with the
              following options: port.

              Uses a list of ports used by servers in the same format as
              /etc/services: <service_name>        <port>/<protocol> # comment

              Example: http            80/tcp

       -N, --nonip
              Send non-IP traffic out server interface.  This option may
              appear up to 1 times.

              By default, non-IP traffic which cannot be classified as client
              or server is classified as "client".  Specifying --nonip will
              reclassify non-IP traffic as "server".  Note that the meaning of
              this flag is reversed if --reverse is used.

       -R string, --ratio=string
              Ratio of client to server packets.  This option may appear up to
              1 times.  This option must appear in combination with the
              following options: auto.  The default string for this option is:
                   2.0

              Since a given host may have both client and server traffic being
              sent to/from it, tcpprep uses a ratio to weigh these packets.
              If you would like to override the default of 2:1 server to
              client packets required for a host to be classified as a server,
              specify it as a floating point value.

       -m number, --minmask=number
              Minimum network mask length in auto mode.  This option may
              appear up to 1 times.  This option must appear in combination
              with the following options: auto.  This option takes an integer
              number as its argument.  The value of number is constrained to
              being:
                  in the range  0 through 32
              The default number for this option is:
                   30

              By default, auto modes use a minimum network mask length of 30
              bits to build networks containing clients and servers.  This
              allows you to override this value.  Larger values will increase
              performance but may provide inaccurate results.

       -M number, --maxmask=number
              Maximum network mask length in auto mode.  This option may
              appear up to 1 times.  This option must appear in combination
              with the following options: auto.  This option takes an integer
              number as its argument.  The value of number is constrained to
              being:
                  in the range  0 through 32
              The default number for this option is:
                   8

              By default, auto modes use a maximum network mask length of 8
              bits to build networks containing clients and servers.  This
              allows you to override this value.  Larger values will decrease
              performance and accuracy but will provide greater chance of
              success.

       -v, --verbose
              Print decoded packets via tcpdump to STDOUT.  This option may
              appear up to 1 times.

       -A string, --decode=string
              Arguments passed to tcpdump decoder.  This option may appear up
              to 1 times.  This option must appear in combination with the
              following options: verbose.

              When enabling verbose mode (-v) you may also specify one or more
              additional arguments to pass to tcpdump to modify the way
              packets are decoded.  By default, -n and -l are used.  Be sure
              to quote the arguments so that they are not interpreted by
              tcprewrite.  The following arguments are valid:
                  [ -aAeNqRStuvxX ]
                  [ -E spi@ipaddr algo:secret,... ]
                  [ -s snaplen ]

       -V, --version
              Print version information.

       -h, --less-help
              Display less usage information and exit.

              This option has not been fully documented.

       -H, --help
              Display usage information and exit.

       -!, --more-help
              Extended usage information passed thru pager.

       -> [rcfile], --save-opts[=rcfile]
              Save the option state to rcfile.  The default is the last
              configuration file listed in the OPTION PRESETS section, below.

       -< rcfile, --load-opts=rcfile, --no-load-opts
              Load options from rcfile.  The no-load-opts form will disable
              the loading of earlier RC/INI files.  --no-load-opts is handled
              early, out of order.

OPTION PRESETS

       Any option that is not marked as not presettable may be preset by
       loading values from configuration ("RC" or ".INI") file(s).  The homerc
       file is "$$/", unless that is a directory.  In that case, the file
       ".tcppreprc" is searched for within that directory.

SEE ALSO

       tcpdump(1), tcprewrite(1), tcpreplay(1)

AUTHOR

       Copyright 2000-2008 Aaron Turner

       For support please use the tcpreplay-users@lists.sourceforge.net
       mailing list.

       The latest version of this software is always available from:
       http://tcpreplay.synfin.net/

       Released under the Free BSD License.

       This manual page was AutoGen-erated from the tcpprep option
       definitions.

(tcpprep )                        2008-05-15                        TCPPREP(1)