1TCPPREP(1) Programmer's Manual TCPPREP(1)
2
6 tcpprep - Create a tcpreplay cache cache file from a pcap file.
7
9 tcpprep [-flag [value]]... [--opt-name [[=| ]value]]...
10 All arguments must be options.
12 tcpprep is a pcap(3) file pre-processor which creates a cache file
14 which provides "rules" for tcprewrite(1) and tcpreplay(1) on how to
15 process and send packets.
16
18 This manual page documents, briefly, the tcpprep command. The basic
19 operation of tcpreplay is to resend all packets from the input file(s)
20 out a single file. Tcpprep processes a pcap file and applies a set of
21 user-specified rules to create a cache file which tells tcpreplay
22 wether or not to send each packet and which interface the packet should
23 be sent out of.
24 For more details, please see the Tcpreplay Manual at: http://tcpre‐
26 play.synfin.net/trac/wiki/manual
27
29 -d number, --dbug=number
30 Enable debugging output. This option may appear up to 1 times.
31 This option takes an integer number as its argument. The value
32 of number is constrained to being:
33 in the range 0 through 5
34 The default number for this option is:
35 0
36 If configured with --enable-debug, then you can specify a ver‐
38 bosity level for debugging output. Higher numbers increase ver‐
39 bosity.
40 -a string, --auto=string
42 Auto-split mode. This option may appear up to 1 times. This
43 option must not appear in combination with any of the following
44 options: cidr, port, regex, mac.
45 Tcpprep will try to automatically determine the primary function
47 of hosts based on the traffic captured and classify each host as
48 client or server. In order to do so, you must provide a hint to
49 tcpprep as to how to search for clients and servers. Valid
50 hints are:
51 bridge Bridge mode processes each packet to try to determine if
54 the sender is a client or server. Once all the packets are pro‐
55 cessed, the results are weighed according to the server/client
56 ratio (--ratio) and systems are assigned an interface. If tcp‐
57 prep is unable to determine what role a system plays, tcpprep
58 will abort.
59 router Router mode works just like bridge mode, except that
61 after weighing is done, systems which are undetermined are con‐
62 sidered a server if they fall inside a network known to contain
63 other servers. Router has a greater chance of successfully
64 splitting clients and servers but is not 100% foolproof.
65 client Client mode works just like bridge mode, except that
67 unclassified systems are treated as clients. Client mode should
68 always complete successfully.
69 server Server mode works just like bridge mode, except that
71 unclassified systems are treated as servers. Server mode should
72 always complete successfully.
73 first First mode works by looking at the first time each IP is
75 seen in the SRC and DST fields in the IP header. If the host is
76 first seen in the SRC field, it is a client and if it's first
77 seen in the DST field, it is marked as a server. This effec‐
78 tively replicates the processing of the tomahawk test tool.
79 First mode should always complete successfully.
80 -c string, --cidr=string
82 CIDR-split mode. This option may appear up to 1 times. This
83 option must not appear in combination with any of the following
84 options: auto, port, regex, mac.
85 Specify a comma delimited list of CIDR netblocks to match
87 against the source IP of each packet. Packets matching any of
88 the CIDR's are classified as servers.
89 -r string, --regex=string
91 Regex-split mode. This option may appear up to 1 times. This
92 option must not appear in combination with any of the following
93 options: auto, port, cidr, mac.
94 Specify a regular expression to match against the source IP of
96 each packet. Packets matching the regex are classified as
97 servers.
98 -p, --port
100 Port-split mode. This option may appear up to 1 times. This
101 option must not appear in combination with any of the following
102 options: auto, regex, cidr, mac.
103 Specifies that TCP and UDP traffic should be classified as
105 client or server based upon the destination port of the header.
106 -e string, --mac=string
108 Source MAC split mode. This option may appear up to 1 times.
109 This option must not appear in combination with any of the fol‐
110 lowing options: auto, regex, cidr, port.
111 Specify a list of MAC addresses to match against the source MAC
113 of each packet. Packets matching one of the values are classi‐
114 fied as servers.
115 --reverse
117 Matches to be client instead of server. This option may appear
118 up to 1 times.
119 Normally the --mac, --regex and --cidr flags specify are used to
121 specify the servers and non-IP packets are classified as
122 clients. By using --reverse, these features are reversed so
123 that the flags specify clients and non-IP packets are classified
124 as servers.
125 -C string, --comment=string
127 Embeded cache file comment. This option may appear up to 1
128 times.
129 Specify a comment to be imbedded within the output cache file
131 and later viewed.
132 --no-arg-comment
134 Do not embed any cache file comment. This option may appear up
135 to 1 times.
136 By default, tcpprep includes the arguments passed on the command
138 line in the cache file comment (in addition to any user speci‐
139 fied --comment). If for some reason you do not wish to include
140 this, specify this option.
141 -x string, --include=string
143 Include only packets matching rule. This option may appear up
144 to 1 times. This option must not appear in combination with any
145 of the following options: exclude.
146 Override default of processing all packets stored in the capture
148 file and only send/edit packets which match the provided rule.
149 Rules can be one of:
150 S:<CIDR1>,... - Source IP must match specified CIDR(s)
153 D:<CIDR1>,... - Destination IP must match specified CIDR(s)
155 B:<CIDR1>,... - Both source and destination IP must match spec‐
157 ified CIDR(s)
158 E:<CIDR1>,... - Either IP must match specified CIDR(s)
160 P:<LIST> - Must be one of the listed packets where the list cor‐
162 responds to the packet number in the capture file.
163 -x P:1-5,9,15,72-
164 would process packets 1 thru 5, the 9th and 15th packet, and
165 packets 72 until the end of the file
166 F:'<bpf>' - BPF filter. See the tcpdump(8) man page for syntax.
168 -X string, --exclude=string
170 Exclude any packet matching this rule. This option may appear
171 up to 1 times. This option must not appear in combination with
172 any of the following options: include.
173 Override default of processing all packets stored in the capture
175 file and only send/edit packets which do NOT match the provided
176 rule. Rules can be one of:
177 S:<CIDR1>,... - Source IP must not match specified CIDR(s)
180 D:<CIDR1>,... - Destination IP must not match specified CIDR(s)
182 B:<CIDR1>,... - Both source and destination IP must not match
184 specified CIDR(s)
185 E:<CIDR1>,... - Either IP must not match specified CIDR(s)
187 P:<LIST> - Must not be one of the listed packets where the list
189 corresponds to the packet number in the capture file.
190 -x P:1-5,9,15,72-
191 would skip packets 1 thru 5, the 9th and 15th packet, and pack‐
192 ets 72 until the end of the file
193 -o string, --cachefile=string
195 Output cache file. This option may appear up to 1 times.
196 -i string, --pcap=string
200 Input pcap file to process. This option may appear up to 1
201 times.
202 -P string, --print-comment=string
206 Print embedded comment in the specified cache file. This option
207 may appear up to 1 times.
208 -I string, --print-info=string
212 Print basic info from the specified cache file. This option may
213 appear up to 1 times.
214 -S string, --print-stats=string
218 Print statistical information about the specified cache file.
219 This option may appear up to 1 times.
220 -s string, --services=string
224 Load services file for server ports. This option may appear up
225 to 1 times. This option must appear in combination with the
226 following options: port.
227 Uses a list of ports used by servers in the same format as of
229 /etc/services: <service_name> <port>/<protocol> # comment
230 Example: http 80/tcp
232 -N, --nonip
234 Send non-IP traffic out server interface. This option may
235 appear up to 1 times.
236 By default, non-IP traffic which can not be classified as client
238 or server is classified as "client". Specifiying --nonip will
239 reclassify non-IP traffic as "server". Note that the meaning of
240 this flag is reversed if --reverse is used.
241 -R string, --ratio=string
243 Ratio of client to server packets. This option may appear up to
244 1 times. This option must appear in combination with the fol‐
245 lowing options: auto. The default string for this option is:
246 2.0
247 Since a given host may have both client and server traffic being
249 sent to/from it, tcpprep uses a ratio to weigh these packets.
250 If you would like to override the default of 2:1 server to
251 client packets required for a host to be classified as a server,
252 specify it as a floating point value.
253 -m number, --minmask=number
255 Minimum network mask length in auto mode. This option may
256 appear up to 1 times. This option must appear in combination
257 with the following options: auto. This option takes an integer
258 number as its argument. The value of number is constrained to
259 being:
260 in the range 0 through 32
261 The default number for this option is:
262 30
263 By default, auto modes use a minimum network mask length of 30
265 bits to build networks containing clients and servers. This
266 allows you to override this value. Larger values will increase
267 performance but may provide inaccurate results.
268 -M number, --maxmask=number
270 Maximum network mask length in auto mode. This option may
271 appear up to 1 times. This option must appear in combination
272 with the following options: auto. This option takes an integer
273 number as its argument. The value of number is constrained to
274 being:
275 in the range 0 through 32
276 The default number for this option is:
277 8
278 By default, auto modes use a maximum network mask length of 8
280 bits to build networks containing clients and servers. This
281 allows you to override this value. Larger values will decrease
282 performance and accuracy but will provide greater chance of suc‐
283 cess.
284 -v, --verbose
286 Print decoded packets via tcpdump to STDOUT. This option may
287 appear up to 1 times.
288 -A string, --decode=string
292 Arguments passed to tcpdump decoder. This option may appear up
293 to 1 times. This option must appear in combination with the
294 following options: verbose.
295 When enabling verbose mode (-v) you may also specify one or more
297 additional arguments to pass to tcpdump to modify the way pack‐
298 ets are decoded. By default, -n and -l are used. Be sure to
299 quote the arguments so that they are not interpreted by
300 tcprewrite. The following arguments are valid:
301 [ -aAeNqRStuvxX ]
302 [ -E spi@ipaddr algo:secret,... ]
303 [ -s snaplen ]
304 -V, --version
306 Print version information.
307 -h, --less-help
311 Display less usage information and exit.
312 This option has not been fully documented.
314 -H, --help
316 Display usage information and exit.
317 -!, --more-help
319 Extended usage information passed thru pager.
320 - [rcfile], --save-opts[=rcfile]
322 Save the option state to rcfile. The default is the last con‐
323 figuration file listed in the OPTION PRESETS section, below.
324 - rcfile, --load-opts=rcfile, --no-load-opts
326 Load options from rcfile. The no-load-opts form will disable
327 the loading of earlier RC/INI files. --no-load-opts is handled
328 early, out of order.
329
331 Any option that is not marked as not presettable may be preset by load‐
332 ing values from configuration ("RC" or ".INI") file(s). The homerc
333 file is "$$/", unless that is a directory. In that case, the file
334 ".tcppreprc" is searched for within that directory.
335
337 tcpdump(1), tcprewrite(1), tcpreplay(1)
338
340 Copyright 2000-2008 Aaron Turner
341 For support please use the tcpreplay-users@lists.sourceforge.net mail‐
343 ing list.
344 The latest version of this software is always available from:
346 http://tcpreplay.synfin.net/
347 Released under the Free BSD License.
349 This manual page was AutoGen-erated from the tcpprep option defini‐
351 tions.
352(tcpprep ) 2008-05-15 TCPPREP(1)