TCPREWRITE(1)                 Programmer's Manual                TCPREWRITE(1)

NAME
       tcprewrite - Rewrite the packets in a pcap file.

SYNOPSIS
       tcprewrite [-flag [value]]... [--opt-name [[=| ]value]]...

       All arguments must be options.

DESCRIPTION
       This manual page documents, briefly, the tcprewrite command.
       Tcprewrite is a tool to rewrite packets stored in pcap(3) file format,
       such as those created by tools such as tcpdump(1) and ethereal(1).
       Once a pcap file has had its packets rewritten, they can be replayed
       back out on the network using tcpreplay(1).

       tcprewrite currently supports reading the following DLT types:

       DLT_C_HDLC aka Cisco HDLC

       DLT_EN10MB aka Ethernet

       DLT_LINUX_SLL aka Linux Cooked Socket

       DLT_RAW aka RAW IP

       DLT_NULL aka BSD Loopback

       DLT_LOOP aka OpenBSD Loopback

       DLT_IEEE802_11 aka 802.11a/b/g

       DLT_IEEE802_11_RADIO aka 802.11a/b/g with Radiotap headers

       Please see the --dlt option for supported DLT types for writing.

       The packet editing features of tcprewrite which distinguish between
       "client" and "server" traffic require a tcpprep(1) cache file.

       For more details, please see the Tcpreplay Manual at:
       http://tcpreplay.synfin.net/trac/wiki/manual

OPTIONS
       -r string, --portmap=string
              Rewrite TCP/UDP ports.  This option may appear up to 1 times.

              Specify a list of comma delimited port mappings consisting of
              colon delimited port number pairs.  Each colon delimited port
              pair consists of the port to match followed by the port number
              to rewrite.

              Example:
                  --portmap=80:8000,8080:80

       -s number, --seed=number
              Randomize src/dst IP addresses w/ given seed.  This option may
              appear up to 1 times.  This option takes an integer number as
              its argument.

              Causes the source and destination IP addresses to be pseudo
              randomized but still maintain client/server relationships.
              Since the randomization is deterministic based on the seed, you
              can reuse the same seed value to recreate the traffic.

       -N string, --pnat=string
              Rewrite IP addresses using pseudo-NAT.  This option may appear
              up to 2 times.  This option must not appear in combination with
              any of the following options: srcipmap.

              Takes a comma delimited series of colon delimited CIDR netblock
              pairs.  Each netblock pair is evaluated in order against the IP
              addresses.  If the IP address in the packet matches the first
              netblock, it is rewritten using the second netblock as a mask
              against the high order bits.

              Example:
                  --pnat=192.168.0.0/16:10.77.0.0/16,172.16.0.0/12:10.1.0.0/24

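              The mapping described above, worked through in Python as an
              added illustration (not tcprewrite's own code). It assumes that
              "mask against the high order bits" means the network bits come
              from the second netblock and the host bits under that
              netblock's prefix length are kept from the packet; the sample
              addresses are constructed.

```python
import ipaddress

def parse_pnat(spec):
    """Parse 'match:target,match:target' into an ordered list of network pairs."""
    pairs = []
    for item in spec.split(","):
        match, target = item.split(":")
        pairs.append((ipaddress.ip_network(match), ipaddress.ip_network(target)))
    return pairs

def pnat(addr, pairs):
    """Rewrite addr with the first matching pair; leave it unchanged otherwise."""
    ip = ipaddress.IPv4Address(addr)
    for match, target in pairs:
        if ip in match:
            # Network bits come from the target block; the host bits that
            # fit under the target's prefix length are kept from the packet.
            host_bits = int(ip) & int(target.hostmask)
            return str(ipaddress.IPv4Address(int(target.network_address) | host_bits))
    return addr

def collisions(addrs, pairs):
    """Group distinct input addresses that end up sharing one rewritten address."""
    seen = {}
    for addr in addrs:
        seen.setdefault(pnat(addr, pairs), set()).add(addr)
    return {new: sorted(old) for new, old in seen.items() if len(old) > 1}

# The --pnat value from the example above.
PAIRS = parse_pnat("192.168.0.0/16:10.77.0.0/16,172.16.0.0/12:10.1.0.0/24")

# Constructed sample addresses.
SAMPLE = ["192.168.1.5", "172.16.5.9", "172.31.200.9", "8.8.8.8"]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, "->", pnat(a, PAIRS))
    print("collisions:", collisions(SAMPLE, PAIRS))
```

              Mapping the /12 onto a /24 keeps only the last octet, so
              distinct hosts can collapse onto one address in the rewritten
              capture.
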
       -S string, --srcipmap=string
              Rewrite source IP addresses using pseudo-NAT.  This option may
              appear up to 1 times.  This option must not appear in
              combination with any of the following options: pnat.

              Works just like the --pnat option, but only affects the source
              IP addresses in the IPv4 header.

       -D string, --dstipmap=string
              Rewrite destination IP addresses using pseudo-NAT.  This option
              may appear up to 1 times.  This option must not appear in
              combination with any of the following options: pnat.

              Works just like the --pnat option, but only affects the
              destination IP addresses in the IPv4 header.

       -e string, --endpoints=string
              Rewrite IP addresses to be between two endpoints.  This option
              may appear up to 1 times.  This option must appear in
              combination with the following options: cachefile.

              Takes a pair of colon delimited IP addresses which will be used
              to rewrite all traffic to appear to be between the two IPs.

              Example:
                  --endpoints=172.16.0.1:172.16.0.2

       -b, --skipbroadcast
              Skip rewriting broadcast/multicast IPs.

              By default --seed, --pnat and --endpoints will rewrite broadcast
              and multicast IP and MAC addresses.  Setting this flag will keep
              broadcast/multicast IP and MAC addresses from being rewritten.

       -C, --fixcsum
              Force recalculation of IP/TCP/UDP checksums.

              Causes each IP packet to have its checksums recalculated and
              fixed.  Automatically enabled for packets modified with --seed,
              --pnat, --endpoints or --fixlen.

       -m number, --mtu=number
              Override default MTU length (1500 bytes).  This option may
              appear up to 1 times.  This option takes an integer number as
              its argument.  The value of number is constrained to being:
                  in the range 1 through MAXPACKET

              Override the default 1500 byte MTU size for determining the
              maximum padding length.

       -E, --efcs
              Remove Ethernet checksums (FCS) from end of frames.

              Note, this option is pretty dangerous!  We don't actually check
              to see if a FCS actually exists in the frame, we just blindly
              delete the last two bytes.  Hence, you should only use this if
              you know that your OS provides the FCS when reading raw
              packets.

       --ttl=string
              Modify the IPv4 TTL.

              Allows you to modify the TTL of all the IPv4 packets.  Specify a
              number to hard-code the value or +/-value to increase or
              decrease by the value provided (limited to 1-255).

              Examples:
                  --ttl=10
                  --ttl=+7
                  --ttl=-64

       -F string, --fixlen=string
              Pad or truncate packet data to match header length.  This option
              may appear up to 1 times.

              Packets may be truncated during capture if the snaplen is
              smaller than the packet.  This option allows you to modify the
              packet to pad the packet back out to the size stored in the IPv4
              header or rewrite the IP header total length to reflect the
              stored packet length.

              pad    Truncated packets will be padded out so that the packet
                     length matches the IPv4 total length

              trunc  Truncated packets will have their IPv4 total length field
                     rewritten to match the actual packet length

              del    Delete the packet

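              The three --fixlen modes applied to a raw IPv4 packet, as an
              added Python illustration (not tcprewrite's own code). It
              assumes zero bytes as padding and recomputes only the IPv4
              header checksum, not the TCP/UDP checksum that --fixcsum also
              covers; the sample packet is constructed.

```python
import struct

def ipv4_checksum(header):
    """RFC 1071 checksum of an IPv4 header, ignoring its current checksum field."""
    header = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_valid(packet):
    """True if the stored IPv4 header checksum matches the header contents."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == struct.unpack("!H", packet[10:12])[0]

def fixlen(packet, mode):
    """Apply pad / trunc / del to a raw IPv4 packet (no Layer 2 header)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if len(packet) >= total_len:
        return packet                      # not truncated, nothing to fix
    if mode == "del":
        return None                        # drop the packet
    if mode == "pad":
        # Assumption: pad with zero bytes; the header is left untouched.
        return packet + b"\x00" * (total_len - len(packet))
    if mode == "trunc":
        # Shrink the total length field to what was captured, then fix the
        # header checksum, which the length change has invalidated.
        hdr = bytearray(packet[:ihl])
        hdr[2:4] = struct.pack("!H", len(packet))
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return bytes(hdr) + packet[ihl:]
    raise ValueError("mode must be pad, trunc or del")

# Constructed sample: a UDP/IPv4 header claiming 115 bytes (0x0073), of which
# only 64 were captured (20-byte header + 44 payload bytes).
HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
TRUNCATED = HEADER + bytes(44)

if __name__ == "__main__":
    fixed = fixlen(TRUNCATED, "trunc")
    print(len(fixlen(TRUNCATED, "pad")), fixed[2:4].hex(), header_valid(fixed))
```
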
       --skipl2broadcast
              Skip rewriting broadcast/multicast Layer 2 addresses.

              By default, editing Layer 2 addresses will rewrite broadcast and
              multicast MAC addresses.  Setting this flag will keep
              broadcast/multicast MAC addresses from being rewritten.

       --dlt=string
              Override output DLT encapsulation.  This option may appear up to
              1 times.

              By default, no DLT (data link type) conversion will be made.  To
              change the DLT type of the output pcap, select one of the
              following values:

              enet   Ethernet aka DLT_EN10MB

              hdlc   Cisco HDLC aka DLT_C_HDLC

              user   User specified Layer 2 header and DLT type

       --enet-dmac=string
              Override destination ethernet MAC addresses.  This option may
              appear up to 1 times.

              Takes a pair of comma delimited ethernet MAC addresses which
              will replace the destination MAC address of outbound packets.
              The first MAC address will be used for the server to client
              traffic and the optional second MAC address will be used for the
              client to server traffic.

              Example:
                  --enet-dmac=00:12:13:14:15:16,00:22:33:44:55:66

       --enet-smac=string
              Override source ethernet MAC addresses.  This option may appear
              up to 1 times.

              Takes a pair of comma delimited ethernet MAC addresses which
              will replace the source MAC address of outbound packets.  The
              first MAC address will be used for the server to client traffic
              and the optional second MAC address will be used for the client
              to server traffic.

              Example:
                  --enet-smac=00:12:13:14:15:16,00:22:33:44:55:66

       --enet-vlan=string
              Specify ethernet 802.1q VLAN tag mode.  This option may appear
              up to 1 times.

              Allows you to rewrite ethernet frames to add a 802.1q header to
              standard 802.3 ethernet headers or remove the 802.1q VLAN tag
              information.

              add    Rewrites the existing 802.3 ethernet header as an 802.1q
                     VLAN header

              del    Rewrites the existing 802.1q VLAN header as an 802.3
                     ethernet header

       --enet-vlan-tag=number
              Specify the new ethernet 802.1q VLAN tag value.  This option may
              appear up to 1 times.  This option must appear in combination
              with the following options: enet-vlan.  This option takes an
              integer number as its argument.  The value of number is
              constrained to being:
                  in the range 0 through 4095

       --enet-vlan-cfi=number
              Specify the ethernet 802.1q VLAN CFI value.  This option may
              appear up to 1 times.  This option must appear in combination
              with the following options: enet-vlan.  This option takes an
              integer number as its argument.  The value of number is
              constrained to being:
                  in the range 0 through 1

       --enet-vlan-pri=number
              Specify the ethernet 802.1q VLAN priority.  This option may
              appear up to 1 times.  This option must appear in combination
              with the following options: enet-vlan.  This option takes an
              integer number as its argument.  The value of number is
              constrained to being:
                  in the range 0 through 7

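              How the tag, CFI and priority values above fit into the 4-byte
              802.1q tag that the add mode inserts and the del mode strips,
              as an added Python illustration (not tcprewrite's own code).
              The sample frame is constructed and carries no FCS.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1q tag

def vlan_add(frame, tag, cfi=0, pri=0):
    """Insert an 802.1q tag after the two MAC addresses of an 802.3 frame."""
    if not 0 <= tag <= 4095:
        raise ValueError("VLAN tag must be 0-4095")
    if cfi not in (0, 1):
        raise ValueError("CFI must be 0 or 1")
    if not 0 <= pri <= 7:
        raise ValueError("priority must be 0-7")
    tci = (pri << 13) | (cfi << 12) | tag   # 3 + 1 + 12 bits
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def vlan_info(frame):
    """Return (tag, cfi, pri) for a tagged frame, or None if untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci & 0x0FFF, (tci >> 12) & 1, tci >> 13)

def vlan_del(frame):
    """Strip the 802.1q tag, restoring a plain 802.3 header."""
    if vlan_info(frame) is None:
        return frame                        # nothing to remove
    return frame[:12] + frame[16:]

# Constructed sample frame: the MAC addresses from the --enet-dmac example,
# EtherType 0x0800 (IPv4) and 46 zero bytes standing in for the payload.
FRAME = bytes.fromhex("001213141516" "002233445566" "0800") + bytes(46)

if __name__ == "__main__":
    tagged = vlan_add(FRAME, tag=100, cfi=0, pri=5)
    print(tagged[12:16].hex(), vlan_info(tagged), vlan_del(tagged) == FRAME)
```
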
       --hdlc-control=number
              Specify HDLC control value.  This option may appear up to 1
              times.  This option takes an integer number as its argument.

              The Cisco HDLC header has a 1 byte "control" field.  Apparently
              this should always be 0, but you can use any 1 byte value.

       --hdlc-address=number
              Specify HDLC address.  This option may appear up to 1 times.
              This option takes an integer number as its argument.

              The Cisco HDLC header has a 1 byte "address" field which has two
              valid values:

              0x0F   Unicast

              0xBF   Broadcast

              You can, however, specify any single byte value.

       --user-dlt=number
              Set output file DLT type.  This option may appear up to 1 times.
              This option takes an integer number as its argument.

              Set the DLT value of the output pcap file.

       --user-dlink=string
              Rewrite Data-Link layer with user specified data.  This option
              may appear up to 2 times.

              Provide a series of comma delimited hex values which will be
              used to rewrite or create the Layer 2 header of the packets.
              The first instance of this argument will rewrite both server and
              client traffic, but if this argument is specified a second time,
              it will be used for the client traffic.

              Example:
                  --user-dlink=01,02,03,04,05,06,00,1A,2B,3C,4D,5E,6F,08,00

       -d number, --dbug=number
              Enable debugging output.  This option may appear up to 1 times.
              This option takes an integer number as its argument.  The value
              of number is constrained to being:
                  in the range 0 through 5
              The default number for this option is:
                  0

              If configured with --enable-debug, then you can specify a
              verbosity level for debugging output.  Higher numbers increase
              verbosity.

       -i string, --infile=string
              Input pcap file to be processed.  This option may appear up to 1
              times.

       -o string, --outfile=string
              Output pcap file.  This option may appear up to 1 times.

       -c string, --cachefile=string
              Split traffic via tcpprep cache file.  This option may appear up
              to 1 times.

              Use tcpprep cache file to split traffic based upon client/server
              relationships.

       -v, --verbose
              Print decoded packets via tcpdump to STDOUT.  This option may
              appear up to 1 times.

       -A string, --decode=string
              Arguments passed to tcpdump decoder.  This option may appear up
              to 1 times.  This option must appear in combination with the
              following options: verbose.

              When enabling verbose mode (-v) you may also specify one or more
              additional arguments to pass to tcpdump to modify the way
              packets are decoded.  By default, -n and -l are used.  Be sure
              to quote the arguments so that they are not interpreted by
              tcprewrite.  Please see the tcpdump(1) man page for a complete
              list of options.

       --fragroute=string
              Parse fragroute configuration file.  This option may appear up
              to 1 times.

              Enable advanced evasion techniques using the built-in
              fragroute(8) engine.  See the fragroute(8) man page for more
              details.  Important: tcprewrite does not support the delay, echo
              or print commands.

       --fragdir=string
              Which flows to apply fragroute to: c2s, s2c, both.  This option
              may appear up to 1 times.

              Apply the fragroute engine to packets going c2s, s2c or both
              when using a cache file.

       --skip-soft-errors
              Skip writing packets with soft errors.  This option may appear
              up to 1 times.

              In some cases, packets can't be decoded or the requested editing
              is not possible.  Normally these packets are written to the
              output file unedited so that tcpprep cache files can still be
              used, but if you wish, these packets can be suppressed.

              One example of this is 802.11 management frames which contain no
              data.

       -V, --version
              Print version information.

       -h, --less-help
              Display less usage information and exit.

       -H, --help
              Display usage information and exit.

       -!, --more-help
              Extended usage information passed thru pager.

       -> [rcfile], --save-opts[=rcfile]
              Save the option state to rcfile.  The default is the last
              configuration file listed in the OPTION PRESETS section, below.

       -< rcfile, --load-opts=rcfile, --no-load-opts
              Load options from rcfile.  The no-load-opts form will disable
              the loading of earlier RC/INI files.  --no-load-opts is handled
              early, out of order.

OPTION PRESETS
       Any option that is not marked as not presettable may be preset by
       loading values from configuration ("RC" or ".INI") file(s).  The homerc
       file is "$$/", unless that is a directory.  In that case, the file
       ".tcprewriterc" is searched for within that directory.

SEE ALSO
       tcpdump(1), tcpprep(1), tcpreplay(1)

AUTHOR
       Copyright 2004-2008 Aaron Turner

       For support please use the tcpreplay-users@lists.sourceforge.net
       mailing list.

       The latest version of this software is always available from:
       http://tcpreplay.synfin.net/

       Released under the Free BSD License.

       This manual page was AutoGen-erated from the tcprewrite option
       definitions.

(tcprewrite )                     2008-05-15                     TCPREWRITE(1)