forked from appneta/tcpreplay
#LyX 1.3 created this file. For more info see http://www.lyx.org/
\lyxformat 221
\textclass article
\language english
\inputencoding latin1
\fontscheme times
\graphics default
\paperfontsize default
\spacing single
\papersize letterpaper
\paperpackage a4
\use_geometry 1
\use_amsmath 0
\use_natbib 0
\use_numerical_citations 0
\paperorientation portrait
\leftmargin 10mm
\topmargin 10mm
\rightmargin 10mm
\bottommargin 15mm
\secnumdepth 4
\tocdepth 3
\paragraph_separation skip
\defskip medskip
\quotes_language english
\quotes_times 2
\papercolumns 1
\papersides 1
\paperpagestyle default
\layout Title
Tcpreplay 2.1.x FAQ
\layout Author
Aaron Turner <aturner_AT_pobox.com>
\newline
http://tcpreplay.sourceforge.net/
\layout Date
Last Edited:
\newline
April 23, 2004
\layout Standard
\pagebreak_top \pagebreak_bottom
\begin_inset LatexCommand \tableofcontents{}
\end_inset
\layout Part
Before You Start
\layout Section
General Info
\layout Subsection
What is this FAQ for?
\layout Standard
Tcpreplay is a suite of powerful tools, but with that power comes complexity.
While we have done our best to write good man pages for tcpreplay and its
associated utilities, we understand that many people may want more information
than we can provide in the man pages.
Additionally, this FAQ attempts to cover material which we feel will be
of use to people using tcpreplay, as well as common questions that occur
on the Tcpreplay-Users <tcpreplay-users@lists.sourceforge.net> mailing list.
\layout Subsection
What tools come with tcpreplay?
\layout Itemize
tcpreplay - replay ethernet packets stored in a pcap file as they were captured
\layout Itemize
tcpprep - a pcap pre-processor for tcpreplay
\layout Itemize
flowreplay
\begin_inset Foot
collapsed false
\layout Standard
Flowreplay is still
\begin_inset Quotes eld
\end_inset
alpha
\begin_inset Quotes erd
\end_inset
quality and is not usable for most situations.
Anyone interested in helping me develop flowreplay is encouraged to contact
me.
\end_inset
- connects to a server(s) and replays the client side of the connection
stored in a pcap file
\layout Itemize
pcapmerge - merges two or more pcap files into one
\layout Itemize
capinfo - displays basic information about a pcap file
\layout Subsection
How can I get tcpreplay's source?
\layout Standard
The source code is available in tarball format on the tcpreplay homepage:
\begin_inset LatexCommand \htmlurl{http://tcpreplay.sourceforge.net/}
\end_inset
I also encourage users familiar with CVS to try checking out the latest
code as it often has additional features not found in the tarballs.
\layout Standard
cvs -d:pserver:[email protected]:/cvsroot/tcpreplay login
\newline
Pass:
\emph on
<Enter>
\emph default
\newline
cvs -z3 -d:pserver:[email protected]:/cvsroot/tcpreplay co tcpreplay
\layout Subsection
What requirements does tcpreplay have?
\layout Enumerate
You'll need the libnet and libpcap libraries.
\layout Enumerate
To support the jump to offset feature, you'll need the libpcapnav
\begin_inset Foot
collapsed false
\layout Standard
http://netdude.sourceforge.net/
\end_inset
library.
\layout Enumerate
To support the packet decoding feature you'll need tcpdump
\begin_inset Foot
collapsed false
\layout Standard
http://www.tcpdump.org/
\end_inset
installed.
\layout Enumerate
You'll also need a compatible operating system.
Basically, any UNIX-like or UNIX-based operating system should work.
Linux, *BSD, Solaris, OS X and others should all work.
If you find any compatibility issues with any UNIX-like/based OS, please
let us know.
\layout Subsection
How do I compile tcpreplay?
\layout Standard
Two easy steps:
\layout Enumerate
As a normal user:
\emph on
./configure && make
\emph default
\layout Enumerate
As root:
\emph on
make test -i && make install
\layout Standard
There are some optional arguments which can be passed to the configure script
which may help in cases where your libnet, libpcap, libpcapnav or tcpdump
installation is not standard or if it can't determine the correct network
interface card to use for testing.
If you find that configure isn't completing correctly, run:
\emph on
./configure --help
\emph default
for more information.
\layout Standard
A few comments about 'make test':
\layout Itemize
make test is just a series of sanity checks which try to find serious bugs
(crashes) in tcpprep and tcpreplay.
\layout Itemize
make test requires at least one properly configured network interface.
If the configure script can't guess what a valid interface is, you can specify
it with the --with-testnic and --with-testnic2 arguments.
\layout Itemize
If make test fails, often you can find details in test/test.log.
\layout Itemize
OpenBSD's make has a bug where it ignores the MAKEFLAGS variable in the
Makefile, hence you'll probably want to run:
\emph on
make -is test
\emph default
instead.
\layout Subsection
Are there binaries available?
\layout Standard
Occasionally.
And even when we do, generally only for one or two operating systems.
Generally speaking, we assume people who want to use a tool like this can
figure out how to compile it.
\layout Subsection
Is there a Microsoft Windows port?
\layout Standard
Not really.
We had one user port the code over for a slightly old version of tcpreplay
to Windows.
Now we're looking for someone to help merge and maintain the code into
the main development tree.
If you're interested in helping with this please contact Aaron Turner or
the tcpreplay-users list.
\layout Subsection
How is tcpreplay licensed?
\layout Standard
Tcpreplay is licensed under a BSD-style license.
For details, see Appendix A.
\layout Subsection
What is tcpreplay?
\layout Standard
In the simplest terms, tcpreplay is a tool to send network traffic stored
in pcap format back onto the network; basically the exact opposite of tcpdump.
Tcpreplay is also a suite of tools: tcpreplay, tcpprep, pcapmerge, capinfo
and flowreplay.
\layout Subsection
What isn't tcpreplay?
\layout Standard
Tcpreplay is
\emph on
not
\emph default
a tool to replay captured traffic to a server or client.
Specifically, tcpreplay does not have the ability to rewrite IP addresses
to a user-specified value or synchronize TCP sequence and acknowledgment
numbers.
In other words, tcpreplay can't
\begin_inset Quotes eld
\end_inset
connect
\begin_inset Quotes erd
\end_inset
to a server or be used to emulate a server and have clients connect to
it.
If you're looking for that, check out flowreplay.
\layout Subsection
What are some uses for tcpreplay?
\layout Standard
Originally, tcpreplay was written to test network intrusion detection systems
(NIDS), however tcpreplay has been used to test firewalls, routers, and
other network devices.
\layout Subsection
What are some uses for flowreplay?
\layout Standard
A lot of people wanted a tool like tcpreplay, but wanted to be able to replay
traffic
\emph on
to
\emph default
a server.
Since tcpreplay was unable to do this, I developed flowreplay which replays
the data portion of the flow, but recreates the connection to the specified
server(s).
This makes flowreplay an ideal tool to test host intrusion detection systems
(HIDS) as well as captured exploits and security patches when the actual
exploit code is not available.
Please note that flowreplay is still alpha quality code and is currently
missing some important features.
\layout Subsection
What happened to version 1.5?
\layout Standard
After looking at all the changes that have happened over the last year or
so, I decided that it was finally time to graduate tcpreplay to 2.0 status.
Hence the 1.5 branch was renamed 2.0.
\layout Subsection
What is the history of tcpreplay?
\layout Standard
Tcpreplay has had quite a few authors over the past five or so years.
One of the advantages of the BSD and GPL licenses is that if someone becomes
unable or unwilling to continue development, anyone else can take over.
\layout Standard
Originally, Matt Undy of Anzen Computing wrote tcpreplay.
Matt released version 1.0.1 sometime in 1999.
Sometime after that, Anzen Computing was (at least partially) purchased
by NFR and development ceased.
\layout Standard
Then in 2001, two people independently started work on tcpreplay: Matt Bing
of NFR and Aaron Turner.
After developing a series of patches (the -adt branch), Aaron attempted
to send the patches in to be included in the main development tree.
\layout Standard
After some discussion between Aaron and Matt Bing, they decided to continue
development together.
Since then, over a dozen stable releases have been made and more than twenty
new features have been added, including the addition of a number of accessory
tools.
\layout Standard
Today, Aaron continues active development of the code.
\layout Section
Bugs, Feature Requests, and Patches
\layout Subsection
Where can I get help, report bugs or contact the developers?
\layout Standard
The best place to get help or report a bug is the Tcpreplay-Users mailing
list:
\newline
\begin_inset LatexCommand \htmlurl{http://lists.sourceforge.net/lists/listinfo/tcpreplay-users}
\end_inset
\layout Subsection
What information should I provide when I report a bug?
\layout Standard
One of the most frustrating things for any developer trying to help a user
with a problem is not enough information.
Please be sure to include
\emph on
at minimum
\emph default
the following information, however any additional information you feel
may be helpful will be appreciated.
\layout Itemize
Version information (output of -V)
\layout Itemize
Command line used (options and arguments)
\layout Itemize
Platform (Red Hat Linux 9 on Intel, Solaris 7 on SPARC, etc)
\layout Itemize
Error message (if available) and/or description of problem
\layout Itemize
If possible, attach the pcap file used (compressed with bzip2 or gzip preferred)
\layout Subsection
I have a feature request, what should I do?
\layout Standard
Let us know! Many of the features exist today because users like you asked
for them.
To make a feature request, you can either email the tcpreplay-users mailing
list (see above) or fill out the feature request form on the tcpreplay
SourceForge website.
\layout Subsection
I've written a patch for tcpreplay, how can I submit it?
\layout Standard
I'm always willing to include new features or bug fixes submitted by users.
You may email me directly or the tcpreplay-users mailing list.
Please
\emph on
do not
\emph default
use the Patch Tracker on the tcpreplay SourceForge web site.
\layout Subsection
Patch requirements
\layout Itemize
Be aware that by submitting a patch,
\emph on
you are licensing it under the BSD License
\emph default
as written in Appendix A.
If this is not acceptable to you, then
\emph on
do not
\emph default
send me the patch!
\layout Itemize
If you wish to maintain the copyright over your code, be sure that your
patch contains the appropriate information.
\layout Itemize
Please provide a description of what your patch does!
\layout Itemize
Comment your code! I won't use code I can't understand.
\layout Itemize
Make sure you are patching a branch that is still being maintained.
Generally that means the most recent stable and development branches (1.4
and 2.0 at the time of this writing).
\layout Itemize
Make sure you are patching against the most recent release for that branch.
\layout Itemize
Please submit your patch in the unified diff format so I can better understand
what you're changing.
\layout Itemize
Please provide any relevant personal information you'd like listed in the
CREDITS file.
\layout Standard
Please note that while I'm always interested in patches, I may rewrite some
or all of your submission to maintain a consistent coding style.
\layout Part
Basics
\layout Section
Basic Tcpreplay Usage
\layout Subsection
Replaying the traffic
\layout Standard
To replay a given pcap as it was captured all you need to do is specify
the pcap file and the interface to send the traffic out of:
\layout Standard
\emph on
tcpreplay -i eth0 sample.pcap
\layout Subsection
Replaying at different speeds
\layout Standard
You can also replay the traffic at different speeds than it was originally
captured
\begin_inset Foot
collapsed false
\layout Standard
Tcpreplay makes a "best" effort to replay traffic at the given rate, but
due to limitations in hardware or the pcap file itself, it may not be possible.
Capture files with only a few packets in them are especially susceptible
to this.
\end_inset
.
To support this, tcpreplay supports four different flags: -R, -r, -m, and
-p.
\layout Standard
Some examples:
\layout Itemize
To replay traffic as fast as possible:
\newline
\emph on
tcpreplay -R -i eth0 sample.pcap
\layout Itemize
To replay traffic at 10Mbps:
\newline
\emph on
tcpreplay -r 10.0 -i eth0 sample.pcap
\layout Itemize
To replay traffic 7.3 times as fast as it was captured:
\newline
\emph on
tcpreplay -m 7.3 -i eth0 sample.pcap
\layout Itemize
To replay traffic at half-speed:
\newline
\emph on
tcpreplay -m 0.5 -i eth0 sample.pcap
\layout Itemize
To replay at 25.5 packets per second:
\newline
\emph on
tcpreplay -p 25.5 -i eth0 sample.pcap
\layout Subsection
Replaying the same file over and over again
\layout Standard
Using the loop flag (-l) you can specify that a pcap file will be sent two
or more times
\begin_inset Foot
collapsed false
\layout Standard
Looping files resets internal counters which control the speed that the
file is replayed.
Also because the file has to be closed and re-opened, an added delay between
the last and first packet may occur.
\end_inset
:
\layout Itemize
To replay the sample.pcap file 10 times:
\newline
\emph on
tcpreplay -l 10 -i eth0 sample.pcap
\layout Itemize
To replay sample.pcap infinitely, or until CTRL-C is pressed:
\newline
\emph on
tcpreplay -l 0 -i eth0 sample.pcap
\layout Subsection
Using Configuration Files
\layout Standard
Tcpreplay offers the option of specifying configuration options in a config
file in addition to the traditional command line.
Each configuration option has an equivalent config file option which is
listed in the tcpreplay man page.
To specify the configuration file you'd like to use, use the -f <filename>
option.
\layout Standard
Configuration files have one option per line, and lines beginning with the
pound sign (#) are considered comments and ignored.
An example config file follows:
\layout Standard
# send traffic out 'eth0'
\newline
intf eth0
\newline
\newline
# loop 5 times
\newline
loop 5
\newline
\newline
# send traffic 2x as fast
\newline
multiplier 2
\newline
\newline
# pad any packets out to their original size if they were truncated during
capture
\newline
untruncate pad
\newline
\newline
\newline
\layout Standard
You would then execute:
\newline
\emph on
tcpreplay -f myconfigfile sample.pcap
\layout Part
Advanced Usage
\layout Section
Output: Interfaces, Packets & Files
\layout Subsection
Replaying on multiple interfaces
\layout Standard
Tcpreplay can also split traffic so that each side of a connection is sent
out a different interface
\begin_inset Foot
collapsed false
\layout Standard
Note that you can also use the following options to split traffic into two
files using -w and -W which are described later on in this FAQ.
\end_inset
.
In order to do this, tcpreplay needs the name of the second interface (-j)
and a way to split the traffic.
Currently, there are two ways to split traffic:
\layout Enumerate
-C = split traffic by source IP address which is specified in CIDR notation
\layout Enumerate
-c = split traffic according to a tcpprep cachefile
\begin_inset Foot
collapsed false
\layout Standard
For information on generating tcpprep cache files, see the section on tcpprep.
\end_inset
\layout Standard
When splitting traffic, it is important to remember that traffic that matches
the filter is sent out the primary interface (-i).
In this case, when splitting traffic by source IP address, you provide
a list of networks in CIDR notation.
For example:
\layout Itemize
To send traffic from 10.0.0.0/8 out eth0 and everything else out eth1:
\newline
\emph on
tcpreplay -C 10.0.0.0/8 -i eth0 -j eth1 sample.pcap
\layout Itemize
To send traffic from 10.1.0.0/24 and 10.2.0.0/20 out eth0 and everything else
out eth1:
\newline
\emph on
tcpreplay -C 10.1.0.0/24,10.2.0.0/20 -i eth0 -j eth1 sample.pcap
\layout Itemize
After using tcpprep to generate a cache file, you can use it to split traffic
between two interfaces like this:
\newline
\emph on
tcpreplay -c sample.cache -i eth0 -j eth1 sample.pcap
\layout Subsection
Selectively sending or dropping packets
\layout Standard
Sometimes, you want to do some post-capture filtering of packets.
Tcpreplay lets you have some control over which packets get sent.
\layout Enumerate
-M = disables sending of martian packets.
By definition, martian packets have a source IP of 0.x.x.x, 127.x.x.x, or 255.x.x.x
\layout Enumerate
-x = send packets which match a specific pattern
\layout Enumerate
-X = send packets which do not match a specific pattern
\layout Standard
Both -x and -X support a variety of pattern matching types.
These types are specified by a single character, followed by a colon, followed
by the pattern.
The following pattern matching types are available:
\layout Enumerate
S - Source IP
\newline
Pattern is a comma delimited CIDR notation
\layout Enumerate
D - Destination IP
\newline
Pattern is a comma delimited CIDR notation
\layout Enumerate
B - Both source and destination IP must match
\newline
Pattern is a comma delimited CIDR notation
\layout Enumerate
E - Either source or destination IP must match
\newline
Pattern is a comma delimited CIDR notation
\layout Enumerate
P - A list of packet numbers from the pcap file.
\newline
Pattern is a series of numbers, separated by commas or dashes.
\layout Enumerate
F - BPF syntax (same as used in tcpdump).
\newline
Filter must be quoted and is only supported with -x
\begin_inset Foot
collapsed false
\layout Standard
Note that if you want to send all the packets which do not match a bpf filter,
all you have to do is negate the bpf filter.
See the tcpdump(1) man page for more info.
\end_inset
.
\layout Standard
Examples:
\layout Itemize
To only send traffic that is to and from a host in 10.0.0.0/8:
\newline
\emph on
tcpreplay -x B:10.0.0.0/8 -i eth0 sample.pcap
\layout Itemize
To not send traffic that is to or from a host in 10.0.0.0/8:
\newline
\emph on
tcpreplay -X E:10.0.0.0/8 -i eth0 sample.pcap
\layout Itemize
To send every packet except the first 10 packets:
\newline
\emph on
tcpreplay -X P:1-10 -i eth0 sample.pcap
\layout Itemize
To only send the first 50 packets followed by packets: 100, 150, 200 and
250:
\newline
\emph on
tcpreplay -x P:1-50,100,150,200,250 -i eth0 sample.pcap
\layout Itemize
To only send TCP packets from 10.0.0.1:
\newline
\emph on
tcpreplay -x F:'tcp and host 10.0.0.1' -i eth0 sample.pcap
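\layout Standard
The selection rules above (-M, and -x/-X with the S, D, B, E and P pattern types) together with the -C source-address split from the previous section, as an added Python illustration written for this FAQ rather than code taken from tcpreplay itself. The packet tuples are constructed, the BPF type F is left out, and the way -x and -X combine when both are given is an assumption.

```python
"""Illustration of tcpreplay's packet-selection rules (-M, -x/-X, -C).

Hypothetical code written for this FAQ, not tcpreplay's own source.
Packets are modelled as (packet_number, src_ip, dst_ip) tuples.
"""
import ipaddress


def parse_cidr_list(text):
    """'10.1.0.0/24,10.2.0.0/20' -> list of IPv4Network objects."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in text.split(",")]


def parse_packet_list(text):
    """P pattern: '1-10,50,100-102' -> set of 1-based packet numbers."""
    numbers = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        numbers.update(range(lo_n, hi_n + 1))
    return numbers


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def is_martian(src_ip):
    """-M: a martian source is 0.x.x.x, 127.x.x.x or 255.x.x.x (FAQ definition)."""
    return int(src_ip.split(".")[0]) in (0, 127, 255)


def pattern_matches(pattern, pktnum, src_ip, dst_ip):
    """Evaluate one 'T:value' pattern (T in S, D, B, E, P) against a packet."""
    kind, sep, value = pattern.partition(":")
    if sep != ":" or len(kind) != 1 or kind not in "SDBEP":
        raise ValueError(f"bad pattern: {pattern!r}")
    if kind == "P":
        return pktnum in parse_packet_list(value)
    nets = parse_cidr_list(value)
    src_ok, dst_ok = in_any(src_ip, nets), in_any(dst_ip, nets)
    return {"S": src_ok, "D": dst_ok,
            "B": src_ok and dst_ok, "E": src_ok or dst_ok}[kind]


def should_send(pktnum, src_ip, dst_ip, include=None, exclude=None,
                drop_martians=False):
    """-M drops martians; -x (include) must match; -X (exclude) must not.
    Applying all three in this order is an assumption made here."""
    if drop_martians and is_martian(src_ip):
        return False
    if include is not None and not pattern_matches(include, pktnum, src_ip, dst_ip):
        return False
    if exclude is not None and pattern_matches(exclude, pktnum, src_ip, dst_ip):
        return False
    return True


def pick_interface(src_ip, cidr_list, primary="eth0", secondary="eth1"):
    """-C: source inside the CIDR list goes out -i, everything else out -j."""
    return primary if in_any(src_ip, parse_cidr_list(cidr_list)) else secondary


# Constructed sample "capture": (packet number, source, destination)
SAMPLE = [
    (1, "10.0.0.1", "10.0.0.2"),
    (2, "10.0.0.2", "192.0.2.10"),
    (3, "127.0.0.1", "127.0.0.1"),
    (4, "192.0.2.10", "198.51.100.5"),
]


def replay_decisions(include=None, exclude=None, drop_martians=False):
    """Packet numbers of SAMPLE that would be sent under the given options."""
    return [n for n, s, d in SAMPLE
            if should_send(n, s, d, include, exclude, drop_martians)]


if __name__ == "__main__":
    print("-x B:10.0.0.0/8 ->", replay_decisions(include="B:10.0.0.0/8"))
    print("-X E:10.0.0.0/8 ->", replay_decisions(exclude="E:10.0.0.0/8"))
    print("-M            ->", replay_decisions(drop_martians=True))
    for n, s, d in SAMPLE:
        print("-C 10.0.0.0/8: packet", n, "->", pick_interface(s, "10.0.0.0/8"))
```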
\layout Subsection
Replaying only a few packets
\layout Standard
Using the limit packets flag (-L) you can specify that tcpreplay will only
send at most a specified number of packets.
\layout Itemize
To send at most 100 packets:
\newline
\emph on
tcpreplay -i eth0 -L 100 sample.pcap
\layout Subsection
Skipping the first bytes in a pcap file
\layout Standard
If you want to skip the beginning of a pcap file, you can use the offset
flag (-o) to skip a specified number of bytes and start sending on the
next packet.
\layout Itemize
To skip 15Kb into the pcap file and start sending packets from there:
\newline
\emph on
tcpreplay -i eth0 -o 15000 sample.pcap
\layout Subsection
Replaying packets which are bigger than the MTU
\layout Standard
Occasionally, you might find yourself trying to replay a pcap file which
contains packets which are larger than the MTU for the sending interface.
This might be due to the packets being captured on the loopback interface
or on a 1000Mbps ethernet interface supporting
\begin_inset Quotes eld
\end_inset
jumbo frames
\begin_inset Quotes erd
\end_inset
.
I've even seen packets which are 1500 bytes but contain both an ethernet
header and trailer which bumps the total frame size to 1518 which is 4
bytes too large.
\layout Standard
By default, tcpreplay will skip these packets and not send them.
Alternatively, you can specify the -T flag to truncate these packets to
the MTU and then send them.
Of course this may invalidate your testing, but it has proven useful in
certain situations.
Also, when this feature is enabled, tcpreplay will automatically recalculate
the IP and TCP, UDP or ICMP checksums as needed.
Example:
\layout Standard
\emph on
tcpreplay -i eth0 -T sample.pcap
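\layout Standard
What the -T option has to do to an oversized packet, cut it down to the MTU and then fix the lengths and checksums so the result is still a valid packet, as an added Python example that is not tcpreplay's own code. The frame is constructed inline, only IPv4 without options carrying UDP is handled, and the MTU is assumed to apply to the IP packet (the frame minus its 14-byte Ethernet header).

```python
"""Truncate an oversized Ethernet/IPv4/UDP frame to the MTU and recompute the
IP header and UDP checksums, as -T must. Hypothetical code for this FAQ."""
import struct

ETH_HLEN = 14   # Ethernet header without VLAN tag (assumption)
IP_HLEN = 20    # IPv4 header without options (assumption)
UDP_HLEN = 8
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src: bytes, dst: bytes, sport: int, dport: int,
                    payload: bytes) -> bytes:
    """Constructed input: a well-formed frame with correct checksums."""
    ip_len = IP_HLEN + UDP_HLEN + len(payload)
    udp_len = UDP_HLEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0, 64,
                         IPPROTO_UDP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    csum = inet_checksum(pseudo + udp) or 0xFFFF   # UDP: 0 means "no checksum"
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip_hdr + udp


def ip_total_length(frame: bytes) -> int:
    return struct.unpack("!H", frame[ETH_HLEN + 2:ETH_HLEN + 4])[0]


def truncate_to_mtu(frame: bytes, mtu: int) -> bytes:
    """Return the frame unchanged if it fits; otherwise cut the UDP payload so
    the IP packet is exactly `mtu` bytes and fix every length/checksum field."""
    if len(frame) - ETH_HLEN <= mtu:
        return frame
    frame = bytearray(frame[:ETH_HLEN + mtu])
    # IP header: new total length, then checksum over the header with field zeroed
    struct.pack_into("!H", frame, ETH_HLEN + 2, mtu)
    struct.pack_into("!H", frame, ETH_HLEN + 10, 0)
    ip_hdr = bytes(frame[ETH_HLEN:ETH_HLEN + IP_HLEN])
    struct.pack_into("!H", frame, ETH_HLEN + 10, inet_checksum(ip_hdr))
    # UDP header: new length, then checksum over pseudo-header + whole segment
    udp_off = ETH_HLEN + IP_HLEN
    udp_len = mtu - IP_HLEN
    struct.pack_into("!H", frame, udp_off + 4, udp_len)
    struct.pack_into("!H", frame, udp_off + 6, 0)
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    csum = inet_checksum(pseudo + bytes(frame[udp_off:])) or 0xFFFF
    struct.pack_into("!H", frame, udp_off + 6, csum)
    return bytes(frame)


def checksums_valid(frame: bytes) -> bool:
    """Verify IP header checksum, UDP length consistency and UDP checksum."""
    ip = frame[ETH_HLEN:ETH_HLEN + IP_HLEN]
    udp = frame[ETH_HLEN + IP_HLEN:ETH_HLEN + ip_total_length(frame)]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    return (inet_checksum(ip) == 0 and len(udp) == udp_len
            and inet_checksum(pseudo + udp) == 0)


if __name__ == "__main__":
    big = build_udp_frame(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1234, 53,
                          b"A" * 1600)
    cut = truncate_to_mtu(big, 1500)
    print(len(big), "->", len(cut), "bytes; checksums valid:", checksums_valid(cut))
```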
\layout Subsection
Writing packets to a file
\layout Standard
It's not always necessary to write packets to the network.
Since tcpreplay has so many features which modify and select which packets
are sent, it is occasionally useful to save these changes to another pcap
file for comparison.
Rather than running a separate tcpdump process to capture the packets,
tcpreplay now supports output directly to a file.
Example:
\layout Standard
\emph on
tcpreplay -i eth0 -w output.pcap -F -u pad -x E:10.0.0.0/8 input1.pcap input2.pcap
input3.pcap
\layout Standard
Notice that specifying an interface is still required (it is needed by various
internal functions), but all the packets will be written to
\emph on
output.pcap
\emph default
.
\layout Standard
You can also split traffic into two files by using -W <2nd output file>.
\layout Subsection
Extracting Application Data (Layer 7)
\layout Standard
New to version 2.0 is the ability to extract the application layer data from
the packets and write them to a file.
In the man page, we call this
\begin_inset Quotes eld
\end_inset
data dump mode
\begin_inset Quotes erd
\end_inset
which is enabled with -D.
It's important to specify -D before -w (and -W if you're splitting data
into two files).
Example:
\layout Standard
\emph on
tcpreplay -D -i eth0 -j eth0 -w clientdata -W serverdata -C 10.0.0.0/24 sample.pcap
\layout Subsection
Replaying Live Traffic
\layout Standard
You can now replay live traffic sniffed on one network interface and replay
it on another interface using the -S flag to indicate sniff mode and the
appropriate snaplen in bytes (0 denotes the entire packet).
You can also enable bi-directional traffic using the bridge mode flag:
-b.
\layout Standard
N
\noun on
ote:
\noun default
It is critical for your sanity (and to prevent your murder by your network
administrators) that the input interface and the output interface be on
separate networks and additionally that no other network devices (such
as bridges, switches, routers, etc) be connecting the two networks, else
you will surely get a network storm the likes of which have not been seen for
years.
\layout Itemize
Send packets sniffed on eth0 out eth1:
\newline
\emph on
tcpreplay -i eth1 -S 0 eth0
\layout Itemize
Bridge two subnets connected to eth0 and eth1:
\newline
\emph on
tcpreplay -i eth0 -j eth1 -b -S 0
\layout Standard
By default, tcpreplay listens in promiscuous mode on the specified interface,
however if you only want to send unicasts directed for the local system
and broadcasts, you can specify the
\begin_inset Quotes eld
\end_inset
not_nosy
\begin_inset Quotes erd
\end_inset
option in the configuration file or -n on the command line.
Note that if another program has already placed the interface in promiscuous
mode, the -n flag will have no effect, so you may want to use the -x or
-X argument to limit packets.
\layout Subsection
Replaying Packet Capture Formats Other Than Libpcap
\layout Standard
There are about as many different capture file formats as there are sniffers.
In the interest of simplicity, tcpreplay only supports libpcap
\begin_inset Foot
collapsed false
\layout Standard
Note that some versions of tcpreplay prior to 1.4 also supported the Solaris
snoop format.
\end_inset
.
If you would like to replay a file in one of this multitude of formats,
the excellent open source tool Ethereal easily allows you to convert it
to libpcap.
For instance, to convert a file in Sun's snoop format to libpcap, issue
the command:
\layout Standard
\emph on
tethereal -r blah.snoop -w blah.pcap
\layout Standard
and replay the resulting file.
\layout Subsection
Replaying Client Traffic to a Server
\layout Standard