summaryrefslogtreecommitdiff
path: root/src/tcpprep.1
diff options
context:
space:
mode:
Diffstat (limited to 'src/tcpprep.1')
-rw-r--r--src/tcpprep.1403
1 files changed, 403 insertions, 0 deletions
diff --git a/src/tcpprep.1 b/src/tcpprep.1
new file mode 100644
index 0000000..c2f4de0
--- /dev/null
+++ b/src/tcpprep.1
@@ -0,0 +1,403 @@
+.TH TCPPREP 1 2010-04-04 "(tcpprep )" "Programmer's Manual"
+.\" DO NOT EDIT THIS FILE (tcpprep.1)
+.\"
+.\" It has been AutoGen-ed April 4, 2010 at 05:59:19 PM by AutoGen 5.9.9
+.\" From the definitions tcpprep_opts.def
+.\" and the template file agman1.tpl
+.\"
+.SH NAME
+tcpprep \- Create a tcpreplay cache cache file from a pcap file.
+.SH SYNOPSIS
+.B tcpprep
+.\" Mixture of short (flag) options and long options
+.RB [ \-\fIflag\fP " [\fIvalue\fP]]... [" \--\fIopt-name\fP " [[=| ]\fIvalue\fP]]..."
+.PP
+All arguments must be options.
+.PP
+tcpprep is a \fIpcap(3)\fP file pre-processor which creates a cache
+file which provides "rules" for \fItcprewrite(1)\fP and \fItcpreplay(1)\fP
+on how to process and send packets.
+.SH "DESCRIPTION"
+This manual page briefly documents the \fBtcpprep\fP command.
+The basic operation of tcpreplay is to resend all packets from the
+input file(s) out a single file. Tcpprep processes a pcap file and
+applies a set of user-specified rules to create a cache file which
+tells tcpreplay wether or not to send each packet and which interface the
+packet should be sent out of.
+
+For more details, please see the Tcpreplay Manual at:
+http://tcpreplay.synfin.net/trac/wiki/manual
+.SH OPTIONS
+.TP
+.BR \-d " \fInumber\fP, " \--dbug "=" \fInumber\fP
+Enable debugging output.
+This option may appear up to 1 times.
+This option takes an integer number as its argument.
+The value of \fInumber\fP is constrained to being:
+.in +4
+.nf
+.na
+in the range 0 through 5
+.fi
+.in -4
+The default \fInumber\fP for this option is:
+.ti +4
+ 0
+.sp
+If configured with \--enable-debug, then you can specify a verbosity
+level for debugging output. Higher numbers increase verbosity.
+.TP
+.BR \-a " \fIstring\fP, " \--auto "=" \fIstring\fP
+Auto-split mode.
+This option may appear up to 1 times.
+This option must not appear in combination with any of the following options:
+cidr, port, regex, mac.
+.sp
+Tcpprep will try to automatically determine the primary function of hosts
+based on the traffic captured and classify each host as client or server.
+In order to do so, you must provide a hint to tcpprep as to how to search
+for clients and servers. Valid hints are:
+
+.sp 1
+\fBbridge\fP
+Bridge mode processes each packet to try to determine if the sender is a
+client or server. Once all the packets are processed, the results are weighed
+according to the server/client ratio (\fB--ratio\fP) and systems are assigned an
+interface. If tcpprep is unable to determine what role a system plays, tcpprep
+will abort.
+.sp 1
+\fBrouter\fP
+Router mode works just like bridge mode, except that after weighing is done,
+systems which are undetermined are considered a server if they fall inside a
+network known to contain other servers. Router has a greater chance of
+successfully splitting clients and servers but is not 100% foolproof.
+.sp 1
+\fBclient\fP
+Client mode works just like bridge mode, except that unclassified systems are
+treated as clients. Client mode should always complete successfully.
+.sp 1
+\fBserver\fP
+Server mode works just like bridge mode, except that unclassified systems are
+treated as servers. Server mode should always complete successfully.
+.sp 1
+\fBfirst\fP
+First mode works by looking at the first time each IP is seen in the SRC and DST
+fields in the IP header. If the host is first seen in the SRC field, it is a
+client and if it's first seen in the DST field, it is marked as a server. This
+effectively replicates the processing of the tomahawk test tool. First
+mode should always complete successfully.
+.br
+.TP
+.BR \-c " \fIstring\fP, " \--cidr "=" \fIstring\fP
+CIDR-split mode.
+This option may appear up to 1 times.
+This option must not appear in combination with any of the following options:
+auto, port, regex, mac.
+.sp
+Specify a comma delimited list of CIDR netblocks to match against
+the source IP of each packet. Packets matching any of the CIDR's
+are classified as servers.
+
+IPv4 Example:
+.nf
+ \--cidr=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
+.fi
+IPv6 Example:
+.nf
+ \--cidr=[::ffff:0:0/96],[fe80::/16]
+.fi
+.TP
+.BR \-r " \fIstring\fP, " \--regex "=" \fIstring\fP
+Regex-split mode.
+This option may appear up to 1 times.
+This option must not appear in combination with any of the following options:
+auto, port, cidr, mac.
+.sp
+Specify a regular expression to match against the source IP of each
+packet. Packets matching the regex are classified as servers.
+.TP
+.BR \-p ", " \--port
+Port-split mode.
+This option may appear up to 1 times.
+This option must not appear in combination with any of the following options:
+auto, regex, cidr, mac.
+.sp
+Specifies that TCP and UDP traffic over IPv4 and IPv6 should be classified
+as client or server based upon the destination port of the header.
+.TP
+.BR \-e " \fIstring\fP, " \--mac "=" \fIstring\fP
+Source MAC split mode.
+This option may appear up to 1 times.
+This option must not appear in combination with any of the following options:
+auto, regex, cidr, port.
+.sp
+Specify a list of MAC addresses to match against the source MAC
+of each packet. Packets matching one of the values are classified
+as servers.
+.TP
+.BR \--reverse
+Matches to be client instead of server.
+This option may appear up to 1 times.
+.sp
+Normally the \fB--mac\fP, \fB--regex\fP and \fB--cidr\fP flags specify are used to specify
+the servers and non-IP packets are classified as clients. By using \fB--reverse\fP, these
+features are reversed so that the flags specify clients and non-IP packets are classified as
+servers.
+.TP
+.BR \-C " \fIstring\fP, " \--comment "=" \fIstring\fP
+Embeded cache file comment.
+This option may appear up to 1 times.
+.sp
+Specify a comment to be imbedded within the output cache file and later
+viewed.
+.TP
+.BR \--no-arg-comment
+Do not embed any cache file comment.
+This option may appear up to 1 times.
+.sp
+By default, tcpprep includes the arguments passed on the command line
+in the cache file comment (in addition to any user specified \--comment).
+If for some reason you do not wish to include this, specify this option.
+.TP
+.BR \-x " \fIstring\fP, " \--include "=" \fIstring\fP
+Include only packets matching rule.
+This option may appear up to 1 times.
+This option must not appear in combination with any of the following options:
+exclude.
+.sp
+Override default of processing all packets stored in the capture file and only
+send/edit packets which match the provided rule. Rules can be one of:
+
+.sp
+.IR "S:<CIDR1>,..."
+- Source IP must match specified IPv4/v6 CIDR(s)
+.sp
+.IR "D:<CIDR1>,..."
+- Destination IP must match specified IPv4/v6 CIDR(s)
+.sp
+.IR "B:<CIDR1>,..."
+- Both source and destination IP must match specified IPv4/v6 CIDR(s)
+.sp
+.IR "E:<CIDR1>,..."
+- Either IP must match specified IPv4/v6 CIDR(s)
+.sp
+.IR "P:<LIST>"
+- Must be one of the listed packets where the list
+corresponds to the packet number in the capture file.
+.nf
+ \-x P:1-5,9,15,72-
+.fi
+would process packets 1 thru 5, the 9th and 15th packet, and packets 72 until the
+end of the file
+.sp
+.IR "F:'<bpf>'"
+- BPF filter. See the \fItcpdump(8)\fP man page for syntax.
+.br
+.TP
+.BR \-X " \fIstring\fP, " \--exclude "=" \fIstring\fP
+Exclude any packet matching this rule.
+This option may appear up to 1 times.
+This option must not appear in combination with any of the following options:
+include.
+.sp
+Override default of processing all packets stored in the capture file and only
+send/edit packets which do NOT match the provided rule. Rules can be one of:
+
+.sp
+.IR "S:<CIDR1>,..."
+- Source IP must not match specified IPv4/v6 CIDR(s)
+.sp
+.IR "D:<CIDR1>,..."
+- Destination IP must not match specified IPv4/v6 CIDR(s)
+.sp
+.IR "B:<CIDR1>,..."
+- Both source and destination IP must not match specified IPv4/v6 CIDR(s)
+.sp
+.IR "E:<CIDR1>,..."
+- Either IP must not match specified IPv4/v6 CIDR(s)
+.sp
+.IR "P:<LIST>"
+- Must not be one of the listed packets where the list
+corresponds to the packet number in the capture file.
+.nf
+ \-x P:1-5,9,15,72-
+.fi
+would skip packets 1 thru 5, the 9th and 15th packet, and packets 72 until the
+end of the file
+.br
+.TP
+.BR \-o " \fIstring\fP, " \--cachefile "=" \fIstring\fP
+Output cache file.
+This option may appear up to 1 times.
+.sp
+
+.TP
+.BR \-i " \fIstring\fP, " \--pcap "=" \fIstring\fP
+Input pcap file to process.
+This option may appear up to 1 times.
+.sp
+
+.TP
+.BR \-P " \fIstring\fP, " \--print-comment "=" \fIstring\fP
+Print embedded comment in the specified cache file.
+This option may appear up to 1 times.
+.sp
+
+.TP
+.BR \-I " \fIstring\fP, " \--print-info "=" \fIstring\fP
+Print basic info from the specified cache file.
+This option may appear up to 1 times.
+.sp
+
+.TP
+.BR \-S " \fIstring\fP, " \--print-stats "=" \fIstring\fP
+Print statistical information about the specified cache file.
+This option may appear up to 1 times.
+.sp
+
+.TP
+.BR \-s " \fIstring\fP, " \--services "=" \fIstring\fP
+Load services file for server ports.
+This option may appear up to 1 times.
+This option must appear in combination with the following options:
+port.
+.sp
+Uses a list of ports used by servers in the same format as of /etc/services:
+<service_name> <port>/<protocol> # comment
+
+Example:
+http 80/tcp
+.TP
+.BR \-N ", " \--nonip
+Send non-IP traffic out server interface.
+This option may appear up to 1 times.
+.sp
+By default, non-IP traffic which can not be classified as client
+or server is classified as "client". Specifiying \fB--nonip\fP
+will reclassify non-IP traffic as "server". Note that the meaning
+of this flag is reversed if \fB--reverse\fP is used.
+.TP
+.BR \-R " \fIstring\fP, " \--ratio "=" \fIstring\fP
+Ratio of client to server packets.
+This option may appear up to 1 times.
+This option must appear in combination with the following options:
+auto.
+The default \fIstring\fP for this option is:
+.ti +4
+ 2.0
+.sp
+Since a given host may have both client and server traffic being sent
+to/from it, tcpprep uses a ratio to weigh these packets. If you would
+like to override the default of 2:1 server to client packets required for
+a host to be classified as a server, specify it as a floating point value.
+.TP
+.BR \-m " \fInumber\fP, " \--minmask "=" \fInumber\fP
+Minimum network mask length in auto mode.
+This option may appear up to 1 times.
+This option must appear in combination with the following options:
+auto.
+This option takes an integer number as its argument.
+The value of \fInumber\fP is constrained to being:
+.in +4
+.nf
+.na
+in the range 0 through 32
+.fi
+.in -4
+The default \fInumber\fP for this option is:
+.ti +4
+ 30
+.sp
+By default, auto modes use a minimum network mask length of 30 bits
+to build networks containing clients and servers. This allows you
+to override this value. Larger values will increase performance but
+may provide inaccurate results.
+.TP
+.BR \-M " \fInumber\fP, " \--maxmask "=" \fInumber\fP
+Maximum network mask length in auto mode.
+This option may appear up to 1 times.
+This option must appear in combination with the following options:
+auto.
+This option takes an integer number as its argument.
+The value of \fInumber\fP is constrained to being:
+.in +4
+.nf
+.na
+in the range 0 through 32
+.fi
+.in -4
+The default \fInumber\fP for this option is:
+.ti +4
+ 8
+.sp
+By default, auto modes use a maximum network mask length of 8 bits
+to build networks containing clients and servers. This allows you
+to override this value. Larger values will decrease performance
+and accuracy but will provide greater chance of success.
+.TP
+.BR \-v ", " \--verbose
+Print decoded packets via tcpdump to STDOUT.
+This option may appear up to 1 times.
+.sp
+
+.TP
+.BR \-A " \fIstring\fP, " \--decode "=" \fIstring\fP
+Arguments passed to tcpdump decoder.
+This option may appear up to 1 times.
+This option must appear in combination with the following options:
+verbose.
+.sp
+When enabling verbose mode (\fB-v\fP) you may also specify one or
+more additional arguments to pass to \fBtcpdump\fP to modify
+the way packets are decoded. By default, \-n and \-l are used.
+Be sure to quote the arguments so that they are not interpreted
+by tcprewrite. The following arguments are valid:
+ [ \-aAeNqRStuvxX ]
+ [ \-E spi@ipaddr algo:secret,... ]
+ [ \-s snaplen ]
+.TP
+.BR \-V ", " \--version
+Print version information.
+.sp
+
+.TP
+.BR \-h ", " \--less-help
+Display less usage information and exit.
+.sp
+This option has not been fully documented.
+.TP
+.BR \-H , " \--help"
+Display usage information and exit.
+.TP
+.BR \-! , " \--more-help"
+Extended usage information passed thru pager.
+.TP
+.BR \- " [\fIrcfile\fP]," " \--save-opts" "[=\fIrcfile\fP]"
+Save the option state to \fIrcfile\fP. The default is the \fIlast\fP
+configuration file listed in the \fBOPTION PRESETS\fP section, below.
+.TP
+.BR \- " \fIrcfile\fP," " \--load-opts" "=\fIrcfile\fP," " \--no-load-opts"
+Load options from \fIrcfile\fP.
+The \fIno-load-opts\fP form will disable the loading
+of earlier RC/INI files. \fI--no-load-opts\fP is handled early,
+out of order.
+.SH OPTION PRESETS
+Any option that is not marked as \fInot presettable\fP may be preset
+by loading values from configuration ("RC" or ".INI") file(s).
+The \fIhomerc\fP file is "\fI$$/\fP", unless that is a directory.
+In that case, the file "\fI.tcppreprc\fP"
+is searched for within that directory.
+.SH "SEE ALSO"
+tcpdump(1), tcprewrite(1), tcpreplay(1)
+.SH AUTHOR
+Copyright 2000-2010 Aaron Turner
+
+For support please use the [email protected] mailing list.
+
+The latest version of this software is always available from:
+http://tcpreplay.synfin.net/
+.PP
+Released under the Free BSD License.
+.PP
+This manual page was \fIAutoGen\fP-erated from the \fBtcpprep\fP
+option definitions.
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-30 17:33:40 +0000