🌐tcpreplay

Packages and Binaries:

tcpreplay

Tcpreplay is aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. Tcpreplay allows you to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically-generated artificial traffic which doesn’t exercise the application/protocol inspection that a NIDS performs, and doesn’t reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks. It included the following executables tcpprep, tcprewrite, tcpreplay-edit, tcpbridge and pcap based captures are possible.

Installed size: 1.91 MB How to install: sudo apt install tcpreplay

Dependencies:
  • libc6

  • libdumbnet1

  • libpcap0.8

tcpbridge

Bridge network traffic across two interfaces

:~# tcpbridge --help
tcpbridge (tcpbridge) - Bridge network traffic across two interfaces
Usage:  tcpbridge [ -<flag> [<val>] | --<name>[{=| }<val>] ]...


:

   -r, --portmap=str          Rewrite TCP/UDP ports
				- may appear up to 9999 times
   -s, --seed=num             Randomize src/dst IPv4/v6 addresses w/ given seed
				- prohibits the option 'fuzz-seed'
   -N, --pnat=str             Rewrite IPv4/v6 addresses using pseudo-NAT
				- prohibits the option 'srcipmap'
				- may appear up to 2 times
   -S, --srcipmap=str         Rewrite source IPv4/v6 addresses using pseudo-NAT
				- prohibits the option 'pnat'
   -D, --dstipmap=str         Rewrite destination IPv4/v6 addresses using pseudo-NAT
				- prohibits the option 'pnat'
       --tcp-sequence=num     Change TCP Sequence (and ACK) numbers /w given seed
				- it must be in the range:
				  greater than or equal to 1
   -b, --skipbroadcast        Skip rewriting broadcast/multicast IPv4/v6 addresses
   -C, --fixcsum              Force recalculation of IPv4/TCP/UDP header checksums
   -m, --mtu=num              Override default MTU length (1500 bytes)
				- it must be in the range:
				  1 to 262144
       --mtu-trunc            Truncate packets larger then specified MTU
   -E, --efcs                 Remove Ethernet checksums (FCS) from end of frames
       --ttl=str              Modify the IPv4/v6 TTL/Hop Limit
       --tos=num              Set the IPv4 TOS/DiffServ/ECN byte
				- it must be in the range:
				  0 to 255
       --tclass=num           Set the IPv6 Traffic Class byte
				- it must be in the range:
				  0 to 255
       --flowlabel=num        Set the IPv6 Flow Label
				- it must be in the range:
				  0 to 1048575
   -F, --fixlen=str           Pad or truncate packet data to match header length
       --fuzz-seed=num        Fuzz 1 in X packets.  Edit bytes, length, or emulate packet drop
				- it must be in the range:
				  greater than or equal to 0
       --fuzz-factor=num      Set the Fuzz 1 in X packet ratio (default 1 in 8 packets)
				- requires the option 'fuzz-seed'
				- it must be in the range:
				  greater than or equal to 1
       --skipl2broadcast      Skip rewriting broadcast/multicast Layer 2 addresses
       --dlt=str              Override output DLT encapsulation
       --enet-dmac=str        Override destination ethernet MAC addresses
       --enet-smac=str        Override source ethernet MAC addresses
       --enet-subsmac=str     Substitute MAC addresses
				- may appear up to 9999 times
       --enet-mac-seed=num    Randomize MAC addresses
				- prohibits these options:
				enet-smac
				enet-dmac
				enet-subsmac
       --enet-mac-seed-keep-bytes=num Randomize MAC addresses
				- requires the option 'enet-mac-seed'
				- it must be in the range:
				  1 to 6
       --enet-vlan=str        Specify ethernet 802.1q VLAN tag mode
       --enet-vlan-tag=num    Specify the new ethernet 802.1q VLAN tag value
				- requires the option 'enet-vlan'
				- it must be in the range:
				  0 to 4095
       --enet-vlan-cfi=num    Specify the ethernet 802.1q VLAN CFI value
				- requires the option 'enet-vlan'
				- it must be in the range:
				  0 to 1
       --enet-vlan-pri=num    Specify the ethernet 802.1q VLAN priority
				- requires the option 'enet-vlan'
				- it must be in the range:
				  0 to 7
       --enet-vlan-proto=str  Specify VLAN tag protocol 802.1q or 802.1ad
       --hdlc-control=num     Specify HDLC control value
       --hdlc-address=num     Specify HDLC address
       --user-dlt=num         Set output file DLT type
       --user-dlink=str       Rewrite Data-Link layer with user specified data
				- may appear up to 2 times
   -d, --dbug=num             Enable debugging output
				- it must be in the range:
				  0 to 5
   -i, --intf1=str            Primary interface (listen in uni-directional mode)
   -I, --intf2=str            Secondary interface (send in uni-directional mode)
   -u, --unidir               Send and receive in only one direction
       --listnics             List available network interfaces and exit
   -L, --limit=num            Limit the number of packets to send
				- it must be in the range:
				  greater than or equal to 1
   -M, --mac=str              MAC addresses of local NIC's
				- may appear up to 2 times
   -x, --include=str          Include only packets matching rule
				- prohibits the option 'exclude'
   -X, --exclude=str          Exclude any packet matching this rule
				- prohibits the option 'include'
   -P, --pid                  Print the PID of tcpbridge at startup
   -v, --verbose              Print decoded packets via tcpdump to STDOUT
   -A, --decode=str           Arguments passed to tcpdump decoder
				- requires the option 'verbose'
   -V, --version              Print version information
   -h, --less-help            Display less usage information and exit

Version, usage and configuration options:

   -H, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager
       --save-opts[=arg]      save the option state to a config file
       --load-opts=str        load options from a config file
				- disabled as '--no-load-opts'
				- may appear multiple times

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
tcpbridge is a tool for selectively bridging network traffic across two
interfaces and optionally modifying the packets in between

The following option preset mechanisms are supported:
 - reading file /usr/bin/.tcpbridgerc
The basic operation of tcpbridge is to be a network bridge between two
subnets.  All packets received on one interface are sent via the other.

Optionally, packets can be edited in a variety of ways according to your
needs.

For more details, please see the Tcpreplay Manual at:
http://tcpreplay.appneta.com

Please send bug reports to:  <>

tcpcapinfo

Pcap file dissector for debugging broken pcap files

:~# tcpcapinfo --help
tcpcapinfo (Tcpreplay Suite) - Pcap file dissector for debugging broken pcap files
Usage:  tcpcapinfo [ -<flag> [<val>] | --<name>[{=| }<val>] ]... <pcap_file(s)>

   -d, --dbug=num             Enable debugging output
				- it must be in the range:
				  0 to 5
   -V, --version              Print version information
   -H, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
tcpcapinfo is a tool for decoding the structure of a pcap(3) file with a
focus on finding broken pcap files and determining how two related pcap
files might differ.
tcpcapinfo will first print out the pcap_file_header_t in human readable
form followed by a per-packet summary including the pcap_pkthdr_t and
simple checksum value of the packet.

Please send bug reports to:  <>

tcpliveplay

Replays network traffic stored in a pcap file on live networks using new TCP connections

:~# tcpliveplay --help
tcpliveplay (tcpliveplay) - Replays network traffic stored in a pcap file on live networks using new TCP connections
Usage:  tcpliveplay [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \
		<eth0/eth1> <file.pcap> <Destination IP [1.2.3.4]> <Destination mac [0a:1b:2c:3d:4e:5f]> <'random' dst port OR specify dport #>

   -d, --dbug=num             Enable debugging output
				- it must be in the range:
				  0 to 5
   -V, --version              Print version information
   -h, --less-help            Display less usage information and exit
   -H, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager
       --save-opts[=arg]      save the option state to a config file
       --load-opts=str        load options from a config file
				- disabled as '--no-load-opts'
				- may appear multiple times

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
This program, 'tcpliveplay' replays a captured set of packets using new TCP
connections with the captured TCP payloads against a remote host in order
to do comprehensive vulnerability testing.

The following option preset mechanisms are supported:
 - reading file /usr/bin/.tcpliveplayrc
The basic operation of tcpliveplay is it rewrites the given pcap file in a
scheduled event format and responds with the appropriate packet if the
remote host meets tcp protocal's SEQ/ACK expectation.  Once expectations
are met, then the local packets are sent with the same payload except with
new tcp SEQ & ACK numbers meeting the response from the remote hose.

The input pcap file are rewritten to start at the first encounter of the
SYN packet for correct operation making this packet be the first action in
the event schedule of local host doing the replay.

For more details, please see the Tcpreplay Manual at:
http://tcpreplay.appneta.com

tcpprep

Create a tcpreplay cache cache file from a pcap file.

:~# tcpprep --help
tcpprep (tcpprep) - Create a tcpreplay cache cache file from a pcap file.
Usage:  tcpprep [ -<flag> [<val>] | --<name>[{=| }<val>] ]...

   -d, --dbug=num             Enable debugging output
				- it must be in the range:
				  0 to 5
   -a, --auto=str             Auto-split mode
				- prohibits these options:
				cidr
				port
				regex
				mac
   -c, --cidr=str             CIDR-split mode
				- prohibits these options:
				auto
				port
				regex
				mac
   -r, --regex=str            Regex-split mode
				- prohibits these options:
				auto
				port
				cidr
				mac
   -p, --port                 Port-split mode
				- prohibits these options:
				auto
				regex
				cidr
				mac
   -e, --mac=str              Source MAC split mode
				- prohibits these options:
				auto
				regex
				cidr
				port
       --reverse              Matches to be client instead of server
   -C, --comment=str          Embedded cache file comment
       --no-arg-comment       Do not embed any cache file comment
   -x, --include=str          Include only packets matching rule
				- prohibits the option 'exclude'
   -X, --exclude=str          Exclude any packet matching this rule
				- prohibits the option 'include'
   -o, --cachefile=str        Output cache file
   -i, --pcap=str             Input pcap file to process
   -P, --print-comment=str    Print embedded comment in the specified cache file
   -I, --print-info=str       Print basic info from the specified cache file
   -S, --print-stats=str      Print statistical information about the specified cache file
   -s, --services=str         Load services file for server ports
				- requires the option 'port'
   -N, --nonip                Send non-IP traffic out server interface
   -R, --ratio=str            Ratio of client to server packets
				- requires the option 'auto'
   -m, --minmask=num          Minimum network mask length in auto mode
				- requires the option 'auto'
				- it must be in the range:
				  0 to 32
   -M, --maxmask=num          Maximum network mask length in auto mode
				- requires the option 'auto'
				- it must be in the range:
				  0 to 32
   -v, --verbose              Print decoded packets via tcpdump to STDOUT
   -A, --decode=str           Arguments passed to tcpdump decoder
				- requires the option 'verbose'
   -V, --version              Print version information
   -h, --less-help            Display less usage information and exit
   -H, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager
       --save-opts[=arg]      save the option state to a config file
       --load-opts=str        load options from a config file
				- disabled as '--no-load-opts'
				- may appear multiple times

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
tcpprep is a 'pcap(3)' file pre-processor which creates a cache file which
provides "rules" for 'tcprewrite(1)' and 'tcpreplay(1)' on how to process
and send packets.

The following option preset mechanisms are supported:
 - reading file /usr/bin/.tcppreprc
The basic operation of tcpreplay is to resend all packets from the input
file(s) out a single file.  Tcpprep processes a pcap file and applies a set
of user-specified rules to create a cache file which tells tcpreplay
whether or not to send each packet and which interface the packet should be
sent out of.

For more details, please see the Tcpreplay Manual at:
http://tcpreplay.appneta.com

Please send bug reports to:  <>

tcpreplay

Replay network traffic stored in pcap files

:~# tcpreplay --help
tcpreplay (tcpreplay) - Replay network traffic stored in pcap files
Usage:  tcpreplay [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \
		<pcap_file(s)> | <pcap_dir(s)>

   -d, --dbug=num             Enable debugging output
				- it must be in the range:
				  0 to 5
   -q, --quiet                Quiet mode
   -T, --timer=str            Select packet timing mode: select, ioport, gtod, nano
       --maxsleep=num         Sleep for no more then X milliseconds between packets
   -v, --verbose              Print decoded packets via tcpdump to STDOUT
   -A, --decode=str           Arguments passed to tcpdump decoder
				- requires the option 'verbose'
   -K, --preload-pcap         Preloads packets into RAM before sending
   -c, --cachefile=str        Split traffic via a tcpprep cache file
				- requires the option 'intf2'
				-- and prohibits the option 'dualfile'
   -2, --dualfile             Replay two files at a time from a network tap
				- requires the option 'intf2'
				-- and prohibits the option 'cachefile'
   -i, --intf1=str            Client to server/RX/primary traffic output interface
   -I, --intf2=str            Server to client/TX/secondary traffic output interface
       --listnics             List available network interfaces and exit
   -l, --loop=num             Loop through the capture file X times
				- it must be in the range:
				  greater than or equal to 0
       --loopdelay-ms=num     Delay between loops in milliseconds
				- requires the option 'loop'
				- it must be in the range:
				  greater than or equal to 0
       --pktlen               Override the snaplen and use the actual packet len
   -L, --limit=num            Limit the number of packets to send
				- it must be in the range:
				  greater than or equal to 1
       --duration=num         Limit the number of seconds to send
				- it must be in the range:
				  greater than or equal to 1
   -x, --multiplier=str       Modify replay speed to a given multiple
				- prohibits these options:
				pps
				mbps
				oneatatime
				topspeed
   -p, --pps=str              Replay packets at a given packets/sec
				- prohibits these options:
				multiplier
				mbps
				oneatatime
				topspeed
   -M, --mbps=str             Replay packets at a given Mbps
				- prohibits these options:
				multiplier
				pps
				oneatatime
				topspeed
   -t, --topspeed             Replay packets as fast as possible
				- prohibits these options:
				mbps
				multiplier
				pps
				oneatatime
   -o, --oneatatime           Replay one packet at a time for each user input
				- prohibits these options:
				mbps
				pps
				multiplier
				topspeed
       --pps-multi=num        Number of packets to send for each time interval
				- requires the option 'pps'
				- it must be in the range:
				  greater than or equal to 1
       --unique-ip            Modify IP addresses each loop iteration to generate unique flows
				- requires the option 'loop'
       --unique-ip-loops=str  Number of times to loop before assigning new unique ip
				- requires the option 'unique-ip'
       --no-flow-stats        Suppress printing and tracking flow count, rates and expirations
       --flow-expiry=num      Number of inactive seconds before a flow is considered expired
				- prohibits the option 'no-flow-stats'
				- it must be in the range:
				  greater than or equal to 0
   -P, --pid                  Print the PID of tcpreplay at startup
       --stats=num            Print statistics every X seconds, or every loop if '0'
				- it must be in the range:
				  greater than or equal to 0
   -V, --version              Print version information
   -h, --less-help            Display less usage information and exit
   -H, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager
       --save-opts[=arg]      save the option state to a config file
       --load-opts=str        load options from a config file
				- disabled as '--no-load-opts'
				- may appear multiple times

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
tcpreplay is a tool for replaying network traffic from files saved with
tcpdump or other tools which write pcap(3) files.

The following option preset mechanisms are supported:
 - reading file /usr/bin/.tcpreplayrc
The basic operation of tcpreplay is to resend all packets from the input
file(s) at the speed at which they were recorded, or a specified data rate,
up to as fast as the hardware is capable.

Optionally, the traffic can be split between two interfaces, written to
files, filtered and edited in various ways, providing the means to test
firewalls, NIDS and other network devices.

For more details, please see the Tcpreplay Manual at:
http://tcpreplay.appneta.com

Please send bug reports to:  <>

tcpreplay-edit

Replay network traffic stored in pcap files

:~# tcpreplay-edit --help
tcpreplay (tcpreplay) - Replay network traffic stored in pcap files
Usage:  tcpreplay-edit [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \
		<pcap_file(s)> | <pcap_dir(s)>


:

   -r, --portmap=str          Rewrite TCP/UDP ports
				- may appear up to 9999 times
   -s, --seed=num             Randomize src/dst IPv4/v6 addresses w/ given seed
				- prohibits the option 'fuzz-seed'
   -N, --pnat=str             Rewrite IPv4/v6 addresses using pseudo-NAT
				- prohibits the option 'srcipmap'
				- may appear up to 2 times
   -S, --srcipmap=str         Rewrite source IPv4/v6 addresses using pseudo-NAT
				- prohibits the option 'pnat'
   -D, --dstipmap=str         Rewrite destination IPv4/v6 addresses using pseudo-NAT
				- prohibits the option 'pnat'
   -e, --endpoints=str        Rewrite IP addresses to be between two endpoints
				- requires the option 'cachefile'
       --tcp-sequence=num     Change TCP Sequence (and ACK) numbers /w given seed
				- it must be in the range:
				  greater than or equal to 1
   -b, --skipbroadcast        Skip rewriting broadcast/multicast IPv4/v6 addresses
   -C, --fixcsum              Force recalculation of IPv4/TCP/UDP header checksums
   -m, --mtu=num              Override default MTU length (1500 bytes)
				- it must be in the range:
				  1 to 262144
       --mtu-trunc            Truncate packets larger then specified MTU
   -E, --efcs                 Remove Ethernet checksums (FCS) from end of frames
       --ttl=str              Modify the IPv4/v6 TTL/Hop Limit
       --tos=num              Set the IPv4 TOS/DiffServ/ECN byte
				- it must be in the range:
				  0 to 255
       --tclass=num           Set the IPv6 Traffic Class byte
				- it must be in the range:
				  0 to 255
       --flowlabel=num        Set the IPv6 Flow Label
				- it must be in the range:
				  0 to 1048575
   -F, --fixlen=str           Pad or truncate packet data to match header length
       --fuzz-seed=num        Fuzz 1 in X packets.  Edit bytes, length, or emulate packet drop
				- it must be in the range:
				  greater than or equal to 0
       --fuzz-factor=num      Set the Fuzz 1 in X packet ratio (default 1 in 8 packets)
				- requires the option 'fuzz-seed'
				- it must be in the range:
				  greater than or equal to 1
       --skipl2broadcast      Skip rewriting broadcast/multicast Layer 2 addresses
       --dlt=str              Override output DLT encapsulation
       --enet-dmac=str        Override destination ethernet MAC addresses
       --enet-smac=str        Override source ethernet MAC addresses
       --enet-subsmac=str     Substitute MAC addresses
				- may appear up to 9999 times
       --enet-mac-seed=num    Randomize MAC addresses
				- prohibits these options:
				enet-smac
				enet-dmac
				enet-subsmac
       --enet-mac-seed-keep-bytes=num Randomize MAC addresses
				- requires the option 'enet-mac-seed'
				- it must be in the range:
				  1 to 6
       --enet-vlan=str        Specify ethernet 802.1q VLAN tag mode
       --enet-vlan-tag=num    Specify the new ethernet 802.1q VLAN tag value
				- requires the option 'enet-vlan'
				- it must be in the range:
				  0 to 4095
       --enet-vlan-cfi=num    Specify the ethernet 802.1q VLAN CFI value
				- requires the option 'enet-vlan'
				- it must be in the range:
				  0 to 1
       --enet-vlan-pri=num    Specify the ethernet 802.1q VLAN priority
				- requires the option 'enet-vlan'
				- it must be in the range:
				  0 to 7
       --enet-vlan-proto=str  Specify VLAN tag protocol 802.1q or 802.1ad
       --hdlc-control=num     Specify HDLC control value
       --hdlc-address=num     Specify HDLC address
       --user-dlt=num         Set output file DLT type
       --user-dlink=str       Rewrite Data-Link layer with user specified data
				- may appear up to 2 times
   -d, --dbug=num             Enable debugging output
				- it must be in the range:
				  0 to 5
   -q, --quiet                Quiet mode
   -T, --timer=str            Select packet timing mode: select, ioport, gtod, nano
       --maxsleep=num         Sleep for no more then X milliseconds between packets
   -v, --verbose              Print decoded packets via tcpdump to STDOUT
   -A, --decode=str           Arguments passed to tcpdump decoder
				- requires the option 'verbose'
   -K, --preload-pcap         Preloads packets into RAM before sending
   -c, --cachefile=str        Split traffic via a tcpprep cache file
				- requires the option 'intf2'
				-- and prohibits the option 'dualfile'
   -2, --dualfile             Replay two files at a time from a network tap
				- requires the option 'intf2'
				-- and prohibits the option 'cachefile'
   -i, --intf1=str            Client to server/RX/primary traffic output interface
   -I, --intf2=str            Server to client/TX/secondary traffic output interface
       --listnics             List available network interfaces and exit
   -l, --loop=num             Loop through the capture file X times
				- it must be in the range:
				  greater than or equal to 0
       --loopdelay-ms=num     Delay between loops in milliseconds
				- requires the option 'loop'
				- it must be in the range:
				  greater than or equal to 0
       --pktlen               Override the snaplen and use the actual packet len
   -L, --limit=num            Limit the number of packets to send
				- it must be in the range:
				  greater than or equal to 1
       --duration=num         Limit the number of seconds to send
				- it must be in the range:
				  greater than or equal to 1
   -x, --multiplier=str       Modify replay speed to a given multiple
				- prohibits these options:
				pps
				mbps
				oneatatime
				topspeed
   -p, --pps=str              Replay packets at a given packets/sec
				- prohibits these options:
				multiplier
				mbps
				oneatatime
				topspeed
   -M, --mbps=str             Replay packets at a given Mbps
				- prohibits these options:
				multiplier
				pps
				oneatatime
				topspeed
   -t, --topspeed             Replay packets as fast as possible
				- prohibits these options:
				mbps
				multiplier
				pps
				oneatatime
   -o, --oneatatime           Replay one packet at a time for each user input
				- prohibits these options:
				mbps
				pps
				multiplier
				topspeed
       --pps-multi=num        Number of packets to send for each time interval
				- requires the option 'pps'
				- it must be in the range:
				  greater than or equal to 1
       --unique-ip            Modify IP addresses each loop iteration to generate unique flows
				- requires the option 'loop'
				-- and prohibits these options:
				seed
				fuzz-seed
       --unique-ip-loops=str  Number of times to loop before assigning new unique ip
				- requires the option 'unique-ip'
       --no-flow-stats        Suppress printing and tracking flow count, rates and expirations
       --flow-expiry=num      Number of inactive seconds before a flow is considered expired
				- prohibits the option 'no-flow-stats'
				- it must be in the range:
				  greater than or equal to 0
   -P, --pid                  Print the PID of tcpreplay at startup
       --stats=num            Print statistics every X seconds, or every loop if '0'
				- it must be in the range:
				  greater than or equal to 0
   -V, --version              Print version information
   -h, --less-help            Display less usage information and exit

Version, usage and configuration options:

   -H, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager
       --save-opts[=arg]      save the option state to a config file
       --load-opts=str        load options from a config file
				- disabled as '--no-load-opts'
				- may appear multiple times

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.
tcpreplay is a tool for replaying network traffic from files saved with
tcpdump or other tools which write pcap(3) files.

The following option preset mechanisms are supported:
 - reading file /usr/bin/.tcpreplayrc
The basic operation of tcpreplay is to resend all packets from the input
file(s) at the speed at which they were recorded, or a specified data rate,
up to as fast as the hardware is capable.

Optionally, the traffic can be split between two interfaces, written to
files, filtered and edited in various ways, providing the means to test
firewalls, NIDS and other network devices.

For more details, please see the Tcpreplay Manual at:
http://tcpreplay.appneta.com

Please send bug reports to:  <>

tcprewrite

Rewrite the packets in a pcap file.

root:~# tcprewrite --help
tcprewrite (tcprewrite) - Rewrite the packets in a pcap file.
Usage:  tcprewrite [ -<flag> [<val>] | --<name>[{=| }<val>] ]...


:

   -r, --portmap=str          Rewrite TCP/UDP ports
				- may appear up to 9999 times
   -s, --seed=num             Randomize src/dst IPv4/v6 addresses w/ given seed
				- prohibits the option 'fuzz-seed'
   -N, --pnat=str             Rewrite IPv4/v6 addresses using pseudo-NAT
				- prohibits the option 'srcipmap'
				- may appear up to 2 times
   -S, --srcipmap=str         Rewrite source IPv4/v6 addresses using pseudo-NAT
				- prohibits the option 'pnat'
   -D, --dstipmap=str         Rewrite destination IPv4/v6 addresses using pseudo-NAT
				- prohibits the option 'pnat'
   -e, --endpoints=str        Rewrite IP addresses to be between two endpoints
				- requires the option 'cachefile'
       --tcp-sequence=num     Change TCP Sequence (and ACK) numbers /w given seed
				- it must be in the range:
				  greater than or equal to 1
   -b, --skipbroadcast        Skip rewriting broadcast/multicast IPv4/v6 addresses
   -C, --fixcsum              Force recalculation of IPv4/TCP/UDP header checksums
   -m, --mtu=num              Override default MTU length (1500 bytes)
				- it must be in the range:
				  1 to 262144
       --mtu-trunc            Truncate packets larger then specified MTU
   -E, --efcs                 Remove Ethernet checksums (FCS) from end of frames
       --ttl=str              Modify the IPv4/v6 TTL/Hop Limit
       --tos=num              Set the IPv4 TOS/DiffServ/ECN byte
				- it must be in the range:
				  0 to 255
       --tclass=num           Set the IPv6 Traffic Class byte
				- it must be in the range:
				  0 to 255
       --flowlabel=num        Set the IPv6 Flow Label
				- it must be in the range:
				  0 to 1048575
   -F, --fixlen=str           Pad or truncate packet data to match header length
       --fuzz-seed=num        Fuzz 1 in X packets.  Edit bytes, length, or emulate packet drop
				- it must be in the range:
				  greater than or equal to 0
       --fuzz-factor=num      Set the Fuzz 1 in X packet ratio (default 1 in 8 packets)
				- requires the option 'fuzz-seed'
				- it must be in the range:
				  greater than or equal to 1
       --skipl2broadcast      Skip rewriting broadcast/multicast Layer 2 addresses
       --dlt=str              Override output DLT encapsulation
       --enet-dmac=str        Override destination ethernet MAC addresses
       --enet-smac=str        Override source ethernet MAC addresses
       --enet-subsmac=str     Substitute MAC addresses
				- may appear up to 9999 times
       --enet-mac-seed=num    Randomize MAC addresses
				- prohibits these options:
				enet-smac
				enet-dmac
				enet-subsmac
       --enet-mac-seed-keep-bytes=num Randomize MAC addresses
				- requires the option 'enet-mac-seed'
				- it must be in the range:
				  1 to 6
       --enet-vlan=str        Specify ethernet 802.1q VLAN tag mode
       --enet-vlan-tag=num    Specify the new ethernet 802.1q VLAN tag value
				- requires the option 'enet-vlan'
				- it must be in the range:
				  0 to 4095
       --enet-vlan-cfi=num    Specify the ethernet 802.1q VLAN CFI value
				- requires the option 'enet-vlan'
				- it must be in the range:
				  0 to 1
       --enet-vlan-pri=num    Specify the ethernet 802.1q VLAN priority
				- requires the option 'enet-vlan'
				- it must be in the range:
				  0 to 7
       --enet-vlan-proto=str  Specify VLAN tag protocol 802.1q or 802.1ad
       --hdlc-control=num     Specify HDLC control value
       --hdlc-address=num     Specify HDLC address
       --user-dlt=num         Set output file DLT type
       --user-dlink=str       Rewrite Data-Link layer with user specified data
				- may appear up to 2 times
   -d, --dbug=num             Enable debugging output
				- it must be in the range:
				  0 to 5
   -i, --infile=str           Input pcap file to be processed
   -o, --outfile=str          Output pcap file
   -c, --cachefile=str        Split traffic via tcpprep cache file
   -v, --verbose              Print decoded packets via tcpdump to STDOUT
   -A, --decode=str           Arguments passed to tcpdump decoder
				- requires the option 'verbose'
       --fragroute=str        Parse fragroute configuration file
       --fragdir=str          Which flows to apply fragroute to: c2s, s2c, both
				- requires the option 'cachefile'
       --skip-soft-errors     Skip writing packets with soft errors
   -V, --version              Print version information
   -h, --less-help            Display less usage information and exit

Version, usage and configuration options:

   -H, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager
       --save-opts[=arg]      save the option state to a config file
       --load-opts=str        load options from a config file
				- disabled as '--no-load-opts'
				- may appear multiple times

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.

The following option preset mechanisms are supported:
 - reading file /usr/bin/.tcprewriterc
Tcprewrite is a tool to rewrite packets stored in 'pcap(3)' file format,
such as created by tools such as 'tcpdump(1)' and 'wireshark(1)'.  Once a
pcap file has had it's packets rewritten, they can be replayed back out on
the network using 'tcpreplay(1)'.

tcprewrite currently supports reading the following DLT types:


'DLT_C_HDLC' aka Cisco HDLC


'DLT_EN10MB' aka Ethernet


'DLT_LINUX_SLL' aka Linux Cooked Socket


'DLT_RAW' aka RAW IP


'DLT_NULL' aka BSD Loopback


'DLT_LOOP' aka OpenBSD Loopback


'DLT_IEEE802_11' aka 802.11a/b/g


'DLT_IEEE802_11_RADIO' aka 802.11a/b/g with Radiotap headers


'DLT_JUNIPER_ETHER' aka Juniper Encapsulated Ethernet


'DLT_PPP_SERIAL' aka PPP over Serial

Please see the --dlt option for supported DLT types for writing.

The packet editing features of tcprewrite which distinguish between
"client" and "server" traffic requires a tcpprep(1) cache file.

For more details, please see the Tcpreplay Manual at:
http://tcpreplay.appneta.com

Please send bug reports to:  <>

Updated on: 2023-Mar-08


Last updated