Tcpreplay Experience with installation


# Author: Ypguo
# Date: 2010.4.23
# Version: 1.2 Added content on modifying VLAN tags.
#          1.1 Modified the section on installation under Cygwin.
#          1.0 Initial upload.
[Keywords]: Tcpreplay, Tcpprep, Tcprewrite, Libpcap, WinPcap, Linux, Windows, Cygwin
[Abstract]: This article summarizes my experience installing and using Tcpreplay; I tried it under Cygwin.
[Contents]: (created by Txtbrowser)
1. What is Tcpreplay
2. Installation Guide
3. User Guide
  3.1 Tcpprep (pcap pre-processor)
    3.1.1 Determining client/server packets by source IP
    3.1.2 Determining client/server packets with automatic mode
  3.2 Tcprewrite
    3.2.1 An example of Tcprewrite
    3.2.2 Modifying the layer-2 header
    3.2.3 Modifying the layer-3 header
    3.2.4 Modifying the layer-4 header
    3.2.5 Modifying layer 5-7 data
  3.3 Tcpreplay


1. What is Tcpreplay

To explain what Tcpreplay is, here is a passage quoted from the Tcpreplay official website
(http://tcpreplay.synfin.net/trac/) [1]:

# Quoted from the tcpreplay official website (http://tcpreplay.synfin.net/trac/):
| Tcpreplay is a suite of BSD licensed tools written by Aaron Turner for UNIX
| (and Win32 under Cygwin) operating systems which gives you the ability to use
| previously captured traffic in libpcap format to test a variety of network
| devices. It allows you to classify traffic as client or server, rewrite Layer
| 2, 3 and 4 headers and finally replay the traffic back onto the network and
| through other devices such as switches, routers, firewalls, NIDS and IPS's.
| Tcpreplay supports both single and dual NIC modes for testing both sniffing
| and inline devices.

Simply put, Tcpreplay is a pcap replay tool: it takes packets captured with tools such as Ethereal or Wireshark
and replays them either as they are or after modification. It lets you make arbitrary changes to the packets
(mainly the layer-2, layer-3 and layer-4 headers), set the replay speed, and so on, so Tcpreplay can be used both
to reproduce a captured scenario in order to locate bugs and to replay it at very high speed for stress testing.

Tcpreplay itself contains several auxiliary tools for preparing the packet cache, rewriting packets, and so on:

* Tcpprep: put simply, decides which packets are client packets and which are server packets, so that client
  packets can be sent from one NIC and server packets from another.
* Tcprewrite: put simply, modifies the layer-2, layer-3 and layer-4 headers.
* Tcpreplay: does the actual sending; you can choose the primary and secondary NICs, the sending rate, and so on.
* Tcpbridge: bridges two network segments with the power of Tcprewrite.

2. Installation Guide

Tcpreplay is officially available from http://tcpreplay.synfin.net/trac/wiki/Download.
Since Tcpreplay depends on the libpcap library, you must install libpcap (WinPcap under Windows)
before installing Tcpreplay; otherwise ./configure will complain that the libpcap library is not installed.

Under Linux the dependency is libpcap, developed by the tcpdump project; it appears to be an open source project
that can be fetched from http://www.tcpdump.org/download and installed from source, which seems fairly simple.

Under Windows (including Cygwin) the dependency is WinPcap, which must be downloaded from WinPcap's official website:
http://www.winpcap.org/install/default.htm. WinPcap is a port of libpcap to Windows and does not seem to be
open source, so you can only get the static library and programming interface, "Wpdpack_4_1_2.zip".
After unzipping it you get the folder "Wpdpack"; copy that folder to the root directory of Cygwin and the
WinPcap installation is done. When running "./configure", pass the parameter --with-libpcap=/wpdpack
(I tried it myself, and this parameter did not seem to be what made it succeed, but it is still recommended) [2]:

# Installing WinPcap:
| $ unzip Wpdpack_4_1_2.zip
| $ cp -r wpdpack/ /    (install the WinPcap that Tcpreplay depends on, i.e. copy wpdpack to the root directory)

# Installing Tcpreplay:
| $ ./autogen.sh    (Subversion checkouts only)
| $ ./configure --with-libpcap=/wpdpack
| $ make
| # make test    (note: the tcprewrite tests are currently broken on Cygwin/win32)
| # make install

3. User Guide

At this point the tcpreplay on your machine is usable. As for how to use it, there are many guides online, but
the most authoritative guide is of course the online manual on the official website:
http://tcpreplay.synfin.net/trac/wiki/manual. Below is a brief introduction to the several tools bundled with
Tcpreplay, using examples I have used myself, intended only as a help to better understand the online manual.

Earlier versions apparently could modify a pcap file and send it with a single command, but since 3.0
Tcpreplay no longer supports this: before sending, you first build a cache file with Tcpprep, then modify the
packet contents with Tcprewrite, and finally send the packets with Tcpreplay.

About the role of the cache file: it is mainly there to speed up sending. The cache file stores, for each frame
in the pcap file, the frame number and timestamp information, so that tcpreplay can send the packets faster during
playback.

3.1 tcpprep (pcap pre-processor)

The Tcpprep tool generates a cache file that records which packets are to be sent from the primary network
interface and which from the secondary one. For example, a pcap file captured with Wireshark may contain both
packets from address A to address B and packets from B to A; with Tcpprep you can specify that packets from A to B
are sent from the primary NIC and packets from B to A from the secondary NIC.

3.1.1 Determining client/server packets by source IP

# Example tcpprep usage, classifying by source IP:
|$ tcpprep -c 172.22.64.2/24 -i mgcp.pcap -o mgcp.cach

The command above specifies that all packets whose source IP is in 172.22.64.2/24 are sent from the primary
network interface and all others from the secondary one. The input file is mgcp.pcap and the output file is
mgcp.cach.

3.1.2 Determining client/server packets with automatic mode

# Example tcpprep usage, automatic mode:
|$ tcpprep -a client -i mgcp.pcap -o mgcp.cach

The command above selects the automatic/client classification mode. Automatic mode, as I understand it, works
as follows. Tcpprep treats an IP with any of the following behaviours as a client: 1. the side that sends a TCP SYN
packet; 2. the side that sends a DNS query; 3. the side that receives an ICMP port unreachable. It treats an IP
with any of the following behaviours as a server: 1. the side that sends a TCP SYN/ACK; 2. the side that sends a
DNS reply; 3. the side that sends an ICMP port unreachable. Packets identified as server are sent from the primary
network interface and packets identified as client from the secondary one. Automatic/client mode assigns all
unidentified packets to the client side; likewise, automatic/server mode assigns all unidentified packets to the
server side. This mode is not as precise as classifying by IP address.

Tcpprep has many other ways to specify the sending direction; please read the online manual or the man page for
details.
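To make the automatic-mode rules above concrete, here is an added example (my own Python, not part of the original article and not tcpprep's own code): it applies the three client and three server rules exactly as the text states them to a small constructed capture, falls back to the -a client / -a server default for IPs matching no rule, and then decides which NIC each packet would leave from. The addresses and packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address
SYN, ACK = 0x02, 0x10

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet (no options, checksum left at zero) around a layer-4 payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def dns(response):
    # DNS header only; bit 15 of the flags word is QR (0 = query, 1 = response)
    return struct.pack("!HHHHHH", 0x1234, 0x8000 if response else 0x0100, 1, 0, 0, 0)
def icmp_port_unreachable(original):
    return struct.pack("!BBHI", 3, 3, 0, 0) + original[:28]   # type 3, code 3 + quoted packet

def classify(packets, mode="client"):
    """Assign 'client' or 'server' to every IP using the three client and three server rules
    given in the text for automatic mode; IPs matching no rule fall back to `mode`."""
    role, seen = {}, set()
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        proto, l4 = pkt[9], pkt[ihl:]
        src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
        seen.update((src, dst))
        if proto == 6 and l4[13] & SYN:                       # TCP SYN -> client, SYN/ACK -> server
            role.setdefault(src, "server" if l4[13] & ACK else "client")
        elif proto == 17 and 53 in struct.unpack("!HH", l4[:4]):
            role.setdefault(src, "server" if l4[10] & 0x80 else "client")   # DNS QR bit
        elif proto == 1 and l4[0] == 3 and l4[1] == 3:        # ICMP port unreachable
            role.setdefault(src, "server")
            role.setdefault(dst, "client")
    return {ip: role.get(ip, mode) for ip in seen}

def interface_for(pkt, roles):
    """As the text describes: server packets leave the primary NIC, client packets the secondary."""
    return "primary" if roles[str(IPv4Address(pkt[12:16]))] == "server" else "secondary"

# Constructed sample capture (addresses assumed); 198.51.100.7 only sends UDP to port 9,
# matches no rule, and so is classified by the -a client / -a server fallback.
CLIENT, SERVER, RESOLVER = "172.22.64.2", "10.0.0.5", "10.0.0.53"
STRAY, UNKNOWN = "192.0.2.9", "198.51.100.7"
SAMPLE = [
    ipv4(CLIENT, SERVER, 6, tcp(40000, 80, SYN)),
    ipv4(SERVER, CLIENT, 6, tcp(80, 40000, SYN | ACK)),
    ipv4(CLIENT, RESOLVER, 17, udp(50000, 53, dns(False))),
    ipv4(RESOLVER, CLIENT, 17, udp(53, 50000, dns(True))),
    ipv4(SERVER, STRAY, 1, icmp_port_unreachable(ipv4(STRAY, SERVER, 17, udp(1111, 9, b"")))),
    ipv4(UNKNOWN, SERVER, 17, udp(6000, 9, b"x")),
]
```

Running `classify(SAMPLE, "client")` and `classify(SAMPLE, "server")` shows that only the unidentified 198.51.100.7 changes side between the two modes.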

3.2 Tcprewrite

Put simply, Tcprewrite rewrites the packet headers in a pcap file, covering layers 2, 3, 4 and 5-7. Since the
3.0 release, all operations that rewrite pcap headers have been moved from Tcpreplay into Tcprewrite.

There are two ways to modify packets with Tcprewrite. The first is to modify one item at a time, producing a new
file each time, and then feed that file in as the next input, until the final modification is done, e.g.:

tcprewrite --option1=xxx -c input.cach -i input.pcap -o 1.pcap
tcprewrite --option2=xxx -c input.cach -i 1.pcap -o 2.pcap
...
tcprewrite --optionN=xxx -c input.cach -i N-1.pcap -o N.pcap

The other way is to put all the options into one command, e.g.:

tcprewrite --option1=xxx --option2=xxx ... --optionN=xxx -i input.pcap -c input.cach -o out.pcap

Both methods work and each has pros and cons: the first is clear but cumbersome, the second concise but harder to
read. My advice is to use the first method while experimenting, since it is easy to debug, and once the
modifications succeed, combine all the options and use the second method in actual use. Below I first give an
example and then analyze how Tcprewrite modifies the layer-2, layer-3, layer-4 and layer 5-7 headers, in order to
understand how Tcprewrite works.

3.2.1 An example of Tcprewrite

Tcpreplay only guarantees that the packets are sent out; whether a packet can really reach its destination
depends, I think, on the IP and MAC addresses in the original packet. If you are on the same network segment you
may need to change the MAC address to the MAC of the device under test; if the traffic has to cross a router,
the IP address (and the port number) should be changed to those of the device under test.

The basic format of Tcprewrite is as follows (note that the command has no line breaks; they are added here only
for readability). See tcprewrite's own help output for more details.

# Format of tcprewrite:
|$ tcprewrite --enet-smac=host_src_mac,client_src_mac \
|    --enet-dmac=host_dst_mac,client_dst_mac \
|    --endpoints=host_dst_ip:client_dst_ip \
|    --portmap=old_port1:new_port1,old_port2:new_port2 \
|    -i input.pcap -c input.cach -o out.pcap

To explain: the inputs of this command are the files input.pcap and input.cach, and the result is saved as
out.pcap. For all host packets in input.pcap (input.cach specifies which packets are host packets and which are
client packets), the command changes the source MAC, destination MAC and destination IP address to host_src_mac,
host_dst_mac and host_dst_ip respectively; for client packets it changes the source MAC, destination MAC and
destination IP address to client_src_mac, client_dst_mac and client_dst_ip respectively; and it changes port
number old_port1 to new_port1 and old_port2 to new_port2.

# Example tcprewrite usage:
|$ tcprewrite --enet-smac=11:22:22:22:22:22,22:22:22:22:22:22 \
|    --enet-dmac=11:11:11:11:11:11,22:11:11:11:11:11 \
|    --endpoints=192.168.0.1:192.168.0.11 \
|    --portmap=5070:5061,9060:5060 \
|    -i success.pcap -o out.pcap -c success.cach

This command rewrites the packets so that the host packets' layer-2, layer-3 and layer-4 headers become
11:22:22:22:22:22, 192.168.0.1 and 5061 respectively, and the client packets' layer-2, layer-3 and layer-4 headers
become 22:22:22:22:22:22, 192.168.0.11 and 5060 respectively.

3.2.2 Modifying the layer-2 header

1) Modifying MAC addresses

If no cache file is given, the source and destination MAC addresses of all packets are changed to
00:44:66:fc:29:af and 00:55:22:af:c6:37 respectively:

$ tcprewrite --enet-dmac=00:55:22:af:c6:37 --enet-smac=00:44:66:fc:29:af --infile=input.pcap --outfile=output.pcap

When a cache file is given, the server packets' destination/source MAC addresses are rewritten to
00:44:66:FC:29:AF/00:66:AA:D1:32:C2 and the client packets' destination/source MAC addresses to
00:55:22:AF:C6:37/00:22:55:AC:DE:AC; note that the server address comes first.

$ tcprewrite --enet-dmac=00:44:66:fc:29:af,00:55:22:af:c6:37 --enet-smac=00:66:aa:d1:32:c2,00:22:55:ac:de:ac --cachefile=input.cache --infile=input.pcap --outfile=output.pcap

2) Modifying the 802.1Q VLAN tag

Customers' captures often carry an 802.1Q VLAN header; unless that VLAN header is stripped, such packets cannot
be replayed on your own switch. Tcprewrite can remove or add VLAN tags as follows.

Removing the VLAN tag is simple:

$ tcprewrite --enet-vlan=del --infile=input.pcap --outfile=output.pcap

Adding a VLAN tag is also simple; the following command sets the VLAN tag to 1 and the VLAN priority to 4:

$ tcprewrite --enet-vlan=add --enet-vlan-tag=40 --enet-vlan-cfi=1 --enet-vlan-pri=4 --infile=input.pcap --outfile=output.pcap
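As an added example (my own Python, not the original article's or tcprewrite's code), the following functions do at the byte level what --enet-vlan=add and --enet-vlan=del do: insert or strip the 4-byte 802.1Q header that sits between the source MAC and the EtherType, using the tag, CFI and priority values from the command above. The sample frame is constructed and reuses the two MAC addresses from the MAC-rewriting example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag

def vlan_add(frame, tag, pri=0, cfi=0):
    """Insert an 802.1Q header after the source MAC (what tcprewrite --enet-vlan=add does).
    tag = --enet-vlan-tag, pri = --enet-vlan-pri, cfi = --enet-vlan-cfi."""
    if not (0 <= tag < 4096 and 0 <= pri < 8 and cfi in (0, 1)):
        raise ValueError("VLAN id must be 0..4095, priority 0..7, CFI 0 or 1")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pri << 13) | (cfi << 12) | tag       # PCP(3 bits) | CFI(1 bit) | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def vlan_del(frame):
    """Strip the 802.1Q header if present (--enet-vlan=del); untagged frames pass unchanged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]

def vlan_info(frame):
    """Return (vid, pri, cfi, inner EtherType) for a tagged frame, or None if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, ethertype

# Constructed untagged frame: the two MACs from the examples above, EtherType IPv4, dummy payload
UNTAGGED = (bytes.fromhex("005522afc637") + bytes.fromhex("004466fc29af")
            + struct.pack("!H", 0x0800) + b"\x45" + bytes(19))

if __name__ == "__main__":
    tagged = vlan_add(UNTAGGED, tag=40, cfi=1, pri=4)    # values from the tcprewrite command above
    print(vlan_info(tagged), vlan_del(tagged) == UNTAGGED)
```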

3) Modifying the layer-2 protocol:

This seems to be for converting the Ethernet header to Cisco HDLC or another layer-2 protocol. I have not
actually used this part; see [2] if you need it.

3.2.3 Modifying the layer-3 header

Starting with version 3.4.2, Tcprewrite supports IPv6 (the current version was 3.4.1 when I wrote this article;
Tcpreplay is upgraded pretty fast ^)^). When Tcprewrite rewrites an IP address it recalculates the checksum for
you automatically, which is quite thoughtful ^)^. When passing an IPv6 address on the command line, use square
brackets, e.g. [2001::dead:beef] or [2001::/16].

1) Modifying the destination IP

Based on the roles recorded in the cache file, change the server IP to 10.10.1.1 and the client IP to 10.10.1.2:

$ tcprewrite --endpoints=10.10.1.1:10.10.1.2 --cachefile=input.cache --infile=input.pcap --outfile=output.pcap --skipbroadcast

2) Modifying the network part of an IP address

Note: 2) and 3) have not been verified.

As we all know, an IP address consists of a network part and a host part. The following command maps IP addresses
in the subnets 10.0.0.0/8 or 192.168.0.0/16 into the subnet 172.16.0.0/12:

$ tcprewrite --pnat=10.0.0.0/8:172.16.0.0/12,192.168.0.0/16:172.16.0.0/12 --infile=input.pcap --outfile=output.pcap --skipbroadcast

The following command rewrites the subnet differently depending on whether a packet is a client or a server packet:

$ tcprewrite --pnat=10.0.0.0/8:192.168.0.0/24 --pnat=10.0.0.0/8:192.168.1.0/24 --cachefile=input.cache --infile=input.pcap --outfile=output.pcap --skipbroadcast

3) Modifying other parts of the IP header:

Set the TOS field of the IPv4 header to 50:

$ tcprewrite --tos=50 --infile=input.pcap --outfile=output.pcap

Set the IPv6 header traffic class to 33:

$ tcprewrite --tclass=33 --infile=input.pcap --outfile=output.pcap

Modify the flow label field:

$ tcprewrite --flowlabel=67234 --infile=input.pcap --outfile=output.pcap

3.2.4 Modifying the layer-4 header

As with modifying the IP header, tcprewrite automatically recalculates the checksum when the layer-4 header is
modified, so there is no need to worry about it.

1) Modifying port numbers

Change port 80 to 8080 and port 22 to 8022:

$ tcprewrite --portmap=80:8080,22:8022 --infile=input.pcap --outfile=output.pcap

2) Forcing recalculation of transport-layer checksums:

Some applications may not compute the transport-layer checksum; Tcprewrite can be forced to compute it:

$ tcprewrite --fixcsum --infile=input.pcap --outfile=output.pcap
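As an added example covering both the --endpoints rewrite of 3.2.3 and the checksum recalculation and --fixcsum of this section (my own Python, not tcprewrite's code), the following rewrites a packet's addresses according to its client/server role, leaves broadcast and multicast destinations alone as --skipbroadcast does, and then recomputes the IPv4 header checksum and the TCP/UDP checksum over the pseudo-header, which is the step tcprewrite performs for you. The sample datagram is constructed and reuses the addresses and ports from the examples above.

```python
import struct
from ipaddress import IPv4Address

def ones_complement_sum(data):
    """RFC 1071 Internet checksum of data (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_checksums(pkt):
    """Recompute the IPv4 header checksum and, for TCP/UDP, the layer-4 checksum over the
    pseudo-header; this is what tcprewrite does after rewriting addresses and on --fixcsum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, l4 = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(hdr)))
    proto = hdr[9]
    off = {6: 16, 17: 6}.get(proto)          # checksum offset inside the TCP / UDP header
    if off is not None and len(l4) >= off + 2:
        l4[off:off + 2] = b"\x00\x00"
        pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, proto, len(l4))
        csum = ones_complement_sum(pseudo + bytes(l4))
        if proto == 17 and csum == 0:
            csum = 0xFFFF                     # UDP: 0 means "no checksum", so send all-ones
        l4[off:off + 2] = struct.pack("!H", csum)
    return bytes(hdr + l4)

def rewrite_endpoints(pkt, server_ip, client_ip, is_server_pkt, skip_broadcast=True):
    """Model of tcprewrite --endpoints=server:client with a cache file: server packets become
    server_ip -> client_ip, client packets client_ip -> server_ip, then checksums are fixed.
    With skip_broadcast (--skipbroadcast) packets to broadcast/multicast are left untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    old_dst = IPv4Address(pkt[16:20])
    if skip_broadcast and (old_dst.is_multicast or old_dst == IPv4Address("255.255.255.255")):
        return pkt
    src, dst = (server_ip, client_ip) if is_server_pkt else (client_ip, server_ip)
    hdr = pkt[:12] + IPv4Address(src).packed + IPv4Address(dst).packed + pkt[20:ihl]
    return fix_checksums(hdr + pkt[ihl:])

# Constructed sample: IPv4/UDP 192.168.0.11:9060 -> 192.168.0.1:5060, both checksums left at zero
SAMPLE = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 5, 1, 0, 64, 17, 0,
                      IPv4Address("192.168.0.11").packed, IPv4Address("192.168.0.1").packed)
          + struct.pack("!HHHH", 9060, 5060, 13, 0) + b"hello")

if __name__ == "__main__":
    out = rewrite_endpoints(SAMPLE, "10.10.1.1", "10.10.1.2", is_server_pkt=False)
    print(out.hex())
```

A receiver verifies by summing the header (or pseudo-header plus segment) including the stored checksum and expecting zero, which is the check the test below performs.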

3.2.5 Modifying layer 5-7 data

Tcprewrite's ability to modify layers 5-7 is very limited: at most it handles captures that were truncated, i.e.
where application-layer data in the middle of the packet is missing. Tcprewrite can pad the missing data with
zeros, adjust the TCP/UDP length field, or discard the packet. For the details please refer directly to the
official documentation [2].

3.3 Tcpreplay

Under Linux the interface name can be obtained with the ifconfig command, but under Cygwin it must be obtained
with the following command:

# Getting the interface names under Cygwin:
|$ tcpreplay --listnics

# The result may look like this:
|$ tcpreplay --listnics
|Available network interfaces:
|Alias Name Description
|%0 \device\npf_genericdialupadapter
|Adapter for generic dialup and VPN capture
|%1 \device\npf_{6b508b29-b3e3-4d0b-892f-02914ac9a668}
|Intel(R) 82566DM Gigabit Network Connection (Microsoft's Packet
|Scheduler)
|%2 \DEVICE\NPF_{CBCE38CA-1FAD-4AEB-89DF-FD2D8EF861FA}
|D-Link dfe-530tx PCI Fast Ethernet Adapter (rev. C
|(Microsoft's Packet Scheduler)
|%3 \DEVICE\NPF_{ABB813FE-3C51-49A3-8146-16CD2C4507C3}
|D-Link dfe-530tx PCI Fast Ethernet Adapter (rev. C
|(Microsoft's Packet Scheduler)

As you can see, this machine has two network cards, one called %1 and the other %2. You can then specify the
network cards to send packets from:

# Sending packets with tcpreplay:
|$ tcpreplay -c mgcp.cach -i %1 -I %2 out.pcap

This command sends the packets in out.pcap, split into host packets and client packets according to mgcp.cach:
host packets are sent from NIC %1 and client packets from NIC %2.

[References]

[1] Tcpreplay official website: http://tcpreplay.synfin.net/trac/
[2] Tcpreplay online manual: http://tcpreplay.synfin.net/wiki/manual
[3] WinPcap official website: http://www.winpcap.org
[4] Using tcpreplay to replay attack traffic,
http://news.newhua.com/news1/safe_product/2007/1116/0711169442155I34A78I25B09B5752K.ht
