A. Introduction to Tcpreplay features
A recommended starting point is the website http://tcpreplay.synfin.net/, which has the Tcpreplay installation packages and many documents, including manuals, man pages and FAQs.
Tcpreplay is the collective name for a suite of tools, including tcpreplay, tcprewrite and tcpprep, that replay network packets on UNIX or Linux systems. The packets are captured by software such as tcpdump, Ethereal and Wireshark, and are stored in PCAP format.
When the Tcpreplay package is installed, the following tools are installed by default to prepare the cache for sending, rewrite packets, and so on:
(1) tcpprep: This tool separates client from server, that is, it splits the packets in the PCAP file by direction, deciding which packets belong to the client and which to the server. When the traffic is sent, the client's packets go out of one network card and the server's packets may go out of another NIC.
(2) tcprewrite: This tool modifies packets, mainly the layer 2, layer 3 and layer 4 headers, that is, the MAC address, IP address and port.
(3) tcpreplay: This is the tool that actually sends the packets; you can choose the primary network card, the secondary network card, the sending speed and so on.
One. Tcpreplay installation requirements
Tcpreplay uses some other libraries to implement its functions:
1) Libpcap library: Tcpreplay depends primarily on the libpcap library, so libpcap must be installed before Tcpreplay; otherwise the Tcpreplay installation fails with a libpcap error. For libpcap to work properly on Linux, the kernel must support the "packet" protocol, that is, the configuration option CONFIG_PACKET must be enabled when the kernel is compiled (the option is on by default).
Libpcap can be downloaded from http://www.tcpdump.org/ and installed from source, which is relatively simple.
2) tcpdump: This is not required. Its main function is to decode packets; on Linux it lets you view the packets inside a pcap file, and it can also be used to capture packets. You can choose whether or not to install it when you install Tcpreplay. (My personal recommendation is to install it as well, to prevent other errors when using Tcpreplay.)
3) Libnet library: This library is not required either. Tcpreplay can also use it to send packets, but because Libnet has many bugs and is no longer maintained, Tcpreplay may drop support for it in future releases. (The current version still requires support for this library, so it is recommended to install it as well.)
In addition, the Linux system you are using needs to have the GCC compiler installed, or you will not be able to install the tools.
Two. Tcpreplay installation process
(1) First, how to install the libpcap library (libpcap must be installed before Tcpreplay). Before installing libpcap you first need to install m4, bison and flex, otherwise an error will occur:
1) Open the URL www.tcpdump.org/ and download the libpcap-1.1.1.tar.gz (512.0KB) package, unpack it with the command tar zxvf libpcap-1.1.1.tar.gz, and put it in a custom installation directory.
2) Open the URL flex.sourceforge.net/ and download the flex-2.5.35.tar.gz (1.40MB) package, unpack it with tar zxvf flex-2.5.35.tar.gz, and put it in the custom installation directory above.
Note: If you do not compile and install this package, the error "configure: error: Your operating system's lex is insufficient to compile libpcap." appears when you compile and install libpcap.
3) Open the URL ftp.gnu.org/gnu/bison/ and download the bison-2.4.1.tar.gz (1.9MB) package, unpack it with tar zxvf bison-2.4.1.tar.gz, and put it in the custom installation directory above.
Note: If you do not compile and install this package, the message "configure: WARNING: don't have both flex and bison; reverting to lex/yacc checking for capable lex... insufficient" appears when you compile and install libpcap.
4) Open the URL ftp.gnu.org/gnu/m4/ and download the m4-1.4.13.tar.gz (1.2MB) package, unpack it with tar zxvf m4-1.4.13.tar.gz, and put it in the custom installation directory above.
Note: If you do not compile and install this package, the error "configure: error: GNU M4 1.4 is required" appears when you compile and install bison-2.4.1.
Then go into each of the directories m4-1.4.13, bison-2.4.1, flex-2.5.35 and libpcap-1.1.1 in turn and execute the following commands:
# ./configure
# make
# make install
After the commands complete, libpcap can be used normally.
(2) Once libpcap is installed, Tcpreplay can be installed. Download the tcpreplay-3.4.4.tar.gz package from http://tcpreplay.synfin.net/, unpack it with tar zxvf tcpreplay-3.4.4.tar.gz, and place it in the custom installation directory described above. Then go into tcpreplay-3.4.4 and execute the following commands:
# ./configure
# make
# make install
After that, Tcpreplay can be used. Use the command tcpreplay --version to view its version information and tcpreplay -h to view the help.
Three. Various parameters used by Tcpreplay
(1) Parameters used by tcpprep:
Usage: # tcpprep [-a -n <mode> -N <type> | -c <cidr> | -p | -r <regex>] -o <out> -i <in> <args>
-a Split traffic in Auto Mode
In general this parameter is required. It indicates that traffic is separated automatically when the cache file is generated; the topology mode chosen for the automatic separation determines how the two sides of the traffic are told apart.
-c CIDR1,CIDR2,... Split traffic in CIDR Mode
Optional parameter, indicating that traffic is separated in CIDR (Classless Inter-Domain Routing) mode. Format: tcpprep -ac 10.10.0.0/24, which means that packets whose source address matches the 10.10.0.0/24 network segment are sent by the primary network card and the remaining packets are sent from the secondary network card. One point to add: when tcpreplay replays packets, the two network cards are clearly defined, one as the primary network card (primary interface) and one as the secondary network card (secondary interface); in different modes the roles of the two cards are not the same.
-C <comment> Embed comment in tcpprep cache file
Optional parameter. The comment is embedded in the cache file and can be used to describe the contents of the cache file. Note the position of the parameter: do not put it last. In my test, putting it after the value of the -o parameter gave an error, while putting it before the -i parameter worked. After generating the cache file, use -p to view what was written. (This parameter is generally not needed.)
-h Help
Show the help.
-i <capfile> Input capture file to process
Required parameter for generating the cache file. It is followed by the pcap file name, indicating the pcap file to be processed.
-m <minmask> Minimum mask length in Auto/router mode
Optional parameter, used when router mode is selected. It sets the minimum mask, which defaults to 30 (2 valid IP addresses).
-M <maxmask> Maximum mask length in Auto/router mode
Optional parameter, used when router mode is selected. It sets the maximum mask; the default is 8 (16 million IP addresses).
-n <auto mode> Use specified algorithm in auto mode
Required parameter for generating the cache file. It is followed by the mode name, one of (bridge|router|client|server); the current version only supports these 4 modes. The choice of mode is very important. For example, when a client uses FTP software to download a file, choose client mode for a pcap file generated from packets captured on the client, and server mode for a pcap file generated from packets captured on the server. Only with the right mode is the traffic separated correctly, so that the correct packets are sent from the correct interface. Note: server-side packets are sent out by the primary network card, and client-side packets are sent from the secondary network card. Which card is primary and which is secondary is determined by the tcpreplay command (the -i and -I parameters).
-o <outputfile> Output cache file name
Required parameter for generating the cache file. It is followed by the cache file name, which is the name given to the output cache file.
-p Split traffic based on destination port
Optional parameter that separates traffic based on the destination port. Ports 0-1023 are considered to carry packets sent by the server, and the other ports packets sent by the client; the specific ports correspond to the contents of the /etc/services file. Format: -p /etc/services; you can also make a file according to your own needs.
-r <regex> Split traffic in regex Mode
Optional parameter indicating that traffic is separated using a regex pattern. It is somewhat similar to CIDR mode, but it matches the source IP of the server. The man page notes that it cannot be used with the -a or -c parameters.
-R <ratio> Specify a ratio to use in Auto Mode
Optional parameter, a ratio: the number of connections initiated by the server relative to the number of connections initiated by the client; a host is considered the server side if the value is greater than 2. I am not too sure what the English means here; we can refer to the original text:
The ratio of server connections to client connections necessary to be classified as a server in Auto mode. A system is classified as a server if [# server connections] >= ([# client connections] * [ratio]). Default is: 2.0
-x <match> Only send the packets specified
An important optional parameter that restricts the packets sent to those meeting the requirements it defines. During capture, because of the network environment, we may catch many packets that we do not need to replay; with this parameter we can determine which packets to replay. The specific sub-parameters mean the following:
S:<cidr1>,... - Src IP must match specified CIDR(s)
The source IP must match the CIDR. Format: -xS:100.1.1.0/24,10.10.10.0/26. Multiple CIDRs are separated by commas; I have not tested how many are allowed, but 3 is no problem.
D:<cidr1>,... - Dst IP must match specified CIDR(s)
The destination IP must match the CIDR, in the same format.
B:<cidr1>,... - Both src and dst addresses must match
Both the source and the destination IP must match, in the same format.
E:<cidr1>,... - Either src or dst address must match
Either the source or the destination IP must match, in the same format.
Ex: -xP:1-5,9,15 would only send packets 1 through 5, 9 and 15.
Only the specified packets are sent, according to the values (packet numbers) that follow the parameter. You can confirm the packet numbers in Ethereal and then send the required packets. This can be used to exclude ARP packets.
Tcpprep usage summary: in practice, many of the parameters are not used. The options used most are -V, -P, -XB and -XP, and generally the client and server modes are used. The other two modes have not been tested, and I do not yet know how to use them.
Examples of the different tcpprep split modes:
1) tcpprep -e 00:00:00:00:00:05 --include=P:1,2,3 -i test.pcap -o test.cache (MAC mode, include)
2) tcpprep -e 00:1e:c9:4c:03:0a --exclude=P:1,2-5 -i test.pcap -o test.cache (MAC mode, exclude)
3) tcpprep -a server --exclude=P:1,2-5 -i test.pcap -o test.cache (Auto mode)
4) tcpprep --cidr=192.168.0.0/16,10.0.0.0/8 --include=P:1,2-5 -i test.pcap -o test.cache (CIDR mode)
5) tcpprep -p --include=P:1,2-5 -i test.pcap -o test.cache (Port mode)
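The -R ratio rule quoted above, worked through on constructed data. This is an added example, not tcpprep's own code: the function names are hypothetical, and the counting rule (a bare SYN counts as a client connection for the sender, a SYN+ACK as a server connection) is a simplifying assumption.

```python
from collections import Counter

SYN, ACK = 0x02, 0x10   # TCP flag bits

def count_roles(packets):
    """Count per host how often it opened (client) or accepted (server) a connection."""
    client, server = Counter(), Counter()
    for src, _dst, flags in packets:
        if flags & SYN and not flags & ACK:     # bare SYN: src opens a connection
            client[src] += 1
        elif flags & SYN and flags & ACK:       # SYN+ACK: src accepts a connection
            server[src] += 1
    return client, server

def classify(packets, ratio=2.0):
    """Server if [# server connections] >= [# client connections] * ratio."""
    client, server = count_roles(packets)
    hosts = {h for src, dst, _ in packets for h in (src, dst)}
    result = {}
    for host in sorted(hosts):
        c, s = client[host], server[host]
        if c == 0 and s == 0:
            result[host] = "unknown"            # no handshake seen for this host
        elif s >= c * ratio:
            result[host] = "server"
        else:
            result[host] = "client"
    return result

# Constructed sample: (source IP, destination IP, TCP flags), not real traffic.
C, S, P, X = "10.1.145.96", "10.1.145.249", "10.1.145.10", "10.1.145.200"
PACKETS = (
    [(C, S, SYN), (S, C, SYN | ACK), (C, S, ACK)]
    + [(C, P, SYN), (P, C, SYN | ACK)] * 3      # P accepts three connections
    + [(P, S, SYN), (S, P, SYN | ACK)] * 2      # and opens two of its own
    + [(X, C, ACK)]                             # mid-stream packet, no handshake
)

for host, role in classify(PACKETS).items():
    print(host, role)
```

With the default ratio of 2.0 the host that accepts three connections and opens two is still a client (3 < 2 * 2.0); lowering the ratio to 1.0 turns it into a server.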
(2) Parameters used by tcprewrite
-r Rewrite TCP/UDP ports
Rewrites the TCP/UDP ports.
-e Rewrite IP addresses to be between two endpoints
Rewrites the IP addresses to be between two endpoints.
-b Skip rewriting broadcast/multicast IPv4/IPv6 addresses
Skips rewriting broadcast/multicast IPv4/IPv6 addresses.
--enet-dmac Override destination Ethernet MAC addresses
Modifies the destination MAC address.
--enet-smac Override source Ethernet MAC addresses
Modifies the source MAC address.
-i Input pcap file to be processed
The input pcap file to be processed.
-o Output pcap file
The output pcap file. (I haven't figured out what the effect of this generated file is.)
-c Split traffic via tcpprep cache file
The cache file generated by tcpprep processing.
-h Help
Show the help.
(The tcprewrite tool has not been tested in real use, so its specific functionality still needs to be verified.)
(3) Parameters used by tcpreplay:
Usage: tcpreplay [args] <file(s)>
-c <cachefile> Split traffic via cache file
Required parameter for replaying packets over two network cards. It is followed by the cache file name; the file is built by tcpprep from the corresponding pcap file.
-F Fix IP, TCP, UDP and ICMP checksums
Optional parameter that automatically corrects wrong checksums when sending packets. It is still useful for testing the DUT's checksum verification.
-i <nic> Primary interface to send traffic out of
Required parameter for dual-NIC replay; specifies the primary interface.
-I <nic> Secondary interface to send traffic out of
Required parameter for dual-NIC replay; specifies the secondary interface.
-L <limit> Specify the maximum number of packets to send
Optional parameter that specifies the maximum number of packets to send. It can be used when debugging and verifying a connection.
-x <multiple> Set replay speed to given multiple
Optional parameter that specifies a multiplier applied to the default send rate. A higher send rate can mean more concurrent connections on the DUT, especially for BT messages: the connection timeout is fixed, so if the rate increases, the number of connections left in the session table increases. The same effect can also be achieved by modifying the connection timeout.
-p <packetrate> Set replay speed to given rate (packets/sec)
Optional parameter that specifies the number of packets sent per second. When this parameter is specified, the other rate-related parameters are ignored, and the statistics printed at the end do not include the rate or the packets sent per second.
These are the main parameters. Some of the material found on the Internet differs considerably from the parameters of the actual tcpreplay, so it is recommended to use the command # tcpreplay -h to view the help when you want to use other parameters.
Four. Examples of Tcpreplay use:
Test process: capture the original packets of a client accessing Butterfly as tcp.pcap, replay them with tcpreplay, and capture the resulting packets on the switch as result.pcap. It can be seen that the packets in the two files are in the same order.
Configuration instance:
The two interfaces of the DUT and the two interfaces of the PC are connected with network cables, and tcpreplay is used to replay the packets. Note that the firewall is configured in bridge (transparent) mode. One of the PC's NICs is connected to DUT port 1 and the other NIC to DUT port 2; on the DUT the MAC addresses are set to static mapping.
1) On the client, use Ethereal to capture the TCP packets of the client accessing Butterfly. The destination IP address is 10.1.145.249 and the local address is 10.1.145.96.
2) Save the captured packets as tcp.pcap, then copy the file to the Linux system and put it in the directory where you installed Tcpreplay.
3) Use tcpprep to distinguish the client side from the server side and generate the cache file.
# tcpprep -a client -i tcp.pcap -o tcp.cache
(Automatic client mode is used here to make the distinction.)
4) Use tcpreplay to replay the packets.
# tcpreplay -p 1000 -c tcp.cache -i eth0 -I eth1 tcp.pcap
Conclusion: when the packets are replayed slowly, they pass through the device in the interaction order of the original capture. The interaction between the client and the server is fully simulated.
By default the software sends at wire speed, and the experiment found that this produces errored packets and out-of-order packets. When configured to 1000 packets/s, there is no disorder.
Suspected cause of the disorder: at high sending rates much depends on the network card; as soon as the card jitters, the order in which client-side and server-side packets pass through the DUT may be disturbed.
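The comparison of tcp.pcap with result.pcap described in the test process above can be made repeatable with a small script. This is an added example, not part of the original article or of Tcpreplay: the function names are hypothetical, it assumes classic (non-pcapng) files with untagged Ethernet frames, and the sample capture is constructed in memory.

```python
import hashlib
import struct

def read_pcap(data):
    """Return the raw frames stored in a classic (non-pcapng) pcap byte string."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    frames, off = [], 24                          # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated packet record")
        frames.append(data[off:off + incl])
        off += incl
    return frames

def compare_order(original, captured):
    """Report 1-based numbers of original packets that were lost or overtaken."""
    def key(frame):
        # Hash everything after the 14-byte Ethernet header, so MAC rewrites still match.
        return hashlib.sha256(frame[14:]).digest()
    positions = {}
    for idx, frame in enumerate(captured):
        positions.setdefault(key(frame), []).append(idx)
    lost, reordered, highest = [], [], -1
    for number, frame in enumerate(original, start=1):
        slots = positions.get(key(frame))
        if not slots:
            lost.append(number)                   # never seen after the DUT
            continue
        pos = slots.pop(0)
        if pos < highest:                         # arrived before an earlier packet
            reordered.append(number)
        highest = max(highest, pos)
    return {"lost": lost, "reordered": reordered}

def make_pcap(frames):
    """Build a little-endian Ethernet pcap in memory (constructed sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

# Constructed frames: zeroed MACs, EtherType 0x0800 and a placeholder payload.
SENT = [bytes(12) + b"\x08\x00" + b"payload-%d" % n for n in range(1, 6)]
ORIGINAL = make_pcap(SENT)
RESULT = make_pcap([SENT[0], SENT[2], SENT[1], SENT[4]])  # 2/3 swapped, 4 dropped
print(compare_order(read_pcap(ORIGINAL), read_pcap(RESULT)))
```

On real captures, read both files with open(path, "rb").read() and pass the frame lists to compare_order; an empty "lost" and "reordered" list corresponds to the result reported at 1000 packets/s.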
I have uploaded all the installation package files required by Tcpreplay to the //pmd-3/Test Department/tools directory. If you find any problems in use, you are welcome to get in touch.
Usage Experience Summary:
If the packet file is not rewritten, the process is:
1. Distinguish the client-side packets from the server-side packets:
tcpprep -a client -i http.pcap -o http.cache
2. Replay the packet file with the command:
tcpreplay -p 1 -c http.cache -i eth0 -I eth1 http.pcap
If the packet file is rewritten, the process is:
1. Distinguish the client-side packets from the server-side packets:
tcpprep -a client -i http.pcap -o http.cache
2. Rewrite the packet file:
tcprewrite -e 192.85.1.2:192.85.2.2 --enet-dmac=00:15:17:2b:ca:14,00:15:17:2b:ca:15 --enet-smac=00:10:f3:19:79:86,00:10:f3:19:79:87 -c test.cache -i test.tcpdump -o 1.pcap
3. Replay the packet file:
tcpreplay -i eth0 -I eth1 -l 1000 -t -c /dev/shm/test.cache /dev/shm/1.pcap
Reprinted from: http://www.360doc.com/content/12/0704/08/10339652_222137382.shtml
Tcpreplay tool Installation and use