network-programming, pcap, tcpreplay

tcpprep: Command line arguments not allowed


I'm not sure why executing the command below on an Ubuntu terminal throws an error. The tcpprep syntax and options are as described in the help doc, but it still throws an error.

root@test-vm:~# /usr/bin/tcpprep --cachefile='cachefile1' —-pcap='/pcaps/http.pcap' 

tcpprep: Command line arguments not allowed
tcpprep (tcpprep) - Create a tcpreplay cache cache file from a pcap file

root@test-vm:~# /usr/bin/tcpprep -V
tcpprep version: 3.4.4 (build 2450) (debug)

Solution

  • There are two problems with your command (and it doesn't help that tcpprep errors are vague or wrong).

    Problem #1: Commands out of order

    tcpprep requires that -i/--pcap come before -o/--cachefile. You can fix this as below, but then you get a different error:

    bash$ /usr/bin/tcpprep --pcap='/pcaps/http.pcap' --cachefile='cachefile1'
    
    Fatal Error in tcpprep_api.c:tcpprep_post_args() line 387:
    Must specify a processing mode: -a, -c, -r, -p
    

    Note that the error above is not even accurate! -e/--mac can also be used!

    Problem #2: Processing mode must be specified

    tcpprep is used to preprocess a capture file into client/server using a heuristic that you provide. Looking through the tcpprep manpage, there are 5 valid options (-acerp). Given this capture file as input.pcapng with server 192.168.122.201 and next hop mac 52:54:00:12:35:02,

    -a/--auto

    Let tcpprep determine based on one of 5 heuristics: bridge, router, client, server, first. Ex:

    tcpprep --auto=first --pcap=input.pcapng --cachefile=input.cache
    

    -c/--cidr

    Specify server by cidr range. We see servers at 192.168.122.201, 192.168.122.202, and 192.168.3.40, so summarize with 192.168.0.0/16:

    tcpprep --cidr=192.168.0.0/16 --pcap=input.pcapng --cachefile=input.cache
    

    -e/--mac

    This is not as useful in this capture as ALL traffic in this capture has dest mac of next hop of 52:54:00:12:35:02, ff:ff:ff:ff:ff:ff (broadcast), or 33:33:00:01:00:02 (multicast). Nonetheless, traffic from the next hop won't be client traffic, so this would look like:

    tcpprep --mac=52:54:00:12:35:02 --pcap=input.pcapng --cachefile=input.cache
    

    -r/--regex

    This is for IP ranges, and is an alternative to summarizing subnets with --cidr. This would be more useful if you have several IPs like 10.0.20.1, 10.1.20.1, 10.2.20.1, ... where summarization won't work and regex will. This is one regex we could use to summarize the servers:

    tcpprep --regex="192\.168\.(122|3).*" --pcap=input.pcapng --cachefile=input.cache
    

    -p/--port

    Looking at Wireshark > Statistics > Endpoints, we see ports [135,139,445,1024]/tcp and [137,138]/udp are associated with the server IPs. 1024/tcp, used with dcerpc, is the only one that falls outside the range 0-1023, and so we'd have to specify it manually. Per services syntax, we'd represent this as 'dcerpc 1024/tcp'. In order to specify a port, we also need to specify a --services file. We can specify one inline as a temporary file descriptor with process substitution. Altogether,

    tcpprep --port --services=<(echo "dcerpc    1024/tcp") --pcap=input.pcapng --cachefile=input.cache
    

    Further Reading

    For more examples and information, check out the online docs.
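The five processing modes from the answer above, collected into one script as an added example (this is not code from the question, the answer, or the tcpreplay project). It adds one check the answer does not mention: tcpprep's option parser (autoopts) only recognises option names that begin with ASCII hyphens, and any other token counts as a positional operand, which is exactly the condition the "Command line arguments not allowed" message reports. The question's command as printed on this page has an em dash (U+2014) in `—-pcap`, so the script rejects that spelling before tcpprep ever sees it. Assumptions: the capture is named input.pcapng, the server subnet, next-hop MAC, regex and dcerpc port are the values the answer uses, the cache file names are invented, and tcpprep is only executed when it is actually on PATH. A mktemp file stands in for the answer's `<(...)` so the script runs under plain sh.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Builds the
# tcpprep command line for each processing mode, refuses option tokens whose
# dashes are not ASCII, and only executes tcpprep when it is installed.
# input.pcapng, the server/next-hop values and the cache names are assumed.

EM_DASH=$(printf '\342\200\224')   # U+2014 EM DASH, as it appears in the question
EN_DASH=$(printf '\342\200\223')   # U+2013 EN DASH, another common paste victim

# autoopts-based programs such as tcpprep accept only ASCII "-"/"--" option
# prefixes; any other token is a positional operand, and tcpprep allows none
# ("Command line arguments not allowed"). Returns 1 and names the first
# offending argument when a Unicode dash is present, 0 otherwise.
check_ascii_dashes() {
    for arg in "$@"; do
        case "$arg" in
            *"$EM_DASH"*|*"$EN_DASH"*)
                printf 'non-ASCII dash in argument: %s\n' "$arg" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Print one complete tcpprep invocation. MODE is auto|cidr|mac|regex|port and
# VALUE its argument (heuristic name, CIDR, MAC, regex, or a services file for
# --port). Every line carries exactly one mode flag plus --pcap and --cachefile,
# which is what the "Must specify a processing mode" error is asking for.
tcpprep_cmd() {
    mode=$1
    value=$2
    pcap=$3
    cache=$4
    case "$mode" in
        auto)  modeflag="--auto=$value" ;;
        cidr)  modeflag="--cidr=$value" ;;
        mac)   modeflag="--mac=$value" ;;
        regex) modeflag="--regex=$value" ;;
        port)  modeflag="--port --services=$value" ;;
        *)     printf 'unknown mode %s (use auto|cidr|mac|regex|port)\n' "$mode" >&2
               return 2 ;;
    esac
    printf 'tcpprep %s --pcap=%s --cachefile=%s\n' "$modeflag" "$pcap" "$cache"
}

# Show the command, sanity-check it, then run it if tcpprep is on PATH. The
# line is split on spaces with globbing disabled so the regex's "*" survives;
# none of the values used here contain spaces.
run_tcpprep() {
    cmd=$(tcpprep_cmd "$@") || return $?
    printf '%s\n' "$cmd"
    check_ascii_dashes "$cmd" || return 1
    if command -v tcpprep >/dev/null 2>&1; then
        set -f
        set -- $cmd
        set +f
        "$@"
    else
        echo '(tcpprep not installed here; command shown only)' >&2
    fi
}

# The question's command as printed on the page: U+2014 precedes "-pcap", so
# the check rejects it instead of letting tcpprep report a vague error.
check_ascii_dashes --cachefile=cachefile1 "${EM_DASH}-pcap=/pcaps/http.pcap"

PCAP=input.pcapng                       # assumed capture name from the answer
run_tcpprep auto  first                 "$PCAP" input-auto.cache
run_tcpprep cidr  192.168.0.0/16        "$PCAP" input-cidr.cache
run_tcpprep mac   52:54:00:12:35:02     "$PCAP" input-mac.cache
run_tcpprep regex '192\.168\.(122|3).*' "$PCAP" input-regex.cache
svc=$(mktemp)                           # stands in for the answer's <(...)
printf 'dcerpc\t1024/tcp\n' > "$svc"    # services(5) syntax: name port/proto
run_tcpprep port "$svc" "$PCAP" input-port.cache
rm -f "$svc"
```

Because the dash check runs on the assembled command line rather than on what you think you typed, it also catches the case where a flag was copied out of a rendered web page or PDF that replaced `--` with a typographic dash.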