I'm not sure why executing the command below on an Ubuntu terminal throws an error. The tcpprep syntax and options are as mentioned in the help doc, yet it still throws an error.

```
root@test-vm:~# /usr/bin/tcpprep --cachefile='cachefile1' —-pcap='/pcaps/http.pcap'
tcpprep: Command line arguments not allowed
tcpprep (tcpprep) - Create a tcpreplay cache cache file from a pcap file
root@test-vm:~# /usr/bin/tcpprep -V
tcpprep version: 3.4.4 (build 2450) (debug)
```
There are two problems with your command (and it doesn't help that `tcpprep` errors are vague or wrong).

Problem #1: Commands out of order

tcpprep requires that `-i/--pcap` come before `-o/--cachefile`. You can fix this as below, but then you get a different error:

Note that the error above is not even accurate! `-e/--mac` can also be used!

Problem #2: Processing mode must be specified

`tcpprep` is used to preprocess a capture file into client/server using a heuristic that you provide. Looking through the tcpprep manpage, there are 5 valid options (`-acerp`). Given this capture file as `input.pcapng`, with server `192.168.122.201` and next hop MAC `52:54:00:12:35:02`:

- `-a/--auto`: Let tcpprep determine based on one of 5 heuristics: `bridge`, `router`, `client`, `server`, `first`. Ex:
- `-c/--cidr`: Specify the server by CIDR range. We see servers at 192.168.122.201, 192.168.122.202, and 192.168.3.40, so summarize with `192.168.0.0/16`:
- `-e/--mac`: This is not as useful in this capture, as ALL traffic in this capture has a dest MAC of the next hop `52:54:00:12:35:02`, `ff:ff:ff:ff:ff:ff` (broadcast), or `33:33:00:01:00:02` (multicast). Nonetheless, traffic from the next hop won't be client traffic, so this would look like:
- `-r/--regex`: This is for IP ranges, and is an alternative to summarizing subnets with `--cidr`. This would be more useful if you have several IPs like 10.0.20.1, 10.1.20.1, 10.2.20.1, ... where summarization won't work and regex will. This is one regex we could use to summarize the servers:
- `-p/--port`: Looking at Wireshark > Statistics > Endpoints, we see ports [135,139,445,1024]/tcp and [137,138]/udp are associated with the server IPs. 1024/tcp, used with `dcerpc`, is the only one that falls outside the range 0-1023, and so we'd have to specify it manually. Per services syntax, we'd represent this as 'dcerpc 1024/tcp'. In order to specify port, we also need to specify a `--services` file. We can specify one inline as a temporary file descriptor with process substitution. Altogether:

Further Reading

For more examples and information, check out the online docs.
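As an added example (my own script, not part of the answer above or of the tcpreplay project), here is a small wrapper that checks a tcpprep argument list for the two problems the answer describes (option order and a missing processing mode), plus a stray non-ASCII dash like the one in the question's `—-pcap`, before invoking tcpprep once per mode. The file names and the regex are assumptions for illustration; the option names are the ones in tcpprep(1).

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Option names are the ones
# tcpprep(1) documents (-i/--pcap, -o/--cachefile, modes -a/--auto -c/--cidr
# -e/--mac -r/--regex -p/--port, -s/--services); file names/regex are made up.
PCAP=input.pcap; CACHE=input.cache

# Check a tcpprep argument list (forms --opt=val, --opt val, -x val):
#  1. each option starts with an ASCII '-' (the question's "—-pcap" begins
#     with a Unicode dash, so the option parser sees a stray operand);
#  2. -i/--pcap comes before -o/--cachefile, as the answer requires;
#  3. exactly one processing mode (-a -c -e -r -p) is present.
check_tcpprep_args() {
  local pcap_pos=0 cache_pos=0 modes=0 i=0 want_value=0 arg
  for arg in "$@"; do
    i=$((i + 1))
    if [ "$want_value" = 1 ]; then want_value=0; continue; fi   # option value
    case $arg in
      -*) ;;
      *) echo "arg $i: '$arg' does not start with an ASCII '-'"; return 1 ;;
    esac
    case $arg in
      -i|--pcap)      pcap_pos=$i;  want_value=1 ;;
      --pcap=*)       pcap_pos=$i ;;
      -o|--cachefile) cache_pos=$i; want_value=1 ;;
      --cachefile=*)  cache_pos=$i ;;
      -a|--auto|-c|--cidr|-e|--mac|-r|--regex|-s|--services) want_value=1 ;;
    esac
    case $arg in
      -a|--auto*|-c|--cidr*|-e|--mac*|-r|--regex*|-p|--port) modes=$((modes + 1)) ;;
    esac
  done
  [ "$pcap_pos" -gt 0 ] && [ "$cache_pos" -gt 0 ] || { echo "need -i/--pcap and -o/--cachefile"; return 1; }
  [ "$pcap_pos" -lt "$cache_pos" ] || { echo "-i/--pcap must come before -o/--cachefile"; return 1; }
  [ "$modes" -eq 1 ] || { echo "need exactly one of -a -c -e -r -p, got $modes"; return 1; }
}

# Run tcpprep only after the checks pass; without tcpprep (or the capture), just echo the list.
tcpprep_checked() {
  check_tcpprep_args "$@" || return 1
  if command -v tcpprep >/dev/null 2>&1 && [ -f "$PCAP" ]; then tcpprep "$@"; else echo "args ok: $*"; fi
}

# One call per mode for the answer's capture: auto heuristic, server /16, next-hop MAC, regex
# over the three server IPs, and ports with a services file adding 'dcerpc 1024/tcp'.
tcpprep_checked --pcap="$PCAP" --cachefile="$CACHE" --auto=bridge
tcpprep_checked --pcap="$PCAP" --cachefile="$CACHE" --cidr=192.168.0.0/16
tcpprep_checked --pcap="$PCAP" --cachefile="$CACHE" --mac=52:54:00:12:35:02
tcpprep_checked --pcap="$PCAP" --cachefile="$CACHE" --regex='192\.168\.(122\.20[12]|3\.40)'
SERVICES=$(mktemp); echo 'dcerpc 1024/tcp' > "$SERVICES"   # bash: --services=<(echo ...) needs no file
tcpprep_checked --pcap="$PCAP" --cachefile="$CACHE" --port --services="$SERVICES"
rm -f "$SERVICES"
```

The temporary services file stands in for the process substitution the answer mentions so the script also runs under plain sh.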