summaryrefslogtreecommitdiff
path: root/trafgen.8
blob: 6f5d318231e92bb913de4567c5f904f4ce3a1a8a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
.\" netsniff-ng - the packet sniffing beast
.\" Copyright 2013 Daniel Borkmann.
.\" Subject to the GPL, version 2.
.TH TRAFGEN 8 "03 March 2013" "Linux" "netsniff-ng toolkit"
.SH NAME
trafgen \- a fast, multithreaded network packet generator
.PP
.SH SYNOPSIS
.PP
\fBtrafgen\fR [\fIoptions\fR] [\fIpacket\fR]
.PP
.SH DESCRIPTION
.PP
trafgen is a fast, zero-copy network traffic generator for debugging,
performance evaluation, and fuzz-testing. trafgen utilizes the packet(7)
socket interface of Linux which postpones complete control over packet data
and packet headers into the user space. It has a powerful packet configuration
language, which is rather low-level and not limited to particular protocols.
Thus, trafgen can be used for many purposes. Its only limitation is that it
cannot mimic full streams resp. sessions. However, it is very useful for
various kinds of load testing in order to analyze and subsequently improve
systems behaviour under DoS attack scenarios, for instance.
.PP
trafgen is Linux specific, meaning there is no support for other operating
systems, same as netsniff-ng(8), thus we can keep the code footprint quite
minimal and to the point. trafgen makes use of packet(7) socket's TX_RING
interface of the Linux kernel, which is a mmap(2)'ed ring buffer shared between
user and kernel space.
.PP
By default, trafgen starts as many processes as available CPUs, pins each
of them to their respective CPU and sets up the ring buffer each in their own
process space after having compiled a list of packets to transmit. Thus, this is
likely the fastest one can get out of the box in terms of transmission performance
from user space, without having to load unsupported or non-mainline third-party
kernel modules. On Gigabit Ethernet, trafgen has a comparable performance to
pktgen, the built-in Linux kernel traffic generator, except that trafgen is more
flexible in terms of packet configuration possibilities. On 10-Gigabit-per-second
Ethernet, trafgen might be slower than pktgen due to the user/kernel space
overhead but still has a fairly high performance for out of the box kernels.
.PP
trafgen has the potential to do fuzz testing, meaning a packet configuration can
be built with random numbers on all or certain packet offsets that are freshly
generated each time a packet is sent out. With a built-in IPv4 ping, trafgen can
send out an ICMP probe after each packet injection to the remote host in order
to test if it is still responsive/alive. Assuming there is no answer from the
remote host after a certain threshold of probes, the machine is considered dead
and the last sent packet is printed together with the random seed that was used
by trafgen. You might not really get lucky fuzz-testing the Linux kernel, but
presumably there are buggy closed-source embedded systems or network driver's
firmware files that are prone to bugs, where trafgen could help in finding them.
.PP
trafgen's configuration language is quite powerful, also due to the fact, that
it supports C preprocessor macros. A stddef.h is being shipped with trafgen for
this purpose, so that well known defines from Linux kernel or network programming
can be reused. After a configuration file has passed the C preprocessor stage,
it is processed by the trafgen packet compiler. The language itself supports a
couple of features that are useful when assembling packets, such as built-in
runtime checksum support for IP, UDP and TCP. Also it has an expression evaluator
where arithmetic (basic operations, bit operations, bit shifting, ...) on constant
expressions is being reduced to a single constant on compile time. Other features
are ''fill'' macros, where a packet can be filled with n bytes by a constant, a
compile-time random number or run-time random number (as mentioned with fuzz
testing). Also, netsniff-ng(8) is able to convert a pcap file into a trafgen
configuration file, thus such a configuration can then be further tweaked for a
given scenario.
.PP
.SH OPTIONS
.PP
.SS -i <cfg|->, -c <cfg|i>, --in <cfg|->, --conf <cfg|->
Defines the input configuration file that can either be passed as a normal plain
text file or via stdin (''-''). Note that currently, if a configuration is
passed through stdin, only 1 CPU will be used.
.PP
.SS -o <dev>, -d <dev>, --out <dev>, --dev <dev>
Defines the outgoing networking device such as eth0, wlan0 and others.
.PP
.SS -p, --cpp
Pass the packet configuration to the C preprocessor before reading it into
trafgen. This allows #define and #include directives (e.g. to include
definitions from system headers) to be used in the trafgen configuration file.
.PP
.SS -D <name>=<definition>, --define <name>=<definition>
Add macro definition for the C preprocessor to use it within trafgen file. This
option is used in combination with the -p,--cpp option.
.PP
.SS -J, --jumbo-support
By default trafgen's ring buffer frames are of a fixed size of 2048 bytes.
This means that if you're expecting jumbo frames or even super jumbo frames to
pass your line, then you will need to enable support for that with the help of
this option. However, this has the disadvantage of a performance regression and
a bigger memory footprint for the ring buffer.
.PP
.SS -R, --rfraw
In case the output networking device is a wireless device, it is possible with
trafgen to turn this into monitor mode and create a mon<X> device that trafgen
will be transmitting on instead of wlan<X>, for instance. This enables trafgen
to inject raw 802.11 frames.
.PP
.SS -s <ipv4>, --smoke-test <ipv4>
In case this option is enabled, trafgen will perform a smoke test. In other
words, it will probe the remote end, specified by an <ipv4> address, that is
being ''attacked'' with trafgen network traffic, if it is still alive and
responsive. That means, after each transmitted packet that has been configured,
trafgen sends out ICMP echo requests and waits for an answer before it continues.
In case the remote end stays unresponsive, trafgen assumes that the machine
has crashed and will print out the content of the last packet as a trafgen
packet configuration and the random seed that has been used in order to
reproduce a possible bug. This might be useful when testing proprietary embedded
devices. It is recommended to have a direct link between the host running
trafgen and the host being attacked by trafgen.
.PP
.SS -n <0|uint>, --num <0|uint>
Process a number of packets and then exit. If the number of packets is 0, then
this is equivalent to infinite packets resp. processing until interrupted.
Otherwise, a number given as an unsigned integer will limit processing.
.PP
.SS -r, --rand
Randomize the packet selection of the configuration file. By default, if more
than one packet is defined in a packet configuration, packets are scheduled for
transmission in a round robin fashion. With this option, they are selected
randomly instread.
.PP
.SS -P <uint>, --cpus <uint>
Specify the number of processes trafgen shall fork(2) off. By default trafgen
will start as many processes as CPUs that are online and pin them to each,
respectively. Allowed value must be within interval [1,CPUs].
.PP
.SS -t <time>, --gap <time>
Specify a static inter-packet timegap in seconds, milliseconds, microseconds,
or nanoseconds: ''<num>s/ms/us/ns''. If no postfix is given default to
microseconds. If this option is given, then instead of packet(7)'s TX_RING
interface, trafgen will use sendto(2) I/O for network packets, even if the
<time> argument is 0. This option is useful for a couple of reasons: i)
comparison between sendto(2) and TX_RING performance, ii) low-traffic packet
probing for a given interval, iii) ping-like debugging with specific payload
patterns. Furthermore, the TX_RING interface does not cope with interpacket
gaps.
.PP
.SS -S <size>, --ring-size <size>
Manually define the TX_RING resp. TX_RING size in ''<num>KiB/MiB/GiB''. On
default the size is being determined based on the network connectivity rate.
.PP
.SS -E <uint>, --seed <uint>
Manually set the seed for pseudo random number generator (PRNG) in trafgen. By
default, a random seed from /dev/urandom is used to feed glibc's PRNG. If that
fails, it falls back to the unix timestamp. It can be useful to set the seed
manually in order to be able to reproduce a trafgen session, e.g. after fuzz
testing.
.PP
.SS -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
After ring setup, drop privileges to a non-root user/group combination.
.PP
.SS -H, --prio-high
Set this process as a high priority process in order to achieve a higher
scheduling rate resp. CPU time. This is however not the default setting, since
it could lead to starvation of other processes, for example low priority kernel
threads.
.PP
.SS -A, --no-sock-mem
Do not change systems default socket memory setting during testrun.
Default is to boost socket buffer memory during the test to:
.PP
   /proc/sys/net/core/rmem_default:4194304
   /proc/sys/net/core/wmem_default:4194304
   /proc/sys/net/core/rmem_max:104857600
   /proc/sys/net/core/wmem_max:104857600
.PP
.SS -Q, --notouch-irq
Do not reassign the NIC's IRQ CPU affinity settings.
.PP
.SS -q, --qdisc-path
Since Linux 3.14, the kernel supports a socket option PACKET_QDISC_BYPASS,
which trafgen enables by default.  This options disables the qdisc bypass,
and uses the normal send path through the kernel's qdisc (traffic control)
layer, which can be usefully for testing the qdisc path.
.PP
.SS -V, --verbose
Let trafgen be more talkative and let it print the parsed configuration and
some ring buffer statistics.
.PP
.SS -e, --example
Show a built-in packet configuration example. This might be a good starting
point for an initial packet configuration scenario.
.PP
.SS -C, --no-cpu-stats
Do not print CPU time statistics on exit.
.PP
.SS -v, --version
Show version information and exit.
.PP
.SS -h, --help
Show user help and exit.
.PP
.SH SYNTAX
.PP
trafgen's packet configuration syntax is fairly simple. The very basic things
one needs to know is that a configuration file is a simple plain text file
where packets are defined. It can contain one or more packets. Packets are
enclosed by opening '{' and closing '}' braces, for example:
.PP
   { /* packet 1 content goes here ... */ }
   { /* packet 2 content goes here ... */ }
.PP
Alternatively, packets can also be specified directly on the command line, using
the same syntax as used in the configuration files.
.PP
When trafgen is started using multiple CPUs (default), then each of those packets
will be scheduled for transmission on all CPUs by default. However, it is possible
to tell trafgen to schedule a packet only on a particular CPU:
.PP
   cpu(1): { /* packet 1 content goes here ... */ }
   cpu(2-3): { /* packet 2 content goes here ... */ }
.PP
Thus, in case we have a 4 core machine with CPU0-CPU3, packet 1 will be scheduled
only on CPU1, packet 2 on CPU2 and CPU3. When using trafgen with \-\-num option,
then these constraints will still be valid and the packet is fairly distributed
among those CPUs.
.PP
Packet content is delimited either by a comma or whitespace, or both:
.PP
   { 0xca, 0xfe, 0xba 0xbe }
.PP
Packet content can be of the following:
.PP
   hex bytes:   0xca, xff
   decimal:     42
   binary:      0b11110000, b11110000
   octal:       011
   character:   'a'
   string:      "hello world"
   shellcode:   "\\x31\\xdb\\x8d\\x43\\x17\\x99\\xcd\\x80\\x31\\xc9"
.PP
Thus, a quite useless packet packet configuration might look like this (one can
verify this when running this with trafgen in combination with \-V):
.PP
   { 0xca, 42, 0b11110000, 011, 'a', "hello world",
     "\\x31\\xdb\\x8d\\x43\\x17\\x99\\xcd\\x80\\x31\\xc9" }
.PP
There are a couple of helper functions in trafgen's language to make life easier
to write configurations:
.PP
i) Fill with garbage functions:
.PP
   byte fill function:      fill(<content>, <times>): fill(0xca, 128)
   compile-time random:     rnd(<times>): rnd(128), rnd()
   runtime random numbers:  drnd(<times>): drnd(128), drnd()
   compile-time counter:    seqinc(<start-val>, <increment>, <times>)
                            seqdec(<start-val>, <decrement>, <times>)
   runtime counter (1byte): dinc(<min-val>, <max-val>, <increment>)
                            ddec(<min-val>, <max-val>, <decrement>)
.PP
ii) Checksum helper functions (packet offsets start with 0):
.PP
   IP/ICMP checksum:        csumip/csumicmp(<off-from>, <off-to>)
   UDP checksum:            csumudp(<off-iphdr>, <off-udpdr>)
   TCP checksum:            csumtcp(<off-iphdr>, <off-tcphdr>)
   UDP checksum (IPv6):     csumudp6(<off-ip6hdr>, <off-udpdr>)
   TCP checksum (IPv6):     csumtcp6(<off-ip6hdr>, <off-tcphdr>)
.PP
iii) Multibyte functions, compile-time expression evaluation:
.PP
   const8(<content>), c8(<content>), const16(<content>), c16(<content>),
   const32(<content>), c32(<content>), const64(<content>), c64(<content>)
.PP
   These functions write their result in network byte order into the packet
configuration, e.g. const16(0xaa) will result in ''00 aa''. Within c*()
functions, it is possible to do some arithmetics: -,+,*,/,%,&,|,<<,>>,^
E.g. const16((((1<<8)+0x32)|0b110)*2) will be evaluated to ''02 6c''.
.PP
Furthermore, there are two types of comments in trafgen configuration files:
.PP
  1. Multi-line C-style comments:        /* put comment here */
  2. Single-line Shell-style comments:   #  put comment here
.PP
Next to all of this, a configuration can be passed through the C preprocessor
before the trafgen compiler gets to see it with option \-\-cpp. To give you a
taste of a more advanced example, run ''trafgen \-e'', fields are commented:
.PP
   /* Note: dynamic elements make trafgen slower! */
   #include <stddef.h>

   {
     /* MAC Destination */
     fill(0xff, ETH_ALEN),
     /* MAC Source */
     0x00, 0x02, 0xb3, drnd(3),
     /* IPv4 Protocol */
     c16(ETH_P_IP),
     /* IPv4 Version, IHL, TOS */
     0b01000101, 0,
     /* IPv4 Total Len */
     c16(59),
     /* IPv4 Ident */
     drnd(2),
     /* IPv4 Flags, Frag Off */
     0b01000000, 0,
     /* IPv4 TTL */
     64,
     /* Proto TCP */
     0x06,
     /* IPv4 Checksum (IP header from, to) */
     csumip(14, 33),
     /* Source IP */
     drnd(4),
     /* Dest IP */
     drnd(4),
     /* TCP Source Port */
     drnd(2),
     /* TCP Dest Port */
     c16(80),
     /* TCP Sequence Number */
     drnd(4),
     /* TCP Ackn. Number */
     c32(0),
     /* TCP Header length + TCP SYN/ECN Flag */
     c16((8 << 12) | TCP_FLAG_SYN | TCP_FLAG_ECE)
     /* Window Size */
     c16(16),
     /* TCP Checksum (offset IP, offset TCP) */
     csumtcp(14, 34),
     /* TCP Options */
     0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x06,
     0x91, 0x68, 0x7d, 0x06, 0x91, 0x68, 0x6f,
     /* Data blob */
     "gotcha!",
   }
.PP
Another real-world example by Jesper Dangaard Brouer [1]:
.PP
   {
     # --- ethernet header ---
     0x00, 0x1b, 0x21, 0x3c, 0x9d, 0xf8,  # mac destination
     0x90, 0xe2, 0xba, 0x0a, 0x56, 0xb4,  # mac source
     const16(0x0800), # protocol
     # --- ip header ---
     # ipv4 version (4-bit) + ihl (4-bit), tos
     0b01000101, 0,
     # ipv4 total len
     const16(40),
     # id (note: runtime dynamic random)
     drnd(2),
     # ipv4 3-bit flags + 13-bit fragment offset
     # 001 = more fragments
     0b00100000, 0,
     64, # ttl
     17, # proto udp
     # dynamic ip checksum (note: offsets are zero indexed)
     csumip(14, 33),
     192, 168, 51, 1, # source ip
     192, 168, 51, 2, # dest ip
     # --- udp header ---
     # as this is a fragment the below stuff does not matter too much
     const16(48054), # src port
     const16(43514), # dst port
     const16(20),    # udp length
     # udp checksum can be dyn calc via csumudp(offset ip, offset tcp)
     # which is csumudp(14, 34), but for udp its allowed to be zero
     const16(0),
     # payload
     'A',  fill(0x41, 11),
   }
.PP
   [1] http://thread.gmane.org/gmane.linux.network/257155
.PP
.SH USAGE EXAMPLE
.PP
.SS trafgen --dev eth0 --conf trafgen.cfg
This is the most simple and, probably, the most common use of trafgen. It
will generate traffic defined in the configuration file ''trafgen.cfg'' and
transmit this via the ''eth0'' networking device. All online CPUs are used.
.PP
.SS trafgen -e | trafgen -i - -o lo --cpp -n 1
This is an example where we send one packet of the built-in example through
the loopback device. The example configuration is passed via stdin and also
through the C preprocessor before trafgen's packet compiler will see it.
.PP
.SS trafgen --dev eth0 --conf fuzzing.cfg --smoke-test 10.0.0.1
Read the ''fuzzing.cfg'' packet configuration file (which contains drnd()
calls) and send out the generated packets to the ''eth0'' device. After each
sent packet, ping probe the attacked host with address 10.0.0.1 to check if
it's still alive. This also means, that we utilize 1 CPU only, and do not
use the TX_RING, but sendto(2) packet I/O due to ''slow mode''.
.PP
.SS trafgen --dev wlan0 --rfraw --conf beacon-test.txf -V --cpus 2
As an output device ''wlan0'' is used and put into monitoring mode, thus we
are going to transmit raw 802.11 frames through the air. Use the
 ''beacon-test.txf'' configuration file, set trafgen into verbose mode and
use only 2 CPUs.
.PP
.SS trafgen --dev em1 --conf frag_dos.cfg --rand --gap 1000us
Use trafgen in sendto(2) mode instead of TX_RING mode and sleep after each
sent packet a static timegap for 1000us. Generate packets from ''frag_dos.cfg''
and select next packets to send randomly instead of a round-robin fashion.
The output device for packets is ''em1''.
.PP
.SS trafgen --dev eth0 --conf icmp.cfg --rand --num 1400000 -k1000
Send only 1400000 packets using the ''icmp.cfg'' configuration file and then
exit trafgen. Select packets randomly from that file for transmission and
send them out via ''eth0''. Also, trigger the kernel every 1000us for batching
the ring frames from user space (default is 10us).
.PP
.SS trafgen --dev eth0 --conf tcp_syn.cfg -u `id -u bob` -g `id -g bob`
Send out packets generated from the configuration file ''tcp_syn.cfg'' via
the ''eth0'' networking device. After setting up the ring for transmission,
drop credentials to the non-root user/group bob/bob.
.PP
.SS trafgen --dev eth0 '{ fill(0xff, 6), 0x00, 0x02, 0xb3, rnd(3), c16(0x0800), fill(0xca, 64) }' -n 1
Send out 1 invaid IPv4 packet built from command line to all hosts.
.PP
.SH NOTE
.PP
trafgen can saturate a Gigabit Ethernet link without problems. As always,
of course, this depends on your hardware as well. Not everywhere where it
says Gigabit Ethernet on the box, will you reach almost physical line rate!
Please also read the netsniff-ng(8) man page, section NOTE for further
details about tuning your system e.g. with tuned(8).
.PP
If you intend to use trafgen on a 10-Gbit/s Ethernet NIC, make sure you
are using a multiqueue tc(8) discipline, and make sure that the packets
you generate with trafgen will have a good distribution among tx_hashes
so that you'll actually make use of multiqueues.
.PP
For introducing bit errors, delays with random variation and more, there
is no built-in option in trafgen. Rather, one should reuse existing methods
for that which integrate nicely with trafgen, such as tc(8) with its
different disciplines, i.e. netem.
.PP
For more complex packet configurations, it is recommended to use high-level
scripting for generating trafgen packet configurations in a more automated
way, i.e. also to create different traffic distributions that are common for
industrial benchmarking:
.PP
    Traffic model              Distribution
.PP
    IMIX                       64:7,  570:4,  1518:1
    Tolly                      64:55,  78:5,   576:17, 1518:23
    Cisco                      64:7,  594:4,  1518:1
    RPR Trimodal               64:60, 512:20, 1518:20
    RPR Quadrimodal            64:50, 512:15, 1518:15, 9218:20
.PP
The low-level nature of trafgen makes trafgen rather protocol independent
and therefore useful in many scenarios when stress testing is needed, for
instance. However, if a traffic generator with higher level packet
descriptions is desired, netsniff-ng's mausezahn(8) can be of good use as
well.
.PP
For smoke/fuzz testing with trafgen, it is recommended to have a direct
link between the host you want to analyze (''victim'' machine) and the host
you run trafgen on (''attacker'' machine). If the ICMP reply from the victim
fails, we assume that probably its kernel crashed, thus we print the last
sent packet together with the seed and quit probing. It might be very unlikely
to find such a ping-of-death on modern Linux systems. However, there might
be a good chance to find it on some proprietary (e.g. embedded) systems or
buggy driver firmwares that are in the wild. Also, fuzz testing can be done
on raw 802.11 frames, of course. In case you find a ping-of-death, please
mention that you were using trafgen in your commit message of the fix!
.PP
.SH BUGS
For old trafgen versions only, there could occur kernel crashes: we have fixed
this bug in the mainline and stable kernels under commit 7f5c3e3a8 (''af_packet:
remove BUG statement in tpacket_destruct_skb'') and also in trafgen.
.PP
Probably the best is if you upgrade trafgen to the latest version.
.PP
.SH LEGAL
trafgen is licensed under the GNU GPL version 2.0.
.PP
.SH HISTORY
.B trafgen
was originally written for the netsniff-ng toolkit by Daniel Borkmann. It
is currently maintained by Tobias Klauser <tklauser@distanz.ch> and Daniel
Borkmann <dborkma@tik.ee.ethz.ch>.
.PP
.SH SEE ALSO
.BR netsniff-ng (8),
.BR mausezahn (8),
.BR ifpps (8),
.BR bpfc (8),
.BR flowtop (8),
.BR astraceroute (8),
.BR curvetun (8)
.PP
.SH AUTHOR
Manpage was written by Daniel Borkmann.
.PP
.SH COLOPHON
This page is part of the Linux netsniff-ng toolkit project. A description of the project,
and information about reporting bugs, can be found at http://netsniff-ng.org/.