Content-type: text/html Manpage of TOMAHAWK


Section: User Commands (1)
Index Return to Main Contents


tomahawk - bidirectionally replay packets from capture files  


tomahawk [ -i interface1 ] [ -j interface1 ] [ -h ] [ -Z ] [ -q ] [ -d ] [ -W ] [ -R rate ] [ -m window ] [ -w lookahead ] [ -a startIpAddr ] [ -s startId ] [ -e endId ] [ -L logFile ] [ -N maxActive ] [ -A (0|1) ] [ -t timeout ] [ -r maxRetrans ] [ -n maxActive ] [ -l loops ] [ -f file ]



tomahawk is a tool for replaying network traffic from files saved with tcpdump(8).

The basic operation of tomahawk is to resend all packets from input file(s) from two network interfaces as fast as possible, ensuring that the packets arrive at an intermediate device (any layer-2 bridging device, but typically a network-based intrusion prevention system) in exactly the same order they appeared on the network at the time of capture.

While loading a file, Tomahawk automatically partitions the traffic between two interfaces. Tomahawk then replays a window of packets out one interface and waits for one or more packets to be received at the other interface. When a packet is received, the window moves forward, allowing new packets (from either interface) to be sent.

As part of its replay, Tomahawk modifies the IP addresses on the packets. This allows many copies of a single trace to be replayed in parallel, each stream with its block of IP addresses. This feature is useful for "scaling up" a packet trace from a comparatively low speed network. For example, suppose you have a trace of traffic from a 100 Mbps network with 500 hosts. By using the maxActive to 10, you can simulate a network with 5000 hosts on a gigabit backbone.

If a packet is dropped in the intermediate network for any reason, tomahawk will retransmit the lost packet up to maxRetrans times. This feature differentiates between a NIPS dropping a packet due to congestion versus deliberately dropping it because it contains an attack.  


Tomahawk accepts two types of options: global and stream options. The global options include the following:

Print a usage message and exit.
Send debugging information to standard output. This option can be used multiple times to increased verbosity.
Quiet mode. Suppresses normal messages (debug and error messages are still printed).
Warning mode. This mode enables extra checks and prints out warnings.
-w lookahead
Maximum number of packets to examime while gathering the group to send (default: 500)
-s startId
Lowest hadler ID to use (default: 1)
-e endId
Highest handler ID to use (default: 251)
-L logFile
Run in logMode and log packets that time out to logFile (- is STDOUT).
-i interface1
Specify the first interface to use in replaying packets.
-j interface2
Specify the second interface to use in replaying packets.
-N maxActive
Specify the maximum number of parallel replays allowed at once. Even though the stream options may specify many packet traces can be replayed in parallel, this variable sets an upper limit on the number of traces that are replayed in parallel. NOTE: Adjusting this parameter can improve or degrade performance.
-m window
Specify the maximum number of packets on the wire at one time. Adjusting this parameter can improve or degrade performance.
-R rate
Limit the rate at which tomahawk sends traffic onto the test network to rate megabits/second. Rate can be a floating point number. For example, to generate 100 Kbps of traffic you would use "-R 0.1"
-a startIpAddress
When rewriting IP addresses, start allocating addresses sequentially from startIpAddress.



The following options applying to individual streams. Each option is collected and applied to a stream specified in the file parameter. For example, to play file1 2 times, file2 2 times, and file3 3 times, you would use the flags

      -l 2 -f file1 -f file2 -l 3 -f file3

-A (0|1)
Specify if the tool should modify IP addresses in the packet traces. A value of 0 suppresses address modification.
Randomize lower 2 bytes of IP address (use only when the pcap has 2 IPs in it)
-t timeout -r retrans
Specify the minimum amount of time (in milliseconds) to wait for a packet to arrive at the destination interface after being put on the wire. If the packet does not arrive in a timely manner, it is retransmitted up the retrans times.
-n maxActive
Specifies the maximum number of simultaneously active copies of the stream that is sent in parallel on the wire.
-l loops
Specifies the number of copies of the stream that are placed on the wire.
-f file
Specifies the packet trace that contains the file to be replayed.


The following command plays the file outlook.pcap once:

        tomahawk -l 1 -f outlook.pcap

To play this pcap five times in succession, you would use:

    tomahawk -l 5 -f outlook.pcap

The "-l" parameter controls the number of loops.

If the trace contains an attack and is replayed through an IPS, the IPS should block the attack. Because an IPS often blocks a stream (identified by a host/port quadruple), Tomahawk gives each replay of the attack its own unique host/port quadruple. Assuming that the pcap contains 2 addresses, Tomahawk rewrites the packets so that the first replay of the attack is from to, the second replay is from to, and so on.

You can control the start address with the "-a" flag. For example:

    tomahawk -l 5 -f outlook.pcap -a

starts replay attacks at

The example above plays 5 copies of outlook.pcap sequentially; Tomahawk waits for the first replay to complete before sending the second. You can use the "-n" flag to set Tomahawk to send the replay packets in parallel. For example:

    tomahawk -n 3 -l 5 -f outlook.pcap 

replays outlook.pcap 5 times, with up to 3 versions running simultaneously.

You can also use Tomahawk to play multiple attacks simultaneously. For example:

    tomahawk -n 3 -l 5 -f outlook.pcap -f slammer.pcap
        -f codered.pcap

This command plays up to 3 copies of Outlook, 3 copies of Slammer, and 3 copies of CodeRed simultaneously. In terms of the tool, it plays 9 simultaneous replays in all, 6 of which (Slammer and CodeRed) are attacks.

The flags that control looping (-l) and parallel replay (-n) apply to subsequent packet traces as they are loaded (-f). For example, consider the following:

    tomahawk -n 3 -l 5 -f outlook.pcap -n 2 -l 4 -f slammer.pcap          -f codered.pcap

This command line tells tomahawk:

 o to play outlook 5 times, with up to 3 copies running simultaneously

 o to play slammer 4 times, with up to 2 copies running simultaneously

 o to play codered 4 times, with up to 2 copies running simultaneously

Up to 7 pcaps and 4 attacks are running simultaneously, and a total of 8 attacks are run.

The command

    tomahawk -l 1 -r 5 -t 1000 -f outlook.pcap 

sets Tomahawk to wait (at least) 1000 milliseconds before declaring a packet lost ("-t 1000") and to retransmit the packet 5 times ("-r 5") before giving up and printing a timeout message.

To limit the data rate generated by Tomahawk, use the "-R" flag. For example, to generate 100 Mbps of clean traffic, use the following:

    tomahawk -n 50 -l 10000 -f http.pcap -R 100

The value of "-R" is a floating point number. To generate 100 Kbps of traffic, use the following:

    tomahawk -n 50 -l 10000 -f http.pcap -R 0.1  


tcpdump(8), tcpreplay(8)  


Brian Smith, TippingPoint Inc.  


The current version is available via HTTP:


Please see the tomahawk FAQ for a list of limitations and any possible work-arounds:




This document was created by man2html, using the manual pages.
Time: 17:55:14 GMT, April 28, 2006