


NEMESIS-TCP(1)					   NEMESIS-TCP(1)


NAME
       nemesis-tcp - TCP Protocol (The Nemesis Project)

SYNOPSIS
       nemesis-tcp  [-vZ?] [-a ack-number ] [-d Ethernet-device ]
       [-D destination-IP-address ] [-f TCP-flags ] [-F	 fragmen-
       tation-options ] [-I IP-ID ] [-M destination-MAC-address ]
       [-o TCP-options-file ] [-O IP-options-file ] [-P	 payload-
       file  ]	[-s sequence-number ] [-S source-IP-address ] [-t
       IP-TOS ] [-T IP-TTL ] [-u urgent-pointer ] [-w window-size
       ] [-x source-port ] [-y destination-port ]

DESCRIPTION
       The  Nemesis  Project  is  designed  to be a command line-
       based, portable human IP stack for UNIX-like  and  Windows
       systems.	 The suite is broken down by protocol, and should
       allow for useful scripting of injected packets from simple
       shell scripts.

       nemesis-tcp  provides an interface to craft and inject TCP
       packets allowing the user to specify any portion of a  TCP
       packet  as  well	 as  lower-level  IP  packet information.
       nemesis-tcp

TCP Options
       -a Acknowledgement-Number
	      Specify  the  acknowledgement-number  (ACK  number)
	      within the TCP header.

       -f TCP flags (-fS/-fA/-fR/-fP/-fF/-fU/-fE/-fC)
	      Specify the TCP flags:

	      -fS (SYN)
	      -fA (ACK)
	      -fR (RST)
	      -fP (PSH)
	      -fF (FIN)
	      -fU (URG)
	      -fE (ECE)
	      -fC (CWR)

	      within  the  TCP	header.	 Flags can be combined in
	      the form '-fPA'.

       -o TCP-options-file
	      This will cause nemesis-dns to  use  the	specified
	      TCP-options-file	as  the options when building the
	      TCP header for the injected  packet.   TCP  options
	      can  be  up to 40 bytes in length.  The TCP options
	      file  must  be  created  manually	 based	upon  the
	      desired options.	TCP options can also be read from
	      stdin by	specifying  '-o	 -'  instead  of  a  TCP-
	      options-file.




			   16 May 2003				1





NEMESIS-TCP(1)					   NEMESIS-TCP(1)


       -P payload-file
	      This  will  case	nemesis-tcp  to use the specified
	      payload-file as  the  payload  when  injecting  TCP
	      packets.	For packets injected using the raw inter-
	      face (where -d is not used),  the	 maximum  payload
	      size  is	65415  bytes.  For packets injected using
	      the link layer interface (where -d  IS  used),  the
	      maximum  payload	size is 1380 bytes.  Payloads can
	      also be  read  from  stdin  by  specifying  '-P  -'
	      instead of a payload file.

	      Windows  systems	are  limited to a maximum payload
	      size of 1380 bytes for TCP packets.

       -s sequence-number
	      Specify the sequence-number within the TCP  header.

       -u urgent-pointer-offset
	      Specify  the  urgent-pointer-offset  within the TCP
	      header.

       -v verbose-mode
	      Display the injected packet in human readable form.
	      Use  twice to see a hexdump of the injected packet.

       -w window-size
	      Specify the window-size within the TCP header.

       -x source-port
	      Specify  the  source-port	 packet	 within	 the  TCP
	      header.

       -y destination port
	      Specify  the destintion-port within the TCP header.

IP OPTIONS
       -D destination-IP-address
	      Specify the destination-IP-address  within  the  IP
	      header.

       -F fragmentation-options (-F[D],[M],[R],[offset])
	      Specify the fragmentation options:

	      -FD (don't fragment)
	      -FM (more fragments)
	      -FR (reserved flag)
	      -F <offset>

	      within the IP header.  IP fragmentation options can
	      be specified individually or combined into a single
	      argument	to the -F command line switch by separat-
	      ing the options with commas (eg. '-FD,M') or spaces
	      (eg.  '-FM 223').	 The IP fragmentation offset is a
	      13-bit field with valid  values  from  0	to  8189.



			   16 May 2003				2





NEMESIS-TCP(1)					   NEMESIS-TCP(1)


	      Don't  fragment  (DF),  more fragments (MF) and the
	      reserved flag (RESERVED or RB) are 1-bit fields.

	      NOTE: Under normal conditions, the reserved flag is
	      unset.

       -I IP-ID
	      Specify the IP-ID within the IP header.

       -O IP-options-file
	      This  will  cause	 nemesis-tcp to use the specified
	      IP-options-file as the options when building the IP
	      header  for the injected packet.	IP options can be
	      up to 40 bytes in length.	 The IP options file must
	      be created manually based upon the desired options.
	      IP options can also be read from stdin by	 specify-
	      ing '-O -' instead of an IP-options-file.

       -S source-IP-address
	      Specify the source-IP-address within the IP header.

       -t IP-TOS
	      Specify the IP-type-of-service (TOS) within the  IP
	      header.  Valid type of service values:

	      2	 (Minimize monetary cost)
	      4	 (Maximize reliability)
	      8	 (Maximize throughput)
	      24 (Minimize delay)

	      NOTE:  Under  normal  conditions,	 only one type of
	      service is set within a packet.  To specify  multi-
	      ple types, specify the sum of the desired values as
	      the type of service.

       -T IP-TTL
	      Specify the IP-time-to-live  (TTL)  within  the  IP
	      header.

DATA LINK OPTIONS
       -d Ethernet-device
	      Specify  the  name  (for	UNIX-like systems) or the
	      number (for Windows systems) of the Ethernet-device
	      to use (eg. fxp0, eth0, hem0, 1).

       -H source-MAC-address
	      Specify the source-MAC-address (XX:XX:XX:XX:XX:XX).

       -M destination-MAC-address
	      Specify	      the	   defination-MAC-address
	      (XX:XX:XX:XX:XX:XX).

       -Z list-network-interfaces
	      Lists  the  available  network interfaces by number



			   16 May 2003				3





NEMESIS-TCP(1)					   NEMESIS-TCP(1)


	      for use in link-layer injection.

	      NOTE: This feature is only relevant to Windows sys-
	      tems.

DIAGNOSTICS
       Nemesis-tcp  returns 0 on a successful exit, 1 if it exits
       on an error.

BUGS
       Send  concise  and  clearly   written   bug   reports   to
       jeff@snort.org

AUTHOR
       Jeff Nathan <jeff@snorg.org>

       Originally developed by Mark Grimes <mark@stateful.net>

SEE ALSO
       nemesis-arp(1), nemesis-dns(1), nemesis-ethernet(1), neme-
       sis-icmp(1),  nemesis-igmp(1),	nemesis-ip(1),	 nemesis-
       ospf(1), nemesis-rip(1), nemesis-udp(1)



































			   16 May 2003				4


