.\" .\" bittwiste.1 - manpage for the bittwiste program .\" Copyright (C) 2006 - 2023 Addy Yeow .\" .\" This program is free software; you can redistribute it and/or .\" modify it under the terms of the GNU General Public License .\" as published by the Free Software Foundation; either version 2 .\" of the License, or (at your option) any later version. .\" .\" This program is distributed in the hope that it will be useful, .\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" .\" You should have received a copy of the GNU General Public License .\" along with this program; if not, write to the Free Software .\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. .\" .TH BITTWISTE 1 "6 July 2023" .SH NAME .B bittwiste \-- pcap capture file editor .SH SYNOPSIS .B bittwiste [ .B \-I .I input ] [ .B \-O .I output ] [ .B \-L .I layer ] [ .B \-X .I payload ] .ti +10 [ .B \-C ] [ .B \-M .I linktype ] [ .B \-D .I offset ] [ .B \-R .I range ] .ti +10 [ .B \-S .I timeframe ] [ .B \-N .I repeat ] [ .B \-G .I gaprange ] [ .B \-P .I seed ] .ti +10 [ .B \-T .I header ] [ .I header-specific-options ] [ .B \-h ] .SH DESCRIPTION This document describes the \fIbittwiste\fP program, the \fIpcap\fP(3) capture file editor. \fIBittwiste\fP is designed to work only with Ethernet frame, e.g. link type DLT_EN10MB in \fIpcap\fP(3), with a maximum frame size of 1514 bytes which is equivalent to an MTU of 1500 bytes, 14 bytes for Ethernet header. .PP \fIBittwiste\fP can currently edit Ethernet, ARP, IPv4, IPv6, ICMPv4, ICMPv6, TCP, and UDP headers. IPv6 packets with extension headers or next header field not matching ICMPv6, TCP, or UDP are not supported; \fIbittwiste\fP will simply write such packets as is to output trace file as it encounters them in the input trace file. .PP If run with the \fB-X\fP flag, you can append your own payload after any of the supported headers; specified using the \fB-L\fP and \fB-T\fP flag. \fIBittwiste\fP will, if not run with the \fB-C\fP flag, recalculate the checksums for IPv4, ICMPv4, ICMPv6, TCP, and UDP headers, except for the last fragment of a fragmented IPv4 datagram; \fIbittwiste\fP does not currently support checksum correction for the last fragment of a fragmented IPv4 datagram. .PP While parsing the packets in an input trace file, \fIbittwiste\fP will skip, i.e. write to output trace file as is, any truncated packet, for example, an ICMPv4 packet with a captured length of 25 bytes (we need at least 28 bytes; 14 bytes for Ethernet header, minimum 20 bytes for IP header, and 4 bytes for ICMPv4 header) does not give enough information on its ICMPv4 header for \fIbittwiste\fP to read and modify it. In this case, you can utilize the \fB-L\fP and \fB-T\fP flag to copy the original packet up to its IP header and append your customized ICMPv4 header and data to the packet using the \fB-X\fP flag. When specifying payload that covers the ICMPv4, ICMPv6, TCP, or UDP header and its data, you can use zeros, e.g. 0000 for 2 bytes of zeros, for the header checksum which is then corrected automatically by \fIbittwiste\fP. .PP In order to simplify the way options are specified, you can only edit packets of a specific type supplied to the \fB-T\fP flag per execution of \fIbittwiste\fP on an input trace file. In addition, the \fB-T\fP flag must appear last among the general options which are the \fB-I\fP, \fB-O\fP, \fB-L\fP, \fB-X\fP, \fB-C\fP, \fB-M\fP, \fB-D\fP, \fB-R\fP, \fB-S\fP, \fB-N\fP, \fB-G\fP, and \fB-P\fP flag. .SH OPTIONS .TP .B \-I \fIinput\fP Input pcap based trace file. Typically, \fIinput\fP should be a file path to a pcap based trace file. However, for convenience, the following template names are also accepted to load trace file from one of the built-in templates: .IP \fBeth\fP : Ethernet header .br \fBarp\fP : ARP header .br \fBip\fP : IPv4 header .br \fBip6\fP : IPv6 header .br \fBicmp\fP : ICMPv4 header .br \fBicmp6\fP : ICMPv6 header .br \fBtcp\fP : IPv4 TCP header .br \fBip6tcp\fP : IPv6 TCP header .br \fBudp\fP : IPv4 UDP header .br \fBip6udp\fP : IPv6 UDP header .IP Example: \fB-I\fP icmp .TP .B \-O \fIoutput\fP Output trace file. .TP .B \-L \fIlayer\fP Copy up to the specified \fIlayer\fP and discard the remaining data. Value for \fIlayer\fP must be either 2, 3, or 4 where 2 for Ethernet, 3 for ARP, IPv4, or IPv6, and 4 for ICMPv4, ICMPv6, TCP, or UDP. .TP .B \-X \fIpayload\fP Append \fIpayload\fP in hex digits to the end of each packet. .br Example: \fB-X\fP 0302aad1 .br \fB-X\fP flag is ignored if \fB-L\fP and \fB-T\fP flag are not specified. .TP .B \-C Specify this flag to disable checksum correction. Checksum correction is applicable for non-fragmented supported packets only. .TP .B \-M \fIlinktype\fP Replace the \fIlinktype\fP stored in the pcap file header. Typically, value for \fIlinktype\fP is 1 for Ethernet. .br Example: \fB-M\fP 12 (for raw IP), \fB-M\fP 51 (for PPPoE) .IP For the complete list, see: .br \fIhttps://www.tcpdump.org/linktypes.html\fP .TP .B \-D \fIoffset\fP Delete the specified byte \fIoffset\fP from each packet. .br First byte (starting from link layer header) starts from 1. .br \fB-L\fP, \fB-X\fP, \fB-C\fP and \fB-T\fP flag are ignored if \fB-D\fP flag is specified. .br Example: \fB-D\fP 15-40, \fB-D\fP 10, or \fB-D\fP 18-9999 .TP .B \-R \fIrange\fP Save only the specified \fIrange\fP of packets. .br Example: \fB-R\fP 5-21 or \fB-R\fP 9 .TP .B \-S \fItimeframe\fP Save only the packets within the specified \fItimeframe\fP with up to one-second resolution using DD/MM/YYYY,HH:MM:SS as the format for start and end time in \fItimeframe\fP. .br Example: \fB-S\fP 22/10/2006,21:47:35-24/10/2006,13:16:05 .br \fB-S\fP flag is evaluated after \fB-R\fP flag. .TP .B \-N \fIrepeat\fP Duplicate packets from the \fIinput\fP trace file \fIrepeat\fP times. Use this flag to create a stream of packets, each with, for example, a random tcp sequence number, from a 1-packet trace file. .br Example: \fB-N\fP 100000 .br \fB-N\fP flag is evaluated after \fB-R\fP and \fB-S\fP flag. .TP .B \-G \fIgaprange\fP Apply inter-packet gap between packets in microseconds from 1 to (2^31 - 1). Values in \fIgaprange\fP are inclusive and selected randomly. A single value implies a fixed gap. .br Example: \fB-G\fP 1000-10000 or \fB-G\fP 1000 .br \fB-G\fP flag is evaluated after \fB-R\fP, \fB-S\fP, and \fB-N\fP flag. .TP .B \-P \fIseed\fP Positive integer to seed the random number generator (RNG) used, for example, to generate random port number. If unset, current timestamp will be used as the RNG seed. .IP bittwiste uses Mersenne Twister for high-speed uniformly distributed random number generation. .TP .B \-T \fIheader\fP Edit only the specified \fIheader\fP. Possible keywords for \fIheader\fP are, \fBeth\fP, \fBarp\fP, \fBip\fP, \fBip6\fP, \fBicmp\fP, \fBicmp6\fP, \fBtcp\fP, or \fBudp\fP. \fB-T\fP flag must appear last among the general options. .TP .B \-h Print version information and usage. .TP \fIheader-specific-options\fP Each packet that matches the type supplied to the \fB-T\fP flag is modified based on the options described below: .IP Options for \fBeth\fP (RFC 894): .RS .TP .B \-d \fIdmac\fP or \fIomac\fP,\fInmac\fP .br Destination MAC address. If \fIomac\fP and \fInmac\fP are specified, any instances of \fIomac\fP in the destination MAC address field will be replaced with \fInmac\fP. You can also use the string 'rand' for a random MAC address. .IP Examples: .br \fB-d\fP 00:08:55:64:65:6a .br \fB-d\fP rand .br \fB-d\fP 00:08:55:64:65:6a,rand .TP .B \-s \fIsmac\fP or \fIomac\fP,\fInmac\fP .br Source MAC address. If \fIomac\fP and \fInmac\fP are specified, any instances of \fIomac\fP in the source MAC address field will be replaced with \fInmac\fP. You can also use the string 'rand' for a random MAC address. .IP Examples: .br \fB-s\fP 00:13:20:3e:ab:cf .br \fB-s\fP rand .br \fB-s\fP 00:13:20:3e:ab:cf,rand .TP .B \-t \fItype\fP EtherType. Possible keywords for type are, \fBip\fP, \fBip6\fP, and \fBarp\fP only. .TP Options for \fBarp\fP (RFC 826): .TP .B \-o \fIopcode\fP Operation code in integer value between 0 to 65535. For example, you can set \fIopcode\fP to 1 for ARP request, 2 for ARP reply. .TP .B \-s \fIsmac\fP or \fIomac\fP,\fInmac\fP .br Sender MAC address. If \fIomac\fP and \fInmac\fP are specified, any instances of \fIomac\fP in the sender MAC address field will be replaced with \fInmac\fP. You can also use the string 'rand' for a random MAC address. .IP Examples: .br \fB-s\fP 00:13:20:3e:ab:cf .br \fB-s\fP rand .br \fB-s\fP 00:13:20:3e:ab:cf,rand .TP .B \-p \fIsip\fP or \fIoip\fP,\fInip\fP .br Sender IP address. Example: \fB-p\fP 192.168.0.1 .br If \fIoip\fP and \fInip\fP are specified, any instances of \fIoip\fP in the sender IP address field will be replaced with \fInip\fP. .TP .B \-t \fItmac\fP or \fIomac\fP,\fInmac\fP .br Target MAC address. If \fIomac\fP and \fInmac\fP are specified, any instances of \fIomac\fP in the target MAC address field will be replaced with \fInmac\fP. You can also use the string 'rand' for a random MAC address. .IP Examples: .br \fB-t\fP 00:08:55:64:65:6a .br \fB-t\fP rand .br \fB-t\fP 00:08:55:64:65:6a,rand .TP .B \-q \fItip\fP or \fIoip\fP,\fInip\fP .br Target IP address. Example: \fB-q\fP 192.168.0.2 .br If \fIoip\fP and \fInip\fP are specified, any instances of \fIoip\fP in the target IP address field will be replaced with \fInip\fP. .TP Options for \fBip\fP (RFC 791): .TP .B \-c \fIds_field\fP .br 6-bit DS field (first 6-bit of 8-bit type of service field). .IP Some of the service class name mapping to \fIds_field\fP value from RFC 4594: .IP \fB0\fP : Standard (CS0) .br \fB8\fP : Low-priority data (CS1) .br \fB16\fP : OAM (CS2) .br \fB24\fP : Broadcast video (CS3) .br \fB32\fP : Real-time interactive (CS4) .IP Example: \fB-c\fP 16 or \fB-c\fP 0x10 (to classify packet for operation and management of the network) .IP For more information on DS field, see RFC 2474 and RFC 4594. .TP .B \-e \fIecn_field\fP .br 2-bit ECN field (last 2-bit of 8-bit type of service field). .IP \fIecn_field\fP can be set to one of the 4 values below: .IP \fB0\fP : Not-ECT .br \fB1\fP : ECT(1) .br \fB2\fP : ECT(0) .br \fB3\fP : CE .IP Example: \fB-e\fP 3 or \fB-e\fP 0x03 (to indicate congestion to the end hosts) .IP For more information on ECN field, see RFC 3168. .TP .B \-i \fIid\fP or \fIoi\fP,\fIni\fP Identification in integer value between 0 to 65535. If \fIoi\fP and \fIni\fP are specified, any instances of \fIoi\fP in the identification field will be replaced with \fIni\fP. You can also use the string 'rand' for a random identification. .IP Example: \fB-i\fP 2000, \fB-i\fP rand, or \fB-i\fP 1000,rand .TP .B \-f \fIflags\fP Control flags. Possible characters for \fIflags\fP are: .IP \fB-\fP : remove all flags .br \fBr\fP : set the reserved flag .br \fBd\fP : set the don't fragment flag .br \fBm\fP : set the more fragment flag .IP Example: \fB-f\fP d .br If any of the flags is specified, all original flags are removed automatically. .TP .B \-o \fIoffset\fP Fragment offset in integer value between 0 to 7770. Value for \fIoffset\fP represents the number of 64-bit segments contained in earlier fragments which must not exceed 7770 (62160 bytes). .TP .B \-t \fIttl\fP or \fIot\fP,\fInt\fP Time to live in integer value between 0 to 255 (milliseconds). If \fIot\fP and \fInt\fP are specified, any instances of \fIot\fP in the time to live field will be replaced with \fInt\fP. You can also use the string 'rand' for a random time to live. .IP Example: \fB-t\fP 64, \fB-i\fP rand, or \fB-i\fP 64,rand .TP .B \-p \fIproto\fP or \fIop\fP,\fInp\fP Protocol number in integer value between 0 to 255. If \fIop\fP and \fInp\fP are specified, any instances of \fIop\fP in the protocol number field will be replaced with \fInp\fP. You can also use the string 'rand' for a random protocol number. Some common protocol numbers are: .IP \fB1\fP : Internet Control Message (ICMP) .br \fB6\fP : Transmission Control (TCP) .br \fB17\fP : User Datagram (UDP) .IP For the complete list, see: .br \fIhttps://www.iana.org/assignments/protocol-numbers\fP .TP .B \-s \fIsip\fP or \fIoip\fP,\fInip\fP .br Source IP address. If \fIoip\fP and \fInip\fP are specified, any instances of \fIoip\fP in the source IP address field will be replaced with \fInip\fP. If CIDR notation (RFC 4632) is specified, e.g. 192.168.0.0/16, an IP address will be selected at random from the range. .IP Examples: .br \fB-s\fP 192.168.0.1 .br \fB-s\fP 127.0.0.1,192.168.0.0/16 .br \fB-s\fP 0.0.0.0/0 (random IPv4 throughout the entire range) .TP .B \-d \fIdip\fP or \fIoip\fP,\fInip\fP .br Destination IP address. If \fIoip\fP and \fInip\fP are specified, any instances of \fIoip\fP in the destination IP address field will be replaced with \fInip\fP. If CIDR notation (RFC 4632) is specified, e.g. 192.168.0.0/16, an IP address will be selected at random from the range. .IP Examples: .br \fB-d\fP 192.168.0.2 .br \fB-d\fP 127.0.0.2,192.168.0.0/16 .br \fB-d\fP 0.0.0.0/0 (random IPv4 throughout the entire range) .TP Options for \fBip6\fP (RFC 8200): .TP .B \-c \fIds_field\fP .br 6-bit DS field (first 6-bit of 8-bit traffic class field). .IP Some of the service class name mapping to \fIds_field\fP value from RFC 4594: .IP \fB0\fP : Standard (CS0) .br \fB8\fP : Low-priority data (CS1) .br \fB16\fP : OAM (CS2) .br \fB24\fP : Broadcast video (CS3) .br \fB32\fP : Real-time interactive (CS4) .IP Example: \fB-c\fP 16 or \fB-c\fP 0x10 (to classify packet for operation and management of the network) .IP For more information on DS field, see RFC 2474 and RFC 4594. .TP .B \-e \fIecn_field\fP .br 2-bit ECN field (last 2-bit of 8-bit traffic class field). .IP \fIecn_field\fP can be set to one of the 4 values below: .IP \fB0\fP : Not-ECT .br \fB1\fP : ECT(1) .br \fB2\fP : ECT(0) .br \fB3\fP : CE .IP Example: \fB-e\fP 3 or \fB-e\fP 0x03 (to indicate congestion to the end hosts) .IP For more information on ECN field, see RFC 3168. .TP .B \-f \fIflow_label\fP .br Flow label in integer value between 0 to 1048575 or hexadecimal value between 0x00000 to 0xfffff (20-bit). .br Example: \fB-f\fP 0 .IP Value of 0 is to indicate that the packet does not belong to any flow. For more information, see RFC 6437. .TP .B \-n \fInext_header\fP or \fIon\fP,\fInn\fP .br Next header number in integer value between 0 to 255. If \fIon\fP and \fInn\fP are specified, any instances of \fIon\fP in the next header field will be replaced with \fInn\fP. You can also use the string 'rand' for a random next header number. Example of next header numbers: .IP \fB0\fP : IPv6 Hop-by-Hop Option (HOPOPT) .br \fB6\fP : Transmission Control (TCP) .br \fB17\fP : User Datagram (UDP) .br \fB50\fP : Encap Security Payload (ESP) .br \fB51\fP : Authentication Header (AH) .br \fB58\fP : ICMP for IPv6 (IPv6-ICMP) .IP For the complete list, see: .br \fIhttps://www.iana.org/assignments/protocol-numbers\fP .TP .B \-h \fIhop_limit\fP or \fIoh\fP,\fInh\fP .br Hop limit in integer value between 0 to 255. If \fIoh\fP and \fInh\fP are specified, any instances of \fIoh\fP in the hop limit field will be replaced with \fInh\fP. You can also use the string 'rand' for a random hop limit. Destination host should not discard a packet with hop limit equal to 0. .TP .B \-s \fIsip\fP or \fIoip\fP,\fInip\fP .br Source IP address. If \fIoip\fP and \fInip\fP are specified, any instances of \fIoip\fP in the source IP address field will be replaced with \fInip\fP. If CIDR notation (RFC 4291) is specified, e.g. 2001:db8::/64, an IP address will be selected at random from the range. .IP Examples: .br \fB-s\fP fd00::1 .br \fB-s\fP ::1,2001:db8::/64 .br \fB-s\fP ::/0 (random IPv6 throughout the entire range) .TP .B \-d \fIdip\fP or \fIoip\fP,\fInip\fP .br Destination IP address. If \fIoip\fP and \fInip\fP are specified, any instances of \fIoip\fP in the destination IP address field will be replaced with \fInip\fP. If CIDR notation (RFC 4291) is specified, e.g. 2001:db8::/64, an IP address will be selected at random from the range. .IP Examples: .br \fB-d\fP fd00::2 .br \fB-d\fP ::2,2001:db8::/64 .br \fB-d\fP ::/0 (random IPv6 throughout the entire range) .TP Options for \fBicmp\fP (RFC 792): .TP .B \-t \fItype\fP Type of message in integer value between 0 to 255. Some common messages are: .IP \fB0\fP : Echo reply .br \fB3\fP : Destination unreachable .br \fB8\fP : Echo .br \fB11\fP : Time exceeded .IP For the complete list, see: .br \fIhttps://www.iana.org/assignments/icmp-parameters\fP .TP .B \-c \fIcode\fP Error code for this ICMPv4 message in integer value between 0 to 255. For example, \fIcode\fP for \fBtime exceeded\fP message may have one of the following values: .IP \fB0\fP : transit TTL exceeded .br \fB1\fP : reassembly TTL exceeded .IP For the complete list, see: .br \fIhttps://www.iana.org/assignments/icmp-parameters\fP .TP Options for \fBicmp6\fP (RFC 4443): .TP .B \-t \fItype\fP Type of message in integer value between 0 to 255. Some common messages are: .IP \fB3\fP : Time Exceeded .br \fB128\fP : Echo Request .br \fB129\fP : Echo Reply .IP For the complete list, see: .br \fIhttps://www.iana.org/assignments/icmpv6-parameters\fP .TP .B \-c \fIcode\fP Code for this ICMPv6 message in integer value between 0 to 255. For example, \fIcode\fP for \fBTime Exceeded\fP message may have one of the following values: .IP \fB0\fP : hop limit exceeded in transit .br \fB1\fP : fragment reassembly time exceeded .IP For the complete list, see: .br \fIhttps://www.iana.org/assignments/icmpv6-parameters\fP .TP Options for \fBtcp\fP (RFC 9293): .TP .B \-s \fIsport\fP or \fIop\fP,\fInp\fP Source port number in integer value between 0 to 65535. If \fIop\fP and \fInp\fP are specified, any instances of \fIop\fP in the source port field will be replaced with \fInp\fP. You can also use the string 'rand' for a random port number. .IP Example: \fB-s\fP 2000, \fB-s\fP rand, or \fB-s\fP 1000,rand .TP .B \-d \fIdport\fP or \fIop\fP,\fInp\fP Destination port number in integer value between 0 to 65535. If \fIop\fP and \fInp\fP are specified, any instances of \fIop\fP in the destination port field will be replaced with \fInp\fP. You can also use the string 'rand' for a random port number. .IP Example: \fB-d\fP 2000, \fB-d\fP rand, or \fB-d\fP 1000,rand .TP .B \-q \fIseq\fP or \fIos\fP,\fIns\fP .br Sequence number in integer value between 0 to 4294967295. If SYN control bit is set, e.g. character \fBs\fP is supplied to the \fB-f\fP flag, \fIseq\fP represents the initial sequence number (ISN) and the first data byte is ISN + 1. If \fIos\fP and \fIns\fP are specified, any instances of \fIos\fP in the sequence number field will be replaced with \fIns\fP. You can also use the string 'rand' for a random sequence number. .IP Example: \fB-q\fP 100000, \fB-q\fP rand, or \fB-q\fP 100000,rand .TP .B \-a \fIack\fP or \fIoa\fP,\fIna\fP .br Acknowledgment number in integer value between 0 to 4294967295. If ACK control bit is set, e.g. character \fBa\fP is supplied to the \fB-f\fP flag, \fIack\fP represents the value of the next sequence number that the receiver is expecting to receive. If \fIoa\fP and \fIna\fP are specified, any instances of \fIoa\fP in the acknowledgment number field will be replaced with \fIna\fP. You can also use the string 'rand' for a random acknowledgment number. .IP Example: \fB-a\fP 100000, \fB-a\fP rand, or \fB-a\fP 100000,rand .TP .B \-f \fIflags\fP Control flags. Possible characters for \fIflags\fP are: .IP \fB-\fP : remove all flags .br \fBc\fP : congestion window reduced .br \fBe\fP : explicit congestion notification echo .br \fBu\fP : urgent pointer field is significant .br \fBa\fP : acknowledgment field is significant .br \fBp\fP : push function .br \fBr\fP : resets the connection .br \fBs\fP : synchronizes the sequence numbers .br \fBf\fP : no more data from sender .IP Example: \fB-f\fP s .br If any of the flags is specified, all original flags are removed automatically. .TP .B \-w \fIwin\fP .br Window size in integer value between 0 to 65535. If ACK control bit is set, e.g. character \fBa\fP is supplied to the \fB-f\fP flag, \fIwin\fP represents the number of data bytes, beginning with the one indicated in the acknowledgment number field that the receiver is willing to accept. .TP .B \-u \fIurg\fP .br Urgent pointer in integer value between 0 to 65535. If URG control bit is set, e.g. character \fBu\fP is supplied to the \fB-f\fP flag, \fIurg\fP represents a pointer that points to the first data byte following the urgent data. .TP Options for \fBudp\fP (RFC 768): .TP .B \-s \fIsport\fP or \fIop\fP,\fInp\fP Source port number in integer value between 0 to 65535. If \fIop\fP and \fInp\fP are specified, any instances of \fIop\fP in the source port field will be replaced with \fInp\fP. You can also use the string 'rand' for a random port number. .IP Example: \fB-s\fP 2000, \fB-s\fP rand, or \fB-s\fP 1000,rand .TP .B \-d \fIdport\fP or \fIop\fP,\fInp\fP Destination port number in integer value between 0 to 65535. If \fIop\fP and \fInp\fP are specified, any instances of \fIop\fP in the destination port field will be replaced with \fInp\fP. You can also use the string 'rand' for a random port number. .IP Example: \fB-d\fP 2000, \fB-d\fP rand, or \fB-d\fP 1000,rand .RE .SH SEE ALSO bittwist(1), pcap(3), tcpdump(1) .SH BUGS File your bug report and send to: .IP Addy Yeow .PP Make sure you are using the latest stable version before submitting your bug report. .PP When running \fIbittwiste\fP with both the \fB-N\fP and \fB-G\fP flags, large inter-packet gap may result in the packet timestamp beyond Unix epoch 2147483647 (2038-01-19 03:14:07 UTC) to overflow. This is due to the use of signed 32-bit integer to store timestamp in \fIpcap\fP(3) header. Simply changing the data type, e.g. using unsigned 64-bit integer, would break the compatibility of the output trace file with existing systems. .PP The workaround built into \fIbittwiste\fP is to use Unix epoch 946684800 (2020-01-01 00:00:00 UTC) as the starting reference timestamp when \fB-G\fP flag is specified. This translates to a maximum timespan of 38 years or 559165 packets in the output trace file when using the maximum inter-packet gap, i.e. \fB-G\fP 2147483647. .SH COPYRIGHT Copyright (C) 2006 - 2023 Addy Yeow .PP This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. .PP You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. .SH AUTHORS Original author and current maintainer: .IP Addy Yeow .PP The current version is available from https://bittwist.sourceforge.io