Opened 8 years ago

#334 new defect

traceconvert: pcap->erf results in different (incorrect) output than dagconvert (Endace)

Reported by: gemiel@… Owned by: salcock
Priority: major Milestone:
Component: tools Version:
Keywords: Cc:

Description

Hi all,

I've run into an issue with traceconvert in convert a pcap file to an erf file. The result is different from dagconvert (from Endace). The erf file from dagconvert works for my purposes but traceconvert does not. Traceconvert (same as tracesplit) seems to lose 4 bytes (see rlen).

I like libtrace and would like to see this investigated. I'll provide anything you need.

Thanks!

  • Emiel

$ dagconvert --version dagconvert (DAG 4.2.2) $Revision: 12512 $ using: libpcap version 0.9.4

$ tracesplit -H | head -1 libtrace 3.0.15

$ dagconvert -Tpcap:erf -i ./capture10.pcap -o ./out-dc.erf $ du -b out-dc.erf 7180 out-dc.erf

$ traceconvert pcapfile:./capture10.pcap erf:out-tc.erf.gz $ gunzip out-tc.erf.gz $ du -b out-tc.erf 6940 out-tc.erf

$ dagbits -f ./out-dc.erf decode | head print 1: file offset 0x0 ts=0x50470f4ab4caf709 2012-09-05 08:37:30.706222000 UTC type: ERF Ethernet dserror=0 rxerror=0 trunc=0 vlen=1 iface=0 rlen=84 lctr=0 wlen=66 pad=0x00 offset=0x00 dst=00:00:0c:07:ac:6e src=00:19:99:8c:be:77 etype=0x0800 ip: version=4 headerwords=5 tos=0 length=48 ip: id=59597 flags=0x2 fragmentoffset=0 ip: ttl=128 protocol=6 checksum=0x0000

$ dagbits -f ./out-tc.erf decode | head print 1: file offset 0x0 ts=0x50470f4ab4caf709 2012-09-05 08:37:30.706222000 UTC type: ERF Ethernet dserror=0 rxerror=0 trunc=0 vlen=0 iface=1 rlen=80 lctr=0 wlen=66 pad=0xfe offset=0x60 dst=00:00:0c:07:ac:6e src=00:19:99:8c:be:77 etype=0x0800 ip: version=4 headerwords=5 tos=0 length=48 ip: id=59597 flags=0x2 fragmentoffset=0 ip: ttl=128 protocol=6 checksum=0x0000

Change History (0)

Note: See TracTickets for help on using tickets.