Version 35 (modified by salcock, 11 years ago)


See for download information

libtrace 3.0.8 (coming soon!)

New Features

  • Added a new API function called trace_get_payload_length() that returns the length of the original payload content (i.e. the size of the post-transport header payload prior to any snapping) (r1661)

Bug Fixes

  • Fixed segfault that occurred when trying to read from int: inputs without permission (r1653, #279)
  • Fixed segfault in tracertstats when an invalid output format is specified (r1660)
  • Fixed errors in payload length calculations for v6 in v4 and truncated or corrupted TCP headers (r1662, r1663)
  • Fixed bug where libtrace would attempt to write NONDATA packets, which could not be converted into an appropriate packet type for most trace formats (r1664)
  • Fixed incorrect parsing of IPv6 extension headers (r1665, r1666)
  • Fixed compilation error when building against DAG 2.5 drivers (r1668, #286)
  • Fixed linking error when building against certain versions of libpcap that install pcap-int.h (r1669, #287)


  • Added IPv6 and IPv6 fragmentation header decoders to libpacketdump (r1654,r1656,r1667)
  • traceanon can now read cryptopan keys from a file (r1659)

libtrace 3.0.7 (2010-08-03)

New Features

  • Replaced IO subsystem with wandio abstraction (r1391,r1394,r1395,r1396,r1397,r1398,r1400)
    • IO / compression / decompression is now performed in a separate thread, resulting in improved performance
    • Modular design makes it easy to add support for new compression formats
  • Added native support for reading and writing bzip files (r1391)
  • Added native support for writing lzo files (r1530,r1531,r1534)
  • JITing of BPF bytecode using LLVM, leading to faster BPF filtering (r1586,r1588)
  • Added enums for post-IP protocols and Ethertypes (r1386,r1387,r1388,r1389)
  • Write support added for DAG cards - thanks to Daniel Lawson (r1406,r1414,r1418)
  • Added new trace tool: tracetop. Shows the top N flows each second (r1408,r1409,r1411,r1412,r1413,r1415,r1416,r1417)
  • Added new trace tool: tracereplay. Attempts to replay trace files in trace time (r1460 to r1476)
  • Added new trace tool: tracediff. Displays packets that differ between two trace files (r1494)
  • Added trace_get_timespec() function (r1421)
  • If the format is not specified as part of the URI, libtrace can now attempt to guess the trace format (r1401,r1403)
  • Libpacketdump can now decode CHDLC and PPP/HDLC headers (r1538)
  • Added all the code examples from the libtrace tutorial to the examples directory (r1502)

Bug Fixes

  • Fixed bug where packets read from a DAG card that did not match the filter were causing lengthy sleep events under the event API (r1483)
  • Fixed various tools that were not reporting the occurrence of a read error (r1486,#270)
  • Fixed segfault caused by malformed URIs (r1393,r1399)
  • Fixed bug where reading a zero-length payload from a PCAP trace would result in an EOF being incorrectly reported (r1490)
  • Fixed bug where filtered packet count was not initialised to zero (r1393)
  • trace_get_payload_from_ip() now returns NULL when the IP version is incorrect rather than asserting (r1402)
  • Fixed segfault when writing packets to a Linux native socket, caused by byte ordering issue (r1405)
  • Fixed bug where custom pcap event function was not being used (r1422)
  • Fixed misplaced assertion in the pcap file reading code (r1423)
  • Fixed bug where trace_event would never get a packet event under recent versions of libpcap (r1426)
  • Fixed assertion failure when an unknown linktype is encountered by libpacketdump (r1459)
  • Fixed error caused by LCP packets that are common in some trace sets, e.g. Leipzig (r1482)
  • Increased size of RT packet buffer to fix problems caused by jumbograms (r1493)
  • Fixed errors caused by 32- and 64-bit incompatibility when sending Linux Native packets using the RT protocol (r1498,r1499)
  • trace_get_*_port() functions now always return 0 for ICMP packets (r1500)
  • Fixed problems with decoding HDLC and CHDLC headers (r1536)
  • Fixed segfault when reading PCAP packets that had no packet content (r1537)
  • Fixed bug where PCAP packets would be written with a larger capture length than the wire length (r1549)
  • Fixed segfault in the TCP segment report in tracereport caused by segments larger than 1500 bytes (r1539, r1540)
  • Fixed bug with restarting a PCAP trace file (r1574)
  • Fixed bugs relating to the size of the TSH packet records (r1577)
  • Fixed bug where we were not accounting for the FCS in legacy Ethernet captures (r1581)
  • Fixed bug where libpacketdump could not decode Linux SLL properly due to using an "undefined" function (r1583)
  • Fixed bug where libpacketdump was not skipping IP options before attempting to decode the next header (r1600)
  • Fixed bug where padding was being treated as part of a truncated header (r1602)
  • Fixed assertion when converting a packet with a corrupt wire length to PCAP (r1603)
  • More fixes for missing #includes (r1425)


  • trace_get_source_address() and trace_get_destination_address() now return link layer addresses in the absence of an IP header wherever possible (r1410)
  • trace_get_<protocol> short-cut functions now return NULL if the entire header (minus options) is not present in the packet (r1491)
  • Added missing set_capture_length() functionality for Linux Native (r1495)
  • traceanon can now write compressed traces (r1550)
  • traceanon now replaces checksums with zeroes (r1567)
  • traceanon, tracesplit and tracemerge now support all libtrace compression types for output (r1568,r1570,r1571)
  • tracereport no longer does the flow report by default (r1551)
  • Added support for new ERF types (r1507)
  • Added linktype for Experimental Ethernet (r1497)
  • Added --count option to tracereport (r1427,#248)
  • Added --merge-inputs option to tracertstats (r1440)
  • Added support for ARPHRD_NONE (r1451)
  • Added a libpacketdump decoder for ubiquity headers (r1488)
  • Improved libpacketdump's method of searching for decoders (r1584)
  • More efficient arrangement of internal structures (r1442,r1443)
  • Tidied up exported symbols (r1454,r1456)
  • General code maintenance (r1404,r1407,r1517)
  • Tidied up manpages (r1492,r1569,r1572)
  • Improved documentation (r1419,r1420,r1496,r1501,r1506,r1507,r1508,r1509,r1510,r1513,r1515,r1516,r1517,r1518,r1519,r1520,r1521,r1522,r1523,r1524,r1543,r1578)

libtrace 3.0.6 (2008-11-27)

  • Fixed compilation errors caused by missing #includes (r1382)
  • Added trace_get_payload_from_pppoe() to external API (r1383)
  • autoconf now correctly detects libgdc for tracertstats (r1384)
  • Fixed some warnings on recent versions of gcc (r1385)

libtrace 3.0.5 (2008-11-07)

  • Bug fix with respect to loss counter caching (r1312)
  • Major fixes to PoS traces (#261,r1371,r1378,r1379)
  • Windows fixes (r1322,r1323)
  • Code cleanups (r1324,r1325,r1326,r1333,r1355)
  • Dag 2.5:
    • Dropped packet counter fixes (with multithread locking) (r1326,r1329)
    • Event api issues (r1327)
    • Multiple stream support (and compatibility for dag 2.4) (r1328)
    • Better detection of dag version numbers (r1343)
  • New ERF types added (r1328,r1331)
  • Coloured ethernet ERF type support (r1328)
  • Fixes to the ERF Etherhack (r1328)
  • Bug fix for unsupported configuration options for erf traces (r1330)
  • Bug fix for set_capture_length() not updating the capture length cache (r1331)
  • Bug fix for more capture length cache entries (r1346)
  • Cleaned up the way packet memory is managed internally (r1332,r1335,r1336)
  • Added RT type for bpf: traces (r1332)
  • Bug fix for closing a pcapfile: trace file that was never trace_start()'d (r1334) (reported by Nevil Brownlee)
  • Fix compile error with bpf: on OpenBSD (r1336)
  • Fix compile errors with old compilers (r1337,r1339,r1340,r1341,r1345)
  • libpacketdump cleanups (r1338,r1339)
    • libpacketdump constification (r1351)
  • traceanon code cleanups (r1342)
  • tracertstats code cleanups (r1344)
  • tracertstats documentation cleanups (r1369)
  • int: code cleanups (r1347,r1352)
  • tracesplit documentation cleanups (r1348)
  • tracesplit error handling fixes (r1364)
  • Cleanup examples (r1365)
  • Deal better with creating compressed files (r1349)
  • Deal with raw IP capture (r1350)
  • Provide APIs for dealing with VLAN and MPLS headers (r1353, r1359, r1372)
  • get_payload_from_X APIs now return NULL with remaining == 0 if the header is incomplete. If there is no payload, they return where the payload would be, with remaining == 0. (r1376)
  • Fix bug with trace_get_erf_timestamp() where UINT_MAX ends up being signed (reported by yuri from isi) (r1357)
  • Force 64bit for filesizes (r1358)
  • Add support for PPPoE, and skip PPPoE headers in trace_get_layer3() (r1360)
  • Improve support for VLANs (r1363)
  • Improve tracesplit's dealing with rotations based on starttime, and better debugging output (r1366)
  • assert() on bad packets that aren't caught before we return them back to the user (r1367)
  • Cleanup libpacketdump GRE parser (r1368, r1370)
  • Support specifying compression levels (r1373)
  • Better fixes for endianness issues (r1375)
  • Removed traceflow, to be replaced with maji (ipfix collector), available separately (r1377)

libtrace 3.0.4 (2008-01-02)

libtrace 3.0.3 (2007-09-05)

  • Code cleanups w.r.t warnings (r1211,r1212,r1213,r1214,r1216,r1217,r1218,r1219,r1224,r1225,r1255)
  • tracesplit_dir now provides a warning of the number of packets that had an unknown direction at the end of the trace (r1215)
  • Fix a segfault in tracereport with rxerrors, non ip (r1221, r1227)
  • Add support for decoding 802.2 LLC/SNAP and Ethernet II in 802.11 frames (r1222,r1226)
  • Documentation fixes and clarifications (r1223,r1235,r1236,r1245,r1248,r1249)
  • Fix bug with trace_get_payload_from_80211() and 3 vs 4 frame formats (r1226)
  • Deal correctly with URIs with parse errors causing segfaults on cleanup (r1229)
  • Minor tidyups to protocol decoders (r1230,r1232)
  • Add more information to libtracepktdump (r1231,r1256)
  • Correctly deal with PPP captures (r1233)
  • Cache trace_get_capture_length() and trace_get_l3() which are both heavily used internally (r1234)
  • Build system cleanups (r1237,r1250)
  • Add a GRE tracepktdump decoder (r1238)
  • Add a preliminary PPPoE tracepktdump decoder (r1241)
  • Add more information to tracereport (r1239,r1247)
  • Fix bug in legacy decoder with wire lengths (r1239)
  • Fix bug in trace_ether_ntoa (r1240)
  • Add legacynzix: trace format (r1243)
  • Don't assert() on bad packets (instead return BADPACKET) for erf traces (r1244)
  • Add TRACE_OPTION_EVENT_REALTIME to allow the event framework to playback traces in realtime (r1246)
  • Rename TRACE_META_FREQ to TRACE_OPTION_META_FREQ to follow naming convention (r1246)
  • Correctly deal with errors when using trace_set_option (r1247)
  • Deal better with signals when writing packets to files (#254,r1251,r1252,r1253)
  • Add support for dag 3.x (r1254)
  • Improved dag 2.5+ support (r1254,r1255)
  • dag2.5+ supports setting the snaplen from libtrace (r1254)
  • Add support for setting direction on linux int: formats (r1257,r1258)
  • Consider loopback packets outgoing, not incoming (r1257)
  • Fix trace_get_source_mac() for wireless frames (#253,r1259)
  • Add support for interfaces_per_input to tracemerge (r1260)
  • Fix tracereport direction report (r1261)
  • Deprecated wag: and wtf formats (r1262,r1263)

libtrace 3.0.2 (2007-04-27)

libtrace 3.0.1 (2007-03-26)

libtrace 3.0.0 final release! (2007-02-12)

libtrace 3.0.0 beta 7 (2006-11-07)

  • Display ToS bits in libpacketdump as DSCP/ECN (r1071)
  • Fix bug where the final packets were not being flushed out in some of the tools (r1072)
  • Fix bug where DLT_NULL was being used instead of DLT_RAW for raw IP packets (r1073)
  • Fix compile warnings (r1074, r1076, r1077)
  • Fix bug with tracesplit segfaulting if given more than 2 options. (r1075)
  • Fix bug with legacyatm: not signalling end of file correctly (r1078)
  • More tests (r1079)

libtrace 3.0.0 beta 6 (2006-10-26)

  • int: ignored overridden promisc flags (r1058)
  • Build fixes (r1059,r1060,r1068,r1069,r1070)
  • Add proper decode support for ATM cells (r1061)
  • pcap:/pcapfile:/trace_filter_apply() now will "demote" a packet, stripping off any header that pcap doesn't understand. (r1062,r1063,r1064,r1067)

libtrace 3.0.0 beta 5 (2006-10-16)

libtrace 3.0.0 beta 4 (2006-08-30)

  • tracesplit tidyups to deal better with old NLANR traces (r950)
  • pcap: URIs should deal with packets that are corrupt/missing a linklayer (r951)
  • Code cleanups/build system cleanups (r952, r953, r956, r958, r963)
    • when linking against libpacketdump, you need to provide -lfl (r959)
  • libpacketdump should deal with packets that are corrupt/missing a linklayer (r954)
  • Tom Young's linux int: performance improvements (r955, r960)
  • if libpacketdump can't decode a linklayer itself, it should ask libtrace to decode it (r957)

libtrace 3.0.0 beta 3 (2006-08-22)

Most of this release was bug fixes for MacOS portability, mostly dealing with endianness issues.

libtrace 3.0.0 beta 2 (2006-06-27)

  • Added better error handling for pcap/duck/rt formats (r875,r880,r885,r886)
  • Fixed problems with TRACE_TYPE enum (some values had been shuffled around) (r876)
  • Fixed protocol decodes for 802.11 and LLC/Snap (r879)
  • Added better unit tests for protocol decoding, writing files, and did some general cleanups (r882,r883,r884,r899)
  • Massive build system overhaul (r887,r892,r893,r896)
  • Update documentation (r888,r891)
  • Minor cleanups (r889,r894,r895,r900,r901)
  • trace_get_{source,destination}_address() now include the port number in the sin{,6}_port field. (r897)

See for details of changes that occurred prior to libtrace 3