Version 58 (modified by salcock, 9 years ago) (diff)


See for download information

libtrace 3.0.15 (2012-10-08)

Bug Fixes

  • Fixed bug in tracereplay where it would try to update the transport checksum for packets without a complete transport header (Thanks to Alistair King for reporting this bug) (r1766)
  • Fixed configure bug that was preventing transmit using a pcap interface from working correctly (Thanks to Alistair King for reporting this bug) (r1767)
  • Fixed wrap-around bug in trace_get_payload_length() which resulted in ridiculous payload lengths (r1758)
  • Fixed build error where iow-lzo.c would require (and not be able to find) libtrace.h (r1760)
  • Fixed build error where libpacketdump could not find wandio.h (r1761)
  • Fixed bug where TRACE_RT_LAST would overflow the 32-bit integer being used to store the RT packet type (r1763, #322)
  • Fixed bug where Linux Native input would give errors when being used to monitor a loopback interface (Thanks to Asad Arfeen for reporting this bug) (r1764)


  • libtrace_sll_header_t data structure is now exported via libtrace.h, so it can be used in user code (r1759)
  • Better detection and reporting of cases where the user is trying to read a compressed format that their libtrace build doesn't support (r1762)

libtrace 3.0.14 (2012-03-06)

Bug Fixes

  • Fixed flex detection failure on some systems (r1743)
  • Fixed bug where cached values for "remaining" were being returned after the capture length had been changed (r1746)
  • Fixed bug where BPF filters were not being applied to RT inputs that were using the event API (r1747)
  • Fixed typo in the BPF JIT code (r1750)


  • Added support for --with-FOO configure options for zlib, bzip2, lzo and ncurses (r1748)
  • Replaced assert failure when a pcapfile input is corrupted with a more graceful BAD_PACKET error (r1751)
  • Added new error types (BAD_FILTER and RT_FAILURE) so we can avoid using BAD_PACKET in cases where that isn't really the problem (r1752)
  • wandio functions are now exported through a separate shared library and can be used to do general file I/O (r1756, r1757)

libtrace 3.0.13 (2012-01-09)

New Features

  • Libtrace API functions for decoding OSPFv2 packets, including LSA and Router Link decoders (r1735, r1736)
  • Libpacketdump decoders for OSPFv2 packets (r1737)
  • New API function: trace_interrupt. Calling this function will cause a live capture that is blocking due to waiting on packets to immediately stop. This is useful when running your own signal handler (r1729).

Bug Fixes

  • Fixed bug where occasionally a trace file written using zlib would not be flushed correctly, resulting in a truncated trace (r1742)
  • Fixed annoying warnings that were caused by multiple definitions of ERF types when building with DAG support (r1725)
  • Fixed bug where pcap interface format would reject a BPF filter when filter was actually legit (r1729)
  • Fixed tools that would not respond to Ctrl-C if stuck waiting for packets on a live interface (r1730)
  • Fixed bug where trace_get_link_type was not using the cached link type value (r1731)
  • Fixed bug in libpacketdump where we were attempting to incorrectly decode IPv6 fragments (r1733)
  • Fixed bug introduced in 3.0.12 where the FCS was being incorrectly deducted from the "remaining" value when calling trace_get_payload_from_ip (r1734)


  • Capture length for pcap packets is now cached when the packet is first read, rather than when trace_get_capture_length is first called (r1726)
  • Added a LIBTRACEIO options ("buffers") which can be used to configure the number of IO buffers used for threaded reading. Also bumped default buffer space from 5 MB to 50 MB (r1727).
  • Updated pcap interfaces to use pcap_create and pcap_activate APIs in libpcap 1.0 (r1728)
  • Optimisations to trace_apply_filter (r1729)
  • Optimisations to tracestats (r1730)
  • Wire length is now cached for each packet (r1731)
  • Trace files created by programs running via sudo now belong to the user who was running sudo rather than root (r1732)

libtrace 3.0.12 (2011-09-12)

New Features

  • Added new tools: tracetopends and traceends (r1717)

Bug Fixes

  • Fixed bug in trace_get_payload_from_ip6 that would return the wrong payload if extension headers were present (r1712, #314)
  • Fixed bug with payload length calculation if the packet has additional padding (r1716)
  • Fixed build issue when building DAG format modules on Fedora Core systems (r1715)
  • Fixed bug where trace_get_layer2 would return a meta-data header instead NULL when no layer 2 payload was present (r1714, #263)


  • Added more caching to further improve performance in some cases (r1716)
  • Reworked trace_get_layer2 to be faster (r1716)
  • Added libpacketdump decoders for some IPv6 extension headers (hop by hop, routing and destination options) (r1713)

libtrace 3.0.11 (2011-07-06)

New Features

  • ECN bits in the TCP header are now directly accessible in the same fashion as other TCP flags. NOTE: this will break existing code that accessed the reserved bits that we have replaced with ECN flags, especially anything that attempted to access ECN prior to this release! (r1707)

Bug Fixes

  • Fixed bug where libtrace would fail at guessing the trace format for small trace files (r1708)
  • Fixed bug where using a BPF filter on a live DAG interface via the event API would result in bad packet lengths (r1706)
  • Fixed bug where BPF filters would cause an RT input source to fail (r1702)
  • Fixed bug where trace_event would not update the time to sleep properly if called before the timer has expired (r1700)
  • Fixed bug where constructed packets did not have their cached values initialised correctly (r1698)


  • Tracepktdump now reports any errors that occur while reading packets (r1703)
  • Tidied up linking process so that components only link against libraries that they actually use - should make Debian packaging easier (r1701)
  • Tracetop now reports traffic based on wire length rather than capture length (r1699)

libtrace 3.0.10 (2011-03-11)

Bug Fixes

  • Fixed problems with processing Linux SLL Ethernet captures (r1691, r1695)
  • Libpacketdump also now processes Linux SLL headers correctly (r1692, r1696)
  • Fixed build problem where libtrace would fail to detect whether it needed to link against libdl (r1693)
  • Tidied up errors in tracetop and tracediff manpages (r1694)


  • Significantly improved performance of libtrace event API (r1691)
  • Transport headers and payload length are now cached for each packet, saving time on subsequent lookups (r1691)

libtrace 3.0.9 (2011-01-25)

Bug Fixes

  • Fixed bug in the threaded I/O that was affecting users on 32-bit machines - should bring an end to the random segmentation faults when reading trace files from disk (r1685, #292)
  • Corrected problem with missing manpages for tracereplay and tracetop tools (r1682, r1688, #293)
  • Fixed bug where the accepted packet counter would be incorrect (r1684)
  • Fixed bug where an invalid free could occur in trace_create() (r1687, #228)


  • tracesplit can now accept multiple input URIs which are read in turn (r1680)

libtrace 3.0.8 (2010-12-03)

New Features

  • Added a new API function called trace_get_payload_length() that returns the length of the original payload content (i.e. the size of the post-transport header payload prior to any snapping) (r1661)

Bug Fixes

  • Fixed bug where converting from int: to pcapfile: would result in losing four bytes of payload (r1673) - Thanks to Nevil Brownlee for reporting this bug.
  • Fixed segfault that occurred when trying to read from int: inputs without permission (r1653, #279)
  • Fixed segfault in tracertstats when an invalid output format is specified (r1660)
  • Fixed errors in payload length calculations for v6 in v4 and truncated or corrupted TCP headers (r1662, r1663)
  • Fixed bug where libtrace would attempt to write NONDATA packets, which could not be converted into an appropriate packet type for most trace formats (r1664)
  • Fixed incorrect parsing of IPv6 extension headers (r1665, r1666)
  • Fixed compilation error when building against DAG 2.5 drivers (r1668, #286) - Thanks to Guillaume Vu-Brugier for reporting this bug.
  • Fixed linking error when building against certain versions of libpcap that install pcap-int.h (r1669, #287) - Thanks to Guillaume Vu-Brugier for reporting this bug.
  • Fixed libpacketdump compilation error that occurred on some systems, e.g. Fedora (r1674) - Thanks to Nevil Brownlee for reporting this bug.


  • Added IPv6 and IPv6 fragmentation header decoders to libpacketdump (r1654,r1656,r1667)
  • traceanon can now read cryptopan keys from a file (r1659)

libtrace 3.0.7 (2010-08-03)

New Features

  • Replaced IO subsystem with wandio abstraction (r1391,r1394,r1395,r1396,r1397,r1398,r1400)
    • IO / compression / decompression is now performed in a separate thread, resulting in improved performance
    • Modular design makes it easy to add support for new compression formats
  • Added native support for reading and writing bzip files (r1391)
  • Added native support for writing lzo files (r1530,r1531,r1534)
  • JITing of BPF bytecode using LLVM, leading to faster BPF filtering (r1586,r1588)
  • Added enums for post-IP protocols and Ethertypes (r1386,r1387,r1388,r1389)
  • Write support added for DAG cards - thanks to Daniel Lawson (r1406,r1414,r1418)
  • Added new trace tool: tracetop. Shows the top N flows each second (r1408,r1409,r1411,r1412,r1413,r1415,r1416,r1417)
  • Added new trace tool: tracereplay. Attempts to replay trace files in trace time (r1460 to r1476)
  • Added new trace tool: tracediff. Displays packets that differ between two trace files (r1494)
  • Added trace_get_timespec() function (r1421)
  • If the format is not specified as part of the URI, libtrace can now attempt to guess the trace format (r1401,r1403)
  • Libpacketdump can now decode CHDLC and PPP/HDLC headers (r1538)
  • Added all the code examples from the libtrace tutorial to the examples directory (r1502)

Bug Fixes

  • Fixed bug where packets read from a DAG card that did not match the filter were causing lengthy sleep events under the event API (r1483)
  • Fixed various tools that were not reporting the occurrence of a read error (r1486,#270)
  • Fixed segfault caused by malformed URIs (r1393,r1399)
  • Fixed bug where reading a zero-length payload from a PCAP trace would result in an EOF being incorrectly reported (r1490)
  • Fixed bug where filtered packet count was not initialised to zero (r1393)
  • trace_get_payload_from_ip() now returns NULL when the IP version is incorrect rather than asserting (r1402)
  • Fixed segfault when writing packets to a Linux native socket, caused by byte ordering issue (r1405)
  • Fixed bug where custom pcap event function was not being used (r1422)
  • Fixed misplaced assertion in the pcap file reading code (r1423)
  • Fixed bug where trace_event would never get a packet event under recent versions of libpcap (r1426)
  • Fixed assertion failure when an unknown linktype is encountered by libpacketdump (r1459)
  • Fixed error caused by LCP packets that are common in some trace sets, e.g. Leipzig (r1482)
  • Increased size of RT packet buffer to fix problems caused by jumbograms (r1493)
  • Fixed errors caused by 32- and 64-bit incompatibility when sending Linux Native packets using the RT protocol (r1498,r1499)
  • trace_get_*_port() functions now always return 0 for ICMP packets (r1500)
  • Fixed problems with decoding HDLC and CHDLC headers (r1536)
  • Fixed segfault when reading PCAP packets that had no packet content (r1537)
  • Fixed bug where PCAP packets would be written with a larger capture length than the wire length (r1549)
  • Fixed segfault in the TCP segment report in tracereport caused by segments larger than 1500 bytes (r1539, r1540)
  • Fixed bug with restarting a PCAP trace file (r1574)
  • Fixed bugs relating to the size of the TSH packet records (r1577)
  • Fixed bug where we were not accounting for the FCS in legacy Ethernet captures (r1581)
  • Fixed bug where libpacketdump could not decode Linux SLL properly due to using an "undefined" function (r1583)
  • Fixed bug where libpacketdump was not skipping IP options before attempting to decode the next header (r1600)
  • Fixed bug where padding was being treated as part of a truncated header (r1602)
  • Fixed assertion when converting a packet with a corrupt wire length to PCAP (r1603)
  • More fixes for missing #includes (r1425)


  • trace_get_source_address() and trace_get_destination_address() now return link layer addresses in the absence of an IP header wherever possible (r1410)
  • trace_get_<protocol> short-cut functions now return NULL if the entire header (minus options) is not present in the packet (r1491)
  • Added missing set_capture_length() functionality for Linux Native (r1495)
  • traceanon can now write compressed traces (r1550)
  • traceanon now replaces checksums with zeroes (r1567)
  • traceanon, tracesplit and tracemerge now support all libtrace compression types for output (r1568,r1570,r1571)
  • tracereport no longer does the flow report by default (r1551)
  • Added support for new ERF types (r1507)
  • Added linktype for Experimental Ethernet (r1497)
  • Added --count option to tracereport (r1427,#248)
  • Added --merge-inputs option to tracertstats (r1440)
  • Added support for ARPHRD_NONE (r1451)
  • Added a libpacketdump decoder for ubiquity headers (r1488)
  • Improved libpacketdump's method of searching for decoders (r1584)
  • More efficient arrangement of internal structures (r1442,r1443)
  • Tidied up exported symbols (r1454,r1456)
  • General code maintenance (r1404,r1407,r1517)
  • Tidied up manpages (r1492,r1569,r1572)
  • Improved documentation (r1419,r1420,r1496,r1501,r1506,r1507,r1508,r1509,r1510,r1513,r1515,r1516,r1517,r1518,r1519,r1520,r1521,r1522,r1523,r1524,r1543,r1578)

libtrace 3.0.6 (2008-11-27)

  • Fixed compilation errors caused by missing #includes (r1382)
  • Added trace_get_payload_from_pppoe() to external API (r1383)
  • autoconf now correctly detects libgdc properly for tracertstats (r1384)
  • Fixed some warnings on recent versions of gcc (r1385)

libtrace 3.0.5 (2008-11-07)

  • Bug fix with respect to loss counter caching (r1312)
  • Major fixes to PoS traces (#261,r1371,r1378,r1379)
  • Windows fixes (r1322,r1323)
  • Code cleanups (r1324,r1325,r1326,r1333,r1355)
  • Dag 2.5:
    • Dropped packet counter fixes (with multithread locking) (r1326,r1329)
    • Event api issues (r1327)
    • Multiple stream support (and compatibility for dag 2.4) (r1328)
    • Better detection of dag version numbers (r1343)
  • New ERF types added (r1328,r1331)
  • Coloured ethernet ERF type support (r1328)
  • Fixes to the ERF Etherhack (r1328)
  • Bug fix for unsupported configuration options for erf traces (r1330)
  • Bug fix for {{set_capture_length()}} not updating the capture length cache (r1331)
  • Bug fix for more capture length cache entries (r1346)
  • Cleaned up the way managing packet's memory was done internally (r1332,r1335,r1336)
  • Added RT type for {{bpf:}} traces (r1332)
  • Bug fix for closing a {{pcapfile:}} trace file that was never trace_start()'d (r1334) (reported by Nevil Brownlee)
  • Fix compile error with bpf: on OpenBSD (r1336)
  • Fix compile errors with old compilers (r1337,r1339,r1340,r1341,r1345)
  • libpacketdump cleanups (r1338,r1339)
    • libpacketdump constification (r1351)
  • traceanon code cleanups (r1342)
  • tracertstats code cleanups (r1344)
  • tracertstats documentation cleanups (r1369)
  • int: code cleanups (r1347,r1352)
  • tracesplit documentation cleanups (r1348)
  • tracesplit error handling fixes (r1364)
  • Cleanup examples (r1365)
  • Deal better with creating compressed files (r1349)
  • Deal with raw IP capture (r1350)
  • Provide API's for dealing with VLAN and MPLS headers (r1353, r1359, r1372)
  • get_payload_from_X API's now return NULL if the header is incomplete with remaining == 0. If there is no payload then they return where the payload would be, and remaining == 0. (r1376)
  • Fix bug with trace_get_erf_timestamp() where UINT_MAX ends up being signed (reported by yuri from isi) (r1357)
  • Force 64bit for filesizes (r1358)
  • Add support for PPPoE, and skip PPPoE headers in trace_get_layer3() (r1360)
  • Improve support for VLANs (r1363)
  • Improve tracesplit's dealing with rotations based on starttime, and better debugging output (r1366)
  • assert() on bad packets that aren't caught before we return them back to the user (r1367)
  • Cleanup libpacketdump GRE parser (r1368, r1370)
  • Support specifying compression levels (r1373)
  • Better fixes for endianness issues (r1375)
  • removed traceflow, to be replaced with maji (ipfix collector) available seperately (r1377)

libtrace 3.0.4 (2008-01-02)

libtrace 3.0.3 (2007-09-05)

  • Code cleanups w.r.t warnings (r1211,r1212,r1213,r1214,r1216,r1217,r1218,r1219,r1224,r1225,r1255)
  • tracesplit_dir now provides a warning of the number of packets that had an unknown direction at the end of the trace (r1215)
  • Fix a segfault in tracereport with rxerrors, non ip (r1221, r1227)
  • Add support for decoding 802.2 LLC/SNAP and Ethernet II in 802.11 frames (r1222,r1226)
  • Documentation fixes and clarifications (r1223,r1235,r1236,r1245,r1248,r1249)
  • Fix bug with trace_get_payload_from_80211() and 3 vs 4 frame formats (r1226)
  • Deal correctly with uri's with parse errors causing segfaults on cleanup (r1229)
  • Minor tidyups to protocol decoders (r1230,r1232)
  • Add more information to libtracepktdump (r1231,r1256)
  • Correctly deal with PPP captures (r1233)
  • Cache trace_get_capture_length() and trace_get_l3() which are both heavily used internally (r1234)
  • Build system cleanups (r1237,r1250)
  • Add a GRE tracepktdump decoder (r1238)
  • Add a preliminary PPPoE tracepktdump decoder (r1241)
  • Add more information to tracereport (r1239,r1247)
  • Fix bug in legacy decoder with wire lengths (r1239)
  • Fix bug in trace_ether_ntoa (r1240)
  • Add legacynzix: trace format (r1243)
  • Don't assert() on bad packets (instead return BADPACKET) for erf traces (r1244)
  • Add TRACE_OPTION_EVENT_REALTIME to allow the event framework to playback traces in realtime (r1246)
  • Rename TRACE_META_FREQ to TRACE_OPTION_META_FREQ to follow naming convention (r1246)
  • Correctly deal with errors when using trace_set_option (r1247)
  • Deal better with signals when writing packets to files (#254,r1251,r1252,r1253)
  • Add support for dag 3.x (r1254)
  • Improved dag 2.5+ support (r1254,r1255)
  • dag2.5+ supports setting the snaplen from libtrace (r1254)
  • Add support for setting direction on linux int: formats (r1257,r1258)
  • Consider loopback packets outgoing, not incoming (r1257)
  • Fix trace_get_source_mac() for wireless frames (#253,r1259)
  • Add support for interfaces_per_input to tracemerge (r1260)
  • Fix tracereport direction report (r1261)
  • Deprecated wag: and wtf formats (r1262,r1263)

libtrace 3.0.2 (2007-04-27)

libtrace 3.0.1 (2007-03-26)

libtrace 3.0.0 final release! (2007-02-12)

libtrace 3.0.0 beta 7 (2006-11-07)

  • Display ToS bits in libpacketdump as DSCP/ECN (r1071)
  • Fix bug where the final packets were not being flushed out in some of the tools (r1072)
  • Fix bug where DLT_NULL was being used instead of DLT_RAW for raw IP packets (r1073)
  • Fix compile warnings (r1074, r1076, r1077)
  • Fix bug with tracesplit segfaulting if given more than 2 options. (r1075)
  • Fix bug with legacyatm: not signalling end of file correctly (r1078)
  • More tests (r1079)

libtrace 3.0.0 beta 6 (2006-10-26)

  • int: ignored overridden promisc flags (r1058)
  • Build fixes (r1059,r1060,r1068,r1069,r1070)
  • Add proper decode support for ATM cells (r1061)
  • pcap:/pcapfile:/trace_filter_apply() now will "demote" a packet, stripping off any header that pcap doesn't understand. (r1062,r1063,r1064,r1067)

libtrace 3.0.0 beta 5 (2006-10-16)

libtrace 3.0.0 beta 4 (2006-08-30)

  • tracesplit tidyups to deal better with old NLANR traces (r950)
  • pcap: uris should deal with packets that are corrupt/missing a linklayer (r951)
  • Code cleanups/build system cleanups (r952, r953, r956, r958, r963)
    • when linking against libpacketdump, you need to provide -lfl (r959)
  • libpacketdump should deal with packets that are corrupt/missing a linklayer (r954)
  • Tom Young's linux int: performance improvements (r955, r960)
  • if libpacketdump can't decode a linklayer itself, it should ask libtrace to decode it (r957)

libtrace 3.0.0 beta 3 (2006-08-22)

Most of this release was bug fixes for MacOS portability, mostly dealing with endianness issues

libtrace 3.0.0 beta 2 (2006-06-27)

  • Added better error handling for pcap/duck/rt formats (r875,r880,r885,r886)
  • Fixed problems with TRACE_TYPE enum (some values had been shuffled around) (r876)
  • Fixed protocol decodes for 802.11 and LLC/Snap (r879)
  • Added better unit tests for protocol decoding, writing files, and did some general cleanups (r882,r883,r884,r899)
  • Massive build system overhaul (r887,r892,r893,r896)
  • Update documentation (r888,r891)
  • Minor cleanups (r889,r894,r895,r900,r901)
  • trace_get_{source,destination}_address() now include the port number in the sin{,6}_port field. (r897)

See for details of changes that occurred prior to libtrace 3