wiki:ConvertingTracesets

libtrace comes with a program (traceconvert) that lets you convert from any trace type that libtrace understands, to any trace type libtrace can output.

Example usage:

  traceconvert legacyatm:auck4-20010220-210122-0.gz pcapfile:auck4-20010220-210122-0.pcap.gz

Note: The pcapfile: output specifier by defaults outputs compressed pcap files (which tcpdump can't natively understand). Use tcpdump -r <(zcat auck4-20010220-210122-0.pcap.gz) to read these files.

Note 2: Instead of converting to pcap you can use libtrace directly to access these files and enjoy the benefits of file format, link and network layer independance, a high level API, and transparent fast decompression/compression.

Note 3: Most tracesets have one file per direction, ending in -0 for one direction, and -1 for the reverse. These can be merged and converted at the same time with tracemerge.

  tracemerge pcapfile:auck4-20010220-210122-combined.gz legacyatm:auck4-20010220-210122-0.gz legacyatm:auck4-20010220-210122-1.gz

Conversions for common tracesets:

Abilene I (also known as IPLS I)

Available from: http://www.wand.net.nz/wits/ipls/1/

These are in legacy Packet over Sonet format:

  traceconvert legacypos:IPLS-KSCY-20020814-090000-0.gz pcapfile:IPLS-KSCY-20020814-090000-0.pcap.gz

Auckland I

Libtrace does not currently support the DAG2 trace format. We have a program dag2toerf that will translate these files (losslessly) to erf which can be read by libtrace.

Auckland II

Available from: http://www.wand.net.nz/wits/auck/2/auckland_ii.php

  traceconvert legacyatm:auck2-20000125-143640-0.gz pcapfile:auck2-20000125-143640-0.pcap.gz

Auckland IV

Available from: http://www.wand.net.nz/wits/auck/4/auckland_iv.php

  traceconvert legacyatm:auck4-20010220-210122-0.gz pcapfile:auck4-20010220-210122-0.pcap.gz

Auckland V

Available from: This traceset have been withdrawn in favor of Auckland VII.

An ATM cell header trace collected at the University of Auckland OC3c ATM link. This trace does not include any IP payload. libtrace currently cannot parse this traceset. Similar to Auckland VII.

Auckland VI

Available from: http://www.wand.net.nz/wits/auck/6/auckland_vi.php

There are two types of traces, some are ATM and some are Ethernet. for the traces ending in -0 or -1 use:

  traceconvert legacyatm:auck6-20010510-162311-0.gz pcapfile:auck6.pcap.gz

for the traces ending in -e0 or -e1 use:

  traceconvert legacyeth:auck6-20010510-162311-e0.gz pcapfile:auck6.pcap.gz

Auckland VII

Available from: http://www.wand.net.nz/wits/auck/7/auckland_vii.php

These traces are an ERF timestamp followed by the first 4 bytes of the ATM header, which we refer to as the ATM header format. Converting to PCAP is not very useful for these traces and probably won't work well, but you're welcome to try.

  traceconvert atmhdr:auck7-20010724-100000-0.hdr.gz pcapfile:auck7-20010724-100000-0.hdr.pcap.gz

Auckland VIII

Available from: http://www.wand.net.nz/wits/auck/8/auckland_viii.php

These traces are in standard ERF format.

  traceconvert erf:auck8-20031215-220000.gz pcapfile:auck8-20031215-220000.pcap.gz

Leipzig I

Available from: http://www.wand.net.nz/wits/leipzig/1/leipzig_i.php

These traces are in ERF format, but incorrectly have the "type" field set to unknown. Support for these traces were added in libtrace 3.0.1.

  traceconvert erf:leip1-20021121-200000-0.gz pcapfile:leip1.pcap.gz

Leipzig II

Available from: http://www.wand.net.nz/wits/leipzig/2/leipzig_ii.php

These traces are in legacy Packet over Sonet format:

  traceconvert legacypos:leip2-20030221-121359-0.gz pcapfile:leip2-20030221-121359-0.pcap.gz

NZIX II

Available from: http://www.wand.net.nz/wits/nzix/2/nzix-ii.php

These traces are in legacy ethernet format.

  traceconvert legacyeth:nzixII-20000710-000000.gz pcapfile:nzixII-20000710-000000.pcap.gz

SDSC I

Available from: ftp://wits.cs.waikato.ac.nz/pma/long/sdag/1/

These traces are in erf format:

  traceconvert erf:sdsc1-20040130-132000-0.gz pcapfile:sdsc1-20040130-132000-0.pcap.gz

Note: These traces appear to be snapped poorly, or have some kind of RX error. Large parts of some packets appear to be obliterated with \x00's.

Waikato tracesets

Available from: http://www.wand.net.nz/wits/waikato/1/waikato_i.php

These traces are in standard ERF format

  traceconvert erf:waikato1-20050525-000000-0.gz pcapfile:waikato1-20050525-000000-0.pcap.gz
Last modified 10 years ago Last modified on 05/21/10 13:33:15