wiki:ConvertingTracesets

Version 17 (modified by perry, 12 years ago) (diff)

--

libtrace comes with a program (traceconvert) that lets you convert from any trace type that https://secure.wand.net.nz/trac/libtrace/wiki/ConvertingTracesets?action=edit#libtrace understands, to any trace type libtrace can output.

Example usage:

  traceconvert legacyatm:auck4-20010220-210122-0.gz pcapfile:auck4-20010220-210122-0.pcap.gz

Note: The pcapfile: output specifier by defaults outputs compressed pcap files (which tcpdump can't natively understand). Use tcpdump -r <(zcat auck4-20010220-210122-0.pcap.gz) to read these files.

Note 2: Instead of converting to pcap you can use libtrace directly to access these files and enjoy the benefits of file format, link and network layer independance, a high level API, and transparent fast decompression/compression.

Note 3: Most tracesets have one file per direction, ending in -0 for one direction, and -1 for the reverse. These can be merged and converted at the same time with tracemerge.

  tracemerge pcapfile:auck4-20010220-210122-combined.gz legacyatm:auck4-20010220-210122-0.gz legacyatm:auck4-20010220-210122-1.gz

Conversions for common tracesets:

Abilene I

Available from: http://pma.nlanr.net/Traces/long/ipls1.html

These are in legacy Packet over Sonet format:

  traceconvert legacypos:abileneI-IPLS-KSCY-20020814-090000-0.gz pcapfile:abileneI-IPLS-KSCY-20020814-090000-0.pcap.gz

Auckland I

Libtrace does not currently support the DAG2 trace format. We have a program dag2toerf that will translate these files (losslessly) to erf which can be read by libtrace.

Auckland II

Available from: http://pma.nlanr.net/Traces/long/auck2.html

  traceconvert legacyatm:auck2-20000125-143640-0.gz pcapfile:auck2-20000125-143640-0.pcap.gz

Auckland IV

Available from: http://pma.nlanr.net/Traces/long/auck4.html

  traceconvert legacyatm:auck4-20010220-210122-0.gz pcapfile:auck4-20010220-210122-0.pcap.gz

Auckland V

Available from: This traceset have been withdrawn in favor of Auckland VII.

An ATM cell header trace collected at the University of Auckland OC3c ATM link. This trace does not include any IP payload. libtrace currently cannot parse this traceset. Similar to Auckland VII.

Auckland VI

Available from: http://pma.nlanr.net/Traces/long/auck6.html

There are two types of traces, some are ATM and some are Ethernet. for the traces ending in -0 or -1 use:

  traceconvert legacyatm:auck6-20010510-162311-0.gz pcapfile:auck6.pcap.gz

for the traces ending in -e0 or -e1 use:

  traceconvert legacyeth:auck6-20010510-162311-e0.gz pcapfile:auck6.pcap.gz

Auckland VII

Available from: http://pma.nlanr.net/Traces/long/auck7.html

These traces are an ERF timestamp followed by the first 4 bytes of the ATM header. These traces contain no IP headers. Libtrace cannot read these traces at the moment, if you need the ability to read them, then contact us.

Auckland VIII

Available from: http://pma.nlanr.net/Special/auck8.html

These traces are in standard ERF format.

  traceconvert erf:auck8-20031215-220000.gz pcapfile:auck8-20031215-220000.pcap.gz

Leipzig I

Available from: http://pma.nlanr.net/Special/leip1.html

These traces are in ERF format, but incorrectly have the "type" field set to unknown. Support for these traces were added in libtrace 3.0.1.

  traceconvert erf:leip1-0021121-200000-0.gz pcapfile:leip1.pcap.gz

Leipzig II

Available from: http://pma.nlanr.net/Special/leip2.html

These traces are in legacy Packet over Sonet format:

  traceconvert legacypos:leip2-20030221-121359-0.gz pcapfile:leip2-20030221-121359-0.pcap.gz

NZIX II

Available from: http://pma.nlanr.net/Traces/long/nzix2.html

These traces are in legacy ethernet format.

  traceconvert legacyeth:nzixII-20000710-000000.gz pcapfile:nzixII-20000710-000000.pcap.gz

SDSC I

Available from: http://pma.nlanr.net/Special/sdsc1.html

These traces are in erf format:

  traceconvert erf:sdsc1-20040130-132000-0.gz pcapfile:sdsc1-20040130-132000-0.pcap.gz

Note: These traces appear to be snapped poorly, or have some kind of RX error. Large parts of some packets appear to be obliterated with \x00's.

Waikato tracesets

These traces are in standard ERF format

  traceconvert erf:waikato1-20050525-000000-0.gz pcapfile:waikato1-20050525-000000-0.pcap.gz