Changes between Version 10 and Version 11 of SupportedTraceFormats


Timestamp:
07/28/10 14:22:13 (10 years ago)
Author:
salcock
Comment:

Update trace formats page

  • SupportedTraceFormats

    v10 v11  
    6060== Per format notes ==
    6161
     62=== PCAP ===
     63 * There are three pcap formats supported by libtrace: {{{pcapfile}}}, {{{pcapint}}} and {{{pcap}}}. Generally you want to use {{{pcapfile}}} if reading or writing pcap trace files and {{{pcapint}}} if reading or writing from a live pcap interface.
     64 * {{{pcapfile}}} and {{{pcapint}}} have been implemented directly within libtrace, whereas {{{pcap}}} uses the libpcap API. We recommend against using {{{pcap}}} wherever possible.
     65 * Most pcap-based utilities, including tcpdump, tcptrace and snort, do not support compressed trace files so you may need to decompress the trace first. For example, "zcat foo.pcap.gz | tcpdump -r-" will do this for tcpdump.
     66
    6267=== DAG capture card (dag:) ===
    6368 * Requires the Dag API from endace.
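Review bot: new line 64 recommends against {{{pcap}}} without giving a reason, and line 63 only says what to use "generally". Add one clause saying what goes wrong with the libpcap-backed format so readers can judge when it is still acceptable. The heading "=== PCAP ===" also drops the URI-prefix convention used by the neighbouring headings such as "DAG capture card (dag:)"; something like "=== PCAP (pcapfile:, pcapint:, pcap:) ===" would keep the section findable by prefix.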
     
    7378 * Supports only incoming and outgoing direction, attempts to set other directions will fail. (3.0.3+)
    7479
    75 === Internal PCAP tracefile output (pcapfile:) ===
    76  * Currently always writes out data compressed, even if compression level 0 is used.  This confuses tcpdump which doesn't support compressed traces.  You can use "zcat foo.pcap.gz | tcpdump -r-" to read these traces.
    77 
    7880=== RT protocol ===
    7981 * libtrace does not (yet?) support RT output.
    80  * The [wiki:RTProtocol protocol specification] is available so people can write their own servers.
     82 * The [wiki:RTProtocol protocol specification] may soon be made available so people can write their own servers.
    8183
    8284=== BSD BPF Interface ===
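Review bot: removing old lines 75-77 drops the statement that pcapfile: output is always written compressed, even at compression level 0, while new line 65 keeps only the zcat workaround for tools that cannot read compressed traces. If that behaviour still exists, carry the sentence into the new PCAP section; if it has been fixed, say so with a version tag in the style of "(3.0.3+)" on line 78. On new line 82, the text now says the specification "may soon be made available" but still links [wiki:RTProtocol ...]; either drop the link or say what the target page currently holds.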