Version 15 (modified by salcock, 9 years ago)
| Format | URI | Input | Output | Notes |
|---|---|---|---|---|
| Live pcap interface | pcapint:<interface> | Yes | Yes | |
| pcap trace file | pcapfile:<filename> | Yes | Yes | |
| ERF trace file | erf:<filename> | Yes | Yes | |
| DAG device | dag:<device location> | Yes | Yes | Requires DAG hardware capture card and libraries |
| Native Linux interface | int:<interface> | Yes | Yes | Only available on Linux |
| Native Linux interface (ring buffers) | ring:<interface> | Yes | Yes | Only available on Linux; requires Libtrace 3.0.16 or later |
| Native BSD interface | bpf:<interface> | Yes | No | Only available on BSD or Mac OS X |
| TSH trace file | tsh:<filename> | Yes | No | |
| FR+ trace file | fr+:<filename> | Yes | No | |
| Legacy DAG ATM trace file | legacyatm:<filename> | Yes | No | |
| Legacy DAG POS trace file | legacypos:<filename> | Yes | No | |
| Legacy DAG Ethernet trace file | legacyeth:<filename> | Yes | No | |
| Legacy DAG NZIX trace file | legacynzix:<filename> | Yes | No | |
| ATM cell header trace file | atmhdr:<filename> | Yes | No | |
| RT network protocol | rt:<host>:<port> | Yes | No | |
Libtrace input and output sources are specified using URIs which describe both the format and location of the trace, interface or device in question. To do so, simply append the location of the trace file, interface or device to the URI for the appropriate format as specified in the table above.
For example, pcapfile:sample.pcap.gz describes the PCAP trace file called sample.pcap.gz. dag:/dev/dag0 describes the DAG device present at /dev/dag0. int:eth0 is the URI for the Linux interface eth0.
URIs that include a filename usually accept '-' to represent stdin, e.g. erf:- will read ERF records from stdin.
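As an added example (not part of this wiki page or of libtrace itself), the following Python validator applies the table above before a URI is handed to a capture tool: it splits a URI into format and location, checks whether the format may be used for reading or writing, treats '-' as stdin only for file-based formats, and splits rt:<host>:<port> on the last colon. The function and class names are my own and the URIs in the docstring are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Format table transcribed from this page: URI prefix -> (input supported, output supported).
# The "pcap:" libpcap wrapper mentioned in the notes is not in the table, so it is left out.
FORMATS = {
    "pcapint": (True, True), "pcapfile": (True, True), "erf": (True, True),
    "dag": (True, True), "int": (True, True), "ring": (True, True),
    "bpf": (True, False), "tsh": (True, False), "fr+": (True, False),
    "legacyatm": (True, False), "legacypos": (True, False),
    "legacyeth": (True, False), "legacynzix": (True, False),
    "atmhdr": (True, False), "rt": (True, False),
}
# Formats whose location is a filename, so '-' may stand for stdin.
FILE_FORMATS = {"pcapfile", "erf", "tsh", "fr+", "legacyatm", "legacypos",
                "legacyeth", "legacynzix", "atmhdr"}

@dataclass
class TraceURI:              # hypothetical helper type, not a libtrace API
    fmt: str
    location: str
    stdin: bool = False      # location was '-' for a file-based format
    host: Optional[str] = None   # only set for rt:
    port: Optional[int] = None

def parse_trace_uri(uri: str, for_output: bool = False) -> TraceURI:
    """Split <format>:<location> (e.g. "erf:-", "rt:collector:3435") and check it
    against the table; raise ValueError on anything the table does not allow."""
    fmt, sep, location = uri.partition(":")
    if not sep:
        raise ValueError(f"{uri!r}: expected <format>:<location>")
    if fmt not in FORMATS:
        raise ValueError(f"{uri!r}: unknown format {fmt!r}")
    if for_output and not FORMATS[fmt][1]:
        raise ValueError(f"{uri!r}: format {fmt!r} is input-only")
    if not location:
        raise ValueError(f"{uri!r}: empty location")
    if fmt == "rt":
        # rt:<host>:<port>; split on the last colon so IPv6 literals keep theirs.
        host, sep, port = location.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"{uri!r}: rt requires <host>:<port>")
        return TraceURI(fmt, location, host=host, port=int(port))
    return TraceURI(fmt, location, stdin=(fmt in FILE_FORMATS and location == "-"))

def uri_problem(uri: str, for_output: bool = False) -> Optional[str]:
    """Return the validation error for uri, or None if it parses cleanly."""
    try:
        parse_trace_uri(uri, for_output)
        return None
    except ValueError as exc:
        return str(exc)
```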
Per format notes
PCAP
- There are three pcap formats supported by libtrace: pcapfile, pcapint and pcap. Generally you want to use pcapfile if reading or writing pcap trace files and pcapint if reading or writing from a live pcap interface.
- pcapfile and pcapint have been implemented directly within libtrace, whereas pcap uses the libpcap API. We recommend against using pcap wherever possible.
- Most pcap-based utilities, including tcpdump, tcptrace and snort, do not support compressed trace files so you may need to decompress the trace first. For example, "zcat foo.pcap.gz | tcpdump -r-" will do this for tcpdump.
DAG capture card (dag:)
- Requires the DAG API from Endace.
- Anyone experiencing problems with using DAG cards for libtrace may wish to read over DAGNotes, which describes the libtrace DAG support in more detail.
ERF Trace file (erf:)
- Supports a maximum of 4 interfaces, by convention 0 for outgoing, 1 for incoming, 2 for other, and 3 is unused.
- There is at least one traceset known to have an ERF type of "0", just to be annoying; libtrace attempts to account for this.
- Does NOT require the dag API to read erf (and compressed erf) traces.
Native Linux interface (int:)
- Currently supports a fast way of retrieving the timestamp of the packet from kernel space using ancillary data.
- Supports uploading BPF filters into the kernel (3.0.5+).
- Supports only the incoming and outgoing directions; attempts to set other directions will fail (3.0.3+).
RT protocol
- libtrace does not (yet?) support RT output.
- The protocol specification may soon be made available so people can write their own servers.
BSD BPF Interface
- Currently supports capture, but not writing.