Version 4 (modified by spa1, 14 years ago)
Supported Input Formats
Libtrace supports reading from the following trace capture and storage formats:
Live Capture
- Endace DAG cards
- pcap interfaces
- Native Linux PF_PACKET interfaces
- WAG cards (internal WAND project)
- Native BSD BPF interfaces
- Receiving packets over a network via the RT protocol
Trace Formats
- pcap traces
- ERF (Extensible Record Format) traces
- Legacy DAG formats, such as those used in various Auckland tracesets
- WTF (WAG Trace Format) traces
Supported Output Formats
In addition, libtrace can write traces in the following formats:
- pcap traces
- ERF (Extensible Record Format) traces
- WTF (WAG Trace Format) traces
- pcap interfaces
- Native Linux PF_PACKET interfaces
Note that libtrace does not include support for writing packets to a network via the RT protocol. Documentation of the RT protocol can be found here, which should enable programmers to write their own RT server.
Also, there is currently no support for writing to native BSD BPF interfaces, but this may be added in a future version of libtrace.
Format URIs
Libtrace input and output sources are specified using URIs which describe both the format and location of the trace, interface or device in question. Below is a definitive list of URIs for all the trace formats supported by libtrace.
- Live pcap interface
  - pcapint:<interface>
- pcap trace file
  - pcapfile:<filename>
- Live DAG capture
  - dag:<DAG device location e.g. /dev/dag0>
- ERF trace file
  - erf:<filename>
- Native Linux interface
  - int:<interface>
- Native BSD BPF interface
  - bpf:<interface>
- RT protocol
  - rt:<host>:<port>
- Legacy ATM
  - legacyatm:<filename>
- Legacy Ethernet
  - legacyeth:<filename>
- Legacy Packet over Sonet
  - legacypos:<filename>
- Live WAG capture
  - wag:<WAG device location e.g. /dev/wag>
- WTF trace file
  - wtf:<filename>
URIs that include a filename usually accept '-' to represent stdin, e.g. erf:- will read ERF records from stdin.
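A tool that takes a trace URI from a user or a config file can check it against the lists above before opening anything. The following is an added example, not libtrace code: check_uri and its flag and error names are hypothetical, the sample URIs are constructed, and the table encodes only the read/write support stated on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Per-format capabilities, taken from the input/output lists on this page. */
enum { CAN_READ = 1, CAN_WRITE = 2, IS_FILE = 4, IS_STDIN = 8 };
enum { ERR_SYNTAX = -1, ERR_FORMAT = -2, ERR_DIRECTION = -3 };
static const struct { const char *name; int caps; } formats[] = {
    {"pcapint", CAN_READ | CAN_WRITE}, {"pcapfile", CAN_READ | CAN_WRITE | IS_FILE},
    {"dag", CAN_READ},                 {"erf", CAN_READ | CAN_WRITE | IS_FILE},
    {"int", CAN_READ | CAN_WRITE},     {"bpf", CAN_READ},
    {"rt", CAN_READ},                  {"legacyatm", CAN_READ | IS_FILE},
    {"legacyeth", CAN_READ | IS_FILE}, {"legacypos", CAN_READ | IS_FILE},
    {"wag", CAN_READ},                 {"wtf", CAN_READ | CAN_WRITE | IS_FILE},
};
/* Hypothetical helper: validate `uri` for `want` (CAN_READ or CAN_WRITE). Returns
 * capability flags (> 0) with *loc set to the location part, or an ERR_* code. */
int check_uri(const char *uri, int want, const char **loc)
{
    const char *colon = strchr(uri, ':');
    if (!colon || colon == uri || colon[1] == '\0')
        return ERR_SYNTAX;                    /* need <format>:<location> */
    size_t n = (size_t)(colon - uri);
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++) {
        int caps = formats[i].caps;
        if (strlen(formats[i].name) != n || strncmp(uri, formats[i].name, n) != 0)
            continue;                         /* whole format name must match */
        if (!(caps & want))
            return ERR_DIRECTION;             /* e.g. writing to rt: or bpf: */
        *loc = colon + 1;
        if (strcmp(formats[i].name, "rt") == 0) {   /* rt:<host>:<port> */
            const char *p = strrchr(*loc, ':');
            char *end = NULL;
            long port = p ? strtol(p + 1, &end, 10) : 0;
            if (!p || p == *loc || *end != '\0' || port < 1 || port > 65535)
                return ERR_SYNTAX;
        }
        if ((caps & IS_FILE) && want == CAN_READ && strcmp(*loc, "-") == 0)
            caps |= IS_STDIN;                 /* '-' reads from stdin */
        return caps;
    }
    return ERR_FORMAT;
}

int main(void)
{
    const char *loc, *uris[] = {"erf:-", "rt:localhost:3434", "bpf:em0", "foo:x"};
    for (int i = 0; i < 4; i++)               /* constructed sample URIs */
        printf("%-18s read=%d write=%d\n", uris[i], check_uri(uris[i], CAN_READ, &loc), check_uri(uris[i], CAN_WRITE, &loc));
    return 0;
}
```

A positive return value is a bitmask of the flags; a negative one says whether the URI was malformed, named an unlisted format, or asked for a direction the page does not list for that format.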