wiki:SupportedTraceFormats

Version 7 (modified by perry, 13 years ago)

Supported Input Formats

Libtrace supports reading from the following trace capture and storage formats:

Live Capture

  • Endace DAG cards
  • pcap interfaces
  • Native Linux PF_PACKET interfaces
  • WAG cards (internal WAND project)
  • Native BSD BPF interfaces
  • Receiving packets over a network via the RT protocol

Trace Formats

  • pcap traces
  • ERF (Extensible Record Format) traces
  • Legacy DAG formats, such as those used in various Auckland tracesets
  • WTF (WAG Trace Format) traces

Supported Output Formats

In addition, libtrace can write traces in the following formats:

  • pcap traces
  • ERF (Extensible Record Format) traces
  • WTF (WAG Trace Format) traces
  • pcap interfaces
  • Native Linux PF_PACKET interfaces

By default, pcap trace files written by libtrace are compressed, and compressed files cannot be read directly by programs such as tcpdump. Use tcpdump -r <(zcat mytrace.pcap.gz) to read them.

Note that libtrace does not include support for writing packets to a network via the RT protocol. The RT protocol is documented separately, which should enable programmers to write their own RT server.

Also, there is currently no support for writing to native BSD BPF interfaces, but this may be added in a future version of libtrace.

Format URIs

Libtrace input and output sources are specified using URIs, which describe both the format and the location of the trace, interface or device in question. Below is a definitive list of URIs for all the trace formats supported by libtrace.

  Live pcap interface           pcapint:<interface>
  pcap trace file               pcapfile:<filename>
  Live DAG capture              dag:<DAG device location, e.g. /dev/dag0>
  ERF trace file                erf:<filename>
  Native Linux interface        int:<interface>
  Native BSD BPF interface      bpf:<interface>
  RT protocol                   rt:<host>:<port>
  Legacy ATM                    legacyatm:<filename>
  Legacy Ethernet               legacyeth:<filename>
  Legacy Packet over SONET      legacypos:<filename>
  Live WAG capture              wag:<WAG device location, e.g. /dev/wag>
  WTF trace file                wtf:<filename>

URIs that include a filename usually accept '-' to represent stdin, e.g. erf:- will read ERF records from stdin.
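As an added example (not libtrace's own code), here is a small C parser for the URI scheme above. It splits on the first colon only, so that rt:<host>:<port> and device paths such as /dev/dag0 are handled correctly, checks the format prefix against the table, and recognises '-' as stdin; the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed form of a libtrace URI; not a libtrace type. */
struct trace_uri {
    char format[16];    /* "erf", "rt", ... */
    char location[256]; /* filename, interface, device path or RT host */
    int  port;          /* RT port, or -1 for every other format */
    bool from_stdin;    /* location was "-" */
};
/* Format prefixes from the URI table on this page. */
static const char *const known_formats[] = {
    "pcapint", "pcapfile", "dag", "erf", "int", "bpf", "rt",
    "legacyatm", "legacyeth", "legacypos", "wag", "wtf", NULL };

/* Split "<format>:<location>" at the FIRST colon, because rt:host:port and
 * device paths may contain more colons. Returns 0 on success, -1 if the URI
 * is malformed, too long, or names a format not in the table above. */
int parse_trace_uri(const char *uri, struct trace_uri *out)
{
    const char *colon = strchr(uri, ':');
    if (colon == NULL || colon == uri || (size_t)(colon - uri) >= sizeof out->format)
        return -1;
    memcpy(out->format, uri, (size_t)(colon - uri));
    out->format[colon - uri] = '\0';
    bool known = false;
    for (int i = 0; known_formats[i] != NULL; i++)
        known |= strcmp(known_formats[i], out->format) == 0;
    const char *loc = colon + 1;
    if (!known || *loc == '\0' || strlen(loc) >= sizeof out->location)
        return -1;
    out->port = -1;
    out->from_stdin = strcmp(loc, "-") == 0;
    if (strcmp(out->format, "rt") == 0) {
        /* RT needs <host>:<port>; reject a missing, empty or non-numeric port. */
        const char *sep = strrchr(loc, ':');
        char *end;
        if (sep == NULL || sep == loc)
            return -1;
        long port = strtol(sep + 1, &end, 10);
        if (end == sep + 1 || *end != '\0' || port < 1 || port > 65535)
            return -1;
        out->port = (int)port;
        memcpy(out->location, loc, (size_t)(sep - loc));
        out->location[sep - loc] = '\0';
        return 0;
    }
    strcpy(out->location, loc); /* length bounded above */
    return 0;
}
```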

Per format notes

ERF Trace file (erf:)

  • Supports a maximum of 4 interfaces; by convention 0 is outgoing, 1 is incoming, 2 is other, and 3 is unused.
  • There is at least one traceset which is known to have an ERF type of "0", just to be annoying; libtrace attempts to account for this.

Native Linux interface (int:)

  • Currently supports a fast way of retrieving the packet timestamp from kernel space using ancillary data.
  • Doesn't support uploading BPF filters to the kernel (yet).
  • Supports only the incoming and outgoing directions; attempts to set other directions will fail. (3.0.3+)