Version 8 (modified by perry, 14 years ago)

Document limitations and benefits of all the various format types

Supported Input Formats

Libtrace supports reading from the following trace capture and storage formats:

Live Capture

  • Endace DAG cards
  • pcap interfaces
  • Native Linux PF_PACKET interfaces
  • WAG cards (internal WAND project)
  • Native BSD BPF interfaces
  • Receiving packets over a network via the RT protocol

Trace Formats

  • pcap traces
  • ERF (Extensible Record Format) traces
  • Legacy DAG formats, such as those used in various Auckland tracesets
  • WTF (WAG Trace Format) traces

Supported Output Formats

In addition, libtrace can write traces in the following formats:

  • pcap traces
  • ERF (Extensible Record Format) traces
  • WTF (WAG Trace Format) traces
  • pcap interfaces
  • Native Linux PF_PACKET interfaces

Format URIs

Libtrace input and output sources are specified using URIs which describe both the format and location of the trace, interface or device in question. Below is a definitive list of URIs for all the trace formats supported by libtrace.

  • Live pcap interface
  • pcap trace file (pcapfile:)
  • Live DAG capture (dag:<DAG device location e.g. /dev/dag0>)
  • ERF trace file (erf:)
  • Native Linux interface (int:)
  • Native BSD BPF interface
  • RT protocol
  • Legacy ATM
  • Legacy Ethernet
  • Legacy Packet over Sonet
  • Live WAG capture (wag:<WAG device location e.g. /dev/wag>)
  • WTF trace file

URIs that include a filename usually accept '-' to represent stdin, e.g. erf:- will read ERF records from stdin.

Per format notes

ERF Trace file (erf:)

  • Supports a maximum of 4 interfaces, by convention 0 for outgoing, 1 for incoming, 2 for other, and 3 is unused.
  • There is at least one traceset which is known to have an ERF type of "0", just to be annoying; libtrace attempts to account for this.

Native Linux interface (int:)

  • Currently supports a fast way of retrieving the timestamp of the packet from kernel space using ancillary data.
  • Doesn't support uploading BPF filters to the kernel (yet).
  • Supports only incoming and outgoing direction, attempts to set other directions will fail. (3.0.3+)

Internal PCAP tracefile output (pcapfile:)

  • Currently always writes out data compressed, even if compression level 0 is used. This confuses tcpdump, which doesn't support compressed traces. You can use "zcat foo.pcap.gz | tcpdump -r -" to read these traces.
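Because pcapfile: output is always gzip-compressed regardless of the filename, a trace pipeline should identify the container from its magic bytes rather than trusting the extension. The following is an added example, not part of the libtrace wiki or code base; it uses only the Python standard library, and the sample trace it checks is constructed inside the block.

```python
import gzip
import struct

# A file written by libtrace's pcapfile: output may be a gzip stream even when
# it is named foo.pcap, so detect the container from the leading bytes.
GZIP_MAGIC = b"\x1f\x8b"
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
}


def open_pcap_bytes(data: bytes) -> bytes:
    """Return raw pcap bytes, transparently gunzipping if the data is gzip."""
    return gzip.decompress(data) if data[:2] == GZIP_MAGIC else data


def summarize_pcap(data: bytes) -> dict:
    """Parse the pcap global header and walk every record; raise on corruption."""
    raw = open_pcap_bytes(data)
    if len(raw) < 24:
        raise ValueError("truncated pcap global header")
    endian = PCAP_MAGICS.get(raw[:4])
    if endian is None:
        raise ValueError("not a pcap file (unknown magic %r)" % raw[:4])
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", raw[4:24])
    count, off = 0, 24
    while off + 16 <= len(raw):
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", raw[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(raw):
            raise ValueError("corrupt or truncated record at offset %d" % off)
        count += 1
        off += 16 + incl_len
    if off != len(raw):
        raise ValueError("trailing bytes after last record at offset %d" % off)
    return {"gzipped": data[:2] == GZIP_MAGIC, "version": (major, minor),
            "snaplen": snaplen, "linktype": linktype, "packets": count}


def make_sample_pcap(payloads):
    """Constructed sample: little-endian pcap v2.4, DLT_EN10MB (1), given payloads."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, i, len(p), len(p)) + p
                    for i, p in enumerate(payloads))
    return hdr + recs


SAMPLE = make_sample_pcap([b"\x00" * 60, b"\xff" * 42])  # constructed input
GZIPPED_SAMPLE = gzip.compress(SAMPLE)  # what a pcapfile: writer would leave on disk
```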

RT protocol

  • libtrace does not (yet?) support RT output.
  • The protocol specification is available so people can write their own servers.

BSD BPF Interface

  • Currently supports capture, but not writing.