Changes between Version 7 and Version 8 of ToolTricks


Timestamp:
11/25/06 12:40:14 (14 years ago)
Author:
perry
Comment:

Cleanup article to put more advanced usages later. Explain how you can do advanced capturing using tracesplit.

  • ToolTricks

    v7 v8  
    11The various tools can do some neat things that you might not realise.  Heres a list of cool things they can do.
     2
     3== Things all tools can do ==
     4All tools can read off a network with {{{int:}}}/{{{bpf:}}}/{{{pcapint:}}}/{{{dag:}}}, or from stdin with {{{pcapfile:-}}}/{{{pcap:-}}}/{{{erf:-}}}/{{{legacypos:-}}}/{{{legacyatm:-}}}/{{{legacyeth:-}}}.
     5
     6All tools can write to a network with {{{int:}}}/{{{pcapint:}}}, or to standard out with {{{pcapfile:-}}}/{{{pcap:-}}}
     7
     8== Investigate whats in a trace ==
     9{{{
     10 tracedump erf:trace.erf
     11}}}
     12
     13== Get some stats about a interface/trace ==
     14{{{
     15  tracertstats int:eth0
     16}}}
     17substitute {{{int:eth0}}} for {{{pcapfile:trace.gz}}} to produce stats on a trace.
     18
     19== Get more detailed stats on a trace ==
     20{{{
     21  tracesummary pcapfile:foo.pcap.gz
     22  tracereport pcapfile:foo.pcap.gz
     23  tracertstats pcapfile:foo.pcap.gz
     24}}}
     25Note that {{{tracereport}}}/{{{tracesummary}}} waits for its input to complete, since an interface never completes it won't ever finish tallying results.
     26
     27== To merge two directions back into one file ==
     28{{{
     29  tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz
     30}}}
     31
     32== To concatenate traces together ==
     33{{{
     34  tracemerge -s erf:out.gz erf:in-*.gz
     35}}}
    236
    337== Capture a trace file ==
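Review bot: The text moved up into the new lines 1 to 37 carries several wording defects that should be fixed while the sections are being rearranged. The "Get some stats" section says "substitute int:eth0 for pcapfile:trace.gz", which is the reverse of what is meant (it tells the reader to put int:eth0 in place of pcapfile:trace.gz); suggest "replace int:eth0 with pcapfile:trace.gz to produce stats on a trace instead". The same section has "a interface" for "an interface", the intro has "Heres" and the tracedump heading "whats" without apostrophes, and the tracereport/tracesummary note is a comma splice; suggest "Note that tracereport/tracesummary wait for their input to complete; since an interface never completes, they will never finish tallying results when read from one." Finally, "All tools can write to a network with int:/pcapint:" is the one place that says these output URIs transmit, so it is worth a few words there that writing to int:ethX really sends the packets out of that interface.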
     
    1246}}}
    1347
    14 This isn't smart enough to do snapping, anonymisation, file rotation or anything an advanced capture suite would do.  If you need more advanced capturing software use wdcap.  (It also doesn't flush things to disk as often as it should).
     48To capture with file rotation, filtering and anonymisation:
     49{{{
     50 traceanon -sde 'foo' int:eth0 pcapfile:- | tracesplit --filter 'port 80' --interval 300 pcapfile:- pcapfile:foo.pcap.gz
     51}}}
     52
     53This isn't smart enough to do snapping, or anything an advanced capture suite would do.  If you need more advanced capturing software use wdcap.
    1554
    1655== To replay a trace ==
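Review bot: The rewritten caveat drops the old parenthetical that the tools do not flush to disk as often as they should, without saying whether that has been fixed; if it still holds it should stay, because anyone capturing with this pipeline will lose the unflushed tail of the file on a crash or power loss. The new pipeline line also needs two things explained: what the 'foo' argument after -sde to traceanon is (if it is the anonymisation key, say so, and say that the anonymisation is only as strong as that key, so a trivial value like 'foo' should not be used on real captures) and what unit --interval 300 is in. It would also help to state how tracesplit names the rotated output files, since a single name like foo.pcap.gz cannot be the literal name of every interval's file.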
     
    1958 traceconvert pcapfile:foo.pcap.gz int:eth0
    2059}}}
    21 
    22 == Investigate whats in a trace ==
    23 {{{
    24  tracedump erf:trace.erf
    25 }}}
    26 
    27 == To merge two directions back into one file ==
    28 {{{
    29   tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz
    30 }}}
    31 
    32 == To concatenate traces together ==
    33 {{{
    34   tracemerge -s erf:out.gz erf:in-*.gz
    35 }}}
    36 
    37 == Things all tools can do ==
    38 All tools can read off a network with {{{int:}}}/{{{bpf:}}}/{{{pcapint:}}}/{{{dag:}}}, or from stdin with {{{pcapfile:-}}}/{{{pcap:-}}}/{{{erf:-}}}/{{{legacypos:-}}}/{{{legacyatm:-}}}/{{{legacyeth:-}}}.
    39 
    40 All tools can write to a network with {{{int:}}}/{{{pcapint:}}}, or to standard out with {{{pcapfile:-}}}/{{{pcap:-}}}
    4160
    4261== Speed up trace processing on a dual processor machine ==
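Review bot: The removed lines here are a pure move; the same tracedump, tracemerge and "Things all tools can do" text appears verbatim in the sections added at the top of the page in the first hunk, so nothing is lost. What the surviving replay example could use is one sentence saying that traceconvert pcapfile:foo.pcap.gz int:eth0 transmits every packet of the trace on eth0 (the moved "Things all tools can do" section is the only place that states int: writes to a network), so the replay target should be an interface where injecting the captured traffic is intended rather than a production link.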
     
    5574}}}
    5675
    57 == Get some stats about a interface/trace ==
    58 {{{
    59   tracertstats int:eth0
    60 }}}
    61 substitute {{{int:eth0}}} for {{{pcapfile:trace.gz}}} to produce stats on a trace.
    62 
    63 == Get more detailed stats on a trace ==
    64 {{{
    65   tracesummary pcapfile:foo.pcap.gz
    66   tracereport pcapfile:foo.pcap.gz
    67   tracertstats pcapfile:foo.pcap.gz
    68 }}}
    69 Note that {{{tracereport}}}/{{{tracesummary}}} waits for its input to complete, since an interface never completes it won't ever finish tallying results.
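Review bot: Pure move again: these removed lines are identical to the "Get some stats about a interface/trace" and "Get more detailed stats on a trace" sections added in the first hunk, so no content is lost. The inverted "substitute int:eth0 for pcapfile:trace.gz" sentence, the "a interface" typo and the comma splice in the tracereport/tracesummary note travel with the text unchanged and should be corrected in their new location.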