wiki:ToolTricks

Version 1 (modified by perry, 14 years ago)

--

The various libtrace tools can do some neat things that you might not realise. Here's a list of cool things they can do.

Create a trace file

 traceconvert int:eth0 pcapfile:foo.pcap.gz

(Substitute pcapint: for int: if you're not on Linux. Capturing from a live interface needs root or the CAP_NET_RAW capability.)

To capture with a filter:

 tracefilter int:eth0 'port 80' pcapfile:foo.pcap.gz

This isn't smart enough to do snapping (truncating packets), anonymisation, file rotation or anything else an advanced capture suite would do. If you need more advanced capturing software, use wdcap. (It also doesn't flush output to disk as often as it should, so if the process dies you can lose the tail of the capture.)

To replay a trace

Warning: this replays the trace exactly as it was captured, link-layer and IP headers included, so the original MAC and IP addresses are transmitted onto eth0. Only do this on an isolated test network.

 traceconvert pcapfile:foo.pcap.gz int:eth0

To merge two directions back into one file (the -i flag tags the packets from each input with a different interface number, so the direction is still recoverable in the merged trace):

 tracemerge -i pcapfile:foo-combined.pcap.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.pcap.gz

To concatenate traces together

 tracemerge -s erf:out.gz erf:in-*.gz

Note that the shell only expands the wildcard if a file literally named erf:in-... exists, and tracemerge does not expand it either; expand the glob first and add the erf: prefix to each file name.
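The two tracemerge invocations above, wrapped in a small bash helper. This is an added example, not code from the ToolTricks page or from libtrace: it expands the input glob before adding the format prefix, refuses to start if an input file is missing (tracemerge would otherwise fail part-way through), and takes the tracemerge flags used on this page (-s, -i) through a MERGE_OPTS variable. DRY_RUN, MERGE_OPTS and the helper names are assumptions of this example; the file names are placeholders.

```bash
#!/bin/bash
# Added example, not part of the ToolTricks page or of libtrace.
# A wildcard inside a libtrace URI such as erf:in-*.gz is only expanded by
# the shell if a file literally named "erf:in-..." exists, and tracemerge
# does not expand it either. So: glob first, prefix afterwards.

# merge_traces FORMAT OUTPUT INPUT... : run tracemerge over INPUT files,
# all in libtrace format FORMAT (erf, pcapfile, ...).  Extra tracemerge
# options, e.g. -s to concatenate or -i to tag each input as its own
# interface, go in MERGE_OPTS.  With DRY_RUN=1 the command line is printed
# instead of executed.
merge_traces() {
    if [ $# -lt 3 ]; then
        echo "usage: merge_traces FORMAT OUTPUT INPUT..." >&2
        return 1
    fi
    local fmt=$1 out=$2
    shift 2

    local f
    local -a uris=()
    for f in "$@"; do
        # Check every input up front so tracemerge never dies mid-merge.
        if [ ! -r "$f" ]; then
            echo "merge_traces: cannot read $f" >&2
            return 1
        fi
        uris+=("$fmt:$f")
    done

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "tracemerge ${MERGE_OPTS:+$MERGE_OPTS }$fmt:$out ${uris[*]}"
    else
        # MERGE_OPTS is deliberately unquoted so it can carry several flags.
        tracemerge $MERGE_OPTS "$fmt:$out" "${uris[@]}"
    fi
}

# Usage: the shell expands in-*.gz to real file names, then merge_traces
# turns each into an erf: URI.
#   MERGE_OPTS=-s merge_traces erf out.gz in-*.gz
#   MERGE_OPTS=-i merge_traces pcapfile foo-combined.pcap.gz foo-in.pcap.gz foo-out.pcap.gz
```

Globbed file names arrive in the shell's sorted order, so zero-padded sequence numbers (in-01.gz, in-02.gz, ...) keep the concatenation in capture order.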