The various tools can do some neat things that you might not realise. Here's a list of cool things they can do.

== Things all tools can do ==

All tools can read off a network with {{{int:}}}/{{{bpf:}}}/{{{pcapint:}}}/{{{dag:}}}, or from stdin with {{{pcapfile:-}}}/{{{pcap:-}}}/{{{erf:-}}}/{{{legacypos:-}}}/{{{legacyatm:-}}}/{{{legacyeth:-}}}.

All tools can write to a network with {{{int:}}}/{{{pcapint:}}}, or to standard out with {{{pcapfile:-}}}/{{{pcap:-}}}.

== Investigate what's in a trace ==

{{{
tracedump erf:trace.erf
}}}

== Get some stats about an interface/trace ==

{{{
tracertstats int:eth0
}}}

Replace {{{int:eth0}}} with {{{pcapfile:trace.gz}}} to produce stats on a trace.

== Get more detailed stats on a trace ==

{{{
tracesummary pcapfile:foo.pcap.gz
tracereport pcapfile:foo.pcap.gz
tracertstats pcapfile:foo.pcap.gz
}}}

Note that {{{tracereport}}}/{{{tracesummary}}} wait for their input to complete; since an interface never completes, they will never finish tallying results when run on a live interface.

== Converting traces ==

See ConvertingTracesets

== To merge two directions back into one file ==

{{{
tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz
}}}

== To concatenate traces together ==

{{{
tracemerge erf:out.gz erf:in-1.gz erf:in-2.gz erf:in-3.gz
}}}

== Capture a trace file ==

{{{
traceconvert int:eth0 pcapfile:foo.pcap.gz
}}}

(Substitute {{{pcapint:}}} for {{{int:}}} if you're not on Linux.)

To capture with a filter:

{{{
tracefilter int:eth0 'port 80' pcapfile:foo.pcap.gz
}}}

To capture with file rotation, filtering and anonymisation:

{{{
traceanon -sd -c 'foo' int:eth0 pcapfile:- | tracesplit --filter 'port 80' --interval 300 pcapfile:- pcapfile:foo.pcap.gz
}}}

This isn't smart enough to do snapping, or anything else an advanced capture suite would do. If you need more advanced capturing software, use wdcap.

== To replay a trace ==

Warning: this will replay the trace exactly as it was captured, including IP headers, link level headers, etc.

{{{
traceconvert pcapfile:foo.pcap.gz int:eth0
}}}

== Speed up trace processing on a dual processor machine ==

On a dual processor machine you can do decompression on one CPU and the trace processing on another. Having a buffer in between the two will decouple them and get even more CPU usage out of them. At WAND we use the command line:

{{{
zcat tracefile.erf.gz | bfr | ./tool erf:-
}}}

Doing decompression in a separate thread is likely to be added to some later release of libtrace.

== 1:1 NAT from one IP range to another ==

This will map 10.1.0.0/16 on eth0 to 192.168.0.0/16 on eth1. The first pipeline rewrites source addresses of traffic leaving eth0; the second rewrites destination addresses of the replies arriving on eth1 so they map back to the original range.

{{{
tracefilter int:eth0 'src 10.1.0.0/16' pcapfile:- | traceanon -s -p 192.168.0.0/16 pcapfile:- int:eth1
tracefilter int:eth1 'dst 192.168.0.0/16' pcapfile:- | traceanon -d -p 10.1.0.0/16 pcapfile:- int:eth0
}}}
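The address rewriting performed by the two {{{tracefilter | traceanon -p}}} pipelines above, worked through in plain Python so the 1:1 property is visible. This is an added example and not traceanon's own code; the flow tuples are constructed sample data, and the example goes slightly beyond the page by checking the round trip through both directions.

```python
import ipaddress

def substitute_prefix(addr: str, src_net: str, dst_net: str) -> str:
    """Swap the network bits of addr from src_net to dst_net, keeping the host
    bits unchanged. Addresses outside src_net are returned untouched, which is
    what the tracefilter stage in front of traceanon achieves."""
    src = ipaddress.ip_network(src_net, strict=True)
    dst = ipaddress.ip_network(dst_net, strict=True)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("a 1:1 mapping needs prefixes of equal length")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        return addr
    host_bits = int(ip) & int(dst.hostmask)          # low bits survive unchanged
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))

INSIDE, OUTSIDE = "10.1.0.0/16", "192.168.0.0/16"

# Constructed sample flows as (src, dst). OUTBOUND is what eth0 sees leaving the
# inside range; INBOUND is the replies arriving on eth1 addressed to the mapped range.
OUTBOUND = [("10.1.5.7", "198.51.100.10"),
            ("10.1.200.33", "203.0.113.5"),
            ("172.16.9.9", "203.0.113.5")]      # not in 10.1.0.0/16: filtered out
INBOUND = [("198.51.100.10", "192.168.5.7"),
           ("203.0.113.5", "192.168.200.33")]

def rewrite_outbound(flows, inside=INSIDE, outside=OUTSIDE):
    """Pipeline 1: tracefilter 'src <inside>' | traceanon -s -p <outside>."""
    keep = ipaddress.ip_network(inside)
    return [(substitute_prefix(s, inside, outside), d)
            for s, d in flows if ipaddress.ip_address(s) in keep]

def rewrite_inbound(flows, inside=INSIDE, outside=OUTSIDE):
    """Pipeline 2: tracefilter 'dst <outside>' | traceanon -d -p <inside>."""
    keep = ipaddress.ip_network(outside)
    return [(s, substitute_prefix(d, outside, inside))
            for s, d in flows if ipaddress.ip_address(d) in keep]

def round_trip_ok(flows, inside=INSIDE, outside=OUTSIDE) -> bool:
    """Every inside address mapped out and back again must be unchanged:
    prefix substitution keeps host bits, so the mapping is invertible."""
    keep = ipaddress.ip_network(inside)
    original = [s for s, _ in flows if ipaddress.ip_address(s) in keep]
    mapped = [s for s, _ in rewrite_outbound(flows, inside, outside)]
    restored = [substitute_prefix(s, outside, inside) for s in mapped]
    return restored == original

if __name__ == "__main__":
    print(rewrite_outbound(OUTBOUND))
    print(rewrite_inbound(INBOUND))
    print("round trip ok:", round_trip_ok(OUTBOUND))
```

Because only the prefix changes, the host part of each address is carried through unaltered; this is what makes the reverse mapping work, and also why prefix substitution alone should not be mistaken for strong anonymisation of a trace.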