Version 14 (modified by spa1, 15 years ago)
The various libtrace tools can do some neat things that you might not realise. Here is a list of useful things they can do.
For more specific details on what each tool can do, see the individual tool pages.
Things all tools can do
All tools can read from a live interface with int:/bpf:/pcapint:/dag: URIs, or from stdin with pcapfile:-/pcap:-/erf:-/legacypos:-/legacyatm:-/legacyeth:-.
All tools can write to a live interface with int:/pcapint:, or to standard out with pcapfile:-/pcap:-. This is what makes the pipelines below possible: any tool's output can be piped into any other tool's input.
Investigate what is in a trace
tracedump erf:trace.erf
Get some stats about an interface/trace
tracertstats int:eth0
Substitute pcapfile:trace.gz for int:eth0 to produce stats on a trace file instead.
Get more detailed stats on a trace
tracesummary pcapfile:foo.pcap.gz
tracereport pcapfile:foo.pcap.gz
tracertstats pcapfile:foo.pcap.gz
Note that tracereport and tracesummary wait for their input to complete before reporting; since a live interface never completes, they will never finish tallying results if pointed at one. tracertstats reports at regular intervals, so it is the one to use on a live interface.
Converting traces
To merge two directions back into one file
tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz
To concatenate traces together
tracemerge erf:out.gz erf:in-1.gz erf:in-2.gz erf:in-3.gz
Capture a trace file
traceconvert int:eth0 pcapfile:foo.pcap.gz
(Substitute pcapint: for int: if you're not on Linux.)
To capture with a filter:
tracefilter int:eth0 'port 80' pcapfile:foo.pcap.gz
To capture with file rotation, filtering and anonymisation:
traceanon -sd -c 'foo' int:eth0 pcapfile:- | tracesplit --filter 'port 80' --interval 300 pcapfile:- pcapfile:foo.pcap.gz
Here -sd anonymises both source and destination addresses and -c 'foo' sets the CryptoPAn key; use a proper key rather than 'foo', and remember that a key given on the command line is visible to other local users via ps. tracesplit then applies the filter and starts a new output file every 300 seconds.
This isn't smart enough to do snapping, or anything else an advanced capture suite would do. If you need more advanced capturing software use wdcap.
To replay a trace
Warning: this replays the trace exactly as it was captured, including IP headers, link level headers and so on, so the original addresses and payloads are injected onto the live network. Only do this on an isolated test segment, or anonymise the trace first.
traceconvert pcapfile:foo.pcap.gz int:eth0
Speed up trace processing on a dual processor machine
On a dual processor machine you can do decompression on one CPU and the trace processing on another. Putting a buffer between the two decouples them and gets even more CPU usage out of them. At WAND we use the command line:
zcat tracefile.erf.gz | bfr | ./tool erf:-
Doing decompression in a separate thread is likely to be added to some later release of libtrace.
1:1 NAT from one IP range to another
This maps 10.1.0.0/16 on eth0 to 192.168.0.0/16 on eth1. The first pipeline rewrites the source address (-s) of packets leaving eth0; the second rewrites the destination address (-d) of replies arriving on eth1. Because -p only substitutes the prefix bits and leaves the host bits alone, the mapping stays 1:1 only while both prefixes have the same length.
tracefilter int:eth0 'src 10.1.0.0/16' pcapfile:- | traceanon -s -p 192.168.0.0/16 pcapfile:- int:eth1
tracefilter int:eth1 'dst 192.168.0.0/16' pcapfile:- | traceanon -d -p 10.1.0.0/16 pcapfile:- int:eth0