Version 18 (modified by salcock, 10 years ago)
The various tools can do some neat things that you might not realise. Here is a list of cool things they can do.
For more specific details on what each tool can do, go here
Things all tools can do
All tools can read live from a network interface using the following URI formats:
int:, bpf:, pcapint:, dag:, ring:
The tools can also read a trace from stdin using the following URIs:
pcapfile:-, pcap:-, erf:-, legacypos:-, legacyatm:-, legacyeth:-
All tools can also write to a network interface with int:, ring: or pcapint:, or to standard output with pcapfile:-, pcap:- or erf:-
Investigate what is in a trace
tracepktdump erf:trace.erf
NOTE: You probably want to pipe the output through a tool like less for any non-trivial trace.
Get some stats about an interface/trace
tracertstats int:eth0
Substitute pcapfile:trace.gz for int:eth0 to produce stats on a trace file instead of a live interface.
Get more detailed stats on a trace
tracesummary pcapfile:foo.pcap.gz
tracereport pcapfile:foo.pcap.gz
tracertstats pcapfile:foo.pcap.gz
Note that tracereport and tracesummary wait for their input to complete before printing anything. A live interface never completes, so run against an interface they will never finish tallying results; use tracertstats, which reports at intervals, for live sources.
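As an added example (not from the libtrace wiki or the libtrace project), a small POSIX sh wrapper that applies the caveat above mechanically: it classifies a URI by its scheme, using the live-capture schemes listed on this page, and refuses to hand a live interface to tracereport/tracesummary, which would otherwise hang forever. The function names and the stderr messages are this example's own.

```shell
#!/bin/sh
# Added example, not part of the libtrace wiki page: guard the batch
# reporting tools against live-capture URIs, which never reach end-of-trace,
# so tracereport/tracesummary would never print their tallies.

# Live-capture URI schemes as listed on this page (all tools can read from these).
LIVE_SCHEMES="int bpf pcapint dag ring"

# is_live_uri URI -> exit 0 if URI names a live interface, 1 otherwise.
# The scheme is everything before the first ':' (e.g. "int" for int:eth0).
is_live_uri() {
    scheme=${1%%:*}
    for s in $LIVE_SCHEMES; do
        [ "$scheme" = "$s" ] && return 0
    done
    return 1
}

# summarise URI -> run the three reporting tools from the page on a trace file.
# Refuses live URIs (exit status 2) because tracesummary and tracereport wait
# for end-of-trace; only tracertstats, which reports at intervals, is usable
# on an interface.
summarise() {
    uri=$1
    if is_live_uri "$uri"; then
        echo "refusing: $uri is a live source; tracereport/tracesummary would never finish" >&2
        echo "use instead: tracertstats $uri" >&2
        return 2
    fi
    tracesummary "$uri" && tracereport "$uri" && tracertstats "$uri"
}

# Only invoke the libtrace tools when a URI is given on the command line,
# e.g.:  sh stats.sh pcapfile:foo.pcap.gz
if [ "$#" -gt 0 ]; then
    summarise "$1"
fi
```

The scheme check is deliberately a whitelist of live sources rather than a whitelist of file formats, so an unknown scheme (or a bare filename) is still passed through to the tools, which will report their own error if they cannot open it.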
Converting traces
To merge two directions back into one file
tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz
To concatenate traces together
tracemerge erf:out.gz erf:in-1.gz erf:in-2.gz erf:in-3.gz
Capture a trace file
traceconvert int:eth0 pcapfile:foo.pcap.gz
Substitute pcapint: for int: if you are not using Linux.
To capture with a filter:
tracefilter int:eth0 'port 80' pcapfile:foo.pcap.gz
To capture with file rotation, filtering and anonymisation:
traceanon -sd -c 'foo' int:eth0 pcapfile:- | tracesplit --filter 'port 80' --interval 300 pcapfile:- pcapfile:foo.pcap.gz
This isn't smart enough to do snapping (truncating each packet to a snap length), or anything else an advanced capture suite would do. If you need more advanced capturing software use wdcap.
To replay a trace
Warning: this will replay the trace exactly as it was captured, including IP headers, link-layer headers, etc., so only replay onto an isolated test network where re-injecting the original addresses and payloads cannot reach production hosts.
traceconvert pcapfile:foo.pcap.gz int:eth0
Speed up trace processing on a dual processor machine
On a dual processor machine you can do decompression on one CPU and the trace processing on another. Having a buffer in between the two decouples them and gets even more CPU usage out of them. At WAND we use the command line:
zcat tracefile.erf.gz | bfr | ./tool erf:-
NOTE: Libtrace now natively supports threaded IO in 3.0.7, so this is no longer necessary!
1:1 NAT from one IP range to another
This will map 10.1.0.0/16 on eth0 to 192.168.0.0/16 on eth1. The two pipelines below each handle one direction and both read from a live interface, so they must run at the same time (for example one per terminal):
tracefilter int:eth0 'src 10.1.0.0/16' pcapfile:- | traceanon -s -p 192.168.0.0/16 pcapfile:- int:eth1
tracefilter int:eth1 'dst 192.168.0.0/16' pcapfile:- | traceanon -d -p 10.1.0.0/16 pcapfile:- int:eth0