Version 2 (modified by perry, 14 years ago)


The various tools can do some neat things that you might not realise. Here's a list of cool things they can do.

Create a trace file

 traceconvert int:eth0 pcapfile:foo.pcap.gz

(Substitute pcapint: for int: if you're not on Linux.)

To capture with a filter:

 tracefilter int:eth0 'port 80' pcapfile:foo.pcap.gz

This isn't smart enough to do snapping, anonymisation, file rotation or anything else an advanced capture suite would do. If you need more advanced capturing software, use wdcap. (It also doesn't flush things to disk as often as it should.)

To replay a trace

Warning: this will replay the trace exactly as it was captured, including IP headers, link-level headers, etc.

 traceconvert pcapfile:foo.pcap.gz int:eth0
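Because replay re-injects the captured frames unchanged, a small guard around traceconvert is worth having. The following is an added example, not part of the libtrace wiki or the libtrace tools; it assumes traceconvert is on PATH and takes the trace as a file-backed URI (pcapfile:, pcap: or erf:), picking int: or pcapint: for the interface by platform as the capture section describes.

```shell
#!/bin/sh
# Added example, not from the libtrace wiki: a guarded wrapper around
# "traceconvert <trace-uri> int:<iface>" for replaying a capture onto a
# network. Replay re-emits every frame exactly as captured (link-layer and
# IP headers included), so the wrapper checks the arguments and demands an
# explicit confirmation token before running traceconvert.
# Assumptions: traceconvert is on PATH; the trace is a file-backed libtrace
# URI such as pcapfile:foo.pcap.gz or erf:trace.erf (pcapfile:- reads stdin).

# Live interface URI per platform, as the page says: int: on Linux,
# pcapint: elsewhere. $1 = interface, $2 = kernel name (default: uname -s).
live_uri() {
    os=${2:-$(uname -s)}
    if [ "$os" = Linux ]; then
        printf 'int:%s' "$1"
    else
        printf 'pcapint:%s' "$1"
    fi
}

# Location part of a libtrace URI: the text after the first colon.
uri_path() {
    printf '%s' "${1#*:}"
}

# replay_trace <trace-uri> <iface> <confirm-token>
# Returns 2 for bad arguments, 3 if the trace file is unreadable,
# 4 if the token is not REPLAY; otherwise traceconvert's exit status.
replay_trace() {
    trace=$1; iface=$2; confirm=$3
    case $trace in
        pcapfile:*|pcap:*|erf:*) ;;
        *) echo "replay_trace: expected a file-backed trace URI, got '$trace'" >&2
           return 2 ;;
    esac
    if [ -z "$iface" ]; then
        echo "replay_trace: no interface given" >&2
        return 2
    fi
    path=$(uri_path "$trace")
    if [ "$path" != - ] && [ ! -r "$path" ]; then
        echo "replay_trace: cannot read '$path'" >&2
        return 3
    fi
    if [ "$confirm" != REPLAY ]; then
        echo "replay_trace: refusing to inject $trace onto $iface; pass REPLAY to confirm" >&2
        return 4
    fi
    traceconvert "$trace" "$(live_uri "$iface")"
}
```

Call it as `replay_trace pcapfile:foo.pcap.gz eth0 REPLAY`; anything other than a readable file-backed trace plus the REPLAY token is rejected before traceconvert runs.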

Investigate what's in a trace

 tracedump erf:trace.erf

To merge two directions back into one file

 tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz

To concatenate traces together

 tracemerge -s erf:out.gz erf:in-*.gz

Things all tools can do

All tools can read off a network with int:/bpf:/pcapint:/dag:, or from stdin with pcapfile:-/pcap:-/erf:-/legacypos:-/legacyatm:-/legacyeth:-.

All tools can write to a network with int:/pcapint:, or to standard out with pcapfile:-/pcap:-.