wiki:ToolTricks

Version 7 (modified by perry, 14 years ago)

--

The various tools can do some neat things that you might not realise. Here's a list of cool things they can do.

Capture a trace file

 traceconvert int:eth0 pcapfile:foo.pcap.gz

(Substitute pcapint: for int: if you're not on Linux.)

To capture with a filter:

 tracefilter int:eth0 'port 80' pcapfile:foo.pcap.gz

This isn't smart enough to do snapping, anonymisation, file rotation or anything else an advanced capture suite would do; if you need that, use wdcap. (It also doesn't flush things to disk as often as it should, so expect the tail of the output file to lag behind what has actually been captured.)

To replay a trace

Warning: this replays the trace exactly as it was captured, including IP headers, link-level headers, etc., so the original addresses go back onto the wire. Do this on an isolated test segment, not a production network.

 traceconvert pcapfile:foo.pcap.gz int:eth0

Investigate what's in a trace

 tracedump erf:trace.erf

To merge two directions back into one file

 tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz

To concatenate traces together

 tracemerge -s erf:out.gz erf:in-*.gz

Things all tools can do

All tools can read off a network with int:/bpf:/pcapint:/dag:, or from stdin with pcapfile:-/pcap:-/erf:-/legacypos:-/legacyatm:-/legacyeth:-.

All tools can write to a network with int:/pcapint:, or to standard out with pcapfile:-/pcap:-.

Speed up trace processing on a dual processor machine

On a dual processor machine you can do decompression on one CPU and the trace processing on another. Having a buffer in between the two decouples them and gets even more CPU usage out of them. At WAND we use the command line:

 zcat tracefile.erf.gz | bfr | ./tool erf:-

Doing decompression in a separate thread is likely to be added to some later release of libtrace.
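A small wrapper around that pipeline, added here as an example and not part of libtrace or WAND's own tooling: it picks the decompressor and the stdin URI (erf:- or pcapfile:-, as listed under "Things all tools can do") from the file name, and puts bfr between the two processes when it is installed, falling back to cat otherwise. It assumes the format and compression are encoded in the file name (foo.erf.gz, foo.pcap.bz2); if your names differ, pass the URI by hand instead. It suits tools that take the input URI as their last argument, such as tracedump, tracesummary, tracereport and tracertstats.

```shell
#!/bin/sh
# Added example, not part of the libtrace project: run a libtrace tool on a
# compressed trace with decompression in a separate process, feeding the
# trace to the tool over stdin with the erf:- / pcapfile:- URIs.
# Assumption: the trace format and compression are encoded in the file name
# (foo.erf.gz, foo.pcap.bz2). Names that don't follow that pattern are rejected.

# Print the decompressor for a file name ("cat" if it is not compressed).
trace_decompressor() {
    case "$1" in
        *.gz)  echo zcat ;;
        *.bz2) echo bzcat ;;
        *.xz)  echo xzcat ;;
        *)     echo cat ;;
    esac
}

# Print the file name with any compression suffix removed.
trace_strip_compression() {
    case "$1" in
        *.gz)  echo "${1%.gz}" ;;
        *.bz2) echo "${1%.bz2}" ;;
        *.xz)  echo "${1%.xz}" ;;
        *)     echo "$1" ;;
    esac
}

# Print the libtrace stdin URI for the trace format in the file name.
# Fails (exit 1) for a format this wrapper does not recognise, so a bad
# name is caught before anything is piped into the tool.
trace_stdin_uri() {
    case "$(trace_strip_compression "$1")" in
        *.erf)  echo erf:- ;;
        *.pcap) echo pcapfile:- ;;
        *)      echo "trace_stdin_uri: unknown trace format: $1" >&2; return 1 ;;
    esac
}

# Print the buffering command to put between decompressor and tool:
# bfr when it is installed, otherwise cat (no decoupling, but still works).
trace_buffer() {
    if command -v bfr >/dev/null 2>&1; then echo bfr; else echo cat; fi
}

# run_trace_tool TOOL TRACEFILE [TOOL-OPTIONS...]
# For tools that take the input URI as their last argument
# (tracedump, tracesummary, tracereport, tracertstats).
run_trace_tool() {
    tool=$1
    file=$2
    shift 2
    [ -r "$file" ] || { echo "run_trace_tool: cannot read $file" >&2; return 1; }
    uri=$(trace_stdin_uri "$file") || return 1
    "$(trace_decompressor "$file")" "$file" | "$(trace_buffer)" | "$tool" "$@" "$uri"
}

# Run directly as:  ./run_trace_tool.sh tracesummary tracefile.erf.gz
if [ $# -ge 2 ]; then
    run_trace_tool "$@"
fi
```

Because the tool never sees the file name, only stdin, the same wrapper works for any compression format the decompressor understands, and checking the format before starting the pipeline avoids leaving a decompressor blocked on a pipe whose reader exited immediately.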

1:1 NAT from one IP range to another

This maps 10.1.0.0/16 on eth0 to 192.168.0.0/16 on eth1. The first pipeline rewrites the source address (-s) of packets leaving the 10.1.0.0/16 side; the second rewrites the destination address (-d) of the replies coming back. Run both at the same time, one per direction:

 tracefilter int:eth0 'src 10.1.0.0/16' pcapfile:- | traceanon -s -p 192.168.0.0/16 pcapfile:- int:eth1
 tracefilter int:eth1 'dst 192.168.0.0/16' pcapfile:- | traceanon -d -p 10.1.0.0/16 pcapfile:- int:eth0

Get some stats about an interface/trace

 tracertstats int:eth0

Substitute pcapfile:trace.gz for int:eth0 to produce stats on a trace.

Get more detailed stats on a trace

 tracesummary pcapfile:foo.pcap.gz
 tracereport pcapfile:foo.pcap.gz
 tracertstats pcapfile:foo.pcap.gz

Note that tracereport and tracesummary wait for their input to complete before reporting; since an interface never completes, they will never finish tallying results when reading from int:. Use tracertstats for live interfaces.