Supported Input Formats

Libtrace supports reading from the following trace capture and storage formats:

Live Capture

  • Endace DAG cards
  • pcap interfaces
  • Native Linux PF_PACKET interfaces
  • Native BSD BPF interfaces
  • Receiving packets over a network via the RT protocol

Trace Formats

  • pcap traces
  • ERF (Extensible Record Format) traces
  • Legacy DAG formats, such as those used in various Auckland tracesets
  • TSH and FR+ traces

Supported Output Formats

In addition, libtrace can write traces in the following formats:

  • pcap traces
  • ERF (Extensible Record Format) traces
  • pcap interfaces
  • Native Linux PF_PACKET interfaces

Format URIs

Libtrace input and output sources are specified using URIs which describe both the format and location of the trace, interface or device in question. Below is a definitive list of URIs for all the trace formats supported by libtrace.

Live pcap interface
pcapint:<interface>
pcap trace file
pcapfile:<filename>
Live DAG capture
dag:<DAG device location e.g. /dev/dag0>
ERF trace file
erf:<filename>
Native Linux interface
int:<interface>
Native BSD BPF interface
bpf:<interface>
RT protocol
rt:<host>:<port>
Legacy ATM
legacyatm:<filename>
Legacy Ethernet
legacyeth:<filename>
Legacy Packet over Sonet
legacypos:<filename>
Legacy NZIX
legacynzix:<filename>
ATM Cell Header
atmhdr:<filename>
TSH
tsh:<filename>
FR+
fr+:<filename>

URI's that include a filename usually accept '-' to represent stdin, e.g. erf:- will read ERF records from stdin.

Per format notes

DAG capture card (dag:)

  • Requires the Dag API from endace.

ERF Trace file (erf:)

  • Supports a maximum of 4 interfaces, by convention 0 for outgoing, 1 for incoming, 2 for other, and 3 is unused.
  • There is at least one traceset which is known to have an ERF type of "0", just to be annoying, libtrace attempts to account for this.
  • Does NOT require the dag API to read erf (and compressed erf) traces.

Native Linux interface (int:)

  • Currently supports a fast way of retrieving the timestamp of the packet from kernel space using ancillary data.
  • Supports uploading bpf filters into the kernel since 3.0.5+
  • Supports only incoming and outgoing direction, attempts to set other directions will fail. (3.0.3+)

Internal PCAP tracefile output (pcapfile:)

  • Currently always writes out data compressed, even if compression level 0 is used. This confuses tcpdump which doesn't support compressed traces. You can use "zcat foo.pcap.gz | tcpdump -r-" to read these traces.

RT protocol

  • libtrace does not (yet?) support RT output.
  • The protocol specification? is available so people can write their own servers.

BSD BPF Interface

  • Currently supports capture, but not writing.