Context Navigation

Changes between Version 7 and Version 8 of ToolTricks

Timestamp:: 11/25/06 12:40:14 (6 years ago)
Author:: perry
Comment:: Cleanup article to put more advanced usages later. Explain how you can do advanced capturing using tracesplit.

Legend:

: Unmodified
: Added
: Removed
: Modified

ToolTricks

-                      v7
+                      v8
 The various tools can do some neat things that you might not realise.  Heres a list of cool things they can do.
+== Things all tools can do ==
+All tools can read off a network with {{{int:}}}/{{{bpf:}}}/{{{pcapint:}}}/{{{dag:}}}, or from stdin with {{{pcapfile:-}}}/{{{pcap:-}}}/{{{erf:-}}}/{{{legacypos:-}}}/{{{legacyatm:-}}}/{{{legacyeth:-}}}.
+All tools can write to a network with {{{int:}}}/{{{pcapint:}}}, or to standard out with {{{pcapfile:-}}}/{{{pcap:-}}}
+== Investigate whats in a trace ==
+{{{
+ tracedump erf:trace.erf
+}}}
+== Get some stats about a interface/trace ==
+{{{
+  tracertstats int:eth0
+}}}
+substitute {{{int:eth0}}} for {{{pcapfile:trace.gz}}} to produce stats on a trace.
+== Get more detailed stats on a trace ==
+{{{
+  tracesummary pcapfile:foo.pcap.gz
+  tracereport pcapfile:foo.pcap.gz
+  tracertstats pcapfile:foo.pcap.gz
+}}}
+Note that {{{tracereport}}}/{{{tracesummary}}} waits for its input to complete, since an interface never completes it won't ever finish tallying results.
+== To merge two directions back into one file ==
+{{{
+  tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz
+}}}
+== To concatenate traces together ==
+{{{
+  tracemerge -s erf:out.gz erf:in-*.gz
+}}}
 == Capture a trace file ==
 …
 }}}
+This isn't smart enough to do snapping, anonymisation, file rotation or anything an advanced capture suite would do.  If you need more advanced capturing software use wdcap.  (It also doesn't flush things to disk as often as it should).
+To capture with file rotation, filtering and anonymisation:
+{{{
+ traceanon -sde 'foo' int:eth0 pcapfile:- | tracesplit --filter 'port 80' --interval 300 pcapfile:- pcapfile:foo.pcap.gz
+}}}
+This isn't smart enough to do snapping, or anything an advanced capture suite would do.  If you need more advanced capturing software use wdcap.
 == To replay a trace ==
 …
  traceconvert pcapfile:foo.pcap.gz int:eth0
 }}}
-== Investigate whats in a trace ==
-{{{
- tracedump erf:trace.erf
-}}}
-== To merge two directions back into one file ==
-{{{
-  tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz
-}}}
-== To concatenate traces together ==
-{{{
-  tracemerge -s erf:out.gz erf:in-*.gz
-}}}
-== Things all tools can do ==
-All tools can read off a network with {{{int:}}}/{{{bpf:}}}/{{{pcapint:}}}/{{{dag:}}}, or from stdin with {{{pcapfile:-}}}/{{{pcap:-}}}/{{{erf:-}}}/{{{legacypos:-}}}/{{{legacyatm:-}}}/{{{legacyeth:-}}}.
-All tools can write to a network with {{{int:}}}/{{{pcapint:}}}, or to standard out with {{{pcapfile:-}}}/{{{pcap:-}}}
 == Speed up trace processing on a dual processor machine ==
 …
 }}}
-== Get some stats about a interface/trace ==
-{{{
-  tracertstats int:eth0
-}}}
-substitute {{{int:eth0}}} for {{{pcapfile:trace.gz}}} to produce stats on a trace.
-== Get more detailed stats on a trace ==
-{{{
-  tracesummary pcapfile:foo.pcap.gz
-  tracereport pcapfile:foo.pcap.gz
-  tracertstats pcapfile:foo.pcap.gz
-}}}
-Note that {{{tracereport}}}/{{{tracesummary}}} waits for its input to complete, since an interface never completes it won't ever finish tallying results.