
Converting Traces

salcock edited this page Sep 10, 2014 · 1 revision

libtrace comes with a program (traceconvert) that lets you convert from any trace type that libtrace understands, to any trace type libtrace can output.

Example usage:

      traceconvert legacyatm:auck4-20010220-210122-0.gz pcapfile:auck4-20010220-210122-0.pcap.gz

Note: Traceconvert outputs compressed files (which tcpdump can't natively understand). Use `tcpdump -r <(zcat auck4-20010220-210122-0.pcap.gz)` to read these files.

Note 2: Instead of converting to pcap you can use libtrace directly to access these files and enjoy the benefits of file format, link and network layer independence, a high level API, and transparent fast decompression/compression.

Note 3: Some tracesets have one file per direction, ending in -0 for one direction, and -1 for the reverse. These can be merged and converted at the same time with tracemerge.

      tracemerge -z 1 pcapfile:auck4-20010220-210122-combined.gz legacyatm:auck4-20010220-210122-0.gz legacyatm:auck4-20010220-210122-1.gz

Conversions for common tracesets:

Abilene I (also known as IPLS I)

These are in legacy Packet over Sonet format:

      traceconvert legacypos:IPLS-KSCY-20020814-090000-0.gz pcapfile:IPLS-KSCY-20020814-090000-0.pcap.gz

Auckland I

Libtrace does not currently support the DAG2 trace format. We have a program, dag2toerf, that will translate these files (losslessly) to ERF, which can be read by libtrace.

      traceconvert legacyatm:auck2-20000125-143640-0.gz pcapfile:auck2-20000125-143640-0.pcap.gz
      traceconvert legacyatm:auck4-20010220-210122-0.gz pcapfile:auck4-20010220-210122-0.pcap.gz

Auckland V

This traceset has been withdrawn in favor of Auckland VII.

An ATM cell header trace collected at the University of Auckland OC3c ATM link. This trace does not include any IP payload. libtrace currently cannot parse this traceset. Similar to Auckland VII.

There are two types of traces, some are ATM and some are Ethernet. For the traces ending in -0 or -1 use:

      traceconvert legacyatm:auck6-20010510-162311-0.gz pcapfile:auck6.pcap.gz

For the traces ending in -e0 or -e1 use:

      traceconvert legacyeth:auck6-20010510-162311-e0.gz pcapfile:auck6.pcap.gz

These traces are an ERF timestamp followed by the first 4 bytes of the ATM header, which we refer to as the ATM header format. Converting to PCAP is not very useful for these traces and probably won't work well, but you're welcome to try.

      traceconvert atmhdr:auck7-20010724-100000-0.hdr.gz pcapfile:auck7-20010724-100000-0.hdr.pcap.gz

These traces are in standard ERF format.

      traceconvert erf:auck8-20031215-220000.gz pcapfile:auck8-20031215-220000.pcap.gz

These traces are in ERF format, but incorrectly have the "type" field set to unknown. Support for these traces was added in libtrace 3.0.1.

      traceconvert erf:leip1-20021121-200000-0.gz pcapfile:leip1.pcap.gz

These traces are in legacy Packet over Sonet format:

      traceconvert legacypos:leip2-20030221-121359-0.gz pcapfile:leip2-20030221-121359-0.pcap.gz

These traces are in legacy Ethernet format.

      traceconvert legacyeth:nzixII-20000710-000000.gz pcapfile:nzixII-20000710-000000.pcap.gz

These traces are in ERF format:

      traceconvert erf:sdsc1-20040130-132000-0.gz pcapfile:sdsc1-20040130-132000-0.pcap.gz

Note: These traces appear to be snapped poorly, or have some kind of RX error. Large parts of some packets appear to be obliterated with \x00's.
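
One way to check a converted trace for the damage described in the note above, as an added example that is not part of the original wiki page or of libtrace: it walks a classic pcap file and reports packets that contain a long run of \x00 bytes. The function names, the 32-byte threshold and the sample packets are assumptions constructed for illustration.

```python
import gzip
import io
import struct

# Classic microsecond-resolution pcap magic, in either byte order.
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def longest_zero_run(data):
    """Length of the longest run of consecutive 0x00 bytes in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0 else 0
        best = max(best, cur)
    return best

def zeroed_packets(stream, min_run=32):
    """Yield (index, captured_len, zero_run) for packets with >= min_run zero bytes in a row."""
    head = stream.read(24)                      # pcap global header
    if len(head) < 24 or head[:4] not in PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    endian = PCAP_MAGIC[head[:4]]
    index = 0
    while True:
        rec = stream.read(16)                   # per-packet record header
        if not rec:
            return
        if len(rec) < 16:
            raise ValueError("truncated record header at packet %d" % index)
        _sec, _usec, caplen, _wirelen = struct.unpack(endian + "IIII", rec)
        data = stream.read(caplen)
        if len(data) < caplen:
            raise ValueError("truncated packet %d" % index)
        run = longest_zero_run(data)
        if run >= min_run:
            yield index, caplen, run
        index += 1

def scan_bytes(raw, min_run=32):
    return list(zeroed_packets(io.BytesIO(raw), min_run))

def scan_file(path, min_run=32):
    """Scan a gzip-compressed pcap such as the ones traceconvert writes."""
    with gzip.open(path, "rb") as fh:
        return list(zeroed_packets(fh, min_run))

def sample_pcap():
    """Constructed sample: one intact packet, one with its last 40 bytes zeroed."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for pkt in (bytes(range(1, 61)), bytes(range(1, 21)) + b"\x00" * 40):
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out
```

Legitimate packets can also carry zero padding, so the threshold is a heuristic and flagged packets still need a manual look.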

These traces are in standard ERF format.

      traceconvert erf:waikato1-20050525-000000-0.gz pcapfile:waikato1-20050525-000000-0.pcap.gz