Skip to content

Tool Tricks

Jump to bottom
salcock edited this page Dec 19, 2014 · 1 revision

The various tools can do some neat things that you might not realise. Here is a list of cool things they can do.

For more specific details on what each tool can do, consult the wikipages for the individual tools.

Things all tools can do

All tools can read off a network with the following formats:

      int:
      bpf:
      pcapint:
      dag:
      ring:

The tools can also read from stdin using the following URIs:

      pcapfile:-
      pcap:-
      erf:-
      legacypos:-
      legacyatm:-
      legacyeth:-

All tools can write to a network with int:, ring: or pcapint:, or to standard out with pcapfile:-, pcap:- or erf:-

Investigate what is in a trace

     tracepktdump erf:trace.erf

NOTE: You probably want to pipe the output through a tool like less for any non-trivial trace.

Get some stats about a interface/trace

      tracertstats int:eth0

Substitute int:eth0 for pcapfile:trace.gz to produce stats on a trace.

Get more detailed stats on a trace

      tracesummary pcapfile:foo.pcap.gz
      tracereport pcapfile:foo.pcap.gz
      tracertstats pcapfile:foo.pcap.gz

Note that tracereport/tracesummary waits for its input to complete, since an interface never completes it won't ever finish tallying results.

Converting traces

See Converting Traces.

To merge two directions back into one file

      tracemerge -i pcapfile:foo-combined.gz pcapfile:foo-in.pcap.gz pcapfile:foo-out.gz

To concatenate traces together

      tracemerge erf:out.gz erf:in-1.gz erf:in-2.gz erf:in-3.gz

Capture a trace file

     traceconvert int:eth0 pcapfile:foo.pcap.gz

Substitute pcapint: for int: if you are not using Linux.

To capture with a filter:

     tracefilter int:eth0 'port 80' pcapfile:foo.pcap.gz

To capture with file rotation, filtering and anonymisation:

     traceanon -sd -c 'foo' int:eth0 pcapfile:- | tracesplit --filter 'port 80' --interval 300 pcapfile:- pcapfile:foo.pcap.gz

This isn't smart enough to do snapping, or anything an advanced capture suite would do. If you need more advanced capturing software use wdcap.

To replay a trace

Warning, this will replay the trace exactly as it was captured -- including IP headers, link level headers, etc.

     traceconvert pcapfile:foo.pcap.gz int:eth0

Speed up trace processing on a dual processor machine

On a dual processor machine you can do decompression on one CPU and the trace processing on another. Having a buffer in between the two will decouple them and get even more cpu usage out of them. At WAND we use the command line:

     zcat tracefile.erf.gz | bfr | ./tool erf:-

NOTE: Libtrace now natively supports threaded IO in 3.0.7, so this is no longer necessary!

1:1 NAT from one IP range to another

This will map 10.1.0.0/16 on eth0 to 192.168.0.0/16 on eth1.

     tracefilter int:eth0 'src 10.1.0.0/16' pcapfile:- | traceanon -s -p 192.168.0.0/16 pcapfile:- int:eth1

     tracefilter int:eth1 'dst 192.168.0.0/16' pcapfile:- | traceanon -d -p 10.1.0.0/16 pcapfile:- int:eth0
Clone this wiki locally