WAND Network Research Group, University of Waikato

libtrace

libtrace is a library for trace processing. It supports multiple input methods, including live device capture, raw and gz-compressed trace files, and sockets; and multiple input formats, including pcap and DAG.

The latest version is 3.0.4
The latest version can always be retrieved from here
We also maintain a detailed ChangeLog

We have a libtrace-announce mailing list for announcements of new versions of libtrace, and a libtrace-users mailing list for discussions about libtrace.

Usage

The libtrace wiki is the definitive source of information regarding how to use libtrace, including descriptions of the tools that come bundled with libtrace and instructions on how to perform a variety of common tasks. Doxygen-generated API documentation is also available online.

Libtrace 3 is not backwards compatible with libtrace 2. See our Porting to libtrace 3 guide.

Features

  • Understands the PCAP, ERF and DAG formats, the legacy POS, ATM and Ethernet formats, and (preliminary) WAG
  • Read from tracefile, gz-compressed tracefile
  • Native DAG read support
  • BPF filter support on all input formats
  • Format conversion into ERF and PCAP formats
  • Write to tracefile for all formats
  • Write to an interface via PCAP, or natively under Linux
  • libpacketdump, a packet dumping library useful for diagnosis
  • Various tools for trace manipulation

New Features in 3.0

  • Zero-copy support, giving much faster performance
  • pcapfile: support for native reading of pcap traces without using libpcap (avoids 2GB file limits, can read compressed traces)
  • Linux native int: capture and write support.
  • pcapint: capture and write support.
  • Refined support for writing output traces, especially pcap traces.
  • New trace configuration system allowing setting of snaplen, filters, promiscuous mode etc.
  • Deals better with large compressed traces.
  • IPv6 protocol decode support, and IPv4/IPv6 neutral functions.
  • Direction tagging for PCAP traces by promotion to the LINUX_SLL linktype
  • Regularised the naming of identifiers. (trace_verb_subject for functions, libtrace_noun_t for types)
  • Windows support
  • New system to deal with trace errors
  • More protocol decodes for libpacketdump.
  • New system for libpacketdump protocol definitions
  • New remote network capture protocol (rt:) to replace the older rtclient: protocol (rtclient: is still supported for backwards compatibility).
  • Deals better with FCSs (frame check sequences)
  • Major code cleanups/rewrites
  • Tidy ups of the tools
  • Remove obsolete/broken/useless examples
  • Improved documentation
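To make concrete what several of the items above involve (native reading of pcap traces without libpcap, transparent handling of gz-compressed traces, IPv4/IPv6-neutral lookups, and direction tagging via the LINUX_SLL link type), here is a small native pcap reader. This is an added example written for this page, not libtrace code (libtrace itself is C and its pcapfile: reader is considerably more complete); the byte layouts it relies on are the standard pcap global and record headers, the Ethernet header and the 16-byte Linux "cooked capture" (SLL) header. The traces it reads are constructed in memory and are not real captures; the timestamps, MAC addresses and 65535 snaplen in them are arbitrary.

```python
"""Native pcap reader: an added example, not libtrace code.  Detects magic/
endianness/timestamp resolution, reads gzip'd traces on the fly, bounds-checks
each record, survives a truncated tail, and reads ethertype and direction from
Ethernet and LINUX_SLL headers.  Sample traces are constructed at the end."""
import gzip
import io
import struct
from dataclasses import dataclass

# magic as read little-endian -> (struct byte order, timestamp ticks per second)
MAGICS = {0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),
          0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9)}
LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113
ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
SLL_OUTGOING = 4  # sll_pkttype of frames sent by the capturing host

class TruncatedTrace(Exception):
    """Trace ends mid-record, e.g. the capture process was killed."""

@dataclass
class Packet:
    ts: float       # seconds since the epoch, resolution taken from the magic
    linktype: int
    data: bytes

    def direction(self):  # "in"/"out" from the SLL tag; None if the link has none
        if self.linktype == LINKTYPE_LINUX_SLL and len(self.data) >= 2:
            return "out" if struct.unpack(">H", self.data[:2])[0] == SLL_OUTGOING else "in"
        return None

    def ethertype(self):  # link-neutral: callers need not know the link layer
        if self.linktype == LINKTYPE_ETHERNET and len(self.data) >= 14:
            return struct.unpack(">H", self.data[12:14])[0]
        if self.linktype == LINKTYPE_LINUX_SLL and len(self.data) >= 16:
            return struct.unpack(">H", self.data[14:16])[0]
        return None

def read_packets(raw: bytes):
    """Stream Packet objects from a pcap (optionally gzip'd) byte string."""
    f = gzip.GzipFile(fileobj=io.BytesIO(raw)) if raw[:2] == b"\x1f\x8b" else io.BytesIO(raw)
    hdr = f.read(24)
    if len(hdr) < 24:
        raise ValueError("short pcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    order, tps = MAGICS[magic]
    snaplen, linktype = struct.unpack(order + "II", hdr[16:24])
    while True:
        rh = f.read(16)
        if not rh:
            return  # clean end of trace
        if len(rh) < 16:
            raise TruncatedTrace("record header cut short")
        sec, frac, caplen, _wirelen = struct.unpack(order + "IIII", rh)
        if caplen > snaplen:  # never trust caplen blindly: a corrupt value would over-read
            raise ValueError("caplen %d exceeds snaplen %d" % (caplen, snaplen))
        data = f.read(caplen)
        if len(data) < caplen:
            raise TruncatedTrace("packet data cut short")
        yield Packet(sec + frac / tps, linktype, data)

def summarize(raw: bytes):
    """Count packets by IP family and SLL direction; flag a truncated tail."""
    s = {"packets": 0, "ipv4": 0, "ipv6": 0, "in": 0, "out": 0, "truncated": False}
    try:
        for p in read_packets(raw):
            s["packets"] += 1
            et = p.ethertype()
            if et == ETH_IPV4:
                s["ipv4"] += 1
            elif et == ETH_IPV6:
                s["ipv6"] += 1
            if p.direction():
                s[p.direction()] += 1
    except TruncatedTrace:
        s["truncated"] = True  # keep what was read; the caller decides if it matters
    return s

# --- constructed sample traces, not real captures ---
def eth_frame(ethertype):
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack(">H", ethertype) + b"\x00" * 20

def sll_frame(pkttype, ethertype):  # 16-byte Linux cooked header, network order
    return struct.pack(">HHH8sH", pkttype, 1, 6, b"\x04" * 8, ethertype) + b"\x00" * 20

def build_trace(linktype, frames, order="<", nanos=False, gz=False, chop=0):
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, linktype)
    for i, fr in enumerate(frames):
        out += struct.pack(order + "IIII", 1700000000 + i, 500, len(fr), len(fr)) + fr
    out = out[:-chop] if chop else out  # chop simulates a capture that was killed
    return gzip.compress(out) if gz else out

ETH_GZ_TRACE = build_trace(LINKTYPE_ETHERNET, [eth_frame(ETH_IPV4), eth_frame(ETH_IPV6),
                                               eth_frame(ETH_IPV4)], gz=True)
SLL_TRUNC_TRACE = build_trace(LINKTYPE_LINUX_SLL, [sll_frame(SLL_OUTGOING, ETH_IPV4),
                                                   sll_frame(0, ETH_IPV6), sll_frame(0, ETH_IPV4)],
                              order=">", nanos=True, chop=5)
```

Calling summarize(ETH_GZ_TRACE) reports three packets (two IPv4, one IPv6) read straight from the gzip stream; summarize(SLL_TRUNC_TRACE) reports the two complete packets with their SLL directions (one outgoing, one incoming) and sets truncated, since the constructed trace was cut five bytes short of its last record. Two points carry over to any trace reader: the record loop never reads more than snaplen bytes per packet however large caplen claims to be, and a trace that ends mid-record is reported rather than silently treated as complete. The example takes the whole trace as a byte string only to stay self-contained; the loop itself reads a record at a time, which is what lets a native reader handle traces well past the 2GB mark.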

Installation instructions

Download the tarball, unpack, and run

./configure ; make ; make install

libtrace will install into /usr/local by default (the make install step will normally need root). Bearing that in mind, you will probably need to update your library search path to point at /usr/local/lib, if it doesn't already:

echo /usr/local/lib >> /etc/ld.so.conf
ldconfig

On distributions that read /etc/ld.so.conf.d/, add a file there rather than appending to /etc/ld.so.conf, then run ldconfig as above.

There are some configure-time options you can use, aside from the usual configure options for prefix and so on:

libpacketdump: this is a library to enable rapid debugging of network packets. It dumps the contents of a libtrace_packet_t to stdout, parsing any layers (such as Ethernet or TCP) that it knows about. It is built in a modular fashion, so adding support for new protocols is trivial. We have a tcpdump-like replacement called tracedump that uses libpacketdump.

Some of the tools have external dependencies such as libgdchart; if these libraries are not present on your system, the parts of the tool that depend on them will not be built.

DAG support: If you have a DAG card, and wish to compile libtrace with support for native reads from DAG cards, use the --with-dag option:

  --with-dag=DIR        include DAG support (located in directory DIR, if supplied)

Note: Older distributions may have trouble reading pcap files larger than 2GB through the pcap: parser, which relies on libpcap. Use the internal pcapfile: parser instead.

Tools

In the tools directory are some simple libtrace tools for trace manipulation and statistics.

Feedback

We are very interested in hearing feedback on libtrace. If you have any requests or comments, or wish to report a bug, please email contact@wand.net.nz

Feel free to lodge bugs in our bug tracker