Libtrace
Libtrace Command Line
A suite of tools from the Libtrace software package can be used to process packets at a higher level.
tracepktdump
tracepktdump is a tool that can be used to dump packets from a packet trace or capture interface to your terminal in a human-readable format.
To use tracepktdump with the pcap traces in the Swift object store:
user@vm001:~$ tracepktdump pcapfile:swift://<container name>/<object name>
- file format must be included so that tracepktdump knows how to open it, otherwise it will return a
trace_create: Unknown format (swift)error. - list of accepted libtrace file formats
Example
user@vm001:~$ tracepktdump pcapfile:swift://telescope-ucsdnt-pcap-live/datasource=ucsd-nt/year=2020/month=10/day=31/hour=22/ucsd-nt.1604181600.pcap.gz | head
Sat Oct 31 22:00:00 2020
Capture: Packet Length: 60/64 Direction Value: -1
Ethernet: Dest: 3c:fd:fe:19:d8:00 Source: 00:de:fb:ba:06:c7 Ethertype: 0x0800
IP: Header Len 20 Ver 4 DSCP 00 ECN 0 Total Length 40
IP: Id 54321 Fragoff 0
IP: TTL 241 Proto 6 (tcp) Checksum 46313
IP: Source 45.153.203.175 Destination 44.28.27.80
TCP: Source 43922 Dest 82
TCP: Seq 2846108233
To print only a limited number of packets, use the -c command line option:
user@vm001:~$ tracepktdump -c <number of packets> <file type>:swift://<container name>/<object name>
Example
Print the first packet in the file
user@vm001:~$ tracepktdump -c 1 pcapfile:swift://telescope-ucsdnt-pcap-live/datasource=ucsd-nt/year=2020/month=09/day=27/hour=09/ucsd-nt.1601197200.pcap.gz
Sun Sep 27 09:00:00 2020
Capture: Packet Length: 60/64 Direction Value: -1
Ethernet: Dest: 3c:fd:fe:19:d8:00 Source: 00:de:fb:ba:06:c7 Ethertype: 0x0800
IP: Header Len 20 Ver 4 DSCP 00 ECN 0 Total Length 40
IP: Id 65439 Fragoff 0
IP: TTL 242 Proto 6 (tcp) Checksum 37144
IP: Source 45.129.33.49 Destination 44.111.188.246
TCP: Source 40961 Dest 3428
TCP: Seq 1117343245
TCP: Ack 0
TCP: DOFF 5 Flags: SYN Window 1024
TCP: Checksum 13759 Urgent 0
unknown protocol tcp/3428
Unknown Protocol: 3428
00 00 e9 75 10 0a ...u..
- Note:
tracepktdumpwill show time as the time zone of the machine you are processing the file on, but the timestamps in the file are always in UTC.
To filter packets using a BPF filter use the -f option:
user@vm001:~$ tracepktdump --filter=<"filter expression"> <file type>:swift://<container name>/<object name>
- Filter expression must match bpf expression syntax.
Example
user@vm001:~$ tracepktdump --filter="dst port 80" -c 1 pcapfile:swift://telescope-ucsdnt-pcap-live/datasource=ucsd-nt/year=2020/month=09/day=27/hour=09/ucsd-nt.1601197200.pcap.gz
Sun Sep 27 09:00:00 2020
Capture: Packet Length: 60/64 Direction Value: -1
Ethernet: Dest: 3c:fd:fe:19:d8:00 Source: 00:de:fb:ba:06:c7 Ethertype: 0x0800
IP: Header Len 20 Ver 4 DSCP 00 ECN 0 Total Length 40
IP: Id 19072 Fragoff 0
IP: TTL 112 Proto 6 (tcp) Checksum 34088
IP: Source 182.117.108.64 Destination 44.30.44.84
TCP: Source 3639 Dest 80 (http)
TCP: Seq 740174932
TCP: Ack 0
TCP: DOFF 5 Flags: SYN Window 19718
TCP: Checksum 32955 Urgent 0
unknown protocol tcp/80
Unknown Protocol: 80
00 00 92 6a dc 88 ...j..
- Returns the first occurrence (
-c 1) in which the TCP destination port is 80 (--filter="dst port 80")
Other commands are prefixed with trace. Type trace into the command line to list them.
Potentially useful tools include:
tracertstats: trace real-time statistics- designed to run against a live stream of traffic and periodically output how many packets and bytes were observed in a particular time interval.
The Libtrace Wiki has more information about other Libtrace tools.
Writing Software Using Libtrace
Instead of writing a Corsaro plugin, Libtrace can be used to write packet processing software. A good starting point for learning how to write programs using Libtrace can be found at the following links:
