Tom Barbette edited this page Oct 3, 2018 · 2 revisions

FromTcpdump Element Documentation

NAME

FromTcpdump — Click element; reads packets from an ASCII tcpdump output file

SYNOPSIS

FromTcpdump(FILENAME [, KEYWORDS])

Ports: no inputs, 1 output
Processing: agnostic
Drivers: userlevel

DESCRIPTION

Reads textual TCP/IP packet descriptors from an ASCII tcpdump output file, then creates packets resembling those descriptors and pushes them out the output. Optionally stops the driver when there are no more packets.

The file may be compressed with gzip(1) or bzip2(1); FromTcpdump will run zcat(1) or bzcat(1) to uncompress it.

FromTcpdump reads from the file named FILENAME unless FILENAME is a single dash '-', in which case it reads from the standard input. It will not uncompress the standard input, however.

FromTcpdump does not parse much of the file: it handles IP fragments badly, for example, and mostly supports TCP plus some rudimentary UDP.

Keyword arguments are:

  • STOP — Boolean. If true, then FromTcpdump will ask the router to stop when it is done reading. Default is false.
  • ACTIVE — Boolean. If false, then FromTcpdump will not emit packets (until the 'active' handler is written). Default is true.
  • ZERO — Boolean. Determines the contents of packet data not set by the dump. If true (the default), this data is zero. If false, it is random garbage.
  • CHECKSUM — Boolean. If true, then output packets' IP, TCP, and UDP checksums are set. If false (the default), the checksum fields contain random garbage.
  • SAMPLE — Unsigned real number between 0 and 1. FromTcpdump will output each packet with probability SAMPLE. Default is 1. FromTcpdump uses fixed-point arithmetic, so the actual sampling probability may differ substantially from the requested sampling probability. Use the sampling_prob handler to find out the actual probability. If MULTIPACKET is true, then the sampling probability applies separately to the multiple packets generated per record.

Only available in user-level processes.
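The configuration below is an added example, not part of the Click documentation for this element; it shows the keyword arguments above in a realistic pipeline that converts an ASCII dump back into a pcap file. The file names trace.txt and trace.pcap are assumed. CHECKSUM and ZERO are set explicitly because the defaults leave the checksum fields (and, with ZERO false, any undescribed packet bytes) as random garbage, which the standard checking elements would reject:

```click
// Added example configuration (not from the FromTcpdump documentation).
// trace.txt and trace.pcap are assumed file names.
//
// STOP true     - stop the driver when the text dump is exhausted.
// ZERO true     - bytes the text dump does not describe are zero, so the
//                 regenerated packets carry no unintended data.
// CHECKSUM true - IP/TCP/UDP checksums are computed; with the default
//                 (false) they are garbage and CheckIPHeader,
//                 CheckTCPHeader and CheckUDPHeader would drop every packet.
// SAMPLE 1      - keep every record; read the sampling_prob handler if you
//                 lower this, since the fixed-point value may differ.
src :: FromTcpdump(trace.txt, STOP true, ZERO true, CHECKSUM true, SAMPLE 1);

// Verify what FromTcpdump produced before writing it out.
cl :: IPClassifier(tcp, udp, -);
src -> CheckIPHeader(VERBOSE true) -> cl;

// Sink: ToDump takes its encapsulation from the 'encap' handler of src,
// which returns IP, so the pcap gets the right link-layer type.
out :: ToDump(trace.pcap, USE_ENCAP_FROM src);

cl[0] -> CheckTCPHeader -> out;
cl[1] -> CheckUDPHeader -> out;
cl[2] -> Discard;   // fragments and other protocols are not parsed reliably
```

Run it with the user-level driver (for example `click example.click`); because STOP is true the driver exits once the text file has been read. The `filepos` and `filesize` handlers of `src` can be read through a ControlSocket to watch progress on a large dump.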

NOTES

FromTcpdump is a notifier signal, active when the element is active and the dump contains more packets.

tcpdump's binary output is generally much better than the output of FromTcpdump. Unfortunately, some people just throw it away.

ELEMENT HANDLERS

  • sampling_prob (read-only) — Returns the sampling probability (see the SAMPLE keyword argument).
  • active (read/write) — Value is a Boolean.
  • encap (read-only) — Returns 'IP'. Useful for ToDump's USE_ENCAP_FROM option.
  • filesize (read-only) — Returns the length of the FromTcpdump file, in bytes, or "-" if that length cannot be determined.
  • filepos (read-only) — Returns FromTcpdump's position in the file, in bytes.
  • stop (write-only) — When written, sets 'active' to false and stops the driver.

SEE ALSO

tcpdump, FromDump, FromIPSummaryDump

Generated by click-elem2man from ../elements/analysis/fromtcpdump.hh:14 on 2018/10/03.
