ChangeLog
Shane Alcock edited this page Jun 19, 2024 · 56 revisions
- `pcapfile`: preserve nanosecond timestamp resolution from original input file when writing pcap files.
- `ndag`: fix very minor memory leak.
- `ndag`: fix bug that prevented the most recently received packets from being readable if the multicast source does not send any further packets.
- `ndagtcp`: fix miscalculation of ERF header length that would prevent packets from being able to be decoded correctly.
- `traceucast`: do not exit if the client disconnects, instead try to reconnect and resume unicasting.
- `traceucast`: fix memory errors when attempting to send a captured packet that is larger than 10K bytes.
- `ndagtcp`: fix issue that would cause input to silently stop reading if it received a packet larger than 10K bytes.
- `ndagtcp`: fix lock-up that occurred when trying to halt a program that was reading from an ndagtcp input.
- `ndagtcp`: fix erroneous "Malformed beacon" message when an ndagtcp input reconnects to traceucast.
- `traceucast`: fix getaddrinfo memory leak.
- `traceucast`: fix endless reconnection loop bug.
- `traceucast`: fix race condition that would prevent Ctrl-C from halting traceucast properly.
- Added new tool: traceucast, a TCP unicast variant of tracemcast.
- Added new input format: `ndagtcp:`, for receiving packets sent by traceucast.
- libpacketdump: fix premature free when decoding IPMM IRIs received via an etsilive input.
- tracemcast: fix bug where the sequence number was not being incremented for each sent datagram.
- object cache data structure: fix potential segfault after resizing the cache.
- pcapfile: fix issue where packets owned by "dead" pcapfile trace would have an invalid pcap version.
- Fix segmentation fault when closing an `ndag` input that had set a hasher function and was configured to use multiple processing threads.
- Disable setting a hasher function on `ndag` inputs, as this is not generally a good idea anyway (`ndag` inputs are already hashed by the ndag sender).
- Fix problem where trace_write_packet() would throw an error on `ring` outputs because a write could not be completed without blocking and there was no mechanism for trying the write again later.
- Added new supported file format: `etsifile` -- to read and write binary files containing ASN.1 encoded ETSI LI intercept records.
- Fixed issue where idle per-packet threads would use 100% CPU constantly.
- Fixed numerous build issues on Mac OS X caused by changes in the BPF headers.
- Fixed bug where packets returned by trace_event() for certain live formats would not work with subsequent API calls.
- Fixed problems with compiling XDP support on more recent buildchains.
- Fixed compilation issues for XDP module when using more recent versions of libbpf and libxdp
- Replace outdated macros in configure script
- libpacketdump can now decode ETSI LI email CCs and IRIs
- Fixed compilation issues when building against DPDK 21.11
- Incorporate various build system patches from Gentoo
- Fix ./configure syntax error on Mac OS
- Fixed issue that was preventing packets received via `etsilive:` from being converted to the pcap format.
- Renamed internal method `pfring_get_link_type()` that was preventing compilation against recent pfring releases.
- Fixed numerous thread mutex bugs that had been reported by Ryan Cai.
- traceanon: Framed-IP-Netmask, Acct-Session-Id and Acct-Authentic RADIUS AVPs are no longer encrypted by default.
- traceanon: NAS-Port-ID and Chargeable-User-Identity AVPs are encrypted using printable characters only.
- Added support for PF_RING zero-copy -- this is now the official libtrace `pfring:` format, and the original non-zero-copy version is now available via `pfringold:`.
- PF_RING formats now default to promiscuous capture mode, which is consistent with other live formats.
- Fixed incorrect statistics counters for PF_RING formats.
- Fixed various libpacketdump crashes or infinite loops when presented with bogus packet content.
- Fixed bug where `pfringold:` was not setting the `order` field for packets.
- Fixed bug where writing packets to a virtual interface via `ring:` would cause libtrace to hang.
- Fixed bug where DPDK port stats could not be reset if using Napatech DPDK.
- Fixed race condition in the `etsilive:` format.
- Fixed various memory errors and leaks in the `etsilive:` format.
- Fixed race condition in `tracertstats` when processing a user interrupt.
- Improved capture speed for `pfringold:`.
- `ring:` format now supports `trace_flush_output()` method.
- Added support for PF_RING (via `pfring`).
- Allow input configuration options to be specified as part of the libtrace URI. Options are specified as comma-separated `key=value` strings and end with a `:` character, e.g. `coremap=[1,2]:int:eth0`.
- New API function `trace_hold_packet()`, which allows users to safely retain a reference to a packet that has been received via a format for later use.
- Added coremap option, `trace_set_coremap()`, to bind per-packet threads to physical CPU cores
- Fixed bug where XDP packet buffers were not released back to the fill queue properly.
- Fixed thread-safety issues with freeing XDP packets.
- Fixed bug where libtrace would unload XDP programs that were not loaded by libtrace.
- Fixed crash when sending packets via DPDK.
- Fixed crash when closing a pcap input that is NULL due to an error on initialisation.
- Fixed read of freed memory when an error occurs in `trace_create_output()`.
- Fixed bogus bitshifting when expanding a toeplitz hash key.
- Fixed DAG transmit functionality to actually work.
- Fixed multiple issues with `trace_get_outermost_vlan()` and `trace_get_outermost_mpls()`.
- Fixed various bugs when promoting or demoting pcap packets from one linktype to another.
- tracertstats should now correctly process trace files as fast as possible (but can be configured to run in "trace-time" instead).
- Fixed inconsistencies when running tracertstats against the same trace file multiple times.
- Fix concurrency bug which would cause an error result when calling `trace_apply_filter()` in a parallel program.
- Fix possible packet buffer leak when reading a packet via `pcap:`.
- Fixed packet header structures with incorrect field definitions (`libtrace_8021q_t`, `libtrace_atm_cell_t`, `libtrace_atm_nni_cell_t`, `libtrace_atm_capture_cell_t`, `libtrace_atm_nni_capture_cell_t`). If you use these in your code you may need to update your code to use the new field names.
- XDP now uses the unidirectional hasher by default and moves hashing to the network card
- XDP: warn users if flow director rules are found on the interface during initialisation.
- XDP: push hashing onto the NIC where possible.
- Improve receive performance for Linux native formats by ensuring internal structures are properly cache aligned.
- A single libtrace program should now be able to run against multiple concurrent DPDK inputs (requires sensible use of the `coremap` option).
- DPDK support now extended to Mellanox DPDK libraries.
- Improved DPDK detection, including detection of DPDK meson builds for DPDK version 20.11 and newer
- Fixed bug where reading a pcapng trace file would result in an endless stream of "NULL meta pointer" error messages.
- Fixed bug where libpacketdump would truncate packets that had been captured using the Linux SLL format, such as the `any` interface.
- Added read and write support for interfaces using AF_XDP (`xdp:`). You can use the built-in eBPF program or provide your own.
- Added basic API for parsing RADIUS messages: `trace_get_radius()`, `trace_get_radius_avp()` and `trace_get_radius_username()`.
- `tracediff` can now write the differing packets to libtrace outputs (one output per input trace), instead of just using libpacketdump to print them on the terminal.
- Fixed bug in `traceends` that was causing invalid byte counts to be reported.
- Fixed DPDK build issues on Fedora, Centos and FreeBSD systems.
- Fixed bug where multi-threaded programs that receive no packets on one or more threads for a long period of time would silently exit.
- `tracediff` can now use a window to "look ahead" for possible packet matches, rather than directly comparing packets in the same position in their respective input traces.
- Added option to `tracereplay` to control the transmit batch size for replayed packets.
- Added support for DPDK vdevs as a libtrace input and output format.
- Fix segfault in libpacketdump when the next header is incorrectly inferred to be a meta-data header.
- Fix misleading display of Netacq-Edge polygon IDs in libpacketdump.
- DPDK: separate snap length calculation from buffer size calculation.
- DPDK: resolve issues with feature detection in cases where the device fails to initialise; also only enable features if they are supported by the underlying device.
- DPDK: fix linking problems when using a system version of DPDK.
- Fix bugs that occur when a dedicated hasher thread is used with a parallel input format.
- Fix bug where tracesplit would attempt to gather statistics from a destroyed trace object.
- DPDK: Fix issue where the initial packets were not being transmitted when using dpdk as an output format.
- DPDK: Make sure shared memory and huge pages are properly removed once libtrace stops.
- `tracereplay` can now replay raw IP traces onto Ethernet links (by substituting in a fake Ethernet header).
- Updated DPDK support to work with DPDK 19.11 and 20.02.
- DPDK: improve error messaging so that libtrace errors are distinct from internal DPDK error messages.
- Added new tool for multicasting captured packets from a single capture source to multiple clients: `tracemcast`.
- Updated libtrace and libpacketdump to be able to parse tagged packets produced by the `corsarotagger` software.
- Fix packet truncation bug when a packet has a larger capture length than wire length due to the addition of post-capture meta-data.
- Minor performance improvement when calling `trace_get_wire_length()` on a packet multiple times.
- Fix bug where trace_apply_filter() would not work correctly with a parallel trace input.
- Fix bug where non-parallel ETSI programs would fail to halt nicely.
- Fix libpacketdump being unable to decode Ethernet within MPLS properly.
- Fix libtrace (trace_get_layer3()) being unable to decode Ethernet within MPLS properly.
- tracereplay now strips VLAN and MPLS headers before trying to replay a packet from a trace file.
- Fix bug where the simple circular buffer would leak shared memory files.
- Fix segfault when using trace_apply_filter() on a packet which came from an input trace that is now "closed".
- Fix bug where libtrace could try to flush a NULL pcap file handle.
- Added new API function (`trace_get_errstr()`) which will map a given libtrace error number to a printable error message.
- Fixed `SIOCGSTAMP undeclared` error when building against newer Linux kernels.
- Fixed corruption bug when running multiple concurrent `etsilive:` input processes.
- Bumped TTL of nDAG multicast group joining messages to 4, so they can be routed outside of the immediate subnet (i.e. through the host when libtrace is run within a container).
- Fixed `traceanon` build error on systems that did not have libcrypto installed.
- Fixed DPDK detection in `configure` when the DPDK package was installed on either Debian buster or Ubuntu disco.
- Updated DPDK code to compile against more recent DPDK releases, such as 18.11.
- Fixed segmentation fault when failing to open a DAG device.
- Fixed issue where a `pcapng` packet that does not match any of our known data types ends up having an uninitialised data type.
- Fix some compilation errors when using DPDK on FreeBSD (may still be linking problems if you have built DPDK using the ports tree, though).
- Fix infinite decoding loop if libpacketdump sees an SCTP option with a length of zero.
- `traceanon` is now capable of anonymising RADIUS traffic within packet traces. The anonymisation will obfuscate the data within AVPs that can be considered 'sensitive', including user names, IP addresses and password hashes. Counter fields such as byte and packet counters are by default untouched, but traceanon can be configured to anonymise those as well if required.
- `traceanon` can now be configured using a YAML configuration file, instead of CLI arguments. This change is due to the increased number of configuration options introduced by the RADIUS anonymisation feature. Instructions on how to write a configuration file can be found on the `traceanon` manpage, as well as on this wiki page.
- Fixed bug where ndag multicast sockets would bind to all addresses on an interface, rather than just the address of the multicast group.
- Fixed segfault that can occur when pausing a trace input that has not been able to create its per packet processing threads for some reason.
Credit for all of the new features in this release goes to Jacob Van Walraven.
- Added new API functions for exploring meta-data that is either attached to a specific packet or included in a trace as separate records (e.g. ERF provenance or pcap-ng meta-data). Many meta-data fields have a specific accessor function that can be called directly (e.g. `trace_get_interface_fcslen()`). You can also use `trace_get_section()` to get an array containing all meta-data items within a particular section, which will allow you to get access to any fields for which we have not implemented direct access functions.
- Added new API functions for instantly decoding all of the post-layer 2, pre-layer 3 headers in a packet, so you can now easily explore any / all VLAN, MPLS, etc. headers in a packet without having to effectively re-implement `trace_get_layer3()` in your own code. See `trace_get_layer2_headers()` for more details.
- Added support for both reading and writing TZSP sniffing streams.
- Fixed uninitialised bytes in message structure sent via `trace_post_reporter` -- thanks to Mark Weiman for fixing this.
- Fixed build errors caused by attempting to `#include pcap-int.h`.
- Fixed bug where a corrupt ERF record could cause a libtrace program to become un-haltable.
- Fixed bug in error tracking when creating a fanout socket for the `ring` and `int` formats.
- Fixed potential segfault when halting a libtrace program that was reading from a `ring:` input.
- Fixed uninitialised mutex when copying a packet.
- Improved parallel performance by skipping some needless per-packet sanity checks.
- Added write support for `pcapng:` format.
- Fixed incorrect counting of input sources when using `etsilive:` for reading packets.
- Fixed bug where `trace_event()` API was ignoring all received packets.
- Fixed bug where `tracereplay` would segfault.
- Fixed packet corruption bug in `tracesplit` when using the "jump to IP header" mode (#60).
- Fixed bug where we could end up trying to close a NULL pcap output.
- Fixed build problems when building with dpdk enabled (#86).
- Fixed bug that was causing `recvmmsg` detection to fail at configure time.
- Fixed bug where ETSI live sockets created later on are uninitialised.
- Fixed memory leak when using BPF filters with `ring:` inputs (#87).
- Fixed a variety of potential crashes and buffer overflows revealed by Perry's fuzzing experiments (#90, #91, #92, #93, #94, #95, #97)
- Replaced numerous internal assertion checks with error return values instead, i.e. instead of a libtrace function assert failing and crashing your program, it will now return an error (or set the error status on the trace) and allow the user to deal with the error however they want.
- Similarly, tidied up some of the error messaging to be clearer about what has gone wrong and added a variety of new error types.
- Improved `ring:` read performance when used with the parallel API by reading multiple packets per function call.
- Added option to report numbers of dropped and missing packets (cumulative) in `tracertstats`.
- Ported `traceends` and `tracetopends` to use the parallel API.
- Improvements to `ndag` packet reading performance.
- Fixed bug where clients would obtain an exclusive lock on an nDAG multicast group.
- Fixed bogus payload length calculations on outgoing packets when the IP length field is filled in by the NIC prior to sending.
- Fixed bug where any non-negative return value other than zero from a pstart callback would be treated as an error.
- Fixed bug where packets that have been invalidated by a call to `trace_ppause()` are still treated as valid.
- Fixed bug where parallel `ring:` inputs would assert fail when the input is halted.
- Reduced likelihood of dropping packets on an `ndag:` input during initialisation phase.
- Fixed build error for DPDK format due to missing header file.
- Fix race condition that can occur when two threads attempt to call `trace_create()` or `trace_create_dead()` at the same time.
- Improved `etsilive:` decoding performance.
- Avoid invalidating packets received via `ring:` following a pause until the trace is restarted.
- Added caching for packet framing length.
NOTE: libwandio 4.0.0 is required to build this version of libtrace. Older versions of libwandio will not work.
- Added `trace_increment_packet_refcount()` and `trace_decrement_packet_refcount()` functions to the parallel API. These functions can be used to track references to a libtrace packet across multiple threads, so that a shared packet can be released once all threads have finished with it. Packets where the reference count is decremented to zero are automatically released.
- Add new built-in data structure: simple circular buffer.
- Added new format for receiving and decoding packets encapsulated in the ETSI Lawful Intercept streaming format (requires libwandder).
- Added support for decoding ETSI Lawful Intercept records to libpacketdump (requires libwandder).
- Add `trace_flush_output()` API function to force a libtrace output to dump any buffered output to disk. Flushed files may still not be properly readable afterwards, but this will help give the appearance that the output file is growing in situations where the output rate is slow.
- Fixed bug in `ndag:` which was causing the stream to be treated as inactive when there are buffered records available.
- Fixed build errors caused by `pthread_attr_setaffinity_np()` being a glibc-only extension -- thanks to Tim Dawson for contributing this patch.
- Fixed bug where uninitialised internal message queues were being destroyed -- thanks to EaseTheWorld for reporting this.
- Fixed lack of error being returned when a user tries to change the number of perpkt threads on a paused trace.
- Fixed problems in tracereplay caused by trying to replay packets with no contents (e.g. meta-data records).
- Fix bug where packets received via a `ring:` interface were being released twice.
- Fix rounding error in `trace_event_trace()` which would cause sleep intervals to be rounded down to zero.
- Fix rounding error in `pcapng_get_timespec()` which would cause all packet timestamps to be truncated to the previous second.
- Fix deadlock when calling `trace_pstop()` on a trace that has already been stopped.
- Fix bug where two concurrent `ring:` inputs would be assigned to the same fanout group, causing the second input to fail to start.
- Fixed errors in manpages for tracesplit, traceanon and tracemerge (regarding the correct names for the various compression methods) -- thanks to Hendrik Leppelsack for reporting this problem.
- Fixed some uninitialised memory errors when valgrinding a parallel libtrace program.
- Fixed potential buffer overruns in pcapng reading code.
- Fixed bug that was preventing `trace_pstop()` from working as intended on `pcapint:`.
- Fixed potential build errors relating to the absence (or not) of `strndup()`, `strncasecmp()` and `snprintf()`.
- Updated DPDK support to be able to compile against DPDK 18.02.1
- tracereplay is now able to reduce inter-packet gaps in the replayed stream by a user-specified speedup factor, so the trace can be replayed faster but with the same relative gaps between packets.
- Added new API function: `trace_get_perpkt_thread_id()`, which allows callers to get the ID number of the packet processing thread that they are currently in.
- Message Queue data structure API is now publicly exported.
- Toeplitz Hash API is now publicly exported.
- Added dpdkndag: capture format, which allows a libtrace program to capture and parse nDAG records that are intercepted on a DPDK-capable interface.
- Moved `trace_prepare_packet()` into the external API.
- Fixed bug where captures from GRE tunnel interfaces would fail due to unknown ARPHRD type.
- Fixed problems when reading ERF provenance records from a DAG or ERF source -- thanks to Anthony Coddington at Endace for resolving this issue.
- Fixed bug where nDAG packets could be corrupted if all of the receive buffers are full.
- Fixed assertion failure when libwandio fails but does not set errno to a useful value -- thanks to Robert Zeh for patching this bug.
- Fixed minor memory leak when a user does not provide a hash function when calling `trace_set_hasher()`.
- Fixed missing `pthread_spinlock.h` error that occurred whenever a user tried to include message_queue.h or ring_buffer.h.
- Fixed bug where some key data structures were not initialised when doing DPDK output.
- Fixed bug where DPDK memory buffers were too small to hold a full packet, causing payload to be truncated.
- Fixed uninitialised write index in format_ndag, which could cause some nDAG captures to appear corrupt.
- Updated `dag:` format to use the 64 bit API -- this means that we can support capture on DAG streams that have large amounts of memory attached.
- Improved nDAG performance by avoiding unnecessary calls to recvmmsg when there is no data available on the socket.
- Improved nDAG performance by caching the byteswapped versions of some frequently accessed fields.
- `tracertstats` will now handle SIGINT and SIGTERM signals cleanly.
- Added ability to read pcapng trace files (and convert them into other formats).
- Added input format for receiving and processing packets emitted by an nDAG multicaster.
- Fixed bug that would cause the IPv6 fragment offset to be calculated incorrectly.
- Fixed return value bug with pcap_write_packet().
- Fixed bad assertion failure when halting parallel programs with SIGINT.
- Fixed compilation issues caused by mismatched BPF presence macros when pcap-bpf.h is missing.
- Fixed libpacketdump bug where it was reading past the end of captured IPv6 headers.
- Fixed several issues in the libpacketdump parser for SCTP.
- Fixed assertion failure in traceanon if the cryptopan key is too short.
- Fixed compilation error with traceanon if libssl version >= 1.1.0.
- Fix bug where the wrong parallel read function would be used in some specific configurations.
- DPDK shared libraries are now correctly detected by the configure script.
- DPDK support has been extended to cover the most recent stable release.
- Added ability to parse SIT (IPv6 within IPv4) packets inside SLL.
- Added `trace_clear_statistics()` API function.
- Added support for IPv6 in PPP.
- Added native support for bidirectional and balanced hashing to DPDK inputs.
- Fixed bug where ring: and int: parallel inputs would not respond to `trace_pstop()` on older kernels.
- Fixed bug where `trace_interrupt()` would not trigger on busy inputs (including files).
- Fixed bug where DPDK inputs would cause the event API to hang.
- Fixed bug where ring: and int: parallel formats could end up repeatedly polling.
- Fixed performance issue with tracertstats when used on live formats.
- Fixed bug where libtrace's default hasher was always sending packets to the same thread.
- Fixed race conditions when using parallel API to read from a file format.
- Fixed bug where the ordered combiner would appear to send packets to the reporter thread out of order, due to the packet ordering being based on a non-monotonic clock.
- Fixed bug where `trace_get_payload_from_gre()` would not correctly parse PPTP GRE.
- Received packet counters are now valid for pcap inputs.
- Improved performance by removing mutex from packet reading code.
- Don't install extra header files directly into /usr/local/include; these are now installed into a libtrace-specific directory. This should resolve some namespace collision issues with some of our poorly-named header files.
- New licensing -- Libtrace now uses the LGPL v3 rather than GPL v2, so it is now possible for people to link against libtrace without having to make their own code available under the GPL.
- All new parallel API, written by Richard Sanger, that makes it easy to split packet processing tasks over multiple threads. If a capture format has support for native parallelism, e.g. DPDK, DAG streams, parallel libtrace will take advantage of these. The parallel API is contained and documented in "libtrace_parallel.h" -- include this header file to access the parallel API.
- The previous single-threaded API is still supported, so all of your old libtrace programs should compile and run against libtrace 4 without modification.
- Libwandio is no longer built in to libtrace and is now its own separate library. You can download libwandio from http://research.wand.net.nz/software/libwandio.php . Thanks to Alistair King for helping remove libwandio from libtrace.
- New API function: `trace_strip_packet()`, which attempts to remove any VLAN, MPLS or other layer 2.5 headers from a captured packet.
- Converted traceanon, tracertstats and tracestats tools to use the new parallel API.
- Fixed bug where libpacketdump would print ICMP checksums in the wrong place.
- Fixed inability to correctly parse ERF records that contained extension headers.
- Fixed problem where traceanon wouldn't handle keyboard interrupts nicely.
- Fixed memory leak if we fail to guess the format for an input trace (Thanks to Vincenzo Caruso for reporting this bug).
- Fixed double free when destroying a DAG input.
Bugs squashed since the beta release:
- Fixed bug that prevented multiple ring: or int: parallel inputs from being used on a single host concurrently.
- Fixed memory leak when using a heavily filtered RT input.
- Fixed bug where the ordered combiner would emit packets out of order.
- Fixed bug where thread message queues were not being destroyed when the parent trace was destroyed.
- Fixed race condition when modifying BPF headers on FreeBSD 9 systems.
- Use default DPDK device driver thresholds instead of our previously hard-coded values.
- Fixed potential infinite loop when parsing extended RadioTap headers.
- Fixed bad decoding of RadioTap headers with extended presence.
- Fixed bug where pausing a pcap: trace file would cause any resumption to return to the start of the file rather than resuming from where it left off.
- Fixed segfault when destroying a packet associated with a trace that has reached EOF.
- Fixed memory management in trace_construct_packet (Thanks to Perry Lorier for submitting code to do this).
- Fixed bug where pcap file descriptors were being leaked (Thanks to Tomas Konir for reporting this bug).
- Fixed bug where trace_create_packet() would segfault if the system runs out of memory.
- Added BPF filtering option to traceanon.
- Use libcrypto for traceanon IP address encryption rather than our own rijndael implementation. This adds a dependency on libcrypto, but should result in faster encryption operations.
- Added a --jump option to tracesplit which can be used to strip any headers preceding the Nth layer 3 header; useful for decapsulating tunnelled IP traffic (Thanks to Perry Lorier for adding this feature).
- Added protocol decoding functions for GRE and VXLAN encapsulation protocols (trace_get_payload_from_gre, trace_get_vxlan_from_udp and trace_get_payload_from_vxlan) (Thanks to Perry Lorier for developing these functions).
- DPDK format now supports DPDK 1.7.1 and 1.8.0.
- Libtrace should now correctly build against the DAG 5 libraries (Thanks to Dan Collins for reporting this bug).
- Fixed performance issue with ring: due to unnecessary polling.
- Updated DUCK format to support the new DUCK structure included in DAG 5.
- Correctly flush the DAG stream buffer when opening the DAG device. This fixes a problem where the DAG dropped packet count would include packets that arrived since libtrace last accessed the DAG card.
- Fixed leak of memory allocated for storing a DAG device name (Thanks to Dan Collins for reporting this bug).
- Fixed bug where DPDK PCI addresses were using decimal instead of hexadecimal.
- Ensure memory for DPDK is allocated from the same NUMA node as the main thread, otherwise problems can occur with memory allocation.
- Fixed broken LIBTRACE_SVN_REVISION macro.
- Fixed tracesummary bug caused by not using proper POSIX shell expansion.
- Fixed whitelisting of DPDK ports cards with DPDK 1.7, which allows more than one port to load the driver.
- Libwandio will now report an error if it is reading from a truncated gzip-compressed file (thanks to Alistair King for reporting this issue).
- Fixed repetitive error reporting in the tracestats tool.
Thanks to Mike Schiffman, Alistair King and Apostolis Glenis for reporting bugs and providing useful feedback / patches.
- trace_interrupt() now works properly for int:, ring:, bpf:, and dag: formats.
- Fixed bad wire lengths for packets captured using int: with a pre-configured snap length.
- Disallow setting invalid directions on pcap packets.
- Fixed parallel build problems with the wandiocat tool.
- Fixed confusing error reporting when using a bogus BPF filter with int:.
- Fixed infinite loop bug when using the event API with a BPF filter on a pcapint: input.
- Fixed crash when performing very large reads in libwandio.
- Fixed double-counting of accepted packets when using the event API.
- Corrected bad math for determining the number of filtered packets for bpf:.
- Experimental DPDK code now supports more recent versions of DPDK.
Thanks to Nevil Brownlee and Alistair King for their invaluable bug reports.
- Added new API function: trace_get_fragment_offset, which returns the fragment offset for a packet in bytes.
- Added support to libwandio for reading and writing files compressed using LZMA (a.k.a. the 'xz' format). Thanks to Perry Lorier for contributing most of the code for this.
- Added new tool to libwandio: wandiocat. This tool is essentially 'cat' using libwandio, so can natively decompress and compress files using any supported compression method.
- Fixed broken snaplen option for ring: input.
- Fixed trace_get_source_port and trace_get_destination_port returning bogus port numbers when given a fragmented packet.
- Fixed timestamp byte ordering on big endian architectures.
- Removed assert failure if a bad compression level or method is provided when configuring an output trace.
- Fixed broken compiler feature checking in configure script.
- Fixed potential segfaults in OSPF libpacketdump parser if the packet is truncated midway through the OSPF header. This unfortunately required the 'len' field in the libtrace_ospf_t structure to be renamed to 'ospf_len' -- if you are using libtrace to process OSPF packets, please make sure you update your code accordingly.
- Added support for reading the pcap nanosecond file format (thanks to Martin Bligh for providing the original patch) (r1852).
- Fix linking issue on FreeBSD 10, due to creating the distribution tarball with an old version of libtool.
- Fixed incorrect decoding of RadioTap and 802.11 headers by libpacketdump on big-endian architectures (r1850, r1851).
- Fixed bug in set_capture_length for ring: format, which was modifying the wire length rather than the capture length (r1849).
- Fixed bugs relating to inconsistent BYTE_ORDER macros across different OS's (r1841).
- Fix bad GCC version check in configure script (r1856).
- Fixed a number of potential (albeit unlikely) buffer overrun bugs in tracereport and tracesplit (r1863, r1865).
- Fixed bad smoothing parameter in the rate-dir example (r1862).
- Explicitly defined the -1 values used for linktype and direction when libtrace cannot determine the value, e.g. TRACE_DIR_UNKNOWN for unknown direction (r1859)
Thanks to Perry Lorier for providing patches to fix the bugs found by the Mayhem team.
- Added new format URI for reading trace files: rawerf. This is a special format that will always treat the provided file as an uncompressed ERF trace, without attempting any auto-detection of compression. If you are working exclusively with uncompressed ERF traces, it is recommended that you explicitly use this format to avoid the possibility of being hit by the bug reported in #351 (r1830).
- Added an extra byte to the gzip auto-detection check, which should decrease the likelihood of a false positive when an uncompressed packet header just happens to match the gzip signature (r1828).
- Fixed crashes in traceanon if certain arguments are specified incorrectly -- as reported by the Mayhem team from Carnegie Mellon University (r1832,r1833).
- Fixed crashes in tracertstats if bad input URIs are provided -- as reported by the Mayhem team from Carnegie Mellon University (r1834,r1835).
- Added ability to globally disable compression auto-detection via the LIBTRACEIO environment variable (r1831).
- Added functions trace_get_source_address_string and trace_get_destination_address_string that will extract the IP address from a packet and convert it into a string. (r1797)
- Added functions trace_checksum_layer3 and trace_checksum_transport which will calculate the checksum for a given packet. They will also return a pointer to the checksum field in the header so it can be updated, compared, etc. (r1799)
- Added function trace_get_icmp6 and trace_get_payload_from_icmp6, which should make working with ICMPv6 easier. (r1794)
- Added support for OpenBSD Loopback captures - thanks to Kaio Rafael for submitting a patch to do this. (r1820)
- Fixed bug where trace_event was broken for int: inputs. (r1793)
- Fixed error in tracesplit where the input trace structure would not be completely destroyed if a stopping condition was reached. (r1796)
- Fixed error where some of the threading data structures in libwandio were not freed properly. (r1795)
- trace_get_payload_length now correctly handles ICMPv6 packets -- thanks to John Dickinson for reporting this bug and submitting a patch. (r1792)
- Fixed bug where tracereplay was not calculating new TCP or UDP checksums for modified packets correctly. (r1800)
- Fixed bug where legacy NZIX timestamps would be incorrect if the TZ environment variable is not set on the system (r1825)
- Fixed bug where traceanon was not correctly anonymising IP headers embedded in ICMP messages (r1826)
- Fixed oversight where ICMP checksums were not being anonymised in traceanon (r1826)
- Added examples to examples/tutorial that demonstrate trace_get_transport and trace_get_payload_from_ip. (r1798)
- Better error reporting if libtrace fails to open an output file. (r1789)
- Better error reporting if int: or ring: outputs fail to transmit a packet. (r1790)
- Thanks to the new checksumming code, tracereplay should now update checksums for IPv6 packets. (r1800)
- Libprotoident decoder with ICMP now prints the value of the ICMP checksum. (r1801)
- Stopped libpacketdump from installing so many useless files and symlinks - thanks to Robert Edmonds for patching this. (r1818)
- Added a new trace format (ring:) - ring: is a replacement for int: that uses PACKET_MMAP ring buffers to greatly improve performance when capturing from a live interface. (r1771, r1774)
- Packets captured using int:, ring: and bpf: and exported over RT can now be decoded by any system, regardless of what OS it is running. Previously, only Linux systems would be able to decode int: or ring: packets sent over RT, for example. (r1780, r1782)
- Fixed conversion errors when converting packets captured using pcapint:any to other formats -- Thanks to Simon Wadsworth for reporting this bug (r1768)
- Fixed bug where a Linux Native output had been using internal format data for a Linux Native input (r1770)
- Fixed double free bug that occurred when using trace_event to read a trace file (r1773)
- Fixed bug where advanced pcap functions weren't being correctly detected on FreeBSD (and possibly other systems) (r1788)
- Added support to rt: for receiving packets captured using the bpf: format (r1775, r1778)
- Fixed bug in tracereplay where it would try to update the transport checksum for packets without a complete transport header (Thanks to Alistair King for reporting this bug) (r1766)
- Fixed configure bug that was preventing transmit using a pcap interface from working correctly (Thanks to Alistair King for reporting this bug) (r1767)
- Fixed wrap-around bug in trace_get_payload_length() which resulted in ridiculous payload lengths (r1758)
- Fixed build error where iow-lzo.c would require (and not be able to find) libtrace.h (r1760)
- Fixed build error where libpacketdump could not find wandio.h (r1761)
- Fixed bug where TRACE_RT_LAST would overflow the 32-bit integer being used to store the RT packet type (r1763, #322)
- Fixed bug where Linux Native input would give errors when being used to monitor a loopback interface (Thanks to Asad Arfeen for reporting this bug) (r1764)
- libtrace_sll_header_t data structure is now exported via libtrace.h, so it can be used in user code (r1759)
- Better detection and reporting of cases where the user is trying to read a compressed format that their libtrace build doesn't support (r1762)
- Fixed flex detection failure on some systems (r1743)
- Fixed bug where cached values for "remaining" were being returned after the capture length had been changed (r1746)
- Fixed bug where BPF filters were not being applied to RT inputs that were using the event API (r1747)
- Fixed typo in the BPF JIT code (r1750)
- Added support for --with-FOO configure options for zlib, bzip2, lzo and ncurses (r1748)
- Replaced assert failure when a pcapfile input is corrupted with a more graceful BAD_PACKET error (r1751)
- Added new error types (BAD_FILTER and RT_FAILURE) so we can avoid using BAD_PACKET in cases where that isn't really the problem (r1752)
- wandio functions are now exported through a separate shared library and can be used to do general file I/O (r1756, r1757)
- Libtrace API functions for decoding OSPFv2 packets, including LSA and Router Link decoders (r1735, r1736)
- Libpacketdump decoders for OSPFv2 packets (r1737)
- New API function: trace_interrupt. Calling this function will cause a live capture that is blocking due to waiting on packets to immediately stop. This is useful when running your own signal handler (r1729).
- Fixed bug where occasionally a trace file written using zlib would not be flushed correctly, resulting in a truncated trace (r1742)
- Fixed annoying warnings that were caused by multiple definitions of ERF types when building with DAG support (r1725)
- Fixed bug where pcap interface format would reject a BPF filter when filter was actually legit (r1729)
- Fixed tools that would not respond to Ctrl-C if stuck waiting for packets on a live interface (r1730)
- Fixed bug where trace_get_link_type was not using the cached link type value (r1731)
- Fixed bug in libpacketdump where we were attempting to incorrectly decode IPv6 fragments (r1733)
- Fixed bug introduced in 3.0.12 where the FCS was being incorrectly deducted from the "remaining" value when calling trace_get_payload_from_ip (r1734)
- Capture length for pcap packets is now cached when the packet is first read, rather than when trace_get_capture_length is first called (r1726)
- Added a LIBTRACEIO option ("buffers") which can be used to configure the number of IO buffers used for threaded reading. Also bumped default buffer space from 5 MB to 50 MB (r1727).
- Updated pcap interfaces to use pcap_create and pcap_activate APIs in libpcap 1.0 (r1728)
- Optimisations to trace_apply_filter (r1729)
- Optimisations to tracestats (r1730)
- Wire length is now cached for each packet (r1731)
- Trace files created by programs running via sudo now belong to the user who was running sudo rather than root (r1732)
- Added new tools: tracetopends and traceends (r1717)
- Fixed bug in trace_get_payload_from_ip6 that would return the wrong payload if extension headers were present (r1712, #314)
- Fixed bug with payload length calculation if the packet has additional padding (r1716)
- Fixed build issue when building DAG format modules on Fedora Core systems (r1715)
- Fixed bug where trace_get_layer2 would return a meta-data header instead of NULL when no layer 2 payload was present (r1714, #263)
- Added more caching to further improve performance in some cases (r1716)
- Reworked trace_get_layer2 to be faster (r1716)
- Added libpacketdump decoders for some IPv6 extension headers (hop by hop, routing and destination options) (r1713)
- ECN bits in the TCP header are now directly accessible in the same fashion as other TCP flags. NOTE: this will break existing code that accessed the reserved bits that we have replaced with ECN flags, especially anything that attempted to access ECN prior to this release! (r1707)
- Fixed bug where libtrace would fail at guessing the trace format for small trace files (r1708)
- Fixed bug where using a BPF filter on a live DAG interface via the event API would result in bad packet lengths (r1706)
- Fixed bug where BPF filters would cause an RT input source to fail (r1702)
- Fixed bug where trace_event would not update the time to sleep properly if called before the timer has expired (r1700)
- Fixed bug where constructed packets did not have their cached values initialised correctly (r1698)
- Tracepktdump now reports any errors that occur while reading packets (r1703)
- Tidied up linking process so that components only link against libraries that they actually use - should make Debian packaging easier (r1701)
- Tracetop now reports traffic based on wire length rather than capture length (r1699)
- Fixed problems with processing Linux SLL Ethernet captures (r1691, r1695)
- Libpacketdump also now processes Linux SLL headers correctly (r1692, r1696)
- Fixed build problem where libtrace would fail to detect whether it needed to link against libdl (r1693)
- Tidied up errors in tracetop and tracediff manpages (r1694)
- Significantly improved performance of libtrace event API (r1691)
- Transport headers and payload length are now cached for each packet, saving time on subsequent lookups (r1691)
- Fixed bug in the threaded I/O that was affecting users on 32-bit machines - should bring an end to the random segmentation faults when reading trace files from disk (r1685, #292)
- Corrected problem with missing manpages for tracereplay and tracetop tools (r1682, r1688, #293)
- Fixed bug where the accepted packet counter would be incorrect (r1684)
- Fixed bug where an invalid free could occur in trace_create() (r1687, #228)
- tracesplit can now accept multiple input URIs which are read in turn (r1680)
- Added a new API function called trace_get_payload_length() that returns the length of the original payload content (i.e. the size of the post-transport header payload prior to any snapping) (r1661)
- Fixed bug where converting from int: to pcapfile: would result in losing four bytes of payload (r1673) - Thanks to Nevil Brownlee for reporting this bug.
- Fixed segfault that occurred when trying to read from int: inputs without permission (r1653, #279)
- Fixed segfault in tracertstats when an invalid output format is specified (r1660)
- Fixed errors in payload length calculations for v6 in v4 and truncated or corrupted TCP headers (r1662, r1663)
- Fixed bug where libtrace would attempt to write NONDATA packets, which could not be converted into an appropriate packet type for most trace formats (r1664)
- Fixed incorrect parsing of IPv6 extension headers (r1665, r1666)
- Fixed compilation error when building against DAG 2.5 drivers (r1668, #286) - Thanks to Guillaume Vu-Brugier for reporting this bug.
- Fixed linking error when building against certain versions of libpcap that install pcap-int.h (r1669, #287) - Thanks to Guillaume Vu-Brugier for reporting this bug.
- Fixed libpacketdump compilation error that occurred on some systems, e.g. Fedora (r1674) - Thanks to Nevil Brownlee for reporting this bug.
- Added IPv6 and IPv6 fragmentation header decoders to libpacketdump (r1654,r1656,r1667)
- traceanon can now read cryptopan keys from a file (r1659)
- Replaced IO subsystem with wandio abstraction (r1391,r1394,r1395,r1396,r1397,r1398,r1400)
- IO / compression / decompression is now performed in a separate thread, resulting in improved performance
- Modular design makes it easy to add support for new compression formats
- Added native support for reading and writing bzip files (r1391)
- Added native support for writing lzo files (r1530,r1531,r1534)
- JITing of BPF bytecode using LLVM, leading to faster BPF filtering (r1586,r1588)
- Added enums for post-IP protocols and Ethertypes (r1386,r1387,r1388,r1389)
- Write support added for DAG cards - thanks to Daniel Lawson (r1406,r1414,r1418)
- Added new trace tool: tracetop. Shows the top N flows each second (r1408,r1409,r1411,r1412,r1413,r1415,r1416,r1417)
- Added new trace tool: tracereplay. Attempts to replay trace files in trace time (r1460 to r1476)
- Added new trace tool: tracediff. Displays packets that differ between two trace files (r1494)
- Added trace_get_timespec() function (r1421)
- If the format is not specified as part of the URI, libtrace can now attempt to guess the trace format (r1401,r1403)
- Libpacketdump can now decode CHDLC and PPP/HDLC headers (r1538)
- Added all the code examples from the libtrace tutorial to the examples directory (r1502)
- Fixed bug where packets read from a DAG card that did not match the filter were causing lengthy sleep events under the event API (r1483)
- Fixed various tools that were not reporting the occurrence of a read error (r1486,#270)
- Fixed segfault caused by malformed URIs (r1393,r1399)
- Fixed bug where reading a zero-length payload from a PCAP trace would result in an EOF being incorrectly reported (r1490)
- Fixed bug where filtered packet count was not initialised to zero (r1393)
- trace_get_payload_from_ip() now returns NULL when the IP version is incorrect rather than asserting (r1402)
- Fixed segfault when writing packets to a Linux native socket, caused by byte ordering issue (r1405)
- Fixed bug where custom pcap event function was not being used (r1422)
- Fixed misplaced assertion in the pcap file reading code (r1423)
- Fixed bug where trace_event would never get a packet event under recent versions of libpcap (r1426)
- Fixed assertion failure when an unknown linktype is encountered by libpacketdump (r1459)
- Fixed error caused by LCP packets that are common in some trace sets, e.g. Leipzig (r1482)
- Increased size of RT packet buffer to fix problems caused by jumbograms (r1493)
- Fixed errors caused by 32- and 64-bit incompatibility when sending Linux Native packets using the RT protocol (r1498,r1499)
- trace_get_*_port() functions now always return 0 for ICMP packets (r1500)
- Fixed problems with decoding HDLC and CHDLC headers (r1536)
- Fixed segfault when reading PCAP packets that had no packet content (r1537)
- Fixed bug where PCAP packets would be written with a larger capture length than the wire length (r1549)
- Fixed segfault in the TCP segment report in tracereport caused by segments larger than 1500 bytes (r1539, r1540)
- Fixed bug with restarting a PCAP trace file (r1574)
- Fixed bugs relating to the size of the TSH packet records (r1577)
- Fixed bug where we were not accounting for the FCS in legacy Ethernet captures (r1581)
- Fixed bug where libpacketdump could not decode Linux SLL properly due to using an "undefined" function (r1583)
- Fixed bug where libpacketdump was not skipping IP options before attempting to decode the next header (r1600)
- Fixed bug where padding was being treated as part of a truncated header (r1602)
- Fixed assertion when converting a packet with a corrupt wire length to PCAP (r1603)
- More fixes for missing #includes (r1425)
- trace_get_source_address() and trace_get_destination_address() now return link layer addresses in the absence of an IP header wherever possible (r1410)
- trace_get_ short-cut functions now return NULL if the entire header (minus options) is not present in the packet (r1491)
- Added missing set_capture_length() functionality for Linux Native (r1495)
- traceanon can now write compressed traces (r1550)
- traceanon now replaces checksums with zeroes (r1567)
- traceanon, tracesplit and tracemerge now support all libtrace compression types for output (r1568,r1570,r1571)
- tracereport no longer does the flow report by default (r1551)
- Added support for new ERF types (r1507)
- Added linktype for Experimental Ethernet (r1497)
- Added --count option to tracereport (r1427,#248)
- Added --merge-inputs option to tracertstats (r1440)
- Added support for ARPHRD_NONE (r1451)
- Added a libpacketdump decoder for ubiquity headers (r1488)
- Improved libpacketdump's method of searching for decoders (r1584)
- More efficient arrangement of internal structures (r1442,r1443)
- Tidied up exported symbols (r1454,r1456)
- General code maintenance (r1404,r1407,r1517)
- Tidied up manpages (r1492,r1569,r1572)
- Improved documentation (r1419,r1420,r1496,r1501,r1506,r1507,r1508,r1509,r1510,r1513,r1515,r1516,r1517,r1518,r1519,r1520,r1521,r1522,r1523,r1524,r1543,r1578)
- Fixed compilation errors caused by missing #includes (r1382)
- Added trace_get_payload_from_pppoe() to external API (r1383)
- autoconf now correctly detects libgdc for tracertstats (r1384)
- Fixed some warnings on recent versions of gcc (r1385)
- Bug fix with respect to loss counter caching (r1312)
- Major fixes to PoS traces (#261,r1371,r1378,r1379)
- Windows fixes (r1322,r1323)
- Code cleanups (r1324,r1325,r1326,r1333,r1355)
- Dag 2.5:
- Dropped packet counter fixes (with multithread locking) (r1326,r1329)
- Event api issues (r1327)
- Multiple stream support (and compatibility for dag 2.4) (r1328)
- Better detection of dag version numbers (r1343)
- New ERF types added (r1328,r1331)
- Coloured ethernet ERF type support (r1328)
- Fixes to the ERF Etherhack (r1328)
- Bug fix for unsupported configuration options for erf traces (r1330)
- Bug fix for set_capture_length() not updating the capture length cache (r1331)
- Bug fix for more capture length cache entries (r1346)
- Cleaned up the way managing packet's memory was done internally (r1332,r1335,r1336)
- Added RT type for bpf: traces (r1332)
- Bug fix for closing a pcapfile: trace file that was never trace_start()'d (r1334) (reported by Nevil Brownlee)
- Fix compile error with bpf: on OpenBSD (r1336)
- Fix compile errors with old compilers (r1337,r1339,r1340,r1341,r1345)
- libpacketdump cleanups (r1338,r1339)
- libpacketdump constification (r1351)
- traceanon code cleanups (r1342)
- tracertstats code cleanups (r1344)
- tracertstats documentation cleanups (r1369)
- int: code cleanups (r1347,r1352)
- tracesplit documentation cleanups (r1348)
- tracesplit error handling fixes (r1364)
- Cleanup examples (r1365)
- Deal better with creating compressed files (r1349)
- Deal with raw IP capture (r1350)
- Provide APIs for dealing with VLAN and MPLS headers (r1353, r1359, r1372)
- get_payload_from_X APIs now return NULL if the header is incomplete with remaining == 0. If there is no payload then they return where the payload would be, and remaining == 0. (r1376)
- Fix bug with trace_get_erf_timestamp() where UINT_MAX ends up being signed (reported by yuri from isi) (r1357)
- Force 64bit for filesizes (r1358)
- Add support for PPPoE, and skip PPPoE headers in trace_get_layer3() (r1360)
- Improve support for VLANs (r1363)
- Improve tracesplit's dealing with rotations based on starttime, and better debugging output (r1366)
- assert() on bad packets that aren't caught before we return them back to the user (r1367)
- Cleanup libpacketdump GRE parser (r1368, r1370)
- Support specifying compression levels (r1373)
- Better fixes for endianness issues (r1375)
- removed traceflow, to be replaced with maji (ipfix collector) available separately (r1377)
- Deprecate wtf:/wag: format. These traces no longer exist. (r1264)
- Cleanup bpf: capture format (r1265,r1266,r1317)
- add LINUX_SLL header support to get_source_mac() (r1267)
- deprecate trace_get_link() and replace it with the newer trace_get_packet_buffer()/trace_get_layer2() (r1268,r1269,r1270,r1271,r1272)
- Bug: Don't crash when destroying an output trace that failed to initialise (r1273,r1274,#258)
- Use Linux's in-kernel BPF filter if available (r1275)
- Add support for Cisco HDLC over PoS (r1276,r1277)
- Allow BPF bytecode to be used to construct a filter (r1278)
- Code cleanups (r1279,r1282,r1283,r1284,r1288,r1289,r1290,r1297,r1309,r1315)
- Fix libtrace_ip's bitfields (r1280,r1281,r1287)
- Fix pcapfile output bug (r1285)
- Documentation cleanups (r1286,r1295,r1296,r1306)
- Discard RT packets when writing pcapfile: files (r1291)
- Add a new "stats" example program (r1292,r1294)
- Build system cleanups (r1293,r1305,r1318)
- Avoid using assert() to report errors (r1298,r1299,r1300)
- RT packet issues (r1301)
- Properly deal with the packet parsing/length cache when using the event system (r1302)
- Add a new loss counter framework (r1303,r1304,r1307,r1308,r1310,r1311,r1312,r1316)
- Bug: Event framework not generating sleep events when reading traces from disk (r1313)
- Be more strict about returning NULL from trace_get_payload_from_X() functions (r1314)
- Code cleanups w.r.t warnings (r1211,r1212,r1213,r1214,r1216,r1217,r1218,r1219,r1224,r1225,r1255)
- tracesplit_dir now provides a warning of the number of packets that had an unknown direction at the end of the trace (r1215)
- Fix a segfault in tracereport with rxerrors, non ip (r1221, r1227)
- Add support for decoding 802.2 LLC/SNAP and Ethernet II in 802.11 frames (r1222,r1226)
- Documentation fixes and clarifications (r1223,r1235,r1236,r1245,r1248,r1249)
- Fix bug with trace_get_payload_from_80211() and 3 vs 4 frame formats (r1226)
- Deal correctly with URIs with parse errors causing segfaults on cleanup (r1229)
- Minor tidyups to protocol decoders (r1230,r1232)
- Add more information to libtracepktdump (r1231,r1256)
- Correctly deal with PPP captures (r1233)
- Cache trace_get_capture_length() and trace_get_l3() which are both heavily used internally (r1234)
- Build system cleanups (r1237,r1250)
- Add a GRE tracepktdump decoder (r1238)
- Add a preliminary PPPoE tracepktdump decoder (r1241)
- Add more information to tracereport (r1239,r1247)
- Fix bug in legacy decoder with wire lengths (r1239)
- Fix bug in trace_ether_ntoa (r1240)
- Add legacynzix: trace format (r1243)
- Don't assert() on bad packets (instead return BADPACKET) for erf traces (r1244)
- Add TRACE_OPTION_EVENT_REALTIME to allow the event framework to playback traces in realtime (r1246)
- Rename TRACE_META_FREQ to TRACE_OPTION_META_FREQ to follow naming convention (r1246)
- Correctly deal with errors when using trace_set_option (r1247)
- Deal better with signals when writing packets to files (#254,r1251,r1252,r1253)
- Add support for dag 3.x (r1254)
- Improved dag 2.5+ support (r1254,r1255)
- dag2.5+ supports setting the snaplen from libtrace (r1254)
- Add support for setting direction on linux int: formats (r1257,r1258)
- Consider loopback packets outgoing, not incoming (r1257)
- Fix trace_get_source_mac() for wireless frames (#253,r1259)
- Add support for interfaces_per_input to tracemerge (r1260)
- Fix tracereport direction report (r1261)
- Deprecated wag: and wtf formats (r1262,r1263)
- Fixed make install for libpacketdump (#246,r1173,r1186)
- Add support for tsh: and rf+ tracefiles. (r1174,r1175,r1176,r1180,r1181,r1194)
- Update support for radiotap (r1177)
- Add a new tool traceflow(1) (r1178,r1196,r1197)
- More correctly deal with pcap LINKTYPE's vs DLT's (r1179,r1182,r1183)
- Major cleanups of tracereport (#247,r1184), new reports (#236,r1191), Make sure reports write to files (r1202,r1203,r1204)
- libpacketdump Decoder cleanups (r1185,r1187)
- trace_event() memory leak fixes (r1188,r1189)
- Fix segfaults with bad arguments in tracesplit(1) (#244,r1190)
- Don't suffix a number if we are only generating one file (r1198)
- Support snapping packets (r1199)
- Minor bugs in libtrace error handling (r1192,r1193)
- Misc cleanups and bug fixes (r1206,r1207,r1208)
- Added missing manpages to release tarball (r1141,r1148)
- Update manpages (r1153)
- Fixed TCP option length calculation in libpacketdump (r1142)
- tracereport has had a massive tidy up (r1143,r1144,r1146,r1147,r1149,r1150,r1151,r1152)
- getopt support for disabling/enabling reports. (r1145)
- Documentation cleanups (r1154)
- Fix bug where 0 byte gzwrite(3) calls were causing the compressed file checksum to fail (r1155)
- RT closing issues (r1156)
- Metadata available (r1157,r1158,r1159,r1160,r1167)
- tracedump renamed tracepktdump due to naming conflict in debian (r1161,r1162)
- Implement better PoS decoding in libtrace for erf, legacypos. (r1163,r1164,r1168)
- Build fixes for MacOS (r1171, r1172)
- Add and update man pages (r1081,r1082,r1108)
- Don't start traces that are in the error state (r1084)
- initialise variables used by trace_event() (r1089)
- General code cleanups (warnings etc) (r1090,r1116,r1120,r1121,r1122,r1123,r1124,r1125,r1126,r1127,r1128,r1131,r1135)
- export RT types to allow symbolic debugging (r1091,r1092,r1093,r1094,r1095)
- memory leak in trace_construct_packet (r1102)
- trace_event free()ing returned packet buffer (r1119,#238)
- trace_config() error handling (r1130,r1132)
- error handling when opening files for write (r1136,r1137,r1138)
- build fixes (r1131)
- Format modules:
  - pcap (r1117)
  - Legacypos (r1085,r1087, r1088)
  - legacyatm (r1083,r1085,r1087, r1088)
  - legacyeth (r1087,r1085,r1088)
  - dag 2.4 (r1098,r1114,r1115)
  - dag 2.5 (r1107,r1110,r1111,r1112,r1113,r1114,r1115)
- libpacketdump
  - legacy trace decodes (r1086)
  - 802.11 (r1099,r1134)
  - arp (r1103,r1109)
  - ICMP Echo sequence numbers (r1105)
- protocols
  - radio tap (r1100)
  - get_payload_from_80211 (r1104)
  - sit (r1118,#237)
- tools
  - tracesplit
    - cleanup on ^C (r1101)
    - maximum number of files (r1129)
  - tracestats
    - Deal with invalid filters more elegantly (r1133)
  - tracesummary
    - Use correct filters by default (r1133)
- windows portability issues (r1130)
- Display ToS bits in libpacketdump as DSCP/ECN (r1071)
- Fix bug where the final packets were not being flushed out in some of the tools (r1072)
- Fix bug where DLT_NULL was being used instead of DLT_RAW for raw IP packets (r1073)
- Fix compile warnings (r1074, r1076, r1077)
- Fix bug with tracesplit segfaulting if given more than 2 options. (r1075)
- Fix bug with legacyatm: not signalling end of file correctly (r1078)
- More tests (r1079)
- int: ignored overridden promisc flags (r1058)
- Build fixes (r1059,r1060,r1068,r1069,r1070)
- Add proper decode support for ATM cells (r1061)
- pcap:/pcapfile:/trace_filter_apply() now will "demote" a packet, stripping off any header that pcap doesn't understand. (r1062,r1063,r1064,r1067)
- rejiggered the build system:
  - libpacketdump (r965,r966,r967,r968,r969,r972,r978,r979,r981,r986,r993,r1044,r1046)
  - main (r973,r975,r976,r980,r1002,r1012,r1019,r1022,r1032)
  - swig (r974)
  - libtrace (r977,r1035)
  - tests (r1049,r1054)
- Clarification of errors: (r970,r971,r1055)
- new wireless metadata API support for libtrace (r982,r983,r984,r985,r987,r988,r994,r995,r1003,r1004,r1007,r1008,r1009,r1015,r1027,r1028,r1029,r1030,r1042)
- Capture methods:
  - rtclient: protocol fixup/removal (r989,r1032)
  - pcapfile: protocol write support (r990,r992,r1047,r1048)
  - bpf: capture support for the BSDs (r997)
  - rt: cleanups (r1002,r1016)
- Fix bug with trace_perror_output (r991)
- Cleanup warnings (r996,r998,r999,r1000,r1001,r1021,r1043,r1045,r1050,r1051,r1052,r1053)
- Cleanup and distribute the sample code (r1005,r1006)
- Documentation/Comments fixed (r1010,r1039)
- Protocol decoders:
  - Added MPLS decoding support (r1011,r1020,r1036)
  - Fixed LINUX_SLL decoding (r1014,r1017,r1037,r1038)
- Export new functions:
  - trace_get_payload_from_ip6 (r1013)
- trace_create_dead() should call trace_init() (Closes #228) (r1018)
- removed packet->size due to its value being underspecified. (r1023,r1026)
- libpacketdump decoders: (r1040,r1041)
  - IP tidyups (r1024)
  - 802.11 (r1024,r1034)
  - 802.1x (r1031)
- tracesplit tidyups to deal better with old NLANR traces (r950)
- pcap: uris should deal with packets that are corrupt/missing a linklayer (r951)
- Code cleanups/build system cleanups (r952, r953, r956, r958, r963)
- when linking against libpacketdump, you need to provide -lfl (r959)
- libpacketdump should deal with packets that are corrupt/missing a linklayer (r954)
- Tom Young's linux int: performance improvements (r955, r960)
- if libpacketdump can't decode a linklayer itself, it should ask libtrace to decode it (r957)
Most of this release was bug fixes for MacOS portability, mostly dealing with endianness issues
- Alpha version of python bindings (r917)
- Cosmetic changes to help (r904)
- Wag length (r908)
- Coping with Dag rx errors (r909)
- Bugs in promote packet (direction tagging pcap files) (r910,r926,r927,r929)
- Bugs in erf/demote packet (converting from direction tagged pcap files) (r924,r925,r928,r941)
- Changed the build system for libpacketdump, removed C++ dependencies where unneeded, and general code tidy ups (r911,r913,r914,r916,r919,r936,r947)
- Portability fixes for MacOS (r916,r918,r921,r922,r931,r933,r942,r944)
- General code cleanups (r930,r932,r935)
- More error checking on protocol decode (r934)
- Better test cases, disable broken test (r937,r938,r939)
- General Build system fixes (r940,r943,r945,r946,r948)
- Added better error handling for pcap/duck/rt formats (r875,r880,r885,r886)
- Fixed problems with TRACE_TYPE enum (some values had been shuffled around) (r876)
- Fixed protocol decodes for 802.11 and LLC/Snap (r879)
- Added better unit tests for protocol decoding, writing files, and did some general cleanups (r882,r883,r884,r899)
- Massive build system overhaul (r887,r892,r893,r896)
- Update documentation (r888,r891)
- Minor cleanups (r889,r894,r895,r900,r901)
- trace_get_{source,destination}_address() now include the port number in the sin{,6}_port field. (r897)
See http://research.wand.net.nz/software/libtrace2-changelog.php for details of changes that occurred prior to libtrace 3