Using DAG cards to capture packets
Two utilities (dagsnap and dagconvert) can be used to capture packets with a DAG card and convert captured data to tcpdump format.
For example, with the following command
: root@sonar3:~# dagsnap -v -d dag0 -s 60 -o /opt/tmp/dag.snap
we will capture for 60 seconds and store data into a file. Data is stored in raw ERF format. dagconvert can be used to convert this to tcpdump (PCAP) format, for example:
: root@sonar3:~# dagconvert -v -T erf:pcap -i /opt/tmp/dag.snap -o /opt/tmp/dag.dump
One can also combine both commands to avoid saving packets in ERF format. Like this, for example:
: root@sonar3:~# dagsnap -v -d dag0 -s 60 |dagconvert -T erf:pcap -o /opt/tmp/dag.dump
Usage:
dagsnap (DAG 2.5.7.1) $Revision: 1.1 $
dagsnap - Endace DAG card capture utility.
Usage: dagsnap [options]
Options:
-?,--usage
-h,--help this page.
-d,--device <device> DAG device to use.
-v,--verbose increase verbosity.
-V,--version display version information.
-j,--maxwrite maximize disk write performance - will only write in chunks
-m,--maxdata <mebibytes> maximum amount of data to write per call in MiB (default 4).
-o,--fname <filename> output file name (default is stdout).
-s,--runtime <seconds> runtime in seconds.
-w,--wait <waitseconds> delay(wait) in seconds before capture and aftre the stream is initia
lized.
With -v three columns are printed per second.
1. The cumulative total of data written out.
2. The buffer occupancy. Small values indicate no packet loss.
3. The rate at which data is currently being written.
dagconvert (DAG 2.5.7.1) $Revision: 1.1 $
dagconvert - Endace DAG file conversion utility.
Usage: dagconvert [options] [extra-args]
-d <device> DAG device name
-h,--help,--usage display help (this page)
-v,--verbose increase verbosity
--version display version information
-i <filename> input file(s)
The redirection operator '<' can also be used for single file
input, provided the input is not of PCAP type.
To select multiple input files, use this option repeatedly.
-o <filename> output file
-r N[k|m|g|t] change output file after N Bytes.
k, m, g, t suffixes for kilobytes, megabytes, gigabytes, terabytes.
-s <snaplen> output snap length
-t <seconds> capture period in seconds
-T <in_type:out_type> input and output types (see list of types below)
-A <int> output record alignment (ERF only)
-V select variable length output (ERF only)
-F select fixed length output (ERF only)
-G specify GMT offset in seconds (pcap only)
-c 0|16|32 specify number of bits in FCS checksum (pcap only)
-f <list> comma separated list of filters (see list of filters below)
-b <BPF> specify a BPF style filter
-p 0|1|2|3 specify an interface to write into output ERF records
Supported types:
dag ERF direct from DAG device (input only)
erf ERF (extensible record format) file (input and output)
atm legacy ATM file (input only)
eth legacy Ethernet file (input only)
pos legacy PoS file (input only)
null produces no input or output
pcap libpcap format file (input and output)
prt ASCII text packet dump (output only)
Supported filters:
rx filter out rx errors (link layer)
ds filter out ds errors (framing)
trunc filter out truncated packets
a,b,c,d filter on indicated interface(s)
If the optional <extra-args> are present, they are passed through to the DAG card.
– Main.MatjazStraus - 01 Oct 2007