[Coral-dev] CoralReef 3.8.4 released
Ken Keys
coral-info at caida.org
Thu Jun 26 17:06:52 PDT 2008
CoralReef 3.8.4 is now available at
http://www.caida.org/tools/measurement/coralreef/.
CoralReef is a comprehensive software package from CAIDA for passive
monitoring of normal network interfaces as well as special purpose ATM
and POS interfaces, and reading "crl", "tsh", pcap (tcpdump), and
dagtools tracefiles. It includes FreeBSD drivers for Apptel POINT
(OC12 and OC3 ATM) and FORE FATM (OC3 ATM) cards, the ability to
work with drivers for Endace DAG (OC3, OC12 and OC48, POS and ATM)
cards on Linux, programming APIs for C and Perl, and software
applications for capture, analysis, and reporting of ATM, IP, and
TCP/UDP traffic.
Direct questions to coral-info at caida.org.
Version 3.8.4 contains many bugfixes and a few new minor features:
* crl_anf now supports binary output format with the -b option.
* crl_anf and crl_flow now support dumping via forked child processes with
the -R option.
* Parses new protocol: LLC encapsulation of Bridged Ethernet/802.3 PDUs
(RFC 1483 section 4.2, RFC 2684 section 5.2).
* Recognizes (but does not parse) new protocols: Reverse ARP, Cisco SLARP in
CHDLC, and CLNP/ES-IS in CHDLC.
* The coral errfile is unbuffered.
* Fixed: read timestamps incorrectly from pcap interfaces and traces on some
64-bit platforms.
* Added workaround for libpcap filter bug that caused crl_dnsstat to ignore
vlan packets.
* Fixed: crl_to_pcap with a DAG ATM file as input would create a pcap file with
snaplen=0, which confused most tools that tried to read the file.
* Workaround for limitation in Wireshark: when original length of packet is
unknown, crl_to_pcap sets it to 65535 (0xffff) instead of 4294967295
(0xffffffff) in its output pcap file. Old files with large lengths can be
made Wireshark-friendly simply by running them through the new crl_to_pcap.
* crl_to_dag now emulates a quirk of DAG cards that sometimes write an
incorrect record length, for compatibility with dag tools that expect the
quirk. Files produced by older versions of crl_to_dag with payloads
stripped may contain records without the expected quirk. The dagbits tool
will report "warning: len change 20->28" when it expects the quirk; if that
is followed by other errors, the quirk was not found, and subsequent results
will be invalid. Current CoralReef apps can read both quirked and
non-quirked files; a non-quirked file may be converted to a quirked file for
compatibility with dag tools simply by running it through crl_to_dag.
* crl_print_pkt prints packet number.
* Protocol parser is more forgiving of certain malformed TCP and UDP packets,
so they are not unnecessarily truncated during payload truncation (e.g., the
-l4 option of crl_to_pcap or crl_to_dag), and they can be decoded by
crl_print_pkt.
* Protocol printer can decode DNSSEC resource records (DNSKEY RRSIG NSEC DS).
* Protocol printer now detects certain kinds of invalid DNS data and prints an
error message instead of attempting to decode it.
* Fixed: packet printer incorrectly printed DNS TTL values greater than 65535
(~18.2 hours) and several other DNS values greater than 2147483647.
* Improved printing of malformed IPv4 packets that appear to contain an IPv6
extension header.
* The crl_to_pcap and crl_to_dag apps with an -l option, and the
coral_pkt_truncate() function, no longer discard a layer just because it has
an incompletely captured header.
* Fixed: anonymization on certain rare types of malformed packets or truncated
packets with unusual encapsulations could corrupt subsequent packets.
* Packet anonymizer keeps first 8 bytes of IPv6 headers instead of discarding
IPv6 packets.
* Fixed anonymizer to treat RAW_IP packets as the appropriate IP version,
instead of discarding the packet.
* Earlier reporting of non-readability of files in compound sources.
* Fixed possible corrupt pcap output when reading compound gzipped pcap input
(e.g., "crl_to_pcap pcap:[ *.pcap.gz ]").
* Added packet loss counter to crl_anf and crl_flowest/flowbloom output.
* Increased hashing efficiency in crl_flowest/flowbloom.
* Made random seed in crl_flowest/flowbloom work properly.
* Added -P3 option to crl_flowest/flowbloom to output protocol tables
separately.
* Changed parse_bgp_dump to properly parse both old and new RouteViews formats.
* Fixed buffer overflow in crl_flow when using very long command lines.
* Added timezone tag to end of date range for RRDtool graphs in create_graphs.
* Fixed problem in merge_protos when last_ds value is empty.
* Fixed: store_monitor_data not properly updating timestamps due to mmap()
in RRDtool 1.3.
* Fixed: crl_stats compilation failure without time.h
* Changed Tables classes to properly parse and scale packet and flow
sampling multipliers (from crl_anf) separately, as well as calculating
'other' flow counts from crl_flowest/flowbloom.
* Fixed build error "Undefined symbols: __Unwind_Resume" on OS X with gcc 4.0.1
--
Ken Keys
coral-info at caida.org
CoralReef: http://www.caida.org/tools/measurement/coralreef/
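
The two crl_to_pcap items above (snaplen=0 in the file header, and an original length of 4294967295 in packet records) can be checked for in existing trace archives. The following is an added example, not CoralReef code and not from the release announcement: `audit_pcap` is a hypothetical helper that assumes the classic libpcap file layout (24-byte global header, 16-byte record headers) and runs on a sample trace constructed inline.

```python
import struct

# Classic pcap magics (microsecond and nanosecond) mapped to struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
UNKNOWN_LEN = 0xFFFFFFFF  # original length written by older crl_to_pcap
CLAMPED_LEN = 0xFFFF      # value crl_to_pcap 3.8.4 writes instead

def audit_pcap(data, fix=False):
    """Return (findings, bytes); with fix=True, 0xffffffff lengths become 65535."""
    order = PCAP_MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    findings = []
    # Global header: magic, version (2+2), thiszone, sigfigs, snaplen, linktype.
    if struct.unpack_from(order + "I", data, 16)[0] == 0:
        findings.append("global header: snaplen=0")
    out = bytearray(data)
    off, n = 24, 0
    while off + 16 <= len(data):
        n += 1
        # Record header: ts_sec, ts_frac, captured length, original length.
        _, _, incl, orig = struct.unpack_from(order + "IIII", data, off)
        if off + 16 + incl > len(data):
            findings.append(f"record {n}: truncated (incl_len={incl})")
            break
        if orig == UNKNOWN_LEN:
            findings.append(f"record {n}: orig_len=0xffffffff")
            if fix:
                struct.pack_into(order + "I", out, off + 12, CLAMPED_LEN)
        off += 16 + incl
    return findings, bytes(out)

def sample_trace():
    """Constructed sample: snaplen=0 header, one normal and one unknown-length record."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 0, 1)
    r1 = struct.pack("<IIII", 1, 0, 4, 4) + b"\x00" * 4
    r2 = struct.pack("<IIII", 2, 0, 4, UNKNOWN_LEN) + b"\x11" * 4
    return hdr + r1 + r2

if __name__ == "__main__":
    found, fixed = audit_pcap(sample_trace(), fix=True)
    print("\n".join(found))
    print("after rewrite:", audit_pcap(fixed)[0])
```

The rewrite only touches the original-length field; a snaplen=0 header is reported but left alone, since the correct snaplen for a given trace is not recoverable from the file itself.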