[Coral-dev] CoralReef 3.8.4 released

Ken Keys coral-info at caida.org
Thu Jun 26 17:06:52 PDT 2008


CoralReef 3.8.4 is now available at
http://www.caida.org/tools/measurement/coralreef/.

CoralReef is a comprehensive software package from CAIDA for passive
monitoring of normal network interfaces as well as special purpose ATM
and POS interfaces, and reading "crl", "tsh", pcap (tcpdump), and
dagtools tracefiles.  It includes FreeBSD drivers for Apptel POINT
(OC12 and OC3 ATM) and FORE FATM (OC3 ATM) cards, the ability to
work with drivers for Endace DAG (OC3, OC12 and OC48, POS and ATM)
cards on Linux, programming APIs for C and Perl, and software
applications for capture, analysis, and reporting of ATM, IP, and
TCP/UDP traffic.

Direct questions to coral-info at caida.org.

Version 3.8.4 contains many bugfixes and a few new minor features:

* crl_anf now supports binary output format with the -b option.
* crl_anf and crl_flow now support dumping via forked child processes with
  the -R option.
* Parses new protocol: LLC encapsulation of Bridged Ethernet/802.3 PDUs
  (RFC 1483 section 4.2, RFC 2684 section 5.2).
* Recognizes (but does not parse) new protocols: Reverse ARP, Cisco SLARP in
  CHDLC, and CLNP/ES-IS in CHDLC.
* The coral errfile is unbuffered.
* Fixed: read timestamps incorrectly from pcap interfaces and traces on some
  64-bit platforms.
* Added workaround for libpcap filter bug that caused crl_dnsstat to ignore
  vlan packets.
* Fixed: crl_to_pcap with a DAG ATM file as input would create a pcap file with
  snaplen=0, which confused most tools that tried to read the file.
* Workaround for limitation in Wireshark:  when original length of packet is
  unknown, crl_to_pcap sets it to 65535 (0xffff) instead of 4294967295
  (0xffffffff) in its output pcap file.  Old files with large lengths can be
  made wireshark-friendly simply by running them through the new crl_to_pcap.
* crl_to_dag now emulates a quirk of DAG cards that sometimes write an
  incorrect record length, for compatibility with dag tools that expect the
  quirk.  Files produced by older versions of crl_to_dag with payloads
  stripped may contain records without the expected quirk.  The dagbits tool
  will report "warning: len change 20->28" when it expects the quirk; if that
  is followed by other errors, the quirk was not found, and subsequent results
  will be invalid.  Current CoralReef apps can read both quirked and
  non-quirked files; a non-quirked file may be converted to a quirked file for
  compatibility with dag tools simply by running it through crl_to_dag.
* crl_print_pkt prints packet number.
* Protocol parser is more forgiving of certain malformed TCP and UDP packets,
  so they are not unnecessarily truncated during payload truncation (e.g., the
  -l4 option of crl_to_pcap or crl_to_dag), and they can be decoded by
  crl_print_pkt.
* Protocol printer can decode DNSSEC resource records (DNSKEY RRSIG NSEC DS).
* Protocol printer now detects certain kinds of invalid DNS data and prints an
  error message instead of attempting to decode it.
* Fixed: packet printer incorrectly printed DNS TTL values greater than 65535
  (~18.2 hours) and several other DNS values greater than 2147483647.
* Improved printing of malformed IPv4 packets that appear to contain an IPv6
  extension header.
* The crl_to_pcap and crl_to_dag apps with an -l option, and the
  coral_pkt_truncate() function, no longer discard a layer just because it has
  an incompletely captured header.
* Fixed: anonymization on certain rare types of malformed packets or truncated
  packets with unusual encapsulations could corrupt subsequent packets.
* Packet anonymizer keeps first 8 bytes of IPv6 headers instead of discarding
  IPv6 packets.
* Fixed anonymizer to treat RAW_IP packets as the appropriate IP version,
  instead of discarding the packet.
* Earlier reporting of non-readability of files in compound sources.
* Fixed possible corrupt pcap output when reading compound gzipped pcap input
  (e.g., "crl_to_pcap pcap:[ *.pcap.gz ]").
* Added packet loss counter to crl_anf and crl_flowest/flowbloom output.
* Increased hashing efficiency in crl_flowest/flowbloom.
* Made random seed in crl_flowest/flowbloom work properly.
* Added -P3 option to crl_flowest/flowbloom to output protocol tables
  separately.
* Changed parse_bgp_dump to properly parse both old and new RouteViews formats.
* Fixed buffer overflow in crl_flow when using very long command lines.
* Added timezone tag to end of date range for RRDtool graphs in create_graphs.
* Fixed problem in merge_protos when last_ds value is empty.
* Fixed: store_monitor_data not properly updating timestamps due to mmap()
  in RRDtool 1.3.
* Fixed: crl_stats compilation failure without time.h
* Changed Tables classes to properly parse and scale packet and flow
  sampling multipliers (from crl_anf) separately, as well as calculating
  'other' flow counts from crl_flowest/flowbloom.
* Fixed build error "Undefined symbols: __Unwind_Resume" on OS X with gcc 4.0.1


-- 
Ken Keys
coral-info at caida.org
CoralReef:  http://www.caida.org/tools/measurement/coralreef/
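
An added example, not part of the announcement and not CoralReef code: a check for the two pcap header conditions the notes above describe for crl_to_pcap output (snaplen=0 in the file header, and an "unknown" original length stored as 0xffffffff rather than 0xffff). The function names audit_pcap and build_sample are hypothetical, and the sample bytes are constructed.

```python
import struct

# Classic pcap magic as it appears on disk -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}  # last two: nanosecond variant

def audit_pcap(data):
    """Flag snaplen=0 and 'unknown' original lengths in a classic pcap byte string."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[data[:4]]
    snaplen, _linktype = struct.unpack(order + "II", data[16:24])
    report = {"snaplen_zero": snaplen == 0, "records": 0,
              "orig_len_0xffffffff": [], "orig_len_0xffff": [], "truncated": False}
    offset = 24
    while offset < len(data):
        header = data[offset:offset + 16]
        if len(header) < 16:
            report["truncated"] = True
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(order + "IIII", header)
        if offset + 16 + incl_len > len(data):
            report["truncated"] = True   # never trust incl_len past end of file
            break
        report["records"] += 1           # 1-based record index
        if orig_len == 0xFFFFFFFF:
            report["orig_len_0xffffffff"].append(report["records"])
        elif orig_len == 0xFFFF:
            report["orig_len_0xffff"].append(report["records"])
        offset += 16 + incl_len
    return report

def build_sample(snaplen, orig_lens, order="<"):
    """Constructed test input: one 4-byte packet per requested original length."""
    magic = struct.pack(order + "I", 0xA1B2C3D4)
    out = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, snaplen, 1)
    for i, orig_len in enumerate(orig_lens):
        out += struct.pack(order + "IIII", 1214500000 + i, 0, 4, orig_len) + b"\x00" * 4
    return out

if __name__ == "__main__":
    old_style = build_sample(0, [60, 0xFFFFFFFF, 0xFFFFFFFF])
    print(audit_pcap(old_style))
```

A file that reports snaplen_zero or any orig_len_0xffffffff records is a candidate for re-running through the new crl_to_pcap, as the notes describe.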
