FromDump Element Documentation

FromDump -- Click element; reads packets from a tcpdump file

FromDump(FILENAME [, keywords STOP, TIMING, SAMPLE, FORCE_IP, START, START_AFTER, END, END_AFTER, INTERVAL, END_CALL, FILEPOS, MMAP])

Ports: no inputs, 1-2 outputs
Processing: agnostic, but output 1 is push
Drivers: userlevel, ns
Package: userlevel (core)

Reads packets from a file produced by `tcpdump -w FILENAME' or ToDump and emits them from the output, optionally stopping the driver when there are no more packets. FromDump also transparently reads gzip- and bzip2-compressed tcpdump files, if you have zcat(1) and bzcat(1) installed. Keyword arguments are:

STOP

Boolean. If true, then FromDump will ask the router to stop when it is done reading its tcpdump file (or the END time is reached). Default is false.

TIMING

Boolean. If true, then FromDump tries to maintain the timing of the original packet stream. The first packet is emitted immediately; thereafter, FromDump maintains the delays between packets. Default is false.

SAMPLE

Unsigned real number between 0 and 1. FromDump will output each packet with probability SAMPLE. Default is 1. FromDump uses fixed-point arithmetic, so the actual sampling probability may differ substantially from the requested sampling probability. Use the sampling_prob handler to find out the actual probability.

FORCE_IP

Boolean. If true, then FromDump will emit only IP packets with their IP header annotations correctly set. (If FromDump has two outputs, non-IP packets are pushed out on output 1; otherwise, they are dropped.) Default is false.

START

Absolute time in seconds since the epoch. FromDump will output packets with timestamps after that time.

START_AFTER

Argument is relative time in seconds (or supply a suffix like `min', `h'). FromDump will skip the first T seconds in the log.

END

Absolute time in seconds since the epoch. FromDump will stop when encountering a packet with timestamp at or after that time.

END_AFTER

Argument is relative time in seconds (or supply a suffix like `min', `h'). FromDump will stop at the first packet whose timestamp is at least T seconds after the first timestamp in the log.

INTERVAL

Argument is relative time in seconds (or supply a suffix like `min', `h'). FromDump will stop at the first packet whose timestamp is at least T seconds after the first packet output.

END_CALL

Specify a handler to call once the end time is reached, or the dump runs out of packets. This defaults to 'FromDump.active false'. END_CALL and STOP are mutually exclusive.

ACTIVE

Boolean. If false, then FromDump will not emit packets (until the `active' handler is written). Default is true.

FILEPOS

File offset. If supplied, then FromDump will start emitting packets from this (uncompressed) file position. This is dangerous; there's no cheap way to check whether you got the offset wrong, and if you did get it wrong, FromDump will emit garbage.

MMAP

Boolean. If true, then FromDump will use mmap to access the tcpdump file. This can result in slightly better performance on some machines. FromDump's regular file discipline is pretty optimized, so the difference is often small in practice. Default is true on most operating systems, but false on Linux. You can supply at most one of START and START_AFTER, and at most one of END, END_AFTER, and INTERVAL. Only available in user-level processes.

By default, `tcpdump -w FILENAME' dumps only the first 68 bytes of each packet. You probably want to run `tcpdump -w FILENAME -s 2000' or some such. FromDump sets packets' extra length annotations to any additional length recorded in the dump. FromDump is a notifier signal, active when the element is active and the dump contains more packets. If FromDump uses mmap, then a corrupt file might cause Click to crash with a segmentation violation.

count (read-only)

Returns the number of packets output so far.

reset_counts (write-only)

Resets "count" to 0.

sampling_prob (read-only)

Returns the sampling probability (see the SAMPLE keyword argument).

active (read/write)

Value is a Boolean.

encap (read-only)

Returns the file's encapsulation type.

filename (read-only)

Returns the filename supplied to FromDump.

filesize (read-only)

Returns the length of the FromDump file, in bytes, or "-" if that length cannot be determined (because the file was compressed, for example).

filepos (read/write)

Returns or sets FromDump's position in the (uncompressed) file, in bytes.

packet_filepos (read-only)

Returns the (uncompressed) file position of the last packet emitted, in bytes. This handler is useful for elements like AggregateIPFlows that can record statistics about portions of a trace; with packet_filepos, they can note exactly where the relevant portion begins.

extend_interval (write-only)

Text is a time interval. If END_TIME or one of its cousins was specified, then writing to this handler extends END_TIME by that many seconds. Also, ACTIVE is set to true.

reset_timing (write-only)

Resets timing information. Useful when TIMING is true and you skate around in the file by writing filepos.

ToDump, FromDevice.u, ToDevice.u, tcpdump, mmap, AggregateIPFlows, FromTcpdump

Generated by 'click-elem2man' from '../elements/userlevel/fromdump.hh' on 7/Mar/2009.