Extensible Record Format (ERF)

Overview

Endace DAG monitoring interface cards produce trace files in their own native format, known as the Extensible Record Format (ERF).

An ERF file consists of a series of records. Each record describes one packet. An ERF file consists only of ERF records; there is no special file header. This allows concatenation and splitting to be performed arbitrarily on ERF record boundaries.

Packet Format

Generic ERF header

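+------------+------------+------------+------------+
|   Byte 3   |   Byte 2   |   Byte 1   |   Byte 0   |
+------------+------------+------------+------------+
|                     timestamp                     |
+---------------------------------------------------+
|                     timestamp                     |
+------------+------------+-------------------------+
|    type    |   flags    |          rlen           |
+------------+------------+-------------------------+
|       lctr/color        |          wlen           |
+-------------------------+-------------------------+
|           extension headers (optional)            |
+---------------------------------------------------+
|                      payload                      |
+---------------------------------------------------+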

Timestamp

The time of arrival of the cell, as an ERF 64-bit timestamp: a single little-endian 64-bit fixed-point number. The high 32 bits contain the integer number of seconds since the start of time (Unix epoch time). The low 32 bits contain the binary fraction of the second, allowing an ultimate resolution of approximately 233 picoseconds.

Type

| Bits | Description |
|------|-------------|
| 7 | Extension header present. |
| 6:0 | Extension header type. |

Flags

| Bits | Description |
|------|-------------|
| 7 | Reserved |
| 6 | Reserved |
| 5 | DS error. An internal error generated inside the card annotator. Not present on the wire. |
| 4 | RX error. An error in the received data. Present on the wire. |
| 3 | Truncated record (deprecated) |
| 2 | Varying length record. Just leave this on; otherwise packets should be padded. |
| 1:0 | Binary enumeration of capture interface: 11 = interface 3/D, 10 = interface 2/C, 01 = interface 1/B, 00 = interface 0/A |

rlen

Record length in bytes. Total length of the record transferred over the PCI bus to storage. The timestamp of the next ERF record starts exactly rlen bytes after the start of the timestamp of the current ERF record.

lctr

Depending upon the ERF type this is either a loss counter or color field. The loss counter records the number of packets lost between the DAG card and the stream buffer due to overloading on the PCI bus. The loss is recorded between the current record and the previous record captured on the same stream/interface.

wlen

Wire length. Packet length "on the wire" including some protocol overhead. The exact interpretation of this quantity depends on the physical medium. This may contain padding.

Extension Headers

Extension headers in the ERF record allow extra data relating to each packet to be transported to the host. Extension header(s) are present if bit 7 of the type field is 1.

Payload

Payload is the actual data in the record. Its length can be calculated as: payload = rlen - ERF header - extension headers (optional) - protocol header - padding.
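An added example (not Wireshark's dissector code and not part of the original page) that walks a buffer record by record using the generic header described above, and rejects any rlen that is smaller than the 16-byte generic header or runs past the end of the buffer, since an unchecked rlen of 0 would never advance to the next record. The big-endian reading of the rlen, lctr and wlen fields, the helper `_record` and the sample bytes are assumptions of this example.

```python
import struct
from datetime import datetime, timezone

ERF_HEADER_LEN = 16  # 8-byte timestamp + type + flags + rlen + lctr + wlen

def parse_erf(buf):
    """Walk a buffer of ERF records; raise ValueError on a bad rlen."""
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < ERF_HEADER_LEN:
            raise ValueError(f"truncated header at offset {off}")
        # Timestamp is little-endian (per the page); the 16-bit fields are
        # read as big-endian, an assumption the page does not state.
        (ts,) = struct.unpack_from("<Q", buf, off)
        rtype, flags, rlen, lctr, wlen = struct.unpack_from(">BBHHH", buf, off + 8)
        if rlen < ERF_HEADER_LEN or off + rlen > len(buf):
            raise ValueError(f"bad rlen {rlen} at offset {off}")
        records.append({
            "offset": off,
            "seconds": ts >> 32,                    # high 32 bits: Unix seconds
            "fraction": (ts & 0xFFFFFFFF) / 2**32,  # low 32 bits: binary fraction
            "ext_present": bool(rtype & 0x80),      # type bit 7
            "type_bits": rtype & 0x7F,              # type bits 6:0
            "ds_error": bool(flags & 0x20),         # flags bit 5
            "rx_error": bool(flags & 0x10),         # flags bit 4
            "varying": bool(flags & 0x04),          # flags bit 2
            "interface": "ABCD"[flags & 0x03],      # flags bits 1:0
            "rlen": rlen, "lctr": lctr, "wlen": wlen,
        })
        off += rlen  # next record's timestamp starts exactly rlen bytes on
    return records

def _record(seconds, frac32, rtype, flags, body, wlen):
    """Build one constructed ERF record (hypothetical helper for the sample)."""
    rlen = ERF_HEADER_LEN + len(body)
    return (struct.pack("<Q", (seconds << 32) | frac32)
            + struct.pack(">BBHHH", rtype, flags, rlen, 0, wlen) + body)

# Constructed sample: two records; the type value 2 is chosen arbitrarily.
SAMPLE = (_record(1320022874, 0x80000000, 2, 0x04, b"\x00" * 20, 20)
          + _record(1320022875, 0x40000000, 2, 0x15, b"\x00" * 12, 12))

if __name__ == "__main__":
    for r in parse_erf(SAMPLE):
        when = datetime.fromtimestamp(r["seconds"] + r["fraction"], timezone.utc)
        print(r["offset"], when.isoformat(), r["interface"], r["rx_error"], r["rlen"])
```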

Example traffic

[Image: erf.png]

Wireshark

The dissector works for all ERF files. It also supports saving pcap or other generic data of Ethernet or HDLC types from within Wireshark. For the Ethernet type, if there is no existing checksum then one will be generated and added, because some tools expect ERF files to have one. Expert info is provided for ERF, for HDLC, and for the case where a record has more extension headers than are loaded (a maximum of 8 are loaded).


ERF (last edited 2011-10-31 01:01:14 by AndrewKampjes)