• HOME
  • About
  • Program Plan
  • Annual Report
  • Joining CAIDA
  • Staff
  • Jobs
  • Legal Agreements
  • How-To
  • Blog
• RESEARCH
  • Routing
  • Topology
  • Security
  • Traffic Analysis
  • Economics and Policy
  • Visualization
• DATA
  • Overview
  • Data Sharing
  • Distribution Statistics
  • How-to
  • Data Usage FAQ
  • Papers using CAIDA Data
  • Acceptable Use Agreement
• TOOLS
  • Overview
• PUBLICATIONS
  • Papers
  • Presentations
  • Blog
  • Visualizations
  • - Animations
  • - Posters
  • Networking Bibliography
• WORKSHOPS
  • Overview
  • CREDS
  • ISMA / AIMS
  • DUST
  • DANCES
  • WIE
  • CAIDA-WIDE-CASFI
  • Collaborative
  • Archive
• PROJECTS
  • Macroscopic Topology
  • Cybersecurity
  • PREDICT
  • Ark
  • Network Telescope
  • IMDC (DatCat)
  • NDN
  • IPv6 Evolution
• FUNDING
  • Cartographic Capabilities
  • iLENS
  • IPv6
  • DALS
  • Dynamic Graphs
  • Routing
  • Named Data Networking
  • Telescope
  • IRNC-SP
  • DatCat
  • PREDICT
  • Program Plan

Download

Corsaro v2.0.0 was released on November 21, 2013. See the CHANGELOG for a detailed list of changes.

Introduction

Corsaro allows high-speed analysis of trace data on a per-packet basis and provides a mechanism for aggregating results based on customizable time intervals. Trace data is read using the libtrace trace processing library, and a high-level IO abstraction layer allows results to be transparently written to compressed files, using threaded IO. The actual trace analysis logic is clearly separated into a set of plugins, several of which are shipped with Corsaro.

In addition to the Core Plugins which are shipped with Corsaro, the plugin framework makes the creation of new plugins as simple as possible. The low overhead involved in creating a new plugin, coupled with the efficiency and reliability of Corsaro means that it can be used both to perform ad-hoc exploratory investigations as well as in a production context to carry out large-scale near-realtime analysis.

Corsaro can be used both as a library and as a stand-alone application for processing any format of trace data that libtrace supports. The Corsaro distribution also includes several other supporting tools for basic analysis of Corsaro output data.

Quick Start

If you want to just dive right in and get started using Corsaro, take a look at the Quick Start guide.

Dependencies

Corsaro requires libtrace version 3.0.14 or higher (3.0.8 or higher can be used if the libwandio patch included in the corsaro distribution is applied).

Usage

usage: corsaro [-alP] -o outfile [-i interval] [-m mode] [-n name]
               [-p plugin] [-f filter] [-r intervals] trace_uri [trace_uri...]
       -a            align the end time of the first interval
       -o <outfile>  use <outfile> as a template for file names.
                      - %P => plugin name
                      - %N => monitor name
                      - see man strftime(3) for more options
       -f <filter>   BPF filter to apply to packets
       -i <interval> distribution interval in seconds (default: 60)
       -l            the input file has legacy intervals (FlowTuple only)
       -m <mode>     output in 'ascii' or 'binary'. (default: binary)
       -n <name>     monitor name (default: gibi.caida.org)
       -p <plugin>   enable the given plugin, -p can be used multiple times (default: all)
                     available plugins:
                      - flowtuple
                     use -p "<plugin_name> -?" to see plugin options
       -P            enable promiscuous mode on the input (if supported)
       -r            rotate output files after n intervals
       -R            rotate corsaro meta files after n intervals
          

Documentation

The online Corsaro Manual is the best source of information about using Corsaro. It contains full API documentation, usage instructions for the Corsaro tools. It also has tutorials about writing Corsaro plugins and using the libcorsaro library to perform analysis on Corsaro-generated data.

Presentations