If you want to just dive right in and run corsaro on an interface or existing pcap files, this is the place to start.
The latest version of Corsaro is 1.0.2.
You will also need to have libtrace installed before building Corsaro.
The following commands will build and install Corsaro with the default configuration, assuming that libtrace has been installed into a default location.
tar zxf corsaro-1.0.0.tar.gz
cd corsaro-1.0.0
./configure
make
make install
Note that you may need to run sudo make install if you do not have write access to /usr/local/.
This will build Corsaro with the FlowTuple and RS DoS plugins only.
For a more detailed description of the configuration options (and to enable more plugins), see the Installation section.
To run the corsaro tool on an existing pcap file to generate FlowTuple and RS DoS output data, use the following command:
corsaro -m binary -o /path/to/output/file.%P.cors.gz \
/path/to/pcap/file.pcap.gz
Replace /path/to/output/file with an actual path to the desired output directory. Note that the %P is required and will be replaced with a string representing each component that generates an output file (e.g. log, flowtuple, etc).
Replace /path/to/pcap/file with an actual path to a pcap (or any format supported by libtrace) file.
The -m binary option tells Corsaro to write output data in a compact binary format where possible. Omitting this option is permitted, but not recommended, as Corsaro will then default to the ASCII output mode. ASCII output is much more verbose, so Corsaro can take longer to process the trace file and the resulting disk usage can be significantly higher.
Running this command will process the given trace file and create four output files, using the output file template given. In each file name the %P is replaced with the name of the component that created it, that is, global, log, flowtuple, or dos.
Corsaro currently has preliminary support for processing packets directly from a live interface. To use this functionality, replace the pcap file path with:
pcapint:<interface>
The corsaro section of this manual contains a more detailed description of the Corsaro command-line tool.
Once Corsaro has processed the trace file, the resulting data can be viewed using the included cors2ascii tool. Note that the log file is always written in uncompressed ASCII format, so it can be viewed directly with less or a similar tool.
To view the FlowTuple output, use the following command:
cors2ascii /path/to/output/file.flowtuple.cors.gz | less
This will convert the binary data to a (somewhat) readable ASCII representation.
See the cors2ascii section for a more detailed description of the tool, and the File Formats page for a description of the ASCII output.
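The quick-start workflow above wrapped in a POSIX shell script, as an added example that is not part of Corsaro: it runs corsaro in binary mode against a trace, checks that all four %P outputs (global, log, flowtuple, dos) were actually written, and then converts the FlowTuple file with cors2ascii. The expand_template, expected_outputs and process_trace function names are the example's own, and it assumes output paths contain no spaces.

```shell
#!/bin/sh
# Added example (not part of Corsaro): automate the quick-start run and
# sanity-check the outputs before relying on them.

# Components named in the quick start; each one replaces %P in the template.
CORSARO_COMPONENTS="global log flowtuple dos"

# expand_template TEMPLATE COMPONENT -> TEMPLATE with every %P replaced.
expand_template() {
    printf '%s\n' "$1" | sed "s/%P/$2/g"
}

# expected_outputs TEMPLATE -> one expected output file name per line,
# in the order global, log, flowtuple, dos.
expected_outputs() {
    for c in $CORSARO_COMPONENTS; do
        expand_template "$1" "$c"
    done
}

# process_trace OUTDIR TRACE [NAME]
# Runs corsaro in binary mode, verifies the four files, shows FlowTuple output.
process_trace() {
    outdir=$1
    trace=$2
    # Default base name: trace file name with .pcap and any suffix removed.
    name=${3:-$(basename "$trace" | sed 's/\.pcap.*$//')}
    template="$outdir/$name.%P.cors.gz"

    corsaro -m binary -o "$template" "$trace"

    # A missing or empty component file means the run did not complete.
    missing=0
    for f in $(expected_outputs "$template"); do
        if [ ! -s "$f" ]; then
            echo "missing or empty output: $f" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1

    # The log is plain ASCII; the FlowTuple file needs cors2ascii to read.
    cors2ascii "$(expand_template "$template" flowtuple)" | head -n 20
}

# Only run when invoked with arguments, so the functions can be sourced.
if [ "$#" -ge 2 ]; then
    process_trace "$@"
fi
```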
This guide provides a very brief description of using Corsaro to analyze trace data, which should enable you to get started using it quickly.
For more information, take a look through the rest of this manual, starting with the Installation section for practical help getting started, or the Architecture section for a description of how the system is designed, and how to extend it.