Skip to content
This repository has been archived by the owner on Jan 31, 2020. It is now read-only.
/ corsaro Public archive

Corsaro is a software suite for performing large-scale analysis of trace data. It was specifically designed to be used with passive traces captured by darknets, but the overall structure is generic enough to be used with any type of passive trace data.

License

Notifications You must be signed in to change notification settings

CAIDA/corsaro

Repository files navigation

READ THIS!

This repository has been deprecated and made read-only. Ongoing Corsaro development is happening at the CAIDA/corsaro3 repository.

Existing users should upgrade to Corsaro3. For help with this, please contact corsaro-info@caida.org. There will no longer be any updates to this code, and support will be limited to assisting users process/convert existing Corsaro V2 data.

Contact corsaro-info@caida.org with any questions.

Introduction

Corsaro is a software suite for performing large-scale analysis of trace data. It was specifically designed to be used with passive traces captured by darknets, but the overall structure is generic enough to be used with any type of passive trace data.

Because of the scale of passive trace data, Corsaro has been designed from the ground up to be fast and efficient, both in terms of run-time and output data size. For more details about the design goals of Corsaro, see the Goals section.

Corsaro allows high-speed analysis of trace data on a per-packet basis and provides a mechanism for aggregating results based on customizable time intervals. Trace data is read using the libtrace trace processing library, and a high-level IO abstraction layer allows results to be transparently written to compressed files, using threaded IO. The actual trace analysis logic is clearly separated into a set of plugins, several of which are shipped with Corsaro. For more information about how the pieces of Corsaro fit together, see the Architecture section.

In addition to the Core Plugins which are shipped with Corsaro, the plugin framework makes the creation of new plugins as simple as possible. The low overhead involved in creating a new plugin, coupled with the efficiency and reliability of Corsaro means that it can be used both to perform ad-hoc exploratory investigations as well as in a production context to carry out large-scale near-realtime analysis. To learn how to create a plugin, or perform analysis on existing Corsaro results, see the Tutorials section.

Corsaro can be used both as a library and as a stand-alone application for processing any format of trace data that libtrace supports. The Corsaro distribution also includes several other supporting tools for basic analysis of Corsaro output data. For information on using the Corsaro application and the other tools included, see the Tools section.

Download

The latest version of Corsaro is 2.0.0, released on November 21 2013.

We also maintain a detailed Change Log.

Quick Start

If you want to just dive right in and get started using Corsaro, take a look at the Quick Start guide.

Dependencies

Corsaro is written in C and should compile with any ANSI compliant C Compiler which supports the C99 standard. Please email corsaro-info@caida.org with any issues.

Corsaro requires libtrace version 3.0.14 or higher. (3.0.8 or higher can be used if the libwandio patch included in the corsaro distribution is applied).

Usage

Corsaro has many different usage scenarios which are outlined in this manual, but if you are looking to just run the analysis engine with the bundled plugins, see the Corsaro section of the Tools page.

Documentation

The online Corsaro Documentation is the best source of information about using Corsaro. It contains full API documentation, usage instructions for the Corsaro tools. It also has tutorials about writing Corsaro plugins and using the libcorsaro library to perform analysis on Corsaro-generated data.

About

Corsaro is a software suite for performing large-scale analysis of trace data. It was specifically designed to be used with passive traces captured by darknets, but the overall structure is generic enough to be used with any type of passive trace data.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 3

  •  
  •  
  •