Because Corsaro is designed to be modular, there is an overall global output format and then there are per-plugin output formats. Plugins should attempt to follow the same conventions as Corsaro, but this is neither compulsory nor enforced.
Corsaro has an optional command-line parameter which sets the output 'mode' to either 'ascii' for (somewhat) human-readable output or 'binary' for a compact binary representation of the data. The binary representation tends to compress slightly better than the ASCII output does, resulting in smaller (compressed) output files.
This page should not be considered a definitive guide to output formats other than that of the global output file. The formats for the two core plugins (FlowTuple and RS DoS) are included for reference. For documentation about other CAIDA-produced plugins please refer to the internal Corsaro wiki, or email corsaro-info@caida.org
Plugins may output data in whatever format they like, but there are several conventions that Corsaro uses in its output files which, while not enforced in any way, should be followed by plugins for compatibility:

- Non-data lines are prefixed with `#` in ASCII output to allow easy filtering (e.g. `fgrep -v #`)
- Timestamps are `uint32_t` numbers giving seconds since the epoch (unix time)

In addition to these data conventions, this manual uses the following notation to describe the format of the data:

- `<trace_uri>` would be replaced with a trace URI string in the actual output
- `<version_major[8]>` indicates an 8 bit value describing the major version number

The Corsaro global output file has the following structure:
### Header Format ###
```
<magic_number[32]><interval_magic[32]>
<interval_number[16]><interval_start_time[32]>
  <magic_number[32]><data_magic[32]><plugin_id[16]>
    -- plugin data (variable length)
  <magic_number[32]><data_magic[32]><plugin_id[16]>
  -- repeats, one per plugin listed in header
<magic_number[32]><interval_magic[32]>
<interval_number[16]><interval_end_time[32]>
-- repeats, one per interval in trace
```
### Trailer Format ###
Magic Numbers:

| Field | ASCII | Hex |
|---|---|---|
| Magic Number | EDGR | 0x45444752 |
| Header Magic | HEAD | 0x48454148 |
| Interval Magic | INTR | 0x494E5452 |
| Data Magic | DATA | 0x44415441 |
| Trailer Magic | FOOT | 0x464F4F54 |
The plugin list in the binary output format is an array of uint16_t numbers which correspond to the plugin IDs given by the corsaro_plugin_id enum.
Note that the plugin IDs 0x4544, 0x4845 and 0x464F are reserved for Corsaro's use.
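The interval framing described above, as an added Python example that is not part of Corsaro's own code: it derives the magic numbers from the ASCII tags in the table, writes one interval holding data records for constructed plugins, and parses it back, checking every magic number and rejecting the reserved plugin IDs. The plugin IDs 1 and 2 and their payload sizes are assumptions; because the framing carries no length field for plugin data, the reader must be told each plugin's payload size.

```python
import struct

# Magic numbers are the big-endian encodings of the four-character ASCII
# tags in the table above (EDGR, INTR, DATA).
def tag(s: str) -> int:
    return int.from_bytes(s.encode("ascii"), "big")

MAGIC, INTERVAL_MAGIC, DATA_MAGIC = tag("EDGR"), tag("INTR"), tag("DATA")
RESERVED_PLUGIN_IDS = {0x4544, 0x4845, 0x464F}   # reserved for Corsaro use

def write_interval(number, start, end, records):
    """Frame one interval. records is a list of (plugin_id, payload); the
    payload layout belongs to the plugin and is opaque to the framing."""
    out = struct.pack(">IIHI", MAGIC, INTERVAL_MAGIC, number, start)
    for pid, payload in records:
        if pid in RESERVED_PLUGIN_IDS:
            raise ValueError(f"plugin id {pid:#06x} is reserved")
        out += struct.pack(">IIH", MAGIC, DATA_MAGIC, pid) + payload
        out += struct.pack(">IIH", MAGIC, DATA_MAGIC, pid)   # closing data record
    return out + struct.pack(">IIHI", MAGIC, INTERVAL_MAGIC, number, end)

def read_interval(buf, payload_sizes):
    """Parse one interval from offset 0, validating every magic number.
    payload_sizes maps plugin_id -> payload length, since the framing has
    no length field; a plugin whose size is unknown cannot be skipped."""
    off = 0

    def expect(fmt, *want):
        nonlocal off
        vals = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        for got, exp in zip(vals, want):
            if got != exp:
                raise ValueError(f"expected {exp:#x}, got {got:#x} before offset {off}")
        return vals

    _, _, number, start = expect(">IIHI", MAGIC, INTERVAL_MAGIC)
    records = []
    while struct.unpack_from(">II", buf, off) != (MAGIC, INTERVAL_MAGIC):
        _, _, pid = expect(">IIH", MAGIC, DATA_MAGIC)
        size = payload_sizes[pid]                    # KeyError: file is unparseable
        records.append((pid, bytes(buf[off:off + size])))
        off += size
        expect(">IIH", MAGIC, DATA_MAGIC, pid)      # closing data record must match
    _, _, _, end = expect(">IIHI", MAGIC, INTERVAL_MAGIC, number)
    return number, start, end, records, off

# Constructed sample: plugin 1 with an 8-byte payload, plugin 2 with 4 bytes
# (both plugin IDs and payload layouts are assumptions, not real Corsaro plugins).
SAMPLE_RECORDS = [(1, bytes(range(8))), (2, b"\xde\xad\xbe\xef")]
SAMPLE = write_interval(7, 1300000000, 1300000060, SAMPLE_RECORDS)
```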
Note, all values are in decimal except the IP addresses and the TCP flags. IP addresses are given in dotted decimal, and TCP flags are in hex.
### Binary ###
Two bit lengths are given for the dst_ip field. If Corsaro is built using the --with-slash-eight=X option, only the three least significant bytes (24 bits) of destination IP addresses are serialized (the assumption being that the most significant byte can easily be re-created upon deserialization). The 32 bit length is for the normal behaviour, where all 4 bytes of the address are stored.

The magic number is SIXT (0x53495854) when using /8 optimizations, and SIXU (0x53495855) without.
For a list of class IDs, see corsaro_flowtuple_class_type.
### ASCII ###
Note, all values are in decimal form except the target IP address, which is given in dotted decimal format.
If Corsaro is built with a version of libtrace that does not include libpacketdump, the initial packet will not be output when using the cors2ascii tool.
### Binary ###
There is a known bug in the binary output of the RS DoS plugin which causes it not to write a magic number to the output file. This has the unfortunate effect of requiring RS DoS files to be correctly named, so that plugin detection does not need to inspect the file contents, as described in the Corsaro-In section.