Parallel Libtrace HOWTO: Meta Packet Callback - LibtraceTeam/libtrace GitHub Wiki

Meta Packet callbacks are only available from libtrace 4.0.7 onwards

Some packet capture formats, such as PCAP-NG and Endace DAG, are able to insert records into the packet stream that describe some properties of the capture process itself rather than an actual captured packet.

These records are typically referred to as meta-data records. For simplicity's sake, in libtrace we treat them as a special type of packet called a 'meta packet'. However, we also recognise that the processing that one might want to do on a meta packet is often entirely distinct from the processing you would want to do on a conventional packet. Therefore, parallel libtrace allows you to set a callback function that will invoked whenever the input stream provides libtrace with a meta packet.

A meta packet callback looks the same as a standard packet callback and all of the same rules apply, such as making sure your callback returns the meta packet if it is no longer needed after the callback is complete. An example meta packet callback is given below:

static libtrace_packet_t *per_meta_callback(libtrace_t *libtrace,
        libtrace_thread_t *t, void *global, void *tls,
        libtrace_packet_t *packet) {

    libtrace_meta_t *iface_name;
    struct counters *c;

    /* As usual, cast our 'tls' to the appropriate pointer type */
    c = (struct counters *)tls;
    
    /* This will give us a pointer to a meta data structure containing the
     * interface name, if there is one in this meta packet.
     */
    iface_name = trace_get_interface_name_meta(packet);

    if (iface_name == NULL)
        return packet;

    /* TODO something useful with this interface name... */

    trace_destroy_meta(iface_name);
    return packet;
}

.
.
.
    /* somewhere in main where we configure our callbacks */
    trace_set_meta_packet_cb(processing, per_meta_packet);

More information on what libtrace allows you to do with meta packets and the fields within them is available here .

We've covered all the possible callback functions now, but there is one more API function that you may find useful. Move on to learn about how to stop a parallel trace .