tracefilter copies all packets that match a user-specified BPF filter to an output trace, creating a new filtered sub-trace.


tracefilter inputuri bpffilter outputuri


Capturing a trace file using a filter

tracefilter int:eth0 "tcp port 80" erf:http_only.erf.gz

Filtering an existing trace

tracefilter erf:trace.erf.gz "host" erf:single_host.erf.gz


  • tracefilter does not support setting the compression level or method. It will always write gzip level 1 compressed output.
  • tracefilter is a limited version of tracesplit. If you require more flexibility in your filtering, tracesplit may prove to be a better option.