wiki:TraceMerge

Version 4 (modified by spa1, 14 years ago) (diff)

--

tracemerge is a libtrace tool that will merge together two (or more) traces into a single trace file.

Usage

tracemerge [ -i | --set-interface ] [ -u | --unique-packets ] outputuri inputuri...

Options

-i, --set-interface
Replace the direction/interface bit in the format header based on which input trace the packet comes from, e.g. direction is 0 for packets from the first input file, 1 for packets from the second file, etc.
-u, --unique-packets
Ignore duplicate packets with identical timestamps

Applications

Concatenating traces

tracemerge erf:merged_trace.gz erf:small_traces-1.gz erf:small_traces-2.gz erf:small_traces-3.gz

Merging two directions back into a single trace

tracemerge -i erf:merged_trace.gz erf:outgoing.gz erf:incoming.gz

Note: most libtrace applications regard a direction of 0 as outgoing and a direction of 1 as incoming, so be sure to specify the input URIs in the correct order.

Notes

  • The output trace format does not have to match the input formats, e.g. tracemerge pcapfile:merged_trace.pcap.gz erf:small_traces-1.gz erf:small_traces-2.gz will work. There is also no requirement for the input traces to all be of the same format either. These properties hold true for all libtrace applications, although format header information can be lost converting from one format to another, e.g. pcap headers have no space to store the ERF rxerror variable.
  • As the name implies, tracemerge will produce a trace where the packets are all in timestamp order.