wiki:TraceMerge

Version 7 (modified by salcock, 10 years ago) (diff)

Added compression options to tracemerge

tracemerge is a libtrace tool that will merge together two (or more) traces into a single trace file.

Usage

tracemerge 
        [ -i | --set-interface ] 
        [ -u | --unique-packets ] 
        [ -z level| --compress-level=level ]
        [ -Z method | --compress-type=method ] 
        outputuri inputuri... 

Options

-i, --set-interface
Replace the direction/interface bit in the format header based on which input trace the packet comes from, e.g. direction is 0 for packets from the first input file, 1 for packets from the second file, etc.
-u, --unique-packets
Ignore duplicate packets with identical timestamps
-z, --compress-level
Sets the amount of compression performed on the output file. This value can range from 0 (no compression) to 9. Higher compression levels require more CPU to compress data. Defaults to no compression.
-Z, --compress-type
Sets the compression algorithm to be used when writing the output trace. Possible methods are "gzip", "bzip2", "lzo" or "none". Defaults to "none".

Applications

Concatenating traces

tracemerge erf:merged_trace.gz erf:small-1.gz erf:small-2.gz erf:small-3.gz

Merging two directions back into a single trace

tracemerge -i erf:merged_trace.gz erf:outgoing.gz erf:incoming.gz

Note: most libtrace applications regard a direction of 0 as outgoing and a direction of 1 as incoming, so be sure to specify the input URIs in the correct order.

Notes

  • The output trace format does not have to match the input formats, e.g.
    tracemerge pcapfile:merged_trace.pcap.gz erf:small-1.gz erf:small-2.gz
    
    will work. There is also no requirement for the input traces to all be of the same format either. These properties hold true for all libtrace applications, although format header information can be lost converting from one format to another, e.g. pcap headers have no space to store the ERF rxerror variable.
  • As the name implies, tracemerge will produce a trace where the packets are all in timestamp order.