Changes between Version 1 and Version 2 of TraceSplit

Timestamp:

02/28/07 10:14:48 (14 years ago)

Author:

spa1

Comment:

--

TraceSplit

@@ -2 +2 @@
 
 === Usage ===
-{{{tracesplit [ -f exp | --filter=exp ] [ -c num | --count num ] [ -b num | --bytes num ] [ -i secs | --interval secs ] }}}
+{{{ tracesplit [ -f exp | --filter=exp ] [ -c num | --count=num ] [ -b num | --bytes=num ] [ -i secs | --interval=secs ] }}}
+{{{     [ -s unixtime | --starttime=unixtime ] [ -e unixtime | --endtime=unixtime ] [ -m files | --maxfiles=files] inputuri outputuri }}}
+
+=== Options ===
+ {{{-f, --filter}}}::
+   Only output packets that match the bpf filter expression. See tcpdump(1) for the syntax of the bpf filter expression
+ {{{-c, --count}}}::
+   Output __count__ packets per output file.
+ {{{-b, --bytes}}}::
+   Output __num__ bytes per output file.
+ {{{-i, --interval}}}::
+   Start a new file after __secs__ seconds of trace time.
+ {{{-s, --starttime}}}::
+   Do not output any packets with a timestamp earlier than __unixtime__
+ {{{-e, --endtime}}}::
+   Do not output any packets with a timestamp later than __unixtime__
+ {{{-m, --maxfiles}}}::
+   Do not create more than __files__ trace files
+
+=== Applications ===
+==== Create a small 10 minute trace from a larger trace ====
+{{{
+tracesplit -i 600 -m 1 erf:longtrace.erf.gz erf:10min_trace.erf.gz
+}}}
+
+==== Capture a trace to disk with a one hour file rotation ====
+{{{
+tracesplit -i 3600 int:eth0 erf:trace.erf.gz
+}}}
+
+=== Notes ===
+ * As {{{tracesplit}}} is capable of producing multiple output files, the output URI is used as the base of the output filename. Appended is the packet number, timestamp or byte number of the first packet in the subtrace, depending on what criteria was used to determine the split. For example:
+{{{
+tracesplit -c 100 erf:original.erf.gz erf:split.erf.gz
+}}}
+   will produces files called split.erf.gz-1, split.erf.gz-101, split.erf.gz-201, etc.