Version 2 (modified by spa1, 15 years ago)
tracesplit splits a single trace into a number of smaller trace files.
Usage
tracesplit [ -f exp | --filter=exp ] [ -c num | --count=num ] [ -b num | --bytes=num ] [ -i secs | --interval=secs ] [ -s unixtime | --starttime=unixtime ] [ -e unixtime | --endtime=unixtime ] [ -m files | --maxfiles=files ] inputuri outputuri
Options
- -f exp, --filter=exp
- Only output packets that match the BPF filter expression exp. See tcpdump(1) for the syntax of the filter expression.
- -c num, --count=num
- Start a new output file every num packets.
- -b num, --bytes=num
- Start a new output file every num bytes.
- -i secs, --interval=secs
- Start a new output file after secs seconds of trace time, i.e. measured by the packet timestamps rather than by the wall clock.
- -s unixtime, --starttime=unixtime
- Do not output any packet whose timestamp is earlier than unixtime (seconds since the Unix epoch).
- -e unixtime, --endtime=unixtime
- Do not output any packet whose timestamp is later than unixtime.
- -m files, --maxfiles=files
- Do not create more than files output files; combined with -c, -b or -i this stops the split once the limit is reached.
Applications
Extract the first 10 minutes (of trace time) of a longer trace into a separate, smaller trace:
tracesplit -i 600 -m 1 erf:longtrace.erf.gz erf:10min_trace.erf.gz
Capture live from an interface to disk, rotating to a new file every hour. Reading from int:eth0 needs the privileges required to open the interface for capture, and each output file is named trace.erf.gz-<timestamp of its first packet> (see Notes):
tracesplit -i 3600 int:eth0 erf:trace.erf.gz
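A wrapper for the incident-response variant of the first application above, added here as an example that is not part of libtrace or of this page: carve a time window, optionally narrowed by a BPF filter, out of a long trace. The -s and -e options take Unix timestamps, so the ISO 8601 UTC times an analyst gets from an alert are converted with GNU date (an assumption: the -d option is GNU-specific). The TRACESPLIT variable, also an assumption of this example, names the binary and defaults to tracesplit on PATH.

```shell
#!/bin/sh
# Added example, not part of libtrace: carve a time window out of a long trace.
# Assumes GNU date (for -d) and tracesplit on PATH, or TRACESPLIT pointing at it.

# iso_to_epoch ISO8601_UTC: print seconds since the Unix epoch, as -s/-e expect.
iso_to_epoch() {
    date -u -d "$1" +%s
}

# carve_window START END INPUTURI OUTPUTURI [BPF]
#   START/END are ISO 8601 UTC timestamps (e.g. 2024-03-01T12:00:00Z).
#   -m 1 keeps the whole window in one output file; the optional BPF
#   expression narrows it further (e.g. 'host 203.0.113.7 and tcp port 443').
carve_window() {
    start=$(iso_to_epoch "$1") || return 1
    end=$(iso_to_epoch "$2") || return 1
    input=$3
    output=$4
    bpf=$5
    if [ "$start" -ge "$end" ]; then
        echo "carve_window: start ($1) must be earlier than end ($2)" >&2
        return 1
    fi
    if [ -n "$bpf" ]; then
        set -- -f "$bpf" -s "$start" -e "$end" -m 1 "$input" "$output"
    else
        set -- -s "$start" -e "$end" -m 1 "$input" "$output"
    fi
    "${TRACESPLIT:-tracesplit}" "$@"
}

# Example invocation (commented out so the file can be sourced without
# running tracesplit):
# carve_window 2024-03-01T12:00:00Z 2024-03-01T12:30:00Z \
#     erf:longtrace.erf.gz erf:incident.erf.gz 'host 203.0.113.7'
```

The filter is passed as a single argument, so quote the BPF expression as one word; the start-before-end check catches the common mistake of swapping the two timestamps, which would otherwise produce an empty trace without any error.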
Notes
- Because tracesplit can produce multiple output files, the output URI is used as the base of each output filename. A suffix is appended: the packet number, timestamp or byte count of the first packet in the subtrace, depending on which criterion was used to split. For example:
tracesplit -c 100 erf:original.erf.gz erf:split.erf.gz
produces files called split.erf.gz-1, split.erf.gz-101, split.erf.gz-201, and so on.
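Because the suffixes are decimal numbers, a plain ls or lexical sort lists split.erf.gz-1001 before split.erf.gz-101. The following helpers, added here as an example and not part of libtrace, order the parts numerically and, for a split made with -c, check that no part is missing. They assume filenames without whitespace that end in the "-<number>" suffix described above.

```shell
#!/bin/sh
# Added example, not part of libtrace: put tracesplit output files back into
# trace order and check a -c split for missing parts. Assumes the names
# contain no whitespace and end in the "-<number>" suffix tracesplit appends.

# ordered_parts: reads filenames on stdin, writes them sorted by numeric suffix.
# A lexical sort (ls, sort) would put split.erf.gz-1001 before split.erf.gz-101.
ordered_parts() {
    while IFS= read -r name; do
        printf '%s\t%s\n' "${name##*-}" "$name"
    done | sort -n -k1,1 | cut -f2-
}

# check_count_split COUNT FILE...: for a split made with -c COUNT, verify the
# suffixes run 1, 1+COUNT, 1+2*COUNT, ... so a silently missing part is caught.
check_count_split() {
    count=$1
    shift
    expect=1
    for name in $(printf '%s\n' "$@" | ordered_parts); do
        suffix=${name##*-}
        if [ "$suffix" -ne "$expect" ]; then
            echo "check_count_split: expected suffix -$expect, got $name" >&2
            return 1
        fi
        expect=$((expect + count))
    done
}

# Example for the files produced by
#   tracesplit -c 100 erf:original.erf.gz erf:split.erf.gz
# (commented out so the file can be sourced):
# ls split.erf.gz-* | ordered_parts
# check_count_split 100 split.erf.gz-*
```

The same numeric ordering applies to splits made with -b or -i, where the suffix is a byte count or a timestamp; only the gap check is specific to -c, since a byte or time split does not have a predictable suffix sequence.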