wiki:TraceSplit

Version 5 (modified by salcock, 10 years ago) (diff)

--

tracesplit will split a trace into a number of smaller tracefiles.

Usage

tracesplit 
        [ -f exp | --filter=exp ] 
        [ -c num | --count=num ] 
        [ -b num | --bytes=num ] 
        [ -i secs | --interval=secs ]
        [ -s unixtime | --starttime=unixtime ] 
        [ -e unixtime | --endtime=unixtime ] 
        [ -m files | --maxfiles=files ] 
        [ -S snaplen | --snaplen=snaplen ]
        [ -z level | --compress-level=level ]
        [ -Z method | --compress-type=method ]
        inputuri [inputuri ...] outputuri

Options

-f, --filter
Only output packets that match the bpf filter expression. See tcpdump(1) for the syntax of the bpf filter expression
-c, --count
Output count packets per output file.
-b, --bytes
Output num bytes per output file.
-i, --interval
Start a new file after secs seconds of trace time.
-s, --starttime
Do not output any packets with a timestamp earlier than unixtime
-e, --endtime
Do not output any packets with a timestamp later than unixtime
-m, --maxfiles
Do not create more than files trace files
-S, --snaplen
Truncate packets to snaplen bytes long. The default is to perform no truncation at all.
-z, --compress-level
Compress the output trace using the specified compression level, ranging from 0 (no compression) to 9. Higher compression levels require more CPU to compress data. Defaults to no compression.
-Z, --compress-type
Compress the output trace using the specified compression method. Possible methods are "gzip", "bzip2", "lzo" or "none". The default is "none".

Applications

Create a small 10 minute trace from a larger trace

tracesplit -i 600 -m 1 erf:longtrace.erf.gz erf:10min_trace.erf.gz

Capture a trace to disk with a one hour file rotation

tracesplit -i 3600 int:eth0 erf:trace.erf.gz

Notes

  • If tracesplit produces multiple output files, the output URI is used as the base of the output filename. Appended is the timestamp of the first packet in the subtrace.
  • Multiple input traces may be specified on the command line - each is read in turn and split accordingly. This is helpful for applying a filter to an entire traceset, for example.