wiki:TraceTopEnds

tracetopends reports the endpoints that are sending or receiving the most traffic in a trace. Output is written to stdout. (Only available in version 3.0.12 and later.)

Usage

tracetopends
         [ -f exp ]
         [ -A addrtype ]
         [ -n numlines ]
         [ -a ]
         [ -b ]
         [ -s ]
         [ -d ]
         [ -p ]
         [ -h ]
         inputuri ...

Options

-f exp
Only count packets that match the BPF filter expression exp. See tcpdump(1) for the syntax of BPF filter expressions.
-A addrtype
Specifies which address type defines an endpoint: "mac", "v4" or "v6".
-n numlines
Output only the top numlines endpoints.
-s
Rank endpoints by outgoing traffic (traffic sent by the endpoint). This is the default direction.
-d
Rank endpoints by incoming traffic (traffic received by the endpoint).
-a
Measure traffic in application payload bytes.
-b
Measure traffic in IP bytes. This is the default measure.
-p
Measure traffic in packets.
-h
Print help information.

Applications

Print the 20 IPv4 addresses that are sending the most traffic (bytes):

tracetopends -n20 -A v4 -s -b erf:trace.erf.gz

Print the 5 MAC addresses that are receiving the most packets:

tracetopends -n 5 -A mac -d -p erf:trace.erf.gz

Notes

  • This can be run against live interfaces or DAG cards, but no output is displayed until the program is interrupted with CTRL-C.
  • Specify TWO sort parameters: the direction (-s or -d) and the traffic measure (-a, -b or -p). The defaults are -s and -b.
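To make the option semantics concrete, the following script is an added illustration of how the ranking described under Options and Notes works; it is not libtrace's code and does not read trace files. It models each packet with constructed fields and ranks endpoints by the chosen address type (-A), direction (-s/-d) and measure (-a/-b/-p), assuming that with -A v4 or -A v6 packets of the other IP version are simply skipped. The packet records, MAC and IP addresses are all constructed sample values; BPF filtering (-f) is not modelled.

```python
"""Added illustration of tracetopends' ranking semantics (not libtrace's code).

Every packet contributes to two endpoints: its source (outgoing, -s) and its
destination (incoming, -d). The endpoint is identified by the address type
chosen with -A ("mac", "v4" or "v6"); the measure is "b" (bytes on the wire),
"a" (application payload bytes) or "p" (packets).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ip_version: int   # 4 or 6
    wire_len: int     # bytes on the wire (the -b measure)
    payload_len: int  # application payload bytes (the -a measure)


# Constructed sample addresses, not taken from any real trace.
MAC_A = "02:00:00:00:00:0a"
MAC_B = "02:00:00:00:00:0b"
MAC_C = "02:00:00:00:00:0c"

# Constructed sample packets: two full-size data segments from 10.0.0.1,
# three small ACK-sized replies back to it, and one IPv6 packet.
SAMPLE = [
    Packet(MAC_A, MAC_B, "10.0.0.1", "10.0.0.2", 4, 1500, 1448),
    Packet(MAC_A, MAC_C, "10.0.0.1", "10.0.0.3", 4, 1500, 1448),
    Packet(MAC_B, MAC_A, "10.0.0.2", "10.0.0.1", 4, 60, 0),
    Packet(MAC_C, MAC_A, "10.0.0.3", "10.0.0.1", 4, 60, 0),
    Packet(MAC_C, MAC_A, "10.0.0.3", "10.0.0.1", 4, 60, 0),
    Packet(MAC_C, MAC_A, "2001:db8::3", "2001:db8::1", 6, 200, 120),
]


def endpoint(pkt, addrtype, direction):
    """Return the address identifying this packet's endpoint for the given
    direction ("s" = source/outgoing, "d" = destination/incoming), or None
    when the packet carries no address of the requested type (assumption:
    such packets are skipped rather than counted)."""
    if addrtype == "mac":
        return pkt.src_mac if direction == "s" else pkt.dst_mac
    wanted = 4 if addrtype == "v4" else 6
    if pkt.ip_version != wanted:
        return None
    return pkt.src_ip if direction == "s" else pkt.dst_ip


def top_endpoints(packets, addrtype="v4", direction="s", measure="b", n=10):
    """Rank endpoints the way tracetopends does: one address type, one
    direction, one measure. Defaults mirror the tool's (-s and -b).
    Returns a list of (address, count) pairs, highest first; ties are
    broken by address so the result is deterministic."""
    if addrtype not in ("mac", "v4", "v6"):
        raise ValueError("addrtype must be mac, v4 or v6")
    if direction not in ("s", "d"):
        raise ValueError("direction must be s (outgoing) or d (incoming)")
    if measure not in ("a", "b", "p"):
        raise ValueError("measure must be a (payload), b (bytes) or p (packets)")

    counts = defaultdict(int)
    for pkt in packets:
        addr = endpoint(pkt, addrtype, direction)
        if addr is None:
            continue
        if measure == "b":
            counts[addr] += pkt.wire_len
        elif measure == "a":
            counts[addr] += pkt.payload_len
        else:
            counts[addr] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def format_report(rows, direction, measure):
    """Render a ranking as a simple two-column table (layout is ours, not
    the tool's exact output format)."""
    label = {"b": "bytes", "a": "payload bytes", "p": "packets"}[measure]
    header = ("out " if direction == "s" else "in ") + label
    lines = [f"{'endpoint':<24}{header:>18}"]
    for addr, count in rows:
        lines.append(f"{addr:<24}{count:>18}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Equivalent of: tracetopends -n20 -A v4 -s -b <trace>
    print(format_report(top_endpoints(SAMPLE, "v4", "s", "b", n=20), "s", "b"))
    print()
    # Equivalent of: tracetopends -n 5 -A mac -d -p <trace>
    print(format_report(top_endpoints(SAMPLE, "mac", "d", "p", n=5), "d", "p"))
```

Running the script reproduces the two command lines above on the sample data: ranked by outgoing bytes, 10.0.0.1 leads by a wide margin because it sends the full-size segments, while ranked by incoming packets MAC_A leads because every reply and the IPv6 packet are addressed to it. Changing only the direction or only the measure reorders the table, which is why the Notes insist on choosing both deliberately.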
Last modified on 09/09/11 13:46:32