tracetopends reports the endpoints responsible for the most traffic in a trace. Output is written to stdout. (Only in version 3.0.12 and later.)


         [ -f exp ]
         [ -A addrtype ]
         [ -n numlines ]
         [ -a ]
         [ -b ]
         [ -s ]
         [ -d ]
         [ -p ]
         [ -h ]
         inputuri ... 


-f exp
       Only count packets that match the bpf filter expression. See tcpdump(1) for the syntax of the bpf filter expression.
-A addrtype
       Specifies which address defines an endpoint - may be "mac", "v4" or "v6".
-n numlines
       Output the top N endpoints, where N is the value for this option.
-s
       Sort endpoints based on outgoing traffic. This is the default.
-d
       Sort endpoints based on incoming traffic.
-a
       Sort endpoints based on application payload bytes.
-b
       Sort endpoints based on IP traffic. This is the default.
-p
       Sort endpoints based on packets.
-h
       Print help information.


Print the 20 IPv4 addresses that are sending the most traffic:

tracetopends -n20 -A v4 -s -b erf:trace.erf.gz

Print the 5 MAC addresses that are receiving the most packets:

tracetopends -n 5 -A mac -d -p erf:trace.erf.gz


  • This can be run against live interfaces or DAG cards, but no output will be displayed until the program is interrupted with CTRL-C.
  • Two sort parameters should be specified: the direction (-s or -d) and the traffic measure (-a, -b or -p). The default setting is -s and -b.
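
As an added illustration (not part of tracetopends or libtrace), the following Python sketch shows why both sort parameters matter: over the same constructed packets, the top endpoint changes with the direction and measure chosen. The packet tuples, the function name and the mapping of the measures to -a, -b and -p are assumptions made for this example.

```python
from collections import Counter

# Constructed sample packets: (src, dst, ip_bytes, payload_bytes).
PACKETS = (
    [("10.0.0.5", "10.0.0.9", 1500, 1448)] * 4   # a few large data packets
    + [("10.0.0.7", "10.0.0.9", 52, 0)] * 30     # many packets with no payload
    + [("10.0.0.9", "10.0.0.5", 600, 548)] * 3   # replies in the other direction
)

# Assumed equivalents of the traffic-measure options.
MEASURES = {
    "app": lambda ip_bytes, payload_bytes: payload_bytes,  # like -a
    "ip": lambda ip_bytes, payload_bytes: ip_bytes,        # like -b
    "packets": lambda ip_bytes, payload_bytes: 1,          # like -p
}


def top_endpoints(packets, direction="src", measure="ip", n=10):
    """Rank endpoints by one measure in one direction.

    direction "src" stands for outgoing traffic (like -s) and "dst" for
    incoming traffic (like -d). The defaults mirror the documented -s -b.
    """
    if direction not in ("src", "dst"):
        raise ValueError("direction must be 'src' or 'dst'")
    weigh = MEASURES[measure]
    totals = Counter()
    for src, dst, ip_bytes, payload_bytes in packets:
        endpoint = src if direction == "src" else dst
        totals[endpoint] += weigh(ip_bytes, payload_bytes)
    # Highest total first; ties are broken by address so output is stable.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for direction, measure in (("src", "ip"), ("src", "packets"),
                               ("src", "app"), ("dst", "packets")):
        print(direction, measure, top_endpoints(PACKETS, direction, measure, 3))
```

With this sample, 10.0.0.5 is the top sender by IP bytes while 10.0.0.7 is the top sender by packet count and ranks last by application payload.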
