tracetopends reports the endpoints that are doing the most traffic in a trace. Output is written to stdout. (Only in version 3.0.12 and later)

Usage

tracetopends 
         [ -f exp] 
         [ -A addrtype ]
         [ -n numlines ]
         [ -a ]
         [ -b ]
         [ -s ]
         [ -d ]
         [ -p ]
         [ -h ]
         inputuri ... 

Options

-f

Only count packets that match the bpf filter expression. See tcpdump(1) for the syntax of the bpf filter expression.

-A

Specifies which address defines an endpoint - may be "mac", "v4" or "v6".

-n

Output the top N endpoints, where N is the value for this option.

-s

Sort endpoints based on outgoing traffic. This is the default.

-d

Sort endpoints based on incoming traffic.

-a

Sort endpoints based on application payload bytes.

-b

Sort endpoints based on IP traffic. This is the default.

-p

Sort endpoints based on packets.

-h

Print help information.

Applications

Print the 20 IPv4 addresses that are sending the most traffic

tracetopends -n20 -A v4 -s -b erf:trace.erf.gz

Print the 5 MAC addresses that are receiving the most packets

tracetopends -n 5 -A mac -d -p erf:trace.erf.gz

Notes

• This can be run against live interfaces or DAG cards, but no output will be displayed until the program is interrupted with CTRL-C.
• You want to specify TWO sort parameters: the direction (using -s or -d) and the traffic measure (-a, -b or -p). The default setting is -s and -b.