tracesplit
tracesplit will split a trace into a number of smaller tracefiles.
tracesplit
[ -f exp | --filter=exp ]
[ -c num | --count=num ]
[ -b num | --bytes=num ]
[ -i secs | --interval=secs ]
[ -s unixtime | --starttime=unixtime ]
[ -e unixtime | --endtime=unixtime ]
[ -m files | --maxfiles=files ]
[ -S snaplen | --snaplen=snaplen ]
[ -z level | --compress-level=level ]
[ -Z method | --compress-type=method ]
inputuri [inputuri ...] outputuri
-f, --filter
Only output packets that match the BPF filter expression. See tcpdump(1) for the syntax of the BPF filter expression.
-c, --count
Output num packets per output file.
-b, --bytes
Output num bytes per output file.
-i, --interval
Start a new file after secs seconds of trace time.
-s, --starttime
Do not output any packets with a timestamp earlier than unixtime.
-e, --endtime
Do not output any packets with a timestamp later than unixtime.
-m, --maxfiles
Do not create more than files trace files.
-S, --snaplen
Truncate packets to snaplen bytes long. The default is to perform no truncation at all.
-z, --compress-level
Compress the output trace using the specified compression level, ranging from 0 (no compression) to 9. Higher compression levels require more CPU to compress data. Defaults to no compression.
-Z, --compress-type
Compress the output trace using the specified compression method. Possible methods are "gzip", "bzip2", "lzo", "xz" or "none". The default is "none".
Create a small 10 minute trace from a larger trace:
tracesplit -i 600 -m 1 erf:longtrace.erf.gz erf:10min_trace.erf.gz
Capture a trace to disk with a one hour file rotation:
tracesplit -i 3600 int:eth0 erf:trace.erf.gz
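Carve one host's traffic for a fixed UTC window out of a larger trace, as an added example that is not part of the original documentation. It converts human-readable timestamps into the unixtime values that -s and -e expect, then combines them with -f, -S, -z and -Z. The function name carve_window, the RUN and SNAPLEN variables, the output file name, the address and the snaplen of 96 are assumptions made for illustration, and GNU date is assumed for the -d option.

```shell
#!/bin/sh
# Added example: build (and optionally run) a tracesplit command that extracts
# a time window of filtered traffic. Names and values here are constructed.

# carve_window START_UTC END_UTC BPF_FILTER INPUT_URI OUTPUT_URI
# Prints the tracesplit command line; executes it only when RUN=1 is set.
carve_window() {
    if [ "$#" -ne 5 ]; then
        echo "usage: carve_window START_UTC END_UTC FILTER INPUT_URI OUTPUT_URI" >&2
        return 2
    fi

    # -s and -e take unixtime, so convert the UTC timestamps first (GNU date).
    cw_start=$(date -u -d "$1" +%s) || return 2
    cw_end=$(date -u -d "$2" +%s) || return 2

    # Refuse an empty or inverted window instead of writing an empty trace.
    if [ "$cw_end" -le "$cw_start" ]; then
        echo "carve_window: end time must be after start time" >&2
        return 2
    fi

    # Rebuild the positional parameters as the tracesplit argument vector.
    # -S truncates each packet (96 bytes by default here, a constructed value)
    # so the extract carries less payload; -z/-Z compress the output with gzip.
    set -- tracesplit -s "$cw_start" -e "$cw_end" -f "$3" \
        -S "${SNAPLEN:-96}" -z 6 -Z gzip "$4" "$5"

    # Show the command for the case notes, then run it if requested.
    echo "$*"
    if [ "${RUN:-0}" = "1" ]; then
        "$@"
    fi
}

# Example call (constructed values; prints the command without running it):
# carve_window "2024-01-01 00:00:00" "2024-01-01 00:10:00" \
#     "host 192.0.2.10" erf:longtrace.erf.gz erf:window.erf.gz
```

Set RUN=1 in the environment to execute the printed command; without it the function only reports what it would run.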
- If tracesplit produces multiple output files, the output URI is used as the base of the output filename. An identifier is appended to the filename based on the method used to split the trace. For example, if splitting by packet count, this will be a packet counter. If splitting using an interval, this will be the number of seconds since the start of the trace, etc.
- In libtrace 3.0.9 or later, multiple input traces may be specified on the command line; each is read in turn and split accordingly. This is helpful for applying a filter to an entire traceset, for example.