NAME¶

tracesplit - split traces

SYNOPSIS¶

tracesplit splits the given input traces into multiple tracefiles

-f bpf filter: output only packets that match tcpdump style bpf filter
-c count: output count packets per output file. The output file will be named after the basename given in the outputuri with the packet number of the first packet in this file.
-b bytes: output bytes bytes per file
-i seconds: start a new tracefile after "seconds" seconds
-s unixtime: don't output any packets before unixtime
-e unixtime: don't output any packets after unixtime
-m maxfiles: do not create more than "maxfiles" trace files
-S snaplen: Truncate packets to "snaplen" bytes long. The default is collect the entire packet.
-z level: Compress the data using the specified compression level, ranging from 0 to 9. Higher compression levels tend to result in better compression but require more processing power to compress.
-Z compression-method: Compress the data using the specified compression algorithm. Accepted methods are "gzip", "bzip2", "lzo", "xz" or "none". Default value is none unless a compression level is specified, in which case gzip will be used.

create a 1MB erf trace of port 80 traffic.

tracesplit -z 1 -Z gzip -f 'port 80' -b $[ 1024 * 1024 ] 
erf:/traces/bigtrace.gz erf:/traces/port80.gz

More details about tracesplit (and libtrace) can be found at http://www.wand.net.nz/trac/libtrace/wiki/UserDocumentation

Perry Lorier <perry@cs.waikato.ac.nz>

January 2011

tracesplit (libtrace)

Source file:	tracesplit.1.en.gz (from libtrace-tools 3.0.22-0.2)
Source last updated:	2024-02-28T20:45:34Z
Converted to HTML:	2024-10-21T18:50:09Z