tracesplit(1) split traces

SYNOPSIS

tracesplit [ -f bpf | --filter=bpf] [ -c count | --count=count] [ -b bytes | --bytes=bytes] [ -i seconds | --seconds=seconds] [ -s unixtime | --starttime=unixtime] [ -e unixtime | --endtime=unixtime] [ -m maxfiles | --maxfiles=maxfiles] [ -S snaplen | --snaplen=snaplen] [ -z level | --compress-level=level] [ -Z method | --compress-type=method] inputuri [inputuri ...] outputuri

DESCRIPTION

tracesplit splits the given input traces into multiple tracefiles
-f bpf filter
output only packets that match tcpdump style bpf filter

-c count
output count packets per output file. The output file will be named after the basename given in the outputuri with the packet number of the first packet in this file.

-b bytes
output bytes bytes per file

-i seconds
start a new tracefile after "seconds" seconds

-s unixtime
don't output any packets before unixtime

-e unixtime
don't output any packets after unixtime

-m maxfiles
do not create more than "maxfiles" trace files

-S snaplen
Truncate packets to "snaplen" bytes long. The default is collect the entire packet.

-z level
Compress the data using the specified compression level, ranging from 0 to 9. Higher compression levels tend to result in better compression but require more processing power to compress.

-Z compression-method
Compress the data using the specified compression algorithm. Accepted methods are "gzip", "bzip2", "lzo", "xz" or "none". Default value is none unless a compression level is specified, in which case gzip will be used.

EXAMPLES

create a 1MB erf trace of port 80 traffic.
tracesplit -z 1 -Z gzip -f 'port 80' -b $[ 1024 * 1024 ] 
erf:/traces/bigtrace.gz erf:/traces/port80.gz 

LINKS

More details about tracesplit (and libtrace) can be found at http://www.wand.net.nz/trac/libtrace/wiki/UserDocumentation

AUTHORS

Perry Lorier <[email protected]>