SYNOPSIS

tracesplit [ -f bpf | --filter=bpf] [ -c count | --count=count] [ -b bytes | --bytes=bytes] [ -i seconds | --seconds=seconds] [ -s unixtime | --starttime=unixtime] [ -e unixtime | --endtime=unixtime] [ -m maxfiles | --maxfiles=maxfiles] [ -S snaplen | --snaplen=snaplen] [ -z level | --compress-level=level] [ -Z method | --compress-type=method] inputuri [inputuri ...] outputuri

DESCRIPTION

tracesplit splits the given input traces into multiple tracefiles

-f bpf filter

output only packets that match tcpdump style bpf filter

-c count

output count packets per output file. The output file will be named after the basename given in the outputuri with the packet number of the first packet in this file.

-b bytes

output bytes bytes per file

-i seconds

start a new tracefile after "seconds" seconds

-s unixtime

don't output any packets before unixtime

-e unixtime

don't output any packets after unixtime

-m maxfiles

do not create more than "maxfiles" trace files

-S snaplen

Truncate packets to "snaplen" bytes long. The default is collect the entire packet.

-z level

Compress the data using the specified compression level, ranging from 0 to 9. Higher compression levels tend to result in better compression but require more processing power to compress.

-Z compression-method

Compress the data using the specified compression algorithm. Accepted methods are "gzip", "bzip2", "lzo", "xz" or "none". Default value is none unless a compression level is specified, in which case gzip will be used.

EXAMPLES

create a 1MB erf trace of port 80 traffic.

tracesplit -z 1 -Z gzip -f 'port 80' -b $[ 1024 * 1024 ] 
erf:/traces/bigtrace.gz erf:/traces/port80.gz 

LINKS

More details about tracesplit (and libtrace) can be found at http://www.wand.net.nz/trac/libtrace/wiki/UserDocumentation

AUTHORS

Perry Lorier <[email protected]>