SYNOPSIS
tracesplit [ -f bpf | --filter=bpf ] [ -c count | --count=count ] [ -b bytes | --bytes=bytes ] [ -i seconds | --seconds=seconds ] [ -s unixtime | --starttime=unixtime ] [ -e unixtime | --endtime=unixtime ] [ -m maxfiles | --maxfiles=maxfiles ] [ -S snaplen | --snaplen=snaplen ] [ -z level | --compress-level=level ] [ -Z method | --compress-type=method ] inputuri [inputuri ...] outputuri

DESCRIPTION
tracesplit splits the given input traces into multiple tracefiles.

-f bpf filter
    output only packets that match tcpdump style bpf filter

-c count
    output count packets per output file. The output file will be named after
    the basename given in the outputuri with the packet number of the first packet
    in this file.

-b bytes
    output bytes bytes per file

-i seconds
    start a new tracefile after "seconds" seconds

-s unixtime
    don't output any packets before unixtime

-e unixtime
    don't output any packets after unixtime

-m maxfiles
    do not create more than "maxfiles" trace files

-S snaplen
    Truncate packets to "snaplen" bytes long. The default is to collect the
    entire packet.

-z level
    Compress the data using the specified compression level, ranging from 0 to 9.
    Higher compression levels tend to result in better compression but require
    more processing power to compress.

-Z compression-method
    Compress the data using the specified compression algorithm. Accepted methods
    are "gzip", "bzip2", "lzo", "xz" or "none". Default value is none unless a
    compression level is specified, in which case gzip will be used.

EXAMPLES
Create a 1MB erf trace of port 80 traffic:

    tracesplit -z 1 -Z gzip -f 'port 80' -b $(( 1024 * 1024 )) erf:/traces/bigtrace.gz erf:/traces/port80.gz

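
Added example (not part of the original manual page): a shell helper that converts a UTC incident window into the unixtime values -s and -e expect, then prints a tracesplit command that also starts a new file every hour (-i), truncates packets (-S) and compresses the output (-z, -Z). The timestamps, filter address, snaplen of 96 and output path are constructed sample values, and a date(1) that accepts -d (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example: carve an incident window out of a large capture with tracesplit.
# Assumes a date(1) that accepts -d "YYYY-MM-DD HH:MM:SS" (GNU coreutils, BusyBox).

# Convert a UTC "YYYY-MM-DD HH:MM:SS" timestamp to the unixtime used by -s / -e.
to_unixtime() {
    date -u -d "$1" +%s
}

# Print the tracesplit command line for one extraction (nothing is executed).
#   $1 window start (UTC)   $2 window end (UTC)   $3 bpf filter
#   $4 input URI            $5 output URI
# The filter is wrapped in single quotes, so it must not contain one itself.
build_tracesplit_cmd() {
    start=$(to_unixtime "$1") || return 1
    end=$(to_unixtime "$2") || return 1
    # Refuse an empty or inverted window instead of producing no output files.
    if [ "$start" -ge "$end" ]; then
        echo "window start must be before window end" >&2
        return 1
    fi
    # -i 3600      start a new tracefile every hour
    # -S 96        truncate each packet to 96 bytes (sample value)
    # -z 6 -Z gzip compress the output with gzip at level 6
    printf "tracesplit -s %s -e %s -i 3600 -S 96 -z 6 -Z gzip -f '%s' %s %s\n" \
        "$start" "$end" "$3" "$4" "$5"
}

# Constructed sample values (not from the original page).
build_tracesplit_cmd "2024-03-01 10:00:00" "2024-03-01 12:00:00" \
    "host 192.0.2.10" erf:/traces/bigtrace.gz erf:/traces/incident.gz
```

Review the printed command, then run it as shown or pipe it to sh.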
LINKS
More details about tracesplit (and libtrace) can be found at http://www.wand.net.nz/trac/libtrace/wiki/UserDocumentation