tracesplit will split a single trace into a number of smaller tracefiles.

Usage

tracesplit 
        [ -f exp | --filter=exp ] 
        [ -c num | --count=num ] 
        [ -b num | --bytes=num ] 
        [ -i secs | --interval=secs ]
        [ -s unixtime | --starttime=unixtime ] 
        [ -e unixtime | --endtime=unixtime ] 
        [ -m files | --maxfiles=files ] 
        [ -S snaplen | --snaplen=snaplen ]
        [ -z level | --compress-level=level ]
        [ -Z method | --compress-type=method ]
        inputuri outputuri

Options

-f, --filter

Only output packets that match the bpf filter expression. See tcpdump(1) for the syntax of the bpf filter expression

-c, --count

Output count packets per output file.

-b, --bytes

Output num bytes per output file.

-i, --interval

Start a new file after secs seconds of trace time.

-s, --starttime

Do not output any packets with a timestamp earlier than unixtime

-e, --endtime

Do not output any packets with a timestamp later than unixtime

-m, --maxfiles

Do not create more than files trace files

-S, --snaplen

Truncate packets to snaplen bytes long. The default is to perform no truncation at all.

-z, --compress-level

Compress the output trace using the specified compression level, ranging from 0 (no compression) to 9. Higher compression levels require more CPU to compress data. Defaults to no compression.

-Z, --compress-type

Compress the output trace using the specified compression method. Possible methods are "gzip", "bzip2", "lzo" or "none". The default is "none".

Applications

Create a small 10 minute trace from a larger trace

tracesplit -i 600 -m 1 erf:longtrace.erf.gz erf:10min_trace.erf.gz

Capture a trace to disk with a one hour file rotation

tracesplit -i 3600 int:eth0 erf:trace.erf.gz

Notes

• If tracesplit produces multiple output files, the output URI is used as the base of the output filename. Appended is the timestamp of the first packet in the subtrace.