tcpslice - Extracts sections of or merges tcpdump files
/usr/sbin/tcpslice [-dRrt] [-w file] [start-time [endtime]]
file...
Dumps the start and end times specified by the given range
and exits. This option is useful for checking that the
given range actually specifies the times you think it
does. If the -R, -r, or -t option has been specified, the
times are dumped in the corresponding format; otherwise,
raw format (-R) is used. Dumps the timestamps of the
first and last packets in each input file as raw timestamps
in the form sssssssss.uuuuuu. This option can not
be specified in conjunction with the -r or -t option.
Same as the -R option except the timestamps are dumped in
human-readable format, similar to that used by the date(1)
command. This option cannot be specified in conjunction
with the -R or -t options. Same as the -R option except
the timestamps are dumped in tcpslice format, in the
ymdhmsu format. See the DESCRIPTION section. This option
cannot be specified in conjunction with the -R or -r
option. Directs the output to file rather than stdout.
The tcpslice program extracts portions of packet-trace
files generated using the tcpdump -w command. It can also
be used to concatenate files.
The tcpslice command copies to stdout all packets from its
input file(s) whose timestamps fall within a given range.
The starting and ending times of the range may be specified
on the command line. All ranges are inclusive. The
starting time defaults to the time of the first packet in
the first input file; this is called the first time. The
ending time defaults to ten years after the starting time.
Thus, the command tcpslice trace-file copies trace-file to
stdout (assuming the file does not include more than ten
years' worth of data).
There are a number of ways to specify times. The first is
using UNIX timestamps of the form sssssssss.uuuuuu (the
format specified by the tcpdump -tt command). For example,
654321098.7654 specifies 38 seconds and 765,400 microseconds
after 8:51PM PDT, Sept. 25, 1990.
The examples in this reference page use Pacific Daylight
Time (PDT); however, when displaying times and interpreting
times symbolically (as shown in this reference page),
tcpslice uses the local time zone, regardless of the time
zone in which the tcpdump file was generated. The daylight
saving setting used is that which is appropriate for
the local time zone at the date in question. For example,
times associated with summer months will usually include
daylight saving effects, and those with winter months will
not.
Times may also be specified relative to either the first
time (when specifying a starting time) or the starting
time (when specifying an ending time) by preceding a
numeric value in seconds with a plus sign (+). For example,
a starting time of +200 indicates 200 seconds after
the first time, and the two arguments +200 +300 indicate
from 200 seconds after the first time through 500 seconds
after the first time.
Times may also be specified in terms of years (y), months
(m), days (d), hours (h), minutes (m), seconds (s), and
microseconds(u). For example, the UNIX timestamp
654321098.7654 discussed earlier could also be expressed
as follows:
1990y9m25d20h51m38s765400u
When specifying times using this style, fields that are
omitted default as follows: If the omitted field is a unit
greater than that of the first specified field, its value
defaults to the corresponding value taken from either
first time (if the starting time is being specified) or
the starting time (if the ending time is being specified).
If the omitted field is a unit less than that of the first
specified field, then it defaults to zero.
For example, suppose the input file has a first time of
the UNIX timestamp mentioned previously (38 seconds and
765,400 microseconds after 8:51 PM PDT, September 25,
1990). The following example specifies 9:36 PM PDT on the
same date:
21h36m
The following example specifies a range from 9:36 PM PDT
through 1:54 AM PDT the next day:
21h36m 26d1h54m
Relative times can also be specified when using the
ymdhmsu format. Omitted fields then default to zero (0)
if the unit of the field is greater than that of the first
specified field, and to the corresponding value taken from
either the first time or the starting time if the omitted
field's unit is less than that of the first specified
field. Using the first time of the UNIX timestamp mentioned
previously, the following example specifies a range
from 10:00 PM PDT on that date through 11:10PM PDT:
22h +1h10m
The following example specifies a range from 38.7654 seconds
after 9:51 PM PDT through 38.7654 seconds after 11:01
PM PDT:
+1h +1h10m
The first hour of the file could be extracted using the
following specification:
+0 +1h
Note that with the ymdhmsu format there is an ambiguity
between using m for month or for minute. The ambiguity is
resolved as follows: if an m field is followed by a d
field, it specifies months; otherwise it specifies minutes.
If more than one input file is specified, tcpslice first
copies packets lying in the given range from the first
file. It then increases the starting time of the range to
lie just beyond the timestamp of the last packet in the
first file, repeats the process with the second file, and
so on. In this manner, files with interleaved packets are
not merged. For a given file, only packets that are newer
than any in the preceding files will be considered. This
mechanism avoids any possibility of a packet occurring
more than once in the output.
An input filename that beings with a digit or a plus sign
(+) can be confused with a start and end time. Such filenames
can be specified with a leading period and backslash
(./); for example, specify the file 04Jul76.trace as
The tcpslice program cannot read its input from stdin,
since it uses random-access to read through its input
files.
The tcpslice program does not write to its output to a
terminal (as indicated by isatty(3)). This prevents
binary data from displaying on a user's terminal. You must
either redirect stdout or specify an output file using the
-w option.
The tcpslice program does not work properly on tcpdump
files spanning more than one year with files containing
portions of packets whose original length was more than
65,535 bytes or with files containing fewer than three
packets. If you use these files, the following error message
is displayed:
couldn't find final packet in file
These problems are due to the interpolation scheme used by
tcpslice to significantly increase its processing speed
when dealing with large trace files. The tcpslice program
can efficiently extract slices from the middle of trace
files of any size, and can also work with truncated trace
files (that is, the final packet in the file is only partially
present, typically caused by tcpdump being killed).
Commands: pfstat(1), pfconfig(8), tcpdump(8)
Files: bpf(7), packetfilter(7)
tcpslice(8)
[ Back ] |
