
tracertstats

Shane Alcock edited this page Dec 7, 2018 · 3 revisions

tracertstats is a libtrace program that performs simple filter-based analysis on a trace. For every filter specified, tracertstats will display packet and byte counts at regular intervals.

Usage

tracertstats  [ -f | --filter bpf ] [ -i | --interval interval ] 
    [ -c | --count count ] [ -o | --output-format csv,txt,png,html ] 
    [ -N | --nobuffer ] [ -m | --merge-inputs ] [ -t | --threads threadcount ]
    [ -d | --report-drops ]
    inputuri...

Options

-f, --filter Adds a BPF filter. This option can be given more than once; tracertstats reports separate packet and byte counts for each filter.

-i, --interval Output statistics every interval seconds of trace time.

-c, --count Output statistics every count packets.

-o, --output-format Selects the output format. These formats are described in more detail in a subsequent section.

-N, --nobuffer Disables packet buffering within libtrace. This will give smoother, less bursty output when monitoring an input source with a very low packet rate (i.e. < 10 packets per reporting interval).

-m, --merge-inputs Do not create separate output files for each input source; produce a unified output instead. Works best with input sources that are chronologically consecutive (e.g. trace files listed in time order).

-t, --threads Use threadcount processing threads. Defaults to 4 processing threads. Bear in mind that setting this number too high will decrease performance if there is not enough work to keep all the threads occupied.

-d, --report-drops Include cumulative counts of dropped and missing packets on each line of output. Dropped packets are packets that were dropped by the capture device. Missing packets are packets that were captured successfully but were never processed by tracertstats (this occurs with multi-host capture setups such as ndag). This option was added in libtrace 4.0.6.

Output Formats

txt A regular ASCII text file. This is the default output format and is laid out for human readability. It can use a lot of horizontal space, so it may not display well in 80-character-wide terminals.

csv Comma separated values. Suitable for future analysis using a spreadsheet or other program.

png PNG graphic. Produces a png graph which may or may not be comprehensible. This format is dependent on having gdc available at compile time.

html HTML. Produces output suitable for display as a webpage.

Note: All output formats are written to stdout, so they may need to be redirected to a file.

Applications

Output the number of packets and bytes seen every 5 minutes of trace time:

    tracertstats -i 300 erf:trace.erf.gz

Output the number of SMTP and HTTP packets and bytes seen every minute of trace time as an HTML file:

    tracertstats -i 60 -f "tcp port 25" -f "tcp port 80" -o html erf:trace.erf.gz > smtp_and_http.html
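Because the counters added by -d are cumulative, checking capture loss per interval means taking the difference between consecutive output lines. The script below is an added example for post-processing the csv output, not part of libtrace or this page; it assumes a CSV layout of a timestamp column, a packet and byte column per filter, then trailing dropped and missing columns, and runs on a constructed sample.

```python
"""Turn the cumulative dropped/missing counters in tracertstats CSV output
(-o csv -d) into per-interval loss figures.  Added example, not libtrace
code; the column layout is an assumption, not taken from the tool's source."""
import csv
import io

# Constructed sample of what `tracertstats -i 60 -f "tcp port 25"
# -f "tcp port 80" -o csv -d erf:trace.erf.gz` might emit under the
# assumed layout.  The drop in interval 3 and the missing packets in
# interval 4 are deliberate so the deltas are visible.
SAMPLE_CSV = """\
ts,tcp port 25 pkts,tcp port 25 bytes,tcp port 80 pkts,tcp port 80 bytes,dropped,missing
1544140800,120,96000,4000,5200000,0,0
1544140860,130,104000,4100,5300000,0,0
1544140920,125,100000,9800,14000000,250,0
1544140980,140,112000,4200,5400000,250,40
"""


def per_interval_loss(csv_text):
    """Return one dict per interval with the dropped/missing deltas and the
    fraction of packets lost relative to what the filters observed."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    result = []
    prev_drop = prev_miss = 0
    for row in rows:
        drop, miss = int(row["dropped"]), int(row["missing"])
        d_drop, d_miss = drop - prev_drop, miss - prev_miss  # cumulative -> delta
        prev_drop, prev_miss = drop, miss
        seen = sum(int(v) for k, v in row.items() if k.endswith(" pkts"))
        lost = d_drop + d_miss
        result.append({
            "ts": int(row["ts"]),
            "dropped": d_drop,
            "missing": d_miss,
            "loss_ratio": lost / (seen + lost) if seen + lost else 0.0,
        })
    return result


def intervals_with_loss(csv_text):
    """Timestamps of intervals where the capture lost at least one packet."""
    return [x["ts"] for x in per_interval_loss(csv_text) if x["dropped"] or x["missing"]]


if __name__ == "__main__":
    for entry in per_interval_loss(SAMPLE_CSV):
        print(entry)
```

Intervals with non-zero loss are the ones where the per-filter counts understate what was actually on the wire.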

Notes

  • If a simple summary of byte and packet counts for the entire trace is required, tracestats is a better tool.