
tracertstats

Shane Alcock edited this page Oct 1, 2015 · 3 revisions

tracertstats is a libtrace program that performs simple filter-based analysis on a trace. For every filter specified, tracertstats will display packet and byte counts at regular intervals.

Usage

tracertstats [ -f | --filter bpf ] [ -i | --interval interval ]
    [ -c | --count count ] [ -o | --output-format csv,txt,png,html ]
    [ -N | --nobuffer ] [ -m | --merge-inputs ] [ -t | --threads threadcount ]
    inputuri...

Options

-f, --filter Adds another BPF filter. The option may be given more than once; each filter gets its own packet and byte counts in the output.

-i, --interval Output statistics every interval seconds of trace time.

-c, --count Output statistics every count packets.

-o, --output-format Selects the output format. These formats are described in more detail in a subsequent section.

-N, --nobuffer Disables packet buffering within libtrace. This will give smoother, less bursty output when monitoring an input source with a very low packet rate (i.e. < 10 packets per reporting interval).

-m, --merge-inputs Do not create separate output files for each input source; produce a unified output instead. Works best with input sources that are chronologically consecutive (e.g. trace files listed in time order).

-t, --threads Use threadcount processing threads. Defaults to 4 processing threads. Bear in mind that setting this number too high will decrease performance if there is not enough work to keep all the threads occupied.

Output Formats

txt A regular ASCII text file. This is the default output format and is laid out for human readability. It can use a lot of horizontal space, so it may not display well in an 80 character wide terminal.

csv Comma separated values. Suitable for future analysis using a spreadsheet or other program.

png PNG graphic. Produces a png graph which may or may not be comprehensible. This format is dependent on having gdc available at compile time.

html Self-explanatory. Produces output suitable for display as a webpage.

Note: All output formats are written to stdout so they may require re-direction.

Applications

Output the number of packets and bytes seen every 5 minutes of trace time:

    tracertstats -i 300 erf:trace.erf.gz

Output the number of SMTP and HTTP packets and bytes seen every minute of trace time as an HTML file:

    tracertstats -i 60 -f "tcp port 25" -f "tcp port 80" -o html erf:trace.erf.gz > smtp_and_http.html
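The same kind of run driven from a script, as an added example that is not part of libtrace or this wiki. It assumes the tracertstats binary is on PATH; the filter expressions and output file name are constructed sample values. Passing the arguments as a list (no shell) keeps BPF strings such as "tcp port 25" out of shell quoting, and stdout is captured to a file because every output format is written to stdout.

```python
"""Build and run tracertstats invocations from Python.

Added example; not libtrace's own code. Assumes 'tracertstats' is on PATH.
"""
import shutil
import subprocess


def build_tracertstats_cmd(input_uris, filters=(), interval=None, count=None,
                           output_format="txt", merge=False, threads=None):
    """Return the argv list for one tracertstats run.

    Each BPF expression is passed with its own -f, so tracertstats reports a
    separate packet/byte column per filter. Flags are the ones the wiki lists.
    """
    if output_format not in ("txt", "csv", "png", "html"):
        raise ValueError(f"unsupported output format: {output_format}")
    cmd = ["tracertstats"]
    for bpf in filters:
        cmd += ["-f", bpf]
    if interval is not None:
        cmd += ["-i", str(interval)]   # seconds of trace time
    if count is not None:
        cmd += ["-c", str(count)]      # packets per report
    cmd += ["-o", output_format]
    if merge:
        cmd.append("-m")
    if threads is not None:
        cmd += ["-t", str(threads)]
    cmd += list(input_uris)
    return cmd


def run_tracertstats(output_path, **kwargs):
    """Run tracertstats with argv from build_tracertstats_cmd.

    All formats go to stdout, so stdout is redirected into output_path,
    the same as the '>' in the wiki's HTML example. Returns the exit status.
    """
    if shutil.which("tracertstats") is None:
        raise FileNotFoundError("tracertstats not found on PATH")
    cmd = build_tracertstats_cmd(**kwargs)
    with open(output_path, "wb") as out:
        return subprocess.run(cmd, stdout=out, check=False).returncode


if __name__ == "__main__":
    # SMTP and HTTP counts every 60 s of trace time, as HTML (constructed input).
    print(" ".join(build_tracertstats_cmd(
        ["erf:trace.erf.gz"], ["tcp port 25", "tcp port 80"],
        interval=60, output_format="html")))
```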

Notes

  • If a simple summary of byte and packet counts for the entire trace is required, tracestats is a better tool.