 |
Index for
Section 8 |
|
 |
Alphabetical
listing for T |
|
 |
Bottom of
page |
|
tcpslice(8)
NAME
tcpslice - Extracts sections of or merges tcpdump files
SYNOPSIS
/usr/sbin/tcpslice [-dRrt] [-w file] [start-time [end-time]] file...
OPTIONS
-d Dumps the start and end times specified by the given range and exits.
This option is useful for checking that the given range actually
specifies the times you think it does. If the -R, -r, or -t option has
been specified, the times are dumped in the corresponding format;
otherwise, raw format (-R) is used.
-R Dumps the timestamps of the first and last packets in each input file
as raw timestamps in the form sssssssss.uuuuuu. This option can not be
specified in conjunction with the -r or -t option.
-r Same as the -R option except the timestamps are dumped in human-
readable format, similar to that used by the date(1) command. This
option cannot be specified in conjunction with the -R or -t options.
-t Same as the -R option except the timestamps are dumped in tcpslice
format, in the ymdhmsu format. See the DESCRIPTION section. This
option cannot be specified in conjunction with the -R or -r option.
-w Directs the output to file rather than stdout.
DESCRIPTION
The tcpslice program extracts portions of packet-trace files generated
using the tcpdump -w command. It can also be used to concatenate files.
The tcpslice command copies to stdout all packets from its input file(s)
whose timestamps fall within a given range. The starting and ending times
of the range may be specified on the command line. All ranges are
inclusive. The starting time defaults to the time of the first packet in
the first input file; this is called the first time. The ending time
defaults to ten years after the starting time. Thus, the command tcpslice
trace-file copies trace-file to stdout (assuming the file does not include
more than ten years' worth of data).
There are a number of ways to specify times. The first is using UNIX
timestamps of the form sssssssss.uuuuuu (the format specified by the
tcpdump -tt command). For example, 654321098.7654 specifies 38 seconds and
765,400 microseconds after 8:51PM PDT, Sept. 25, 1990.
The examples in this reference page use Pacific Daylight Time (PDT);
however, when displaying times and interpreting times symbolically (as
shown in this reference page), tcpslice uses the local time zone,
regardless of the time zone in which the tcpdump file was generated. The
daylight saving setting used is that which is appropriate for the local
time zone at the date in question. For example, times associated with
summer months will usually include daylight saving effects, and those with
winter months will not.
Times may also be specified relative to either the first time (when
specifying a starting time) or the starting time (when specifying an ending
time) by preceding a numeric value in seconds with a plus sign (+). For
example, a starting time of +200 indicates 200 seconds after the first
time, and the two arguments +200 +300 indicate from 200 seconds after the
first time through 500 seconds after the first time.
Times may also be specified in terms of years (y), months (m), days (d),
hours (h), minutes (m), seconds (s), and microseconds(u). For example, the
UNIX timestamp 654321098.7654 discussed earlier could also be expressed as
follows:
1990y9m25d20h51m38s765400u
When specifying times using this style, fields that are omitted default as
follows:
· If the omitted field is a unit greater than that of the first
specified field, its value defaults to the corresponding value taken
from either first time (if the starting time is being specified) or
the starting time (if the ending time is being specified).
· If the omitted field is a unit less than that of the first specified
field, then it defaults to zero.
For example, suppose the input file has a first time of the UNIX timestamp
mentioned previously (38 seconds and 765,400 microseconds after 8:51 PM
PDT, September 25, 1990). The following example specifies 9:36 PM PDT on
the same date:
21h36m
The following example specifies a range from 9:36 PM PDT through 1:54 AM
PDT the next day:
21h36m 26d1h54m
Relative times can also be specified when using the ymdhmsu format.
Omitted fields then default to zero (0) if the unit of the field is greater
than that of the first specified field, and to the corresponding value
taken from either the first time or the starting time if the omitted
field's unit is less than that of the first specified field. Using the
first time of the UNIX timestamp mentioned previously, the following
example specifies a range from 10:00 PM PDT on that date through 11:10PM
PDT:
22h +1h10m
The following example specifies a range from 38.7654 seconds after 9:51 PM
PDT through 38.7654 seconds after 11:01 PM PDT:
+1h +1h10m
The first hour of the file could be extracted using the following
specification:
+0 +1h
Note that with the ymdhmsu format there is an ambiguity between using m for
month or for minute. The ambiguity is resolved as follows: if an m field
is followed by a d field, it specifies months; otherwise it specifies
minutes.
If more than one input file is specified, tcpslice first copies packets
lying in the given range from the first file. It then increases the
starting time of the range to lie just beyond the timestamp of the last
packet in the first file, repeats the process with the second file, and so
on. In this manner, files with interleaved packets are not merged. For a
given file, only packets that are newer than any in the preceding files
will be considered. This mechanism avoids any possibility of a packet
occurring more than once in the output.
RESTRICTIONS
An input filename that beings with a digit or a plus sign (+) can be
confused with a start and end time. Such filenames can be specified with a
leading period and backslash (./); for example, specify the file
04Jul76.trace as ./04Jul76.trace.
The tcpslice program cannot read its input from stdin, since it uses
random-access to read through its input files.
The tcpslice program does not write to its output to a terminal (as
indicated by isatty(3)). This prevents binary data from displaying on a
user's terminal. You must either redirect stdout or specify an output file
using the -w option.
The tcpslice program does not work properly on tcpdump files spanning more
than one year with files containing portions of packets whose original
length was more than 65,535 bytes or with files containing fewer than three
packets. If you use these files, the following error message is displayed:
couldn't find final packet in file
These problems are due to the interpolation scheme used by tcpslice to
significantly increase its processing speed when dealing with large trace
files. The tcpslice program can efficiently extract slices from the middle
of trace files of any size, and can also work with truncated trace files
(that is, the final packet in the file is only partially present, typically
caused by tcpdump being killed).
SEE ALSO
Commands: pfstat(1), pfconfig(8), tcpdump(8)
Files: bpf(7), packetfilter(7)
|
Index for
Section 8 |
|
|
Alphabetical
listing for T |
|
 |
Top of
page |
|