Index:
[(1)addftinfo(1)
addr2line(1)
afmtodit(1)
alias(1)
alloc(1)
apply(1)
apropos(1)
ar(1)
as(1)
asa(1)
at(1)
atq(1)
atrm(1)
awk(1)
b64decode(1)
b64encode(1)
basename(1)
batch(1)
bc(1)
bdes(1)
bg(1)
biff(1)
bind(1)
bindkey(1)
brandelf(1)
break(1)
breaksw(1)
bsdtar(1)
bsnmpd(1)
bthost(1)
btsockstat(1)
builtin(1)
builtins(1)
bunzip2(1)
byacc(1)
bzcat(1)
bzegrep(1)
bzfgrep(1)
bzgrep(1)
bzip2(1)
c++(1)
c89(1)
c99(1)
cal(1)
calendar(1)
cap_mkdb(1)
case(1)
cat(1)
catman(1)
cc(1)
cd(1)
cdcontrol(1)
chdir(1)
checknr(1)
chflags(1)
chfn(1)
chgrp(1)
chio(1)
chkey(1)
chmod(1)
chpass(1)
chsh(1)
ci(1)
ckdist(1)
cksum(1)
clear(1)
cmp(1)
co(1)
col(1)
colcrt(1)
colldef(1)
colrm(1)
column(1)
comm(1)
command(1)
compile_et(1)
complete(1)
compress(1)
continue(1)
cp(1)
cpio(1)
cpp(1)
crontab(1)
crunchgen(1)
crunchide(1)
crypt(1)
csh(1)
csplit(1)
ctags(1)
ctm(1)
ctm_dequeue(1)
ctm_rmail(1)
ctm_smail(1)
cu(1)
cursor(1)
cut(1)
cvs(1)
date(1)
dc(1)
dd(1)
default(1)
df(1)
dialog(1)
diff(1)
diff3(1)
dig(1)
dirname(1)
dirs(1)
do(1)
domainname(1)
done(1)
dtmfdecode(1)
du(1)
echo(1)
echotc(1)
ed(1)
edit(1)
ee(1)
egrep(1)
elfdump(1)
elif(1)
else(1)
end(1)
endif(1)
endsw(1)
enigma(1)
env(1)
eqn(1)
esac(1)
eval(1)
ex(1)
exec(1)
exit(1)
expand(1)
export(1)
expr(1)
f77(1)
false(1)
fc(1)
fdformat(1)
fdread(1)
fdwrite(1)
fetch(1)
fg(1)
fgrep(1)
fi(1)
file(1)
file2c(1)
filetest(1)
find(1)
finger(1)
flex++(1)
flex(1)
fmt(1)
fold(1)
fontedit(1)
for(1)
foreach(1)
from(1)
fstat(1)
fsync(1)
ftp(1)
g++(1)
g711conv(1)
gate-ftp(1)
gcc(1)
gcore(1)
gcov(1)
gdb(1)
gencat(1)
gensnmptree(1)
getNAME(1)
getconf(1)
getfacl(1)
getopt(1)
getopts(1)
glob(1)
goto(1)
gperf(1)
gprof(1)
grep(1)
grn(1)
grodvi(1)
groff(1)
grog(1)
grolbp(1)
grolj4(1)
grops(1)
grotty(1)
groups(1)
gtar(1)
gunzip(1)
gzcat(1)
gzexe(1)
gzip(1)
hash(1)
hashstat(1)
hd(1)
head(1)
hesinfo(1)
hexdump(1)
history(1)
host(1)
hostname(1)
hpftodit(1)
hup(1)
id(1)
ident(1)
idprio(1)
if(1)
indent(1)
indxbib(1)
info(1)
install-info(1)
install(1)
intro(1)
introduction(1)
ipcrm(1)
ipcs(1)
ipftest(1)
ipnat(1)
ipresend(1)
ipsend(1)
iptest(1)
jobid(1)
jobs(1)
join(1)
jot(1)
kbdcontrol(1)
kbdmap(1)
kcon(1)
kdestroy(1)
kdump(1)
kenv(1)
keylogin(1)
keylogout(1)
kgdb(1)
kill(1)
killall(1)
kinit(1)
klist(1)
kpasswd(1)
krb5-config(1)
ktrace(1)
lam(1)
last(1)
lastcomm(1)
ld-elf.so.1(1)
ld(1)
ld(1)
ldd(1)
leave(1)
less(1)
lesskey(1)
lex++(1)
lex(1)
limit(1)
limits(1)
link(1)
lint(1)
lkbib(1)
ln(1)
loadfont(1)
locale(1)
locate(1)
lock(1)
lockf(1)
log(1)
logger(1)
login(1)
logins(1)
logname(1)
logout(1)
look(1)
lookbib(1)
lorder(1)
lp(1)
lpq(1)
lpr(1)
lprm(1)
lptest(1)
ls-F(1)
ls(1)
lsvfs(1)
m4(1)
mail(1)
mailq(1)
mailx(1)
make(1)
makeinfo(1)
makewhatis(1)
man(1)
manpath(1)
md5(1)
merge(1)
mesg(1)
minigzip(1)
mkdep(1)
mkdir(1)
mkfifo(1)
mklocale(1)
mkstr(1)
mktemp(1)
mmroff(1)
more(1)
mptable(1)
msgs(1)
mt(1)
mv(1)
nawk(1)
nc(1)
ncal(1)
ncplist(1)
ncplogin(1)
ncplogout(1)
neqn(1)
netstat(1)
newaliases(1)
newgrp(1)
nex(1)
nfsstat(1)
nice(1)
nl(1)
nm(1)
nohup(1)
notify(1)
nroff(1)
nslookup(1)
nvi(1)
nview(1)
objcopy(1)
objdump(1)
objformat(1)
od(1)
omshell(1)
onintr(1)
opieinfo(1)
opiekey(1)
opiepasswd(1)
otp-md4(1)
otp-md5(1)
otp-sha(1)
pagesize(1)
passwd(1)
paste(1)
patch(1)
pathchk(1)
pawd(1)
pax(1)
pfbtops(1)
pftp(1)
pgrep(1)
pic(1)
pkg_add(1)
pkg_check(1)
pkg_create(1)
pkg_delete(1)
pkg_info(1)
pkg_sign(1)
pkg_version(1)
pkill(1)
popd(1)
pr(1)
printenv(1)
printf(1)
ps(1)
psroff(1)
pushd(1)
pwd(1)
quota(1)
ranlib(1)
rcp(1)
rcs(1)
rcsclean(1)
rcsdiff(1)
rcsfreeze(1)
rcsintro(1)
rcsmerge(1)
read(1)
readelf(1)
readlink(1)
readonly(1)
realpath(1)
red(1)
ree(1)
refer(1)
rehash(1)
repeat(1)
reset(1)
rev(1)
rfcomm_sppd(1)
rlog(1)
rlogin(1)
rm(1)
rmd160(1)
rmdir(1)
rpcgen(1)
rs(1)
rsh(1)
rtld(1)
rtprio(1)
rup(1)
ruptime(1)
rusers(1)
rwall(1)
rwho(1)
sched(1)
scon(1)
scp(1)
script(1)
sdiff(1)
sed(1)
send-pr(1)
sendbug(1)
set(1)
setenv(1)
setfacl(1)
settc(1)
setty(1)
setvar(1)
sftp(1)
sh(1)
sha1(1)
shar(1)
shift(1)
size(1)
sleep(1)
slogin(1)
smbutil(1)
sockstat(1)
soelim(1)
sort(1)
source(1)
split(1)
sscop(1)
ssh-add(1)
ssh-agent(1)
ssh-keygen(1)
ssh-keyscan(1)
ssh(1)
startslip(1)
stat(1)
stop(1)
strings(1)
strip(1)
stty(1)
su(1)
sum(1)
suspend(1)
switch(1)
systat(1)
tabs(1)
tail(1)
talk(1)
tar(1)
tbl(1)
tcopy(1)
tcpdump(1)
tcpslice(1)
tcsh(1)
tee(1)
telltc(1)
telnet(1)
test(1)
texindex(1)
tfmtodit(1)
tftp(1)
then(1)
time(1)
tip(1)
top(1)
touch(1)
tput(1)
tr(1)
trace(1)
trap(1)
troff(1)
true(1)
truncate(1)
truss(1)
tset(1)
tsort(1)
tty(1)
type(1)
ul(1)
ulimit(1)
umask(1)
unalias(1)
uname(1)
uncomplete(1)
uncompress(1)
unexpand(1)
unhash(1)
unifdef(1)
unifdefall(1)
uniq(1)
units(1)
unlimit(1)
unlink(1)
unset(1)
unsetenv(1)
until(1)
unvis(1)
uptime(1)
usbhidaction(1)
usbhidctl(1)
users(1)
uudecode(1)
uuencode(1)
uuidgen(1)
vacation(1)
vgrind(1)
vi(1)
vidcontrol(1)
vidfont(1)
view(1)
vis(1)
vt220keys(1)
vttest(1)
w(1)
wait(1)
wall(1)
wc(1)
what(1)
whatis(1)
where(1)
whereis(1)
which(1)
while(1)
who(1)
whoami(1)
whois(1)
window(1)
write(1)
xargs(1)
xstr(1)
yacc(1)
yes(1)
ypcat(1)
ypchfn(1)
ypchpass(1)
ypchsh(1)
ypmatch(1)
yppasswd(1)
ypwhich(1)
yyfix(1)
zcat(1)
zcmp(1)
zdiff(1)
zegrep(1)
zfgrep(1)
zforce(1)
zgrep(1)
zmore(1)
znew(1)
tcpslice(1)
NAME
tcpslice -- extract pieces of and/or glue together tcpdump files
SYNOPSIS
tcpslice [-dRrt] [-w file] [start-time [end-time]] file ...
DESCRIPTION
The tcpslice utility extracts portions of packet-trace files generated using tcpdump(1)'s -w flag. It can also be used to glue together several such files, as discussed below. The basic operation of tcpslice is to copy to stdout all packets from its input file(s) whose timestamps fall within a given range. The starting and ending times of the range may be specified on the command line. All ranges are inclusive. The starting time defaults to the time of the first packet in the first input file; we call this the first time. The ending time defaults to ten years after the starting time. Thus, the command tcpslice trace-file simply copies trace-file to stdout (assuming the file does not include more than ten years' worth of data). There are a number of ways to specify times. The first is using Unix timestamps of the form sssssssss.uuuuuu (this is the format specified by tcpdump(1)'s -tt flag). For example, 654321098.7654 specifies 38 seconds and 765,400 microseconds after 8:51PM PDT, Sept. 25, 1990. All examples in this manual are given for PDT times, but when displaying times and interpreting times symbolically as discussed below, tcpslice uses the local timezone, regardless of the timezone in which the tcpdump(1) file was generated. The daylight-savings setting used is that which is appropriate for the local timezone at the date in question. For example, times associated with summer months will usually include day- light-savings effects, and those with winter months will not. Times may also be specified relative to either the first time (when spec- ifying a starting time) or the starting time (when specifying an ending time) by preceding a numeric value in seconds with a `+'. For example, a starting time of +200 indicates 200 seconds after the first time, and the two arguments +200 +300 indicate from 200 seconds after the first time through 500 seconds after the first time. Times may also be specified in terms of years (y), months (m), days (d), hours (h), minutes (m), seconds (s), and microseconds(u). For example, the Unix timestamp 654321098.7654 discussed above could also be expressed as 90y9m25d20h51m38s765400u. When specifying times using this style, fields that are omitted default as follows. If the omitted field is a unit greater than that of the first specified field, then its value defaults to the corresponding value taken from either first time (if the starting time is being specified) or the starting time (if the ending time is being specified). If the omit- ted field is a unit less than that of the first specified field, then it defaults to zero. For example, suppose that the input file has a first time of the Unix timestamp mentioned above, i.e., 38 seconds and 765,400 microseconds after 8:51PM PDT, Sept. 25, 1990. To specify 9:36PM PDT (exactly) on the same date we could use 21h36m. To specify a range from 9:36PM PDT through 1:54AM PDT the next day we could use 21h36m 26d1h54m. 11:01PM PDT. The first hour of the file could be extracted using +0 +1h. Note that with the ymdhmsu format there is an ambiguity between using m for `month' or for `minute'. The ambiguity is resolved as follows: if an m field is followed by a d field then it is interpreted as specifying months; otherwise it specifies minutes. If more than one input file is specified then tcpslice first copies pack- ets lying in the given range from the first file; it then increases the starting time of the range to lie just beyond the timestamp of the last packet in the first file, repeats the process with the second file, and so on. Thus files with interleaved packets are not merged. For a given file, only packets that are newer than any in the preceding files will be considered. This mechanism avoids any possibility of a packet occurring more than once in the output.
OPTIONS
If any of -R, -r or -t are specified then tcpslice reports the timestamps of the first and last packets in each input file and exits. Only one of these three options may be specified. The following options are available: -d Dump the start and end times specified by the given range and exit. This option is useful for checking that the given range actually specifies the times you think it does. If one of -R, -r or -t has been specified then the times are dumped in the corre- sponding format; otherwise, raw format (-R) is used. -R Dump the timestamps of the first and last packets in each input file as raw timestamps (i.e., in the form sssssssss.uuuuuu). -r Same as -R except the timestamps are dumped in human-readable format, similar to that used by date(1). -t Same as -R except the timestamps are dumped in tcpslice format, i.e., in the ymdhmsu format discussed above. -w file Direct the output to file rather than stdout.
SEE ALSO
tcpdump(1)
AUTHORS
Vern Paxson <vern@ee.lbl.gov>, of Lawrence Berkeley Laboratory, Univer- sity of California, Berkeley, CA.
BUGS
An input filename that beings with a digit or a `+' can be confused with a start/end time. Such filenames can be specified with a leading `./'; for example, specify the file `04Jul76.trace' as `./04Jul76.trace'. The tcpslice utility cannot read its input from stdin, since it uses ran- dom-access to rummage through its input files. The tcpslice utility refuses to write to its output if it is a terminal (as indicated by isatty(3)). This is not a bug but a feature, to prevent scheme used by tcpslice to greatly speed up its processing when dealing with large trace files. Note that tcpslice can efficiently extract slices from the middle of trace files of any size, and can also work with truncated trace files (i.e., the final packet in the file is only par- tially present, typically due to tcpdump(1) being ungracefully killed). FreeBSD 5.4 October 14, 1991 FreeBSD 5.4
SPONSORED LINKS
Man(1) output converted with man2html , sed , awk