tracefilter - LibtraceTeam/libtrace GitHub Wiki

tracefilter copies all packets that match a user-specified bpf filter to an output trace, creating a new filtered sub-trace.

Usage

tracefilter inputuri bpffilter outputuri

Applications

Capturing a trace file using a filter:

    tracefilter int:eth0 "tcp port 80" erf:http_only.erf.gz

Filtering an existing trace:

    tracefilter erf:trace.erf.gz "host 192.168.2.110" erf:single_host.erf.gz

Notes

• tracefilter does not support setting the compression level or method. It will always write gzip level 1 compressed output.
• tracefilter is a limited version of tracesplit. If you require more flexibility in your filtering, tracesplit may prove to be a better option.