tracestats (1)

tracestats [ -f | --filter bpf ]... inputuri...

tracestats reads one or more traces and outputs summaries for each trace of how many packets/bytes match each bpf filter, as well as totals. If instead of doing this for the entire trace, but to do it for portions then use tracertstats(1) instead.

-f bpf-filter

-\^-filter bpf-filter

Add another bpf filter

tracestats -\^-filter 'host sundown' \
	-\^-filter 'port http' \
	-\^-filter 'port ftp or ftp-data' \
	-\^-filter 'port smtp' \
	-\^-filter 'tcp[tcpflags] & tcp-syn!=0' \
	-\^-filter 'not ip' \
	-\^-filter 'ether[0] & 1 == 1' \
	-\^-filter 'icmp[icmptype] == icmp-unreach' \
	erf:/traces/trace1.gz \
	erf:/traces/trace2.gz \

More details about tracestats (and libtrace) can be found at http://www.wand.net.nz/trac/libtrace/wiki/UserDocumentation

libtrace(3), tracemerge(1), tracefilter(1), traceconvert(1), tracesplit(1), tracesplit_dir(1), tracereport(1), tracertstats(1), tracepktdump(1), traceanon(1), tracesummary(1), tracereplay(1), tracediff(1), traceends(1), tracetopends(1)

Perry Lorier <[email protected]>