tracestats
Shane Alcock edited this page Oct 1, 2015 · 2 revisions
tracestats is a libtrace tool that provides a summary of how many bytes/packets match a series of bpf filters.
tracestats [-t | --threads threadcount ] [ -f | --filter bpf ]... inputuri...
-f, --filter
Specifies a bpf filter to provide statistics for.
-t, --threads
Use threadcount processing threads. Defaults to 4 processing threads. Bear in mind that setting this number too high will decrease performance if there is not enough work to keep all the threads occupied.
Find out how much SMTP traffic is present in a trace:
tracestats -f "tcp port 25" erf:trace.erf.gz
Find out how much HTTP traffic is travelling to and from the host 'kodiak':
tracestats -f "tcp port 80 and host kodiak" erf:trace.erf.gz
Compare the amount of traffic the hosts 'yogi' and 'booboo' are doing:
tracestats -f "host yogi" -f "host booboo" erf:trace.erf.gz
- tracestats only produces stats across the entire trace. If you want to see stats at regular intervals, use tracertstats instead.
- Because tracestats reads the entire trace before printing results, it is not very useful for live capture formats that have no logical end, e.g. int:, pcapint:. We hope to correct this in a future release of libtrace. In the interim, tracertstats will prove to be more useful for those formats.
- tracesummary is a tool that runs tracestats with a number of useful filters, which may be more useful to people who want some general statistics about a trace without having to write lots of bpf filters.