tcpslice man page on DigitalUNIX


tcpslice(8)							   tcpslice(8)

NAME
       tcpslice - Extracts sections of or merges tcpdump files

SYNOPSIS
       /usr/sbin/tcpslice [-dRrt] [-w file] [start-time [end-time]] file...

OPTIONS
       -d     Dumps the start and end times specified by the given range and
              exits.  This option is useful for checking that the given range
              actually specifies the times you think it does.  If the -R, -r,
              or -t option has been specified, the times are dumped in the
              corresponding format; otherwise, raw format (-R) is used.

       -R     Dumps the timestamps of the first and last packets in each input
              file as raw timestamps in the form sssssssss.uuuuuu.  This
              option cannot be specified in conjunction with the -r or -t
              option.

       -r     Same as the -R option except the timestamps are dumped in
              human-readable format, similar to that used by the date(1)
              command.  This option cannot be specified in conjunction with
              the -R or -t options.

       -t     Same as the -R option except the timestamps are dumped in
              tcpslice format, in the ymdhmsu format.  See the DESCRIPTION
              section.  This option cannot be specified in conjunction with
              the -R or -r option.

       -w file
              Directs the output to file rather than stdout.

DESCRIPTION
       The tcpslice program extracts portions of packet-trace files  generated
       using  the  tcpdump  -w	command.   It  can also be used to concatenate
       files.

       The tcpslice command copies  to	stdout	all  packets  from  its	 input
       file(s)	whose  timestamps fall within a given range.  The starting and
       ending times of the range may be specified on the  command  line.   All
       ranges  are  inclusive.	The  starting time defaults to the time of the
       first packet in the first input file; this is called  the  first	 time.
       The  ending  time  defaults to ten years after the starting time. Thus,
       the command tcpslice trace-file copies trace-file to  stdout  (assuming
       the file does not include more than ten years' worth of data).

       There  are  a number of ways to specify times.  The first is using UNIX
       timestamps of the form sssssssss.uuuuuu (the format  specified  by  the
       tcpdump	-tt command). For example, 654321098.7654 specifies 38 seconds
       and 765,400 microseconds after 8:51 PM PDT, Sept. 25, 1990.

       The examples in this reference page use Pacific	Daylight  Time	(PDT);
       however,	 when displaying times and interpreting times symbolically (as
       shown in this reference page),  tcpslice	 uses  the  local  time	 zone,
       regardless  of  the  time zone in which the tcpdump file was generated.
       The daylight saving setting used is that which is appropriate  for  the
       local time zone at the date in question.	 For example, times associated
       with summer months will usually include daylight	 saving	 effects,  and
       those with winter months will not.

       Times  may  also	 be  specified relative to either the first time (when
       specifying a starting time) or the starting time	 (when	specifying  an
       ending  time)  by preceding a numeric value in seconds with a plus sign
       (+). For example, a starting time of +200 indicates 200 seconds after
       the first time, and the two arguments +200 +300 indicate from 200
       seconds after the first time through 500 seconds after the first time.

       Times may also be specified in terms of years  (y),  months  (m),  days
       (d),  hours  (h),  minutes  (m), seconds (s), and microseconds (u).  For
       example, the UNIX timestamp 654321098.7654 discussed earlier could also
       be expressed as follows:

       1990y9m25d20h51m38s765400u

       When specifying times using this style, fields that are omitted default
       as follows: If the omitted field is a unit greater  than	 that  of  the
       first  specified	 field,	 its value defaults to the corresponding value
       taken from either first time (if the starting time is being  specified)
       or  the	starting time (if the ending time is being specified).	If the
       omitted field is a unit less than that of the  first  specified	field,
       then it defaults to zero.

       For example, suppose the input file has a first time of the UNIX
       timestamp mentioned previously (38 seconds and 765,400 microseconds
       after 8:51 PM PDT, September 25, 1990).  The following example
       specifies 9:36 PM PDT on the same date:

       21h36m

       The following example specifies a range from 9:36 PM PDT	 through  1:54
       AM PDT the next day:

       21h36m 26d1h54m

       Relative times can also be specified when using the ymdhmsu format.
       Omitted fields then default to zero (0) if the unit of the field is
       greater than that of the first specified field, and to the
       corresponding value taken from either the first time or the starting
       time if the omitted field's unit is less than that of the first
       specified field.  Using the first time of the UNIX timestamp mentioned
       previously, the following example specifies a range from 10:00 PM PDT
       on that date through 11:10 PM PDT:

       22h +1h10m

       The following example specifies a range from 38.7654 seconds after 9:51
       PM PDT through 38.7654 seconds after 11:01 PM PDT:

       +1h +1h10m

       The first hour of the file could be extracted using the following
       specification:

       +0 +1h

       Note that with the ymdhmsu format there is an ambiguity between using m
       for month or for minute.	 The ambiguity is resolved as follows: if an m
       field is followed by a d field, it specifies months; otherwise it
       specifies minutes.
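
       The defaulting rules and the m ambiguity described above can be
       modelled in a few lines. This is an added example, not code from
       tcpslice or from this reference page; the function names are
       hypothetical, times are naive local wall-clock values, relative years
       and months are not handled, and treating a "zero" month or day as 1 is
       an assumption of the example.

```python
import re
from datetime import datetime, timedelta

ORDER = ["year", "month", "day", "hour", "minute", "second", "microsecond"]
NAMES = {"y": "year", "d": "day", "h": "hour", "s": "second", "u": "microsecond"}

def fields(spec):
    """Split e.g. '26d1h54m' into {'day': 26, 'hour': 1, 'minute': 54}."""
    toks = re.findall(r"(\d+)([ymdhsu])", spec)
    if not toks or "".join(n + u for n, u in toks) != spec:
        raise ValueError(f"bad time spec: {spec!r}")
    out = {}
    for i, (num, unit) in enumerate(toks):
        if unit == "m":
            # 'm' means month only when the next field is a day field.
            follows_d = i + 1 < len(toks) and toks[i + 1][1] == "d"
            name = "month" if follows_d else "minute"
        else:
            name = NAMES[unit]
        out[name] = int(num)
    return out

def resolve(spec, base):
    """Resolve spec against base: the first time for a start, the start for an end."""
    if spec.startswith("+"):
        body = spec[1:]
        if re.fullmatch(r"\d+(\.\d+)?", body):      # plain '+200' is seconds
            return base + timedelta(seconds=float(body))
        f = fields(body)
        if "year" in f or "month" in f:
            raise ValueError("relative years/months are outside this example")
        return base + timedelta(days=f.get("day", 0), hours=f.get("hour", 0),
                                minutes=f.get("minute", 0), seconds=f.get("second", 0),
                                microseconds=f.get("microsecond", 0))
    f = fields(spec)
    first = min(ORDER.index(name) for name in f)
    values = {}
    for i, name in enumerate(ORDER):
        if name in f:
            values[name] = f[name]
        elif i < first:
            values[name] = getattr(base, name)      # larger unit: inherit from base
        else:
            # Smaller unit: "zero"; month/day are 1-based here (assumption).
            values[name] = 1 if name in ("month", "day") else 0
    return datetime(**values)

FIRST = datetime(1990, 9, 25, 20, 51, 38, 765400)   # the page's example first time
```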

       If more than one input file is specified, tcpslice first copies packets
       lying in the given range from the first file.  It  then	increases  the
       starting time of the range to lie just beyond the timestamp of the last
       packet in the first file, repeats the process with the second file, and
       so  on.	In this manner, files with interleaved packets are not merged.
       For a given file, only packets that are newer than any in the preceding
       files  will  be considered.  This mechanism avoids any possibility of a
       packet occurring more than once in the output.
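
       When captures from overlapping time spans are concatenated, the rule
       above means in-range packets from later files are left out of the
       output. The following added example (a model of the described
       behaviour, not tcpslice's own code; the function name and the sample
       timestamps are constructed) reports which packets are kept and which
       are dropped for being no newer than the preceding files.

```python
def slice_files(files, start, end):
    """files: list of (name, sorted packet timestamps). Returns (kept, dropped)."""
    kept, dropped = [], []
    floor = None                      # last timestamp seen in preceding files
    for name, stamps in files:
        for ts in stamps:
            if not (start <= ts <= end):      # ranges are inclusive
                continue
            if floor is not None and ts <= floor:
                dropped.append((name, ts))    # in range, but not newer
            else:
                kept.append((name, ts))
        if stamps:
            floor = stamps[-1] if floor is None else max(floor, stamps[-1])
    return kept, dropped

# Constructed sample: two captures whose time spans overlap.
SENSOR_A = ("a.trace", [100, 110, 120])
SENSOR_B = ("b.trace", [115, 120, 125, 130])
```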

RESTRICTIONS
       An input filename that begins with a digit or a plus sign (+) can be
       confused with a start and end time.  Such filenames can be specified
       with a leading period and slash (./); for example, specify the file
       04Jul76.trace as ./04Jul76.trace.

       The  tcpslice  program  cannot read its input from stdin, since it uses
       random-access to read through its input files.

       The tcpslice program does not write its output to a terminal (as
       indicated  by isatty(3)).  This prevents binary data from displaying on
       a user's terminal. You must either redirect stdout or specify an output
       file using the -w option.

       The tcpslice program does not work properly on tcpdump files spanning
       more than one year, with files containing portions of packets whose
       original length was more than 65,535 bytes, or with files containing
       fewer than three packets. If you use these files, the following error
       message is displayed:

       couldn't find final packet in file

       These  problems are due to the interpolation scheme used by tcpslice to
       significantly increase its processing speed  when  dealing  with	 large
       trace  files.  The tcpslice program can efficiently extract slices from
       the middle of trace files of any size, and can also work with truncated
       trace  files  (that  is, the final packet in the file is only partially
       present, typically caused by tcpdump being killed).

SEE ALSO
       Commands: pfstat(1), pfconfig(8), tcpdump(8)

       Files: bpf(7), packetfilter(7)

								   tcpslice(8)