|-D||Do not discard duplicate packets seen when merging multiple trace files.|
|-d||Dump the start and end times specified by the given range and exit. This option is useful for checking that the given range actually specifies the times you think it does. If one of -R, -r or -t has been specified then the times are dumped in the corresponding format; otherwise, raw format (-R) is used.|
|-e||Specify a number of seconds to wait after the last packet was seen before considering a session to be expired (default: 0 = do not expire inactive sessions). This is only effective when the -s option is used to track sessions.|
Specify the name format of PCAP files to which each session will be extracted (default: NULL = do not extract sessions to separate files). This is only effective when the -s option is used to track sessions.
|-l||When merging more than one file, merge on the basis of relative time, rather than absolute time. Normally, when merging files is done, packets are merged based on absolute time stamps. With -l packets are merged based on the relative time between the start of the file in which the packet is found and the time stamp of the packet itself. The time stamp of packets in the output file is calculated as the relative time for the packet within its file plus first time.|
|-R||Dump the timestamps of the first and last packets in each input file as raw timestamps (i.e., in the form sssssssss.uuuuuu).|
|-r||Same as -R except the timestamps are dumped in human-readable format, similar to that used by date(1).|
|-s||Enable session tracking for the specified types, which is a comma-separated list of the following:|
|-t||Same as -R except the timestamps are dumped in tcpslice format, i.e., in the ymdhmsu format discussed above.|
|-v||Turn on verbose mode. Currently this only affects session tracking (-s) messages: if specified at least once, session openings and closings are displayed regardless of the time (by default the closings are only displayed past end-time); if specified at least twice, openings and closings of subsessions (sessions initiated by other sessions) are also displayed.|
|-w||Direct the output to file rather than stdout.|
The original author was:
Vern Paxson, of Lawrence Berkeley Laboratory, University of California, Berkeley, CA.
It is currently being maintained by tcpdump.org.
The current version is available at:
The original distribution is available via anonymous ftp:
Please send problems, bugs, questions, desirable enhancements, etc. to:
Please send source code contributions as git pull requests through the project page above.
An input filename that begins with a digit or a + can be confused with a start/end time. Such filenames can be specified with a leading ./; for example, specify the file 04Jul76.trace as ./04Jul76.trace.
tcpslice cannot read its input from stdin, since it uses random-access to rummage through its input files.
tcpslice refuses to write to its output if it is a terminal (as indicated by isatty(3)). This is not a bug but a feature, to prevent it from spraying binary data to the user's terminal. Note that this means you must either redirect stdout or specify an output file via -w.
tcpslice will not work properly on tcpdump files spanning more than one year; with files containing portions of packets whose original length was more than 65,535 bytes; nor with files containing fewer than two packets. Such files result in the error message: couldn't find final packet in file. These problems are due to the interpolation scheme used by tcpslice to greatly speed up its processing when dealing with large trace files. Note that tcpslice can efficiently extract slices from the middle of trace files of any size, and can also work with truncated trace files (i.e., the final packet in the file is only partially present, typically due to tcpdump being ungracefully killed).
Adding -l has broken some compatibility with older versions, since tcpslice now merges its input files, rather than (approximately) concatenating them together as it did previously.
It would sometimes be convenient if you could specify a clock offset to use with the -l option.
It would be nice if tcpslice supported more general editing of trace files.
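The following added example (not part of tcpslice or of the original manual page) shows what the raw first/last timestamps reported by -R correspond to in a classic pcap file, and how a partially written final packet can be skipped. It uses a plain linear scan rather than tcpslice's interpolation scheme; the function names and the sample trace are constructed for illustration.

```python
import struct

PCAP_HEADER_LEN = 24  # classic libpcap global header


def first_last_timestamps(data: bytes):
    """Return (first, last) packet timestamps as raw 'seconds.microseconds'
    strings, or None if the trace holds no complete packet.

    Plain linear scan, not tcpslice's interpolation scheme. A final record
    that is only partially present is skipped rather than treated as fatal.
    """
    if len(data) < PCAP_HEADER_LEN:
        raise ValueError("too short for a pcap file header")
    magic = struct.unpack_from("<I", data)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic microsecond-resolution pcap file")
    record = struct.Struct(endian + "IIII")  # ts_sec, ts_usec, caplen, origlen
    offset, stamps = PCAP_HEADER_LEN, []
    while offset + record.size <= len(data):
        sec, usec, caplen, _origlen = record.unpack_from(data, offset)
        end = offset + record.size + caplen
        if end > len(data):   # truncated final packet: stop before it
            break
        stamps.append(f"{sec}.{usec:06d}")
        offset = end
    return (stamps[0], stamps[-1]) if stamps else None


def sample_trace() -> bytes:
    """Constructed three-packet little-endian trace (dummy 14-byte payloads)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in [(1388620800, 1), (1388620801, 500000), (1388620803, 250000)]:
        out += struct.pack("<IIII", sec, usec, 14, 14) + bytes(14)
    return out


if __name__ == "__main__":
    trace = sample_trace()
    print(first_last_timestamps(trace))        # complete file
    print(first_last_timestamps(trace[:-5]))   # last packet cut short
```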
TCPSLICE (1) 2 January 2014