Manual: (OSF1-V5.1-alpha)
tcpslice(8)                                                         tcpslice(8)



NAME

  tcpslice - Extracts sections of, or concatenates, tcpdump files

SYNOPSIS

  /usr/sbin/tcpslice [-dRrt] [-w file] [start-time [end-time]] file...

OPTIONS

  -d  Dumps the start and end times specified by the given range and exits.
      This option is useful for checking that the given range actually
      specifies the times you think it does.  If the -R, -r, or -t option has
      been specified, the times are dumped in the corresponding format;
      otherwise, raw format (-R) is used.

  -R  Dumps the timestamps of the first and last packets in each input file
      as raw timestamps in the form sssssssss.uuuuuu.  This option cannot be
      specified in conjunction with the -r or -t option.

  -r  Same as the -R option except the timestamps are dumped in human-
      readable format, similar to that used by the date(1) command.  This
      option cannot be specified in conjunction with the -R or -t option.

  -t  Same as the -R option except the timestamps are dumped in tcpslice
      format, that is, the ymdhmsu format.  See the DESCRIPTION section.
      This option cannot be specified in conjunction with the -R or -r
      option.

  -w  Directs the output to file rather than stdout.

DESCRIPTION

  The tcpslice program extracts portions of packet-trace files generated
  using the tcpdump -w command.  It can also be used to concatenate files.

  The tcpslice command copies to stdout all packets from its input file(s)
  whose timestamps fall within a given range.  The starting and ending times
  of the range may be specified on the command line.  All ranges are
  inclusive.  The starting time defaults to the time of the first packet in
  the first input file; this is called the first time.  The ending time
  defaults to ten years after the starting time.  Thus, the command tcpslice
  trace-file copies trace-file to stdout (assuming the file does not include
  more than ten years' worth of data).

  There are a number of ways to specify times.  The first is using UNIX
  timestamps of the form sssssssss.uuuuuu (the format printed by the
  tcpdump -tt command).  For example, 654321098.7654 specifies 38 seconds and
  765,400 microseconds after 8:51 PM PDT, Sept. 25, 1990.

  The examples in this reference page use Pacific Daylight Time (PDT);
  however, when displaying times and interpreting times symbolically (as
  shown in this reference page), tcpslice uses the local time zone,
  regardless of the time zone in which the tcpdump file was generated.  The
  daylight saving setting used is that which is appropriate for the local
  time zone at the date in question.  For example, times associated with
  summer months will usually include daylight saving effects, and those with
  winter months will not.  Because raw sssssssss.uuuuuu timestamps count
  seconds since the UNIX epoch, they select the same packets whatever zone
  tcpslice runs in; a symbolic range copied from a capture host in another
  zone does not.


  Times may also be specified relative to either the first time (when
  specifying a starting time) or the starting time (when specifying an ending
  time) by preceding a numeric value in seconds with a plus sign (+).  For
  example, a starting time of +200 indicates 200 seconds after the first
  time, and the two arguments +200 +300 indicate from 200 seconds after the
  first time through 500 seconds after the first time.

  Times may also be specified in terms of years (y), months (m), days (d),
  hours (h), minutes (m), seconds (s), and microseconds (u).  For example,
  the UNIX timestamp 654321098.7654 discussed earlier could also be expressed
  as follows:

       1990y9m25d20h51m38s765400u

  When specifying times using this style, fields that are omitted default as
  follows:

    +  If the omitted field is a unit greater than that of the first
       specified field, its value defaults to the corresponding value taken
       from either the first time (if the starting time is being specified)
       or the starting time (if the ending time is being specified).

    +  If the omitted field is a unit less than that of the first specified
       field, then it defaults to zero.

  For example, suppose the input file has a first time of the UNIX timestamp
  mentioned previously (38 seconds and 765,400 microseconds after 8:51 PM
  PDT, September 25, 1990).  The following example specifies 9:36 PM PDT on
  the same date:

       21h36m

  The following example specifies a range from 9:36 PM PDT through 1:54 AM
  PDT the next day:

       21h36m 26d1h54m

  Relative times can also be specified when using the ymdhmsu format.
  Omitted fields then default to zero (0) if the unit of the field is greater
  than that of the first specified field, and to the corresponding value
  taken from either the first time or the starting time if the omitted
  field's unit is less than that of the first specified field.  Using the
  first time of the UNIX timestamp mentioned previously, the following
  example specifies a range from 10:00 PM PDT on that date through 11:10 PM
  PDT:

       22h +1h10m

  The following example specifies a range from 38.7654 seconds after 9:51 PM
  PDT through 38.7654 seconds after 11:01 PM PDT:

       +1h +1h10m

  The first hour of the file could be extracted using the following
  specification:

       +0 +1h

  Note that with the ymdhmsu format there is an ambiguity between using m for
  month or for minute.  The ambiguity is resolved as follows: if an m field
  is followed by a d field, it specifies months; otherwise it specifies
  minutes.
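  The defaulting rules above are easier to trust once they can be executed.
  The following Python is an added example written for this page, not
  tcpslice's own parser: it resolves the three argument forms (raw
  sssssssss.uuuuuu, +seconds, and absolute or relative ymdhmsu) against a base
  time exactly as the rules above describe, and reproduces the page's sample
  values.  Its assumptions are labelled in the code: a fixed UTC-7 offset
  stands in for PDT (the real tool uses the local zone and its daylight saving
  rules), "ten years" is taken as 3650 days, an omitted month or day below the
  first given field becomes 1 (they have no zero), and fields are required to
  appear from largest to smallest unit, which the page does not state.

```python
"""Added example, not tcpslice's code: resolve tcpslice time arguments.
Times are integer microseconds since the UNIX epoch throughout."""
import re
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7), "PDT")       # assumption: fixed offset, no DST rule
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TEN_YEARS_US = 3650 * 86400 * 1_000_000          # assumption: "ten years" = 3650 days
UNITS = ["y", "mo", "d", "h", "mi", "s", "u"]     # largest unit first
RAW_RE = re.compile(r"\d+(?:\.\d*)?")            # sssssssss.uuuuuu or plain seconds
FIELD_RE = re.compile(r"(\d+)([ymdhsu])")


def tokenize(spec):
    """Split a ymdhmsu string into (unit, value) pairs.  The m ambiguity is
    resolved as the page states: an m followed by a d field means months."""
    fields, pos, last = [], 0, -1
    while pos < len(spec):
        m = FIELD_RE.match(spec, pos)
        if not m:
            raise ValueError(f"bad time field near {spec[pos:]!r}")
        value, unit, pos = int(m.group(1)), m.group(2), m.end()
        if unit == "m":
            nxt = FIELD_RE.match(spec, pos)
            unit = "mo" if nxt and nxt.group(2) == "d" else "mi"
        idx = UNITS.index(unit)
        if idx <= last:                           # assumption: descending unit order
            raise ValueError(f"field {unit!r} out of order in {spec!r}")
        fields.append((unit, value))
        last = idx
    if not fields:
        raise ValueError("empty time specification")
    return fields


def _absolute(fields, base):
    """Omitted fields above the first given one come from base; below it they
    are zero (taken here as 1 for month and day, which have no zero)."""
    given = dict(fields)
    first = UNITS.index(fields[0][0])
    from_base = {"y": base.year, "mo": base.month, "d": base.day, "h": base.hour,
                 "mi": base.minute, "s": base.second, "u": base.microsecond}
    out = {}
    for i, u in enumerate(UNITS):
        if u in given:
            out[u] = given[u]
        elif i < first:
            out[u] = from_base[u]
        else:
            out[u] = 1 if u in ("mo", "d") else 0
    return base.replace(year=out["y"], month=out["mo"], day=out["d"], hour=out["h"],
                        minute=out["mi"], second=out["s"], microsecond=out["u"])


def _relative(fields, base):
    """Add each given field to base.  Omitted fields add nothing, so the base's
    smaller units (for example the .7654 seconds) are carried through."""
    given = dict(fields)
    months = base.year * 12 + base.month - 1 + 12 * given.get("y", 0) + given.get("mo", 0)
    shifted = base.replace(year=months // 12, month=months % 12 + 1)  # ValueError if the day overflows
    return shifted + timedelta(days=given.get("d", 0), hours=given.get("h", 0),
                               minutes=given.get("mi", 0), seconds=given.get("s", 0),
                               microseconds=given.get("u", 0))


def parse_time(spec, base_us, tz=PDT):
    """Resolve one time argument against base_us: the first time for a start
    time, the starting time for an end time.  Returns microseconds since epoch."""
    is_delta = spec.startswith("+")
    body = spec[1:] if is_delta else spec
    if RAW_RE.fullmatch(body):                    # raw timestamp, or +seconds
        secs, _, frac = body.partition(".")
        us = int(secs) * 1_000_000 + int((frac + "000000")[:6])
        return base_us + us if is_delta else us
    base = (EPOCH + timedelta(microseconds=base_us)).astimezone(tz)
    dt = _relative(tokenize(body), base) if is_delta else _absolute(tokenize(body), base)
    return (dt - EPOCH) // timedelta(microseconds=1)


def parse_range(first_us, start_spec=None, end_spec=None, tz=PDT):
    """Apply the defaults: start is the first time, end is ten years after start."""
    start = parse_time(start_spec, first_us, tz) if start_spec else first_us
    end = parse_time(end_spec, start, tz) if end_spec else start + TEN_YEARS_US
    return start, end


def fmt_ymdhmsu(us, tz=PDT):
    """Render a time the way the -t option does."""
    d = (EPOCH + timedelta(microseconds=us)).astimezone(tz)
    return f"{d.year}y{d.month}m{d.day}d{d.hour}h{d.minute}m{d.second}s{d.microsecond}u"


if __name__ == "__main__":
    FIRST = 654321098_765400                      # the page's sample first time
    for args in (["21h36m", "26d1h54m"], ["22h", "+1h10m"], ["+1h", "+1h10m"], ["+0", "+1h"]):
        s, e = parse_range(FIRST, *args)
        print(" ".join(args), "->", fmt_ymdhmsu(s), fmt_ymdhmsu(e))
```

  Run with no arguments it prints each of the page's sample ranges in -t
  format; parse_range is the piece to reuse when checking a range before
  handing it to tcpslice, much as -d does.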

  If more than one input file is specified, tcpslice first copies packets
  lying in the given range from the first file.  It then increases the
  starting time of the range to lie just beyond the timestamp of the last
  packet in the first file, repeats the process with the second file, and so
  on.  In this manner, files with interleaved packets are not merged.  For a
  given file, only packets that are newer than any in the preceding files
  will be considered.  This mechanism avoids any possibility of a packet
  occurring more than once in the output.  It also means that input files
  should be listed in chronological order: a file whose packets are all older
  than the last packet of a preceding file contributes nothing.

RESTRICTIONS

  An input filename that begins with a digit or a plus sign (+) can be
  confused with a start or end time.  Such filenames can be specified with a
  leading period and slash (./); for example, specify the file 04Jul76.trace
  as ./04Jul76.trace.

  The tcpslice program cannot read its input from stdin, since it uses
  random access to read through its input files.

  The tcpslice program does not write its output to a terminal (as indicated
  by isatty(3)).  This prevents binary data from displaying on a user's
  terminal.  You must either redirect stdout or specify an output file using
  the -w option.

  The tcpslice program does not work properly on tcpdump files spanning more
  than one year, on files containing portions of packets whose original
  length was more than 65,535 bytes, or on files containing fewer than three
  packets.  If you use such files, the following error message is displayed:

       couldn't find final packet in file

  These problems are due to the interpolation scheme used by tcpslice to
  significantly increase its processing speed when dealing with large trace
  files.  The tcpslice program can efficiently extract slices from the middle
  of trace files of any size, and can also work with truncated trace files
  (that is, the final packet in the file is only partially present, typically
  caused by tcpdump being killed).

SEE ALSO

  Commands: pfstat(1), pfconfig(8), tcpdump(8)

  Files: bpf(7), packetfilter(7)