The sort command rearranges events so they are grouped by tracking ID, allowing you to follow individual packets through the networking stack.

Usage

retis sort [INPUT] [OPTIONS]

Overview

Retis can track packets across the networking stack, generating multiple events for the same packet (e.g., in the IP stack, the TCP stack, OVS, netfilter). The sort command uses tracking information to identify unique packets and group related events together. An “event series” is a collection of events that share the same tracking ID, meaning they belong to the same packet.

Arguments

INPUT
path
default:"retis.data"
Input file containing events to sort. Can be:
  • A single file path
  • A range of rotated files (e.g., events.data[0-5])
retis sort events.data
retis sort  # Uses retis.data

Options

--max-buffer
integer
default:"1000"
Maximum number of events to buffer while sorting. Sorting requires buffering events while waiting for other events from the same series. If many events are interleaved, you may need to increase the buffer size. A value of zero means the buffer can grow endlessly.
retis sort --max-buffer 5000
retis sort --max-buffer 0  # Unlimited
--out
path
Write sorted event series to a file. The output file will contain series in JSON format and cannot be the same as the input file.
retis sort --out sorted.data
retis sort -o sorted.data
--print
boolean
Write events to stdout even if --out is used.
retis sort --out sorted.data --print
--format
enum
default:"multi-line"
Format used when printing events. Options:
  • multi-line - Detailed output (default)
  • single-line - Compact output
retis sort --format single-line
--utc
boolean
Print timestamps as UTC instead of monotonic timestamps.
retis sort --utc
-e
boolean
Print link-layer information from packets.
retis sort -e

Examples

# Sort and display to stdout
retis sort

Output Example

Sorted output shows event series with indentation indicating related events:
136852156905 (3) [swapper/3] 0 [k] ip_local_deliver #1fdd03636dffff889641716940 (skb ffff889642506300)
  172.16.42.1.39677 > 172.16.42.2.8080 tos 0x0 ttl 64 id 17803 off 0 [DF] len 31 proto UDP (17)
  ns 0x1/4026531833 if 2 (eth0) rxif 2
  ct_state NEW status 0x100 udp orig [172.16.42.1.39677 > 172.16.42.2.8080]
  ↳ 136852318052 (3) [swapper/3] 0 [k] __nft_trace_packet #1fdd03636dffff889641716940 (skb ffff889642506300)
      172.16.42.1.39677 > 172.16.42.2.8080 tos 0x0 ttl 64 id 17803 off 0 [DF] len 31 proto UDP (17)
      ns 0x1/4026531833 if 2 (eth0) rxif 2
      table firewalld (4) chain filter_INPUT_POLICIES (124) handle 284 drop
      ct_state NEW status 0x100 udp orig [172.16.42.1.39677 > 172.16.42.2.8080]
  ↳ 136852333279 (3) [swapper/3] 0 [tp] skb:kfree_skb #1fdd03636dffff889641716940 (skb ffff889642506300) drop (NETFILTER_DROP)
      172.16.42.1.39677 > 172.16.42.2.8080 tos 0x0 ttl 64 id 17803 off 0 [DF] len 31 proto UDP (17)
      ns 0x1/4026531833 if 2 (eth0) rxif 2
The ↳ symbol indicates events that belong to the same packet series.
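
When triaging firewall drops, the useful facts in a series like the one above are the flow, the probes it crossed, the drop reason and the nftables rule that produced the verdict. The following is an added example, not part of Retis or its documentation: a small Python parser for the multi-line text layout shown in the Output Example. The function names parse_series and dropped are hypothetical, and the regular expressions assume the printed layout stays exactly as shown on this page.

```python
import re

# Taken from the Output Example on this page, with some detail lines trimmed.
SAMPLE = """\
136852156905 (3) [swapper/3] 0 [k] ip_local_deliver #1fdd03636dffff889641716940 (skb ffff889642506300)
  172.16.42.1.39677 > 172.16.42.2.8080 tos 0x0 ttl 64 id 17803 off 0 [DF] len 31 proto UDP (17)
  ↳ 136852318052 (3) [swapper/3] 0 [k] __nft_trace_packet #1fdd03636dffff889641716940 (skb ffff889642506300)
      table firewalld (4) chain filter_INPUT_POLICIES (124) handle 284 drop
  ↳ 136852333279 (3) [swapper/3] 0 [tp] skb:kfree_skb #1fdd03636dffff889641716940 (skb ffff889642506300) drop (NETFILTER_DROP)
"""

# Event header: timestamp (cpu) [comm] pid [probe type] probe #tracking-id rest
HEADER = re.compile(r"^(\s*↳\s*)?(\d+) \(\d+\) \[[^\]]*\] \d+ \[(\w+)\] (\S+) #(\w+)(.*)$")
REASON = re.compile(r"\bdrop \((\w+)\)")
NFT = re.compile(r"table (\S+) \(\d+\) chain (\S+) \(\d+\) handle (\d+) (\w+)")
FLOW = re.compile(r"^\s*(\S+ > \S+) tos ")

def parse_series(text):
    """Group printed events into series; a header without the arrow starts a new one."""
    series = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if not m.group(1):
                series.append({"id": m.group(5), "flow": None, "path": [],
                               "drop_reason": None, "nft": None})
            if not series:
                continue  # continuation event seen before any series head
            cur = series[-1]
            cur["path"].append(m.group(4))
            r = REASON.search(m.group(6))
            if r:
                cur["drop_reason"] = r.group(1)
        elif series:
            cur = series[-1]
            n, f = NFT.search(line), FLOW.match(line)
            if n:
                cur["nft"] = dict(zip(("table", "chain", "handle", "verdict"), n.groups()))
            elif f and cur["flow"] is None:
                cur["flow"] = f.group(1)
    return series

def dropped(text):
    """Series that ended in a drop, with the nft rule that matched if it was traced."""
    return [s for s in parse_series(text) if s["drop_reason"]]

if __name__ == "__main__":
    for s in dropped(SAMPLE):
        print(s["id"], s["flow"], " -> ".join(s["path"]), s["drop_reason"], s["nft"])
```

To run it over a real capture, pass in the text printed by NOPAGER=1 retis sort instead of SAMPLE.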

How Tracking Works

Retis tracks packets using multiple methods:
  1. Core tracking - Generates unique identifiers by tracking socket buffer data
  2. skb-tracking collector - Reports tracking information in events (must be enabled during collection)
  3. OVS collector - Tracks packets through Open vSwitch upcalls
The skb-tracking collector must be enabled during collection for sort to work properly.

Buffer Size Considerations

The --max-buffer option controls how many events are held in memory:
  • Too small: Events from the same packet may be split across multiple series
  • Too large: Higher memory usage
  • Zero: Unlimited buffer, highest accuracy but unbounded memory
For heavily interleaved traffic (many concurrent flows), increase the buffer size.

Paging

Output is automatically piped through a pager when longer than the terminal:
# Use a specific pager
PAGER=more retis sort

# Disable paging
NOPAGER=1 retis sort

Common Use Cases

Track packet through stack

# Collect with tracking, then sort
retis collect -c skb-tracking,skb -f "tcp port 443" -o
retis sort

Analyze packet drops

# Follow dropped packets through the stack
retis collect -c skb-tracking,skb-drop --probe tp:skb:kfree_skb -o
retis sort --format multi-line

Export sorted series

# Save sorted output for later analysis
retis sort --out sorted.data
retis print sorted.data

Limitations

  • Input file must contain unsorted events (not already sorted)
  • Cannot sort in-place (output file must differ from input)
  • Requires skb-tracking collector to be enabled during collection
  • Old event format files cannot be saved with --out

See Also

  • collect - Collect events with tracking
  • print - Display events or series
  • python - Custom event analysis
