NAME

addrtype - SiLK Plug-In to label IPs as internal or external

SYNOPSIS

  rwfilter [--stype=ID] [--dtype=ID] ...

  rwcut --fields=stype,dtype ...

  rwsort --fields=stype,dtype ...

  rwuniq --fields=stype,dtype ...

DESCRIPTION

The Address Type plug-in provides a way to map an IP address to an integer denoting the IP as internal, external, or non-routable. With this plug-in SiLK flow records can be partitioned (rwfilter(1)), displayed (rwcut(1)), sorted (rwsort(1)), and counted (rwuniq(1)) by the type of address.

The Address Type is a specialized form of the Prefix Map, pmapfilter(3), where the following labels are assumed to exist and to have the indicated values:

0: denotes a (non-routable) IP addresss
1: denotes an IP address internal to the monitored network
2: denotes an IP address external to the monitored network

Creating the pmap file that maps IPs to one of these labels is described in the MAPPING FILE section below.

OPTIONS

The Address Type plug-in provides the following options to the indicated applications.

rwfilter Switches

--stype=ID: When ID is 0, pass the record if its source address is non-routable. When ID is 1, pass the record if its source address is internal. When ID is 2, pass the record if its source address is external (i.e., routable and not internal). When ID is 3, pass the record if its source address is not internal (non-routable or external).
--dtype=ID: As --stype for the destination IP address.

rwcut, rwsort, and, rwuniq Switches

--fields=FIELDS: FIELDS refers to a list of fields to use for the operation. The Address Type plug-in makes two additional fields, stype (alias 16) and dtype (17) available for display, sorting, and counting using the rwcut(1), rwsort(1), and rwuniq(1) tools:

MAPPING FILE

To denote an address as non-routable, internal, or external at your site, you will need to create the address_types.pmap file and install it in the appropriate location (see the FILES section below).

The rwpmapbuild(1) tool creates a pmap file from a text file. A template for the text file is available in $SILK_PATH/share/silk/addrtype-templ.txt. The text file used to create address_types.pmap must include the following section to ensure that IPs are mapped to the integer values that the addrtype.so expects:

  #    Numerical mappings of labels

  label 0             non-routable
  label 1             internal
  label 2             external

  #    Default to "external" for all un-defined ranges.

  default             external

The remainder of the file can list CIDR blocks and a label for each block:

  # RFC1918 space
  10.0.0.0/8          non-routable
  172.16.0.0/12       non-routable
  192.168.0.0/16      non-routable

  # My IP space (CMU)
  128.2.0.0/16        internal

Once the text file is saved to disk, use rwpmapbuild to create address_types.pmap:

  rwpmapbuild --input addresses.txt --output address_types.pmap

FILES

SiLK applications look for the Address Type plug-in the the following locations. ($SILK_PATH is value of the SILK_PATH environment variable, if it is set; the use of /usr/local/ assumes the tool exists in the /usr/local/bin/ directory.)

  $SILK_PATH/share/lib/silk/addrtype.so
  $SILK_PATH/share/lib/addrtype.so
  $SILK_PATH/lib/addrtype.so
  /usr/local/share/lib/silk/addrtype.so
  /usr/local/share/lib/addrtype.so
  /usr/local/lib/addrtype.so

If the fields and/or switches are not available in an application, verify that addrtype.so is installed in the correct location. To aid in debugging, one may invoke:

  env SILK_DYNLIB_DEBUG=1 rwcut

to print the directory paths where rwcut is looking for addrtype.so.

The tools will look for the data file that maps IPs to labels in the following locations:

  $SILK_PATH/share/silk/address_types.pmap
  $SILK_PATH/share/address_types.pmap
  /usr/local/share/silk/address_types.pmap
  /usr/local/share/address_types.pmap

BUGS

Prefix map files do not support IPv6 addresses.