Use of the SiLK system and related source code is subject to the terms of the following licenses:
GNU Public License (GPL) Rights pursuant to Version 2, June 1991
Government Purpose License Rights (GPLR) pursuant to DFARS 252.225-7013 NO WARRANTY ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES. LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE DELIVERABLES UNDER THIS LICENSE. Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie Mellon University, its trustees, officers, employees, and agents from all claims or demands made against them (and any related losses, expenses, or attorney’s fees) arising out of, or relating to Licensee’s and/or its sub licensees’ negligent use or willful misuse of or negligent conduct or willful misconduct regarding the Software, facilities, or other rights or assistance granted by Carnegie Mellon University under this License, including, but not limited to, any claims of product liability, personal injury, death, damage to property, or violation of any laws or regulations. Carnegie Mellon University Software Engineering Institute authored documents are sponsored by the U.S. Department of Defense under Contract F19628-00-C-0003. Carnegie Mellon University retains copyrights in all material produced under this contract. The U.S. 
Government retains a non-exclusive, royalty-free license to publish or reproduce these documents, or allow others to do so, for U.S. Government purposes only pursuant to the copyright license under the contract clause at 252.227.7013.
The SiLK Reference Guide contains the manual page for each analysis tool, utility, plug-in, file format, and collection facility in the SiLK Collection and Analysis Suite.
This document is meant for reference only. The SiLK Analysis Handbook provides both a tutorial for learning about the tools and examples of how they can be used in analyzing flow data. See the SiLK Installation Handbook for instructions on installing SiLK at your site.
This reference guide is broken into sections like the traditional UNIX manual: end-user analysis tools and utilities are described in Section 1; the plug-ins that augment the behavior of some tools are presented in Section 3; Section 5 contains information about file formats; miscellaneous information is in Section 7; and commands for the installer and administrator of SiLK appear in Section 8.
This section provides the manual page for each analysis tool and utility that the users of SiLK may employ in their day-to-day work.
Map sensor name to sensor number or vice versa
mapsid [--site-config-file=FILENAME] [--print-classes]
       [{ <sensor-name> | <sensor-number> } ...]
mapsid is a utility that maps sensor names to sensor numbers or vice versa depending on the input arguments. When no arguments are given, the mapping of all sensor numbers to names is printed. When a numeric argument is given, the number to name mapping is printed for the specified argument. When a name is given, its numeric id is printed. For convenience when typing in sensor names, the case is irrelevant.
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
--print-classes
    For each sensor, print the classes for which the sensor collects data.
--site-config-file=FILENAME
    Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.
Name to number mapping:
$ mapsid beta
BETA -> 1
Number to name mapping:
$ mapsid 3
3 -> DELTA
Print all mappings:
$ mapsid
0 -> ALPHA
1 -> BETA
2 -> GAMMA
3 -> DELTA
4 -> EPSLN
5 -> ZETA
....
SILK_CONFIG_FILE
    This environment variable is used as the value for the --site-config-file when that switch is not provided.
SILK_DATA_ROOTDIR
    When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, mapsid looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.
SILK_PATH
    This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, mapsid checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.
rwfilter(1), rwcut(1)
Convert an integer IP to dotted-decimal notation
num2dot [--ip-fields=FIELDS] [--delimiter=C]
num2dot is a filter that speeds up sorting of IP numbers while still producing both a natural order (i.e., 29.23.1.1 will appear before 192.168.1.1) and readable output (i.e., dotted decimal rather than an integer representation of the IP number).
It is designed specifically to deal with the output of rwcut(1). Its job is to read stdin and convert the specified fields (default field 1), separated by a delimiter (default '|'), from an integer into a dotted-decimal IP address. Up to three IP fields can be specified via the --ip-fields=FIELDS option. The --delimiter option can be used to specify an alternate delimiter.
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
--ip-fields=FIELDS
    Column number(s) of the input that should be considered IP numbers. Column numbers start from 1. If not specified, the default is 1.
--delimiter=C
    The character that separates the columns of the input. Default is '|'.
In addition to the default fields of 1-12 produced by rwcut, you also want to prefix each row with an integer form of the destination IP and the start time to make processing by another tool (e.g., a spreadsheet) easier. However, within the default rwcut output fields of 1-12, you want to see dotted-decimal IP addresses.
rwfilter ... --pass=stdout | \
    rwcut --integer-ip --fields=2,9,1-12 --epoch-time | \
    num2dot --ip-field=3,4
The first six columns produced by rwcut will be dIP, sTime, sIP, dIP, sPort, dPort. The --integer-ip switch makes the first, third, and fourth columns be integers, but you only want the first column to be an integer representation. The pipe through num2dot will convert the third and fourth columns to dotted-decimal IP numbers.
rwcut(1)
num2dot has no support for IPv6 addresses.
Count activity by IP address
rwaddrcount {--print-recs | --print-ips | --print-stat}
        [--use-dest] [--byte-min=BYTEMIN] [--byte-max=BYTEMAX]
        [--rec-min=RECMIN] [--rec-max=RECMAX]
        [--packet-min=PACKMIN] [--packet-max=PACKMAX]
        [--set-file=PATHNAME] [--sort-ips]
        [{--integer-ips | --zero-pad-ips}]
        [--no-titles] [--no-columns] [--column-separator=CHAR]
        [--no-final-delimiter] [{--delimited | --delimited=CHAR}]
        [--print-filenames] [--copy-input=PATH] [--output-path=PATH]
        [--pager=PAGER_PROG] [--site-config-file=FILENAME]
        [{--legacy-timestamps | --legacy-timestamps=NUM}]
        [FILES...]
rwaddrcount reads SiLK Flow records from files named on the command line or from the standard input, sums the byte-, packet-, and record-counts by individual source or destination IP address and maintains the time window during which that IP address was active. At the end of the count operation, the results per IP address are displayed when the --print-recs switch is given. rwaddrcount includes facilities for displaying only those IP addresses whose byte-, packet- or flow-counts are between specified minima and maxima.
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
For the application to operate, one of the three --print options must be chosen.
--print-recs
    Print out count records: IP address, number of bytes, number of packets, number of filter records, earliest start time and latest end time.
--print-ips
    Print out IP addresses exclusively.
--print-stat
    Print the following statistics for all SiLK flows that were read and for those meeting the minima and maxima criteria: byte, packet, and flow record counts and the number of unique IP addresses.
--use-dest
    Count by destination IP address in the filter record rather than source IP.
--byte-min=BYTEMIN
    Filtering criterion; for the final output (stats or printing), only include count records where the total number of bytes exceeds BYTEMIN.
--packet-min=PACKMIN
    Filtering criterion; for the final output (stats or printing), only include count records where the total number of packets exceeds PACKMIN.
--rec-min=RECMIN
    Filtering criterion; for the final output (stats or printing), only include count records where the total number of filter records contributing to that count record exceeds RECMIN.
--byte-max=BYTEMAX
    Filtering criterion; for the final output (stats or printing), only include count records where the total number of bytes is less than BYTEMAX.
--packet-max=PACKMAX
    Filtering criterion; for the final output (stats or printing), only include count records where the total number of packets is less than PACKMAX.
--rec-max=RECMAX
    Filtering criterion; for the final output (stats or printing), only include count records to which at most RECMAX filter records contributed.
--set-file=PATHNAME
    Write the IPs into the rwset(1)-style binary IP-set file named PATHNAME. Use rwsetcat(1) to see the contents of this file.
--integer-ips
    For the --print-recs and --print-ips output formats, print the IPs as integers. By default, IP addresses are printed as dotted decimal.
--zero-pad-ips
    For the --print-recs and --print-ips output formats, print IP addresses as dotted decimal, but use three digits per octet by adding zero-padding, e.g., 000.000.000.000.
--sort-ips
    For the --print-recs and --print-ips output formats, the results are presented sorted by IP address.
--no-titles
    Turn off column titles. By default, titles are printed.
--no-columns
    Disable fixed-width columnar output.
--column-separator=CHAR
    Use specified character between columns and after the final column. When this switch is not specified, the default of '|' is used.
--no-final-delimiter
    Do not print the column separator after the final column. Normally a delimiter is printed.
--delimited[=C]
    Run as if --no-columns --no-final-delimiter --column-sep=C had been specified. That is, disable fixed-width columnar output; if character C is provided, it is used as the delimiter between columns instead of the default '|'.
--print-filenames
    Print to the standard error the names of input files as they are opened.
--copy-input=PATH
    Copy all binary input to the specified file or named pipe. PATH can be stdout to print flows to the standard output as long as the --output-path switch has been used to redirect rwaddrcount's ASCII output.
--output-path=PATH
    Determine where the output of rwaddrcount (ASCII text) is written. If this option is not given, output is written to the standard output.
--pager=PAGER_PROG
    When output is to a terminal, invoke the program PAGER_PROG to view the output one screen full at a time. This switch overrides the SILK_PAGER environment variable, which in turn overrides the PAGER variable. If the value of the pager is determined to be the empty string, no paging will be performed and all output will be printed to the terminal.
--site-config-file=FILENAME
    Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.
--legacy-timestamps[=NUM]
    Specify the format for human readable timestamps, either the default (new) style, YYYY/MM/DDThh:mm:ss, or the legacy style, MM/DD/YYYY hh:mm:ss. When this switch is not present, the timestamps will be in the default format. When this switch is present and no argument is given, timestamps are in the legacy format. When an argument is supplied, timestamps will be in the new format if the argument begins with 0, and in the old format if the argument begins with 1. Any other argument to the switch is an error.
To print out the set of IPs with exactly one TCP record during the time period, use:
rwfilter --start-date=2003/09/01:00 --end-date=2003/09/01:12 \
    --proto=6 --pass=stdout \
  | rwaddrcount --max-rec=1 --print-ips
In general, to print out record information, use rwaddrcount with --print-rec:
rwfilter --start-date=2003/01/17:00 --end-date=2003/01/17:23 \
    --proto=6 --pass=stdout \
  | rwaddrcount --print-rec | head -3
10.10.10.1| 65792| 147| 21| 2003/01/17T00:19:01| 2003/01/17T02:00:13|
10.10.10.2| 110744| 89| 7| 2003/01/17T01:21:42| 2003/01/17T01:39:21|
10.10.10.3| 864| 18| 6| 2003/01/17T00:20:33| 2003/01/17T01:25:38|
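The following is an added illustration (not SiLK code) of the per-address accumulation and the minimum/maximum selection that rwaddrcount performs, over a constructed set of flow records. The Flow and Count types, the helper names and the sample values are assumptions; the example treats the --byte-, --packet- and --rec- bounds as inclusive, which is what makes "--rec-max=1" select addresses with exactly one record.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed stand-in; not the SiLK binary format)."""
    sip: str
    dip: str
    proto: int
    bytes: int
    packets: int
    stime: int  # start time, seconds since the epoch (UTC)
    etime: int  # end time, seconds since the epoch (UTC)


@dataclass
class Count:
    """The per-address count record: volumes plus the active time window."""
    bytes: int
    packets: int
    recs: int
    stime: int
    etime: int


def addr_count(flows: Iterable[Flow], use_dest: bool = False) -> Dict[str, Count]:
    """Sum bytes, packets and records per source IP (per destination IP when
    use_dest is set, like --use-dest) and keep earliest start / latest end."""
    table: Dict[str, Count] = {}
    for f in flows:
        ip = f.dip if use_dest else f.sip
        c = table.get(ip)
        if c is None:
            table[ip] = Count(f.bytes, f.packets, 1, f.stime, f.etime)
        else:
            c.bytes += f.bytes
            c.packets += f.packets
            c.recs += 1
            c.stime = min(c.stime, f.stime)
            c.etime = max(c.etime, f.etime)
    return table


def _within(value: int, lo: Optional[int], hi: Optional[int]) -> bool:
    return (lo is None or value >= lo) and (hi is None or value <= hi)


def select(table: Dict[str, Count], byte_min=None, byte_max=None,
           packet_min=None, packet_max=None,
           rec_min=None, rec_max=None) -> Dict[str, Count]:
    """Keep only the count records inside the --byte-*, --packet-* and --rec-*
    bounds (assumption: bounds are inclusive)."""
    return {ip: c for ip, c in table.items()
            if _within(c.bytes, byte_min, byte_max)
            and _within(c.packets, packet_min, packet_max)
            and _within(c.recs, rec_min, rec_max)}


def fmt_time(t: int) -> str:
    """Default (new-style) SiLK timestamp: YYYY/MM/DDThh:mm:ss."""
    return datetime.fromtimestamp(t, timezone.utc).strftime("%Y/%m/%dT%H:%M:%S")


def print_recs(table: Dict[str, Count], sort_ips: bool = False) -> List[str]:
    """--print-recs rows in --delimited form: ip|bytes|packets|recs|stime|etime|"""
    ips = list(table)
    if sort_ips:  # --sort-ips: numeric order of the four octets
        ips.sort(key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return ["%s|%d|%d|%d|%s|%s|" % (ip, table[ip].bytes, table[ip].packets,
                                    table[ip].recs, fmt_time(table[ip].stime),
                                    fmt_time(table[ip].etime)) for ip in ips]


def print_stat(table: Dict[str, Count], kept: Dict[str, Count]) -> Dict[str, Dict[str, int]]:
    """--print-stat: byte, packet and record totals plus the unique-IP count,
    both for everything read and for the records that met the criteria."""
    def totals(t: Dict[str, Count]) -> Dict[str, int]:
        return {"bytes": sum(c.bytes for c in t.values()),
                "packets": sum(c.packets for c in t.values()),
                "recs": sum(c.recs for c in t.values()),
                "ips": len(t)}
    return {"all": totals(table), "selected": totals(kept)}


def ts(s: str) -> int:
    return int(datetime.strptime(s, "%Y/%m/%dT%H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


# Constructed sample: three TCP flows and one UDP flow on 2003/01/17.
SAMPLE = [
    Flow("10.10.10.1", "192.0.2.7", 6, 40000, 100, ts("2003/01/17T00:19:01"), ts("2003/01/17T00:20:00")),
    Flow("10.10.10.1", "192.0.2.8", 6, 25792, 47, ts("2003/01/17T01:50:00"), ts("2003/01/17T02:00:13")),
    Flow("10.10.10.2", "192.0.2.7", 6, 864, 18, ts("2003/01/17T00:20:33"), ts("2003/01/17T00:21:00")),
    Flow("10.10.10.3", "192.0.2.9", 17, 300, 2, ts("2003/01/17T00:30:00"), ts("2003/01/17T00:30:01")),
]

if __name__ == "__main__":
    counts = addr_count(f for f in SAMPLE if f.proto == 6)  # like rwfilter --proto=6
    for line in print_recs(counts, sort_ips=True):
        print(line)
    print(sorted(select(counts, rec_max=1)))  # like --rec-max=1 --print-ips
```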
SILK_PAGER
    When set to a non-empty string, rwcut automatically invokes this program to display its output a screen at a time. If set to an empty string, rwcut does not automatically page its output.
PAGER
    When set and SILK_PAGER is not set, rwcut automatically invokes this program to display its output a screen at a time.
SILK_CONFIG_FILE
    This environment variable is used as the value for the --site-config-file when that switch is not provided.
SILK_DATA_ROOTDIR
    When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwaddrcount looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.
SILK_PATH
    This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwaddrcount checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.
rwfilter(1), rwset(1), rwsetcat(1), rwstats(1), rwtotal(1), rwuniq(1)
When used in an IPv6 environment, rwaddrcount will attempt to convert any IPv6 addresses to IPv4. Records that can be converted will be processed, all other records will be silently ignored.
rwaddrcount uses a fairly large hashtable to store data, but it is likely that as the amount of data expands, the application will take more time to process data.
Similar binning of records is produced by rwstats(1), rwtotal(1), and rwuniq(1).
To generate a list of IP addresses without the volume information, use rwset(1).
Append SiLK Flow file(s) to an existing SiLK Flow file
rwappend [--create=[TEMPLATE_FILE]] [--site-config-file=FILENAME]
         [--print-statistics] TARGET_FILE SOURCE_FILE [SOURCE_FILE...]
rwappend reads SiLK Flow records from the specified SOURCE_FILEs and appends them to the TARGET_FILE. If stdin is used as the name of one of the SOURCE_FILEs, SiLK flow records will be read from the standard input.
When the TARGET_FILE does not exist and the --create switch is not provided, rwappend will exit with an error. When --create is specified and TARGET_FILE does not exist, rwappend will create the TARGET_FILE using the same format, version, and byte-order as the specified TEMPLATE_FILE. If no TEMPLATE_FILE is given, the TARGET_FILE is created in the default format and version (the same format that rwcat(1) would produce).
The TARGET_FILE must not be compressed (i.e., it may not end in the .gz extension).
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
--create[=TEMPLATE_FILE]
    Create the TARGET_FILE if it does not exist. The file will have the same format, version, and byte-order as the TEMPLATE_FILE if it is provided; otherwise the defaults are used. The TEMPLATE_FILE will NOT be appended to TARGET_FILE unless it also appears as the name of a SOURCE_FILE.
--print-statistics
    Print the number of records read from each SOURCE_FILE and the total number of records appended to the TARGET_FILE.
--site-config-file=FILENAME
    Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.
Standard usage where results.dat exists:
rwappend results.dat sample5.dat sample6.dat
To append files sample*.dat to results.dat, or to create results.dat using the same format as the first file argument (note that sample1.dat must be repeated):
rwappend results.dat --create=sample1.dat \
    sample1.dat sample2.dat
If results.dat does not exist, the following two commands are equivalent:
rwappend --create results.dat sample1.dat sample2.dat
rwcat sample1.dat sample2.dat > results.dat
SILK_CONFIG_FILE
    This environment variable is used as the value for the --site-config-file when that switch is not provided.
SILK_DATA_ROOTDIR
    When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwappend looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.
SILK_PATH
    This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwappend checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.
rwcat(1)
When used in an IPv6 environment, rwappend will convert IP addresses into the form used by the TARGET_FILE. Any records containing IP addresses that cannot be converted will be silently ignored.
rwappend makes some attempts to avoid appending a file to itself (which would eventually exhaust the disk space) by comparing the names of files it is given; it should be smarter about this.
Build a binary Bag from SiLK Flow records.
rwbag [--sip-flows=OUTPUTFILE] [--dip-flows=OUTPUTFILE]
      [--sport-flows=OUTPUTFILE] [--dport-flows=OUTPUTFILE]
      [--proto-flows=OUTPUTFILE] [--sensor-flows=OUTPUTFILE]
      [--input-flows=OUTPUTFILE] [--output-flows=OUTPUTFILE]
      [--nhip-flows=OUTPUTFILE]
      [--sip-packets=OUTPUTFILE] [--dip-packets=OUTPUTFILE]
      [--sport-packets=OUTPUTFILE] [--dport-packets=OUTPUTFILE]
      [--proto-packets=OUTPUTFILE] [--sensor-packets=OUTPUTFILE]
      [--input-packets=OUTPUTFILE] [--output-packets=OUTPUTFILE]
      [--nhip-packets=OUTPUTFILE]
      [--sip-bytes=OUTPUTFILE] [--dip-bytes=OUTPUTFILE]
      [--sport-bytes=OUTPUTFILE] [--dport-bytes=OUTPUTFILE]
      [--proto-bytes=OUTPUTFILE] [--sensor-bytes=OUTPUTFILE]
      [--input-bytes=OUTPUTFILE] [--output-bytes=OUTPUTFILE]
      [--nhip-bytes=OUTPUTFILE]
      [--note-add=TEXT] [--note-file-add=FILE]
      [--compression-method=COMP_METHOD]
      [--print-filenames] [--copy-input=PATH]
      [--site-config-file=FILENAME] [--legacy-help]
      [INPUTFILE[ INPUTFILE...]]
rwbag reads SiLK Flow records and builds a Bag. Source IP address, destination IP address, next hop IP address, source port, destination port, protocol, input interface index, output interface index, or sensor ID may be used as the unique key by which to count volumes. Flows, packets, or bytes may be used as the counter. rwbag attempts to read raw flow records from the standard input or from any INPUTFILE arguments. INPUTFILE may also explicitly be the keyword stdin. If the raw flow records do not contain the proper key and counter fields, rwbag prints an error to stderr and exits abnormally.
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
At least one of the following output flags must be defined. For each, OUTPUTFILE is the name of a non-existent file, a named pipe, or the keyword stdout to write the binary Bag to the standard output. Only one switch may use the standard output as its output stream.
--sip-flows=OUTPUTFILE
    Count number of flows by unique source IP.
--sip-packets=OUTPUTFILE
    Count number of packets by unique source IP.
--sip-bytes=OUTPUTFILE
    Count number of bytes by unique source IP.
--dip-flows=OUTPUTFILE
    Count number of flows by unique destination IP.
--dip-packets=OUTPUTFILE
    Count number of packets by unique destination IP.
--dip-bytes=OUTPUTFILE
    Count number of bytes by unique destination IP.
--sport-flows=OUTPUTFILE
    Count number of flows by unique source port.
--sport-packets=OUTPUTFILE
    Count number of packets by unique source port.
--sport-bytes=OUTPUTFILE
    Count number of bytes by unique source port.
--dport-flows=OUTPUTFILE
    Count number of flows by unique destination port.
--dport-packets=OUTPUTFILE
    Count number of packets by unique destination port.
--dport-bytes=OUTPUTFILE
    Count number of bytes by unique destination port.
--proto-flows=OUTPUTFILE
    Count number of flows by unique protocol.
--proto-packets=OUTPUTFILE
    Count number of packets by unique protocol.
--proto-bytes=OUTPUTFILE
    Count number of bytes by unique protocol.
--sensor-flows=OUTPUTFILE
    Count number of flows by unique sensor ID.
--sensor-packets=OUTPUTFILE
    Count number of packets by unique sensor ID.
--sensor-bytes=OUTPUTFILE
    Count number of bytes by unique sensor ID.
--input-flows=OUTPUTFILE
    Count number of flows by unique input interface index.
--input-packets=OUTPUTFILE
    Count number of packets by unique input interface index.
--input-bytes=OUTPUTFILE
    Count number of bytes by unique input interface index.
--output-flows=OUTPUTFILE
    Count number of flows by unique output interface index.
--output-packets=OUTPUTFILE
    Count number of packets by unique output interface index.
--output-bytes=OUTPUTFILE
    Count number of bytes by unique output interface index.
--nhip-flows=OUTPUTFILE
    Count number of flows by unique next hop IP.
--nhip-packets=OUTPUTFILE
    Count number of packets by unique next hop IP.
--nhip-bytes=OUTPUTFILE
    Count number of bytes by unique next hop IP.
--note-add=TEXT
    Add the specified TEXT to the header of every output file as an annotation. This switch may be repeated to add multiple annotations to a file. To view the annotations, use the rwfileinfo(1) tool.
--note-file-add=FILE
    Open FILENAME and add the contents of that file to the header of every output file as an annotation. This switch may be repeated to add multiple annotations. Currently the application makes no effort to ensure that FILENAME contains text; be careful that you do not attempt to add a SiLK data file as an annotation.
--compression-method=COMP_METHOD
    Set the compression method of the output to COMP_METHOD. Some SiLK tools can use an external library to compress their binary output. The list of available compression methods and the default method are set when SiLK is compiled (the --help and --version switches print the available and default compression methods) and depend on which supported libraries are found. SiLK can support:
    none
        Do not compress the output using an external library.
    zlib
        Use the zlib(3) library for compressing the output.
    lzo1x
        Use the lzo1x algorithm from the LZO real time compression library for compression.
    best
        Use whichever available method gives the best compression in general, though not necessarily the best for this particular output.
--print-filenames
    Prints to the standard error the names of input files as they are opened.
--copy-input=PATH
    Copy all binary input to the specified file or named pipe. PATH can be stdout to print flows to the standard output as long as the --output-path switch has been used to redirect rwuniq's ASCII output.
--site-config-file=FILENAME
    Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.
--legacy-help
    Print the usage information for rwbag and include the names of the deprecated options in the output.
The following options are deprecated.
Deprecated alias for --sip-flows.
Deprecated alias for --sip-packets.
Deprecated alias for --sip-bytes.
Deprecated alias for --dip-flows.
Deprecated alias for --dip-packets.
Deprecated alias for --dip-bytes.
Deprecated alias for --sport-flows.
Deprecated alias for --sport-packets.
Deprecated alias for --sport-bytes.
Deprecated alias for --dport-flows.
Deprecated alias for --dport-packets.
Deprecated alias for --dport-bytes.
Deprecated alias for --proto-flows.
Deprecated alias for --proto-packets.
Deprecated alias for --proto-bytes.
To build both source IP and destination IP Bags of flows:
rwfilter ... | rwbag --sip-flow=sf.bag --dip-flow=df.bag
SILK_CONFIG_FILE
    This environment variable is used as the value for the --site-config-file when that switch is not provided.
SILK_DATA_ROOTDIR
    When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwbag looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.
SILK_PATH
    This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwbag checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.
rwbagbuild(1), rwbagcat(1), rwbagtool(1), rwfileinfo(1), rwfilter(1)
Currently there is no support for Bag files keyed by an IPv6 address.
When used in an IPv6 environment, rwbag will process every record when creating Bags that are not keyed by the IP address. For Bags keyed by the IP address, rwbag will attempt to convert any IPv6 addresses to IPv4. Records that can be converted will be processed, all other records will be silently ignored for the IP-keyed Bags, but will be used for any non-IP-keyed Bags.
Create a binary Bag from non-flow data.
rwbagbuild { --set-input=SETFILE | --bag-input=TEXTFILE }
           [--delimiter=C] [--default-count=DEFAULTCOUNT]
           [--note-add=TEXT] [--note-file-add=FILE]
           [--compression-method=COMP_METHOD] [--output-path=OUTPUTFILE]
rwbagbuild builds a binary Bag file from an IPset file or from textual input.
When creating a Bag from an IPset, the value associated with each IP address is the value given by the --default-count switch, or 1 if the switch isn't provided.
The textual input read from the argument to the --bag-input switch is processed a line at a time. Comments begin with a '#' character and continue to the end of the line; they are stripped from each line. Any line that is blank or contains only whitespace is ignored. All other lines must contain a valid key or key-count pair; whitespace around the key and count is ignored.
If the delimiter character (specified by the --delimiter switch and having pipe ('|') as its default) is not present, the line must contain only an IP address or an integer key. If the delimiter is present, the line must contain an IP address or integer key before the delimiter and an integer count after the delimiter. These lines may have a second delimiter after the integer count; the delimiter and any text to the right of it are ignored.
When the --default-count switch is specified, its value will be used as the count for each key, and the count value parsed from each line, if any, is ignored. Otherwise, the parsed count is used, or 1 is used as the count if no delimiter was present.
For each key-count pair, the key will be inserted into Bag with its count or, if the key is already present in the Bag, its total count will be incremented by the count from this line.
The IP address or integer key must be expressed in one of these formats:
Dotted decimal—all 4 octets are required:
    10.1.2.4
An unsigned 32-bit integer:
    167838212
Either of the above with a CIDR designation—for dotted decimal all four octets are still required:
    10.1.2.4/31
    167838212/31
SiLK wildcard notation: Four octets separated by periods where each octet may be a single number, a range of numbers, e.g., 1-10, a comma separated list of numbers and ranges, or the character 'x' used to represent all values in an octet, that is 0-255:
    10.x.1-2.4,5
If an IP address or count cannot be parsed, or if a line contains a delimiter character but no count, rwbagbuild prints an error and exits.
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
The following two switches control the type of input; one and only one must be provided:
--set-input=SETFILE
    Create a Bag from an IPset. SETFILE is a filename, a named pipe, or the keyword stdin. Counts have a volume of 1 unless overridden with --default-count.
--bag-input=TEXTFILE
    Create a Bag from a delimited text file. TEXTFILE is a filename, a named pipe, or the keyword stdin. See the DESCRIPTION section for the syntax of the TEXTFILE.
--delimiter=C
    The delimiter to expect between each key-count pair of the TEXTFILE read by the --bag-input switch. The delimiter is ignored if the --set-input switch is specified. Since '#' is used to denote comments and newline is used to denote records, neither is a valid delimiter character.
--default-count=DEFAULTCOUNT
    Override the counts of all values in the input bag or set with the value of DEFAULTCOUNT. DEFAULTCOUNT must be a positive integer.
--note-add=TEXT
    Add the specified TEXT to the header of the output file as an annotation. This switch may be repeated to add multiple annotations to a file. To view the annotations, use the rwfileinfo(1) tool.
--note-file-add=FILE
    Open FILENAME and add the contents of that file to the header of the output file as an annotation. This switch may be repeated to add multiple annotations. Currently the application makes no effort to ensure that FILENAME contains text; be careful that you do not attempt to add a SiLK data file as an annotation.
--compression-method=COMP_METHOD
    Set the compression method of the output to COMP_METHOD. Some SiLK tools can use an external library to compress their binary output. The list of available compression methods and the default method are set when SiLK is compiled (the --help and --version switches print the available and default compression methods) and depend on which supported libraries are found. SiLK can support:
    none
        Do not compress the output using an external library.
    zlib
        Use the zlib(3) library for compressing the output.
    lzo1x
        Use the lzo1x algorithm from the LZO real time compression library for compression.
    best
        Use whichever available method gives the best compression in general, though not necessarily the best for this particular output.
--output-path=OUTPUTFILE
    Redirect output to OUTPUTFILE. OUTPUTFILE is a filename, named pipe, or the keyword stdout.
Assume the file mybag.txt contains the following (ignore leading whitespace and every line ends with a newline):
    192.168.0.1|5
    192.168.0.2|500
    192.168.0.3|3
    192.168.0.4|14
    192.168.0.5|5
To build a bag with it:
rwbagbuild --bag-input=mybag.txt > mybag.bag
Or given the IP set myset.set, create a bag where every entry in the set has a count of 3:
rwbagbuild --set-input=myset.set --default-count=3 \
    --out=mybag2.bag
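As an added illustration of the --bag-input syntax described above (the key formats, comment and delimiter handling, --default-count, and accumulation of repeated keys), here is a small parser that turns such text into a {key: count} mapping. It is not rwbagbuild's own code; the function names and the sample input are constructed for this example, and keys are represented as 32-bit integers the way Bag keys are.

```python
import itertools
import re
from typing import Dict, Iterator, Optional

MAX_KEY = 2**32 - 1
_DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def key_of(text: str) -> int:
    """Parse a single key: dotted decimal (all four octets required) or an
    unsigned 32-bit integer. Anything else is an error, as in rwbagbuild."""
    if text.isdigit():
        value = int(text)
    elif _DOTTED.match(text):
        octets = [int(o) for o in text.split(".")]
        if max(octets) > 255:
            raise ValueError("octet out of range in %r" % text)
        value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    else:
        raise ValueError("unparsable key %r" % text)
    if value > MAX_KEY:
        raise ValueError("key %r exceeds 32 bits" % text)
    return value


def _octet_values(spec: str) -> Iterator[int]:
    """One octet of SiLK wildcard notation: 'x' (0-255), a number, a range
    a-b, or a comma-separated list of numbers and ranges."""
    if spec == "x":
        yield from range(256)
        return
    for part in spec.split(","):
        lo, dash, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if dash else int(lo))
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError("bad octet spec %r" % part)
        yield from range(lo_i, hi_i + 1)


def expand_key(text: str) -> Iterator[int]:
    """Yield every key a key expression denotes: a single key, key/PREFIX
    (CIDR, in dotted or integer form), or SiLK wildcard notation."""
    base, slash, prefix = text.partition("/")
    parts = base.split(".")
    if not slash and len(parts) == 4 and not _DOTTED.match(base):
        for octets in itertools.product(*(list(_octet_values(p)) for p in parts)):
            yield (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
        return
    start = key_of(base)
    if not slash:
        yield start
        return
    plen = int(prefix)
    if not 0 <= plen <= 32:
        raise ValueError("bad prefix length in %r" % text)
    size = 1 << (32 - plen)
    network = start & ~(size - 1) & MAX_KEY
    yield from range(network, network + size)


def parse_bag_text(text: str, delimiter: str = "|",
                   default_count: Optional[int] = None) -> Dict[int, int]:
    """Build {key: count} from --bag-input text: strip '#' comments, skip
    blank lines, accept 'key' or 'key<delim>count[<delim>ignored]', honour
    --default-count, and add the count to any key already present."""
    if delimiter in ("#", "\n"):
        raise ValueError("invalid delimiter")
    bag: Dict[int, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(delimiter)
        if len(fields) == 1:
            count = 1
        else:
            count_text = fields[1].strip()
            if not count_text.isdigit():
                raise ValueError("line %d: delimiter present but no count" % lineno)
            count = int(count_text)
        if default_count is not None:
            count = default_count
        for key in expand_key(fields[0].strip()):
            bag[key] = bag.get(key, 0) + count
    return bag


# Constructed input in the --bag-input syntax; every line ends with a newline.
SAMPLE_TEXT = """\
# keys may be dotted decimal, integers, CIDR blocks or wildcards
192.168.0.1|5
192.168.0.2|500        # trailing comment is stripped
192.168.0.3|3|text after a second delimiter is ignored
10.1.2.4/31|2
10.x.1-2.4,5
167838212              # 10.1.2.4 as an integer; count defaults to 1
"""

if __name__ == "__main__":
    bag = parse_bag_text(SAMPLE_TEXT)
    print(len(bag), "keys; 10.1.2.4 ->", bag[key_of("10.1.2.4")])
```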
rwbag(1), rwbagcat(1), rwbagtool(1), rwfileinfo(1), rwset(1)
Output a binary Bag as text.
rwbagcat [--stats[=OUTFILE]] [--tree-stats[=OUTFILE]]
         [--network-structure[=[T][A][B][C][X][H][S]] | --bin-ips[=SCALE]]
         [--mincounter=VALUE] [--maxcounter=VALUE]
         [--minkey=VALUE] [--maxkey=VALUE] [--zero-counts]
         [--integer-keys | --zero-pad-ips] [--output-path=OUTPUTFILE]
         [--no-columns] [--column-separator=C] [--no-final-delimiter]
         [{--delimited | --delimited=C}] [--pager=PAGER_PROG]
         [BAGFILE...]
rwbagcat reads a binary Bag, converts it to text, and outputs it to the standard output or the specified file. It can also print various statistics and summary information about the Bag.
rwbagcat reads the BAGFILEs specified on the command line; if no BAGFILE arguments are given, rwbagcat attempts to read the Bag from the standard input. BAGFILE may also explicitly be the keyword stdin to allow rwbagcat to combine files and piped input. If any input does not contain a Bag, rwbagcat prints an error to stderr and exits abnormally.
When multiple BAGFILEs are specified, each is handled individually; to process the combination of the BAGFILEs, invoke rwbagcat on the output from rwbagtool(1).
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
Print the network structure around the keys.
total sum of all keys
class A (/8) network header and subtotal
class B (/16) network header and subtotal
class C (/24) network header and subtotal
(/27) network header and subtotal
individual IP addresses and counter
count of /8,/16,/24,/27s in each smaller subnet
If no parameter is specified to the --network-structure switch, the default is TS. Any combination of T,A,B,C,X,H may be specified; the value S by itself is illegal.
Invert the bag and count the total number of unique IP addresses for a given value of the volume bin. For example, turn a Bag {sip:flow} into {flow:count(sip)}. SCALE is a string containing the value linear, binary, or decimal.
The default behavior is linear: Each distinct counter gets its own bin. Any counter in the input Bag file that is larger than the maximum possible key will be attributed to the maximum key; to prevent this, specify --maxcounter=4294967295.
binary creates a bag of {log2(flow):count(sip)}. Bin n contains counts in the range [ 2^n, 2^(n+1) ).
decimal creates one hundred bins for the counters in the range [1,100), another one hundred bins for the counters in the range [100,1000), another one hundred for the range [1000,10000), and so on. Counters are distributed logarithmically among the bins.
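As an added illustration of the --bin-ips inversion (example code written for this page, not part of SiLK), the function below turns a {key: counter} Bag into {bin: number of keys} for the linear and binary scales, whose bin boundaries the text states exactly. It assumes the Bag has already been read into a Python dict; the keys and counters are constructed sample values.

```python
from collections import Counter

# Largest 32-bit key. On the linear scale a counter above this value collapses
# into this bin, which is the behaviour the --maxcounter note above guards against.
MAX_KEY = 4294967295

# Constructed sample {sip: flows}, as parsed from an rwbagcat text listing.
SAMPLE_BAG = {
    "172.23.1.1": 5, "172.23.1.2": 231, "172.23.1.3": 9, "172.23.1.4": 19,
    "192.168.0.100": 1, "192.168.0.101": 1, "192.168.0.160": 15,
    "192.168.20.161": 1, "192.168.20.162": 5, "192.168.20.163": 5,
}


def bin_ips(bag, scale="linear", max_counter=MAX_KEY):
    """Invert {key: counter} into {bin: number of keys whose counter falls in bin}.

    linear: one bin per distinct counter value; a counter larger than
            max_counter is attributed to the max_counter bin.
    binary: bin n holds counters in [2**n, 2**(n+1)), i.e. n = floor(log2(c)).
    Keys whose counter is zero are skipped, matching the default (no --zero-counts).
    """
    bins = Counter()
    for counter in bag.values():
        if counter <= 0:
            continue
        if scale == "linear":
            bins[min(counter, max_counter)] += 1
        elif scale == "binary":
            bins[counter.bit_length() - 1] += 1  # floor(log2(counter)) for counter >= 1
        else:
            raise ValueError("unsupported scale: %r" % scale)
    return dict(bins)


def format_bins(bins, separator="|"):
    """Render the inverted Bag the way rwbagcat prints a text Bag: bin|count|."""
    return [f"{b}{separator}{n}{separator}" for b, n in sorted(bins.items())]


if __name__ == "__main__":
    for scale in ("linear", "binary"):
        print(scale)
        print("\n".join(format_bins(bin_ips(SAMPLE_BAG, scale))))
```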
Print out breakdown of the network hosts seen, and print out general statistics about the keys and counters.
count of unique keys
sum of all the counters
minimum key
maximum key
minimum counter
maximum counter
mean of counters
variance of counters
standard deviation of counters
skew of counters
kurtosis of counters
OUTFILE is a filename, named pipe, or one of the keywords stdout or stderr. Defaults to printing on stderr unless output is being paged, in which case output is to stdout.
Print out metadata about how the bag is performing:
count of nodes allocated
total bytes allocated for nodes
count of leaves allocated
total bytes allocated for leaves
count of keys entered
density of data
OUTFILE is a filename, named pipe, or one of the keywords stdout or stderr. Defaults to printing on stdout.
Only output records whose minimum counter value is VALUE or higher. The valid range of VALUE is 1 to 18446744073709551615. The default is to print all records with non-zero counter; use --zero-counts to show records whose counter is 0.
Only output records whose maximum counter value is VALUE or lower. The valid range of VALUE is 1 to 18446744073709551615, with the default being the maximum counter value.
Only output records whose minimum key value is VALUE or higher. The valid range of VALUE is 0 to 4294967295, or 0.0.0.0 to 255.255.255.255. Default is 0 (for port or protocol) or 0.0.0.0 (for IP address). Accepts dotted decimal or integer notation.
Only output records whose maximum key value is VALUE or lower. The valid range of VALUE is 0 to 4294967295, or 0.0.0.0 to 255.255.255.255. Default is all ports or protocols, or the maximum IP address 255.255.255.255. Accepts dotted decimal or integer notation.
Print keys whose counter is zero. Normally, keys with a counter of zero are suppressed since all keys have a default counter of zero. In order to use this flag, --minkey and --maxkey must be specified. When this switch is specified, any counter limit explicitly set by the --maxcounter switch will still be applied.
Redirect output of the --network-structure or --bin-ips options to OUTPUTFILE. OUTPUTFILE is a filename, named pipe, or the keyword stdout.
Pad IP address octets with zeros so that every octet is three characters wide.
Print the keys as integers. This flag should be used if the bag is a port or protocol bag.
Disable fixed-width columnar output.
Use specified character between columns and after the final column. When this switch is not specified, the default of '|' is used.
Do not print the column separator after the final column. Normally a delimiter is printed. When the network summary is requested (--network-structure=S), the separator is always printed before the summary column and never after that column.
Run as if --no-columns --no-final-delimiter --column-sep=C had been specified. That is, disable fixed-width columnar output; if character C is provided, it is used as the delimiter between columns instead of the default '|'.
When output is to a terminal, invoke the program PAGER_PROG to view the output one screen full at a time. This switch overrides the SILK_PAGER environment variable, which in turn overrides the PAGER variable. If the value of the pager is determined to be the empty string, no paging will be performed and all output will be printed to the terminal.
To print the bag:

    $ rwbagcat mybag.bag
         172.23.1.1|          5|
         172.23.1.2|        231|
         172.23.1.3|          9|
         172.23.1.4|         19|
      192.168.0.100|          1|
      192.168.0.101|          1|
      192.168.0.160|         15|
     192.168.20.161|          1|
     192.168.20.162|          5|
     192.168.20.163|          5|

To print it with full network:

    $ rwbagcat --network-structure=TABCHX mybag.bag
    172.23.1.1          |        5|
    172.23.1.2          |      231|
    172.23.1.3          |        9|
    172.23.1.4          |       19|
    172.23.1.0/27       |      264|
    172.23.1.0/24       |      264|
    172.23.0.0/16       |      264|
    172.0.0.0/8         |      264|
    192.168.0.100       |        1|
    192.168.0.101       |        1|
    192.168.0.96/27     |        2|
    192.168.0.160       |       15|
    192.168.0.160/27    |       15|
    192.168.0.0/24      |       17|
    192.168.20.161      |        1|
    192.168.20.162      |        5|
    192.168.20.163      |        5|
    192.168.20.160/27   |       11|
    192.168.20.0/24     |       11|
    192.168.0.0/16      |       28|
    192.0.0.0/8         |       28|
    TOTAL               |      292|
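To show where the /27, /24, /16 and /8 subtotals in the listing above come from, here is an added example (written for this page, not SiLK's own code) that parses a text Bag in rwbagcat's key|counter| layout and computes the same per-block subtotals and TOTAL; the Bag text is a constructed copy of the listing's keys and counters.

```python
import ipaddress

# Constructed text Bag in the layout rwbagcat prints (key|counter|, blank-padded).
BAG_TEXT = """\
     172.23.1.1|   5|
     172.23.1.2| 231|
     172.23.1.3|   9|
     172.23.1.4|  19|
  192.168.0.100|   1|
  192.168.0.101|   1|
  192.168.0.160|  15|
 192.168.20.161|   1|
 192.168.20.162|   5|
 192.168.20.163|   5|
"""


def parse_bag_text(text, separator="|"):
    """Parse 'key|counter|' lines into {key: counter}; column padding is stripped."""
    rows = (line.split(separator) for line in text.splitlines() if line.strip())
    return {key.strip(): int(counter) for key, counter, *_ in rows}


def network_structure(bag, prefix_lengths=(27, 24, 16, 8)):
    """Subtotal the counters of every /27, /24, /16 and /8 block that contains a key.

    Returns {'a.b.c.d/N': subtotal, ..., 'TOTAL': sum of all counters}, the
    figures that rwbagcat --network-structure=TABCHX prints beside each block.
    """
    totals = {}
    for key, counter in bag.items():
        addr = ipaddress.IPv4Address(key)
        for plen in prefix_lengths:
            # strict=False zeroes the host bits so the key maps onto its block.
            block = str(ipaddress.IPv4Network((addr, plen), strict=False))
            totals[block] = totals.get(block, 0) + counter
    totals["TOTAL"] = sum(bag.values())
    return totals


if __name__ == "__main__":
    for block, subtotal in network_structure(parse_bag_text(BAG_TEXT)).items():
        print(f"{block:<20}|{subtotal:>9}|")
```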