CERT NetSA Security Suite 
Open Source Tools for Network Monitoring 
SiLK - Documentation - rwaddrcount


NAME

rwaddrcount - count activity by IP address


SYNOPSIS

  rwaddrcount {--print-recs | --print-ips | --print-stat}
        [--use-dest] [--byte-min=BYTEMIN] [--byte-max=BYTEMAX]
        [--rec-min=RECMIN] [--rec-max=RECMAX]
        [--packet-min=PACKMIN] [--packet-max=PACKMAX]
        [--set-file=PATHNAME] [--sort-ips]
        [{--integer-ips | --zero-pad-ips}]
        [--no-titles] [--no-columns] [--column-separator=CHAR]
        [--no-final-delimiter] [{--delimited | --delimited=CHAR}]
        [--print-filenames] [--copy-input=PATH] [--output-path=PATH]
        [--pager=PAGER_PROG] [--site-config-file=FILENAME]
        [{--legacy-timestamps | --legacy-timestamps=NUM}] [FILES...]


DESCRIPTION

rwaddrcount reads SiLK Flow records from files named on the command line or from the standard input, sums the byte-, packet-, and record-counts by individual source or destination IP address, and maintains the time window during which that IP address was active. At the end of the count operation, the results per IP address are displayed when the --print-recs switch is given. rwaddrcount includes facilities for displaying only those IP addresses whose byte-, packet-, or flow-counts are between specified minima and maxima.


OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

For the application to operate, one of the three --print options must be chosen.

--print-recs
Print out count records: IP address, number of bytes, number of packets, number of filter records, earliest start time and latest end time.

--print-ips
Print out only the IP addresses.

--print-stat
Print the following statistics for all SiLK flows that were read and for those meeting the minima and maxima criteria: byte, packet, and flow record counts and the number of unique IP addresses.

--use-dest
Count by destination IP address in the filter record rather than source IP.

--byte-min=BYTEMIN
Filtering criterion; for the final output (stats or printing), only include count records where the total number of bytes exceeds BYTEMIN.

--packet-min=PACKMIN
Filtering criterion; for the final output (stats or printing), only include count records where the total number of packets exceeds PACKMIN.

--rec-min=RECMIN
Filtering criterion; for the final output (stats or printing), only include count records where the total number of filter records contributing to that count record exceeds RECMIN.

--byte-max=BYTEMAX
Filtering criterion; for the final output (stats or printing), only include count records where the total number of bytes is less than BYTEMAX.

--packet-max=PACKMAX
Filtering criterion; for the final output (stats or printing), only include count records where the total number of packets is less than PACKMAX.

--rec-max=RECMAX
Filtering criterion; for the final output (stats or printing), only include count records to which at most RECMAX filter records contributed.

--set-file=PATHNAME
Write the IPs into the rwset(1)-style binary IP-set file named PATHNAME. Use rwsetcat(1) to see the contents of this file.

--integer-ips
For the --print-recs and --print-ips output formats, print the IPs as integers. By default, IP addresses are printed as dotted decimal.

--zero-pad-ips
For the --print-recs and --print-ips output formats, print IP addresses as dotted decimal, but use three digits per octet by adding zero-padding, e.g., 000.000.000.000.

--sort-ips
For the --print-recs and --print-ips output formats, the results are presented sorted by IP address.

--no-titles
Turn off column titles. By default, titles are printed.

--no-columns
Disable fixed-width columnar output.

--column-separator=C
Use specified character between columns and after the final column. When this switch is not specified, the default of '|' is used.

--no-final-delimiter
Do not print the column separator after the final column. Normally a delimiter is printed.

--delimited
--delimited=C
Run as if --no-columns --no-final-delimiter --column-sep=C had been specified. That is, disable fixed-width columnar output; if character C is provided, it is used as the delimiter between columns instead of the default '|'.

--print-filenames
Print to the standard error the names of input files as they are opened.

--copy-input=PATH
Copy all binary input to the specified file or named pipe. PATH can be stdout to print flows to the standard output as long as the --output-path switch has been used to redirect rwaddrcount's ASCII output.

--output-path=PATH
Determine where the output of rwaddrcount (ASCII text) is written. If this option is not given, output is written to the standard output.

--pager=PAGER_PROG
When output is to a terminal, invoke the program PAGER_PROG to view the output one screen full at a time. This switch overrides the SILK_PAGER environment variable, which in turn overrides the PAGER variable. If the value of the pager is determined to be the empty string, no paging will be performed and all output will be printed to the terminal.

--site-config-file=FILENAME
Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.

--legacy-timestamps
--legacy-timestamps=NUM
Specify the format for human readable timestamps, either the default (new) style, YYYY/MM/DDThh:mm:ss, or the legacy style, MM/DD/YYYY hh:mm:ss. When this switch is not present, the timestamps will be in the default format. When this switch is present and no argument is given, timestamps are in the legacy format. When an argument is supplied, timestamps will be in the new format if the argument begins with 0, and in the old format if the argument begins with 1. Any other argument to the switch is an error.


EXAMPLES

To print out the set of IP addresses with exactly one TCP record during the time period, use:

  rwfilter --start-date=2003/09/01:00 --end-date=2003/09/01:12 \
        --proto=6 --pass=stdout \
        | rwaddrcount --rec-max=1 --print-ips

In general, to print out record information, use rwaddrcount with --print-recs:

  rwfilter --start-date=2003/01/17:00 --end-date=2003/01/17:23 \
        --proto=6 --pass=stdout \
        | rwaddrcount --print-recs | head -3
  10.10.10.1|  65792| 147|  21| 2003/01/17T00:19:01| 2003/01/17T02:00:13|
  10.10.10.2| 110744|  89|   7| 2003/01/17T01:21:42| 2003/01/17T01:39:21|
  10.10.10.3|    864|  18|   6| 2003/01/17T00:20:33| 2003/01/17T01:25:38|
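The following is an added example, not part of the SiLK documentation or project code. It post-processes the --print-recs output described above (run with --no-titles --delimited so each line is IP|bytes|packets|records|start|end) to flag sources that generated many flow records but very few bytes per record, a volume profile worth reviewing in an analyst's triage. The sample lines are constructed in that format and are not real data; the thresholds are assumptions for illustration.

```shell
#!/bin/sh
# Post-process rwaddrcount output to find high-record, low-volume sources.
# Input format assumed: rwaddrcount --print-recs --no-titles --delimited,
# i.e. IP|bytes|packets|records|earliest start|latest end (no final '|').

# Constructed sample output (not real data); records are field 4.
SAMPLE_RECS='10.10.10.1|65792|147|21|2003/01/17T00:19:01|2003/01/17T02:00:13
10.10.10.2|110744|89|7|2003/01/17T01:21:42|2003/01/17T01:39:21
10.10.10.3|864|18|6|2003/01/17T00:20:33|2003/01/17T01:25:38
192.0.2.77|20400|510|510|2003/01/17T03:00:00|2003/01/17T03:02:10'

# flag_low_volume_sources MIN_RECS MAX_AVG_BYTES
# Reads count records on stdin and prints "ip|records|avg_bytes_per_record"
# for every address with at least MIN_RECS records whose average bytes per
# record is at most MAX_AVG_BYTES. Input order is preserved.
flag_low_volume_sources() {
    min_recs=$1
    max_avg_bytes=$2
    awk -F'|' -v min_recs="$min_recs" -v max_avg="$max_avg_bytes" '
        # Skip short/malformed lines and avoid division by zero.
        NF >= 6 && $4 > 0 && $4 >= min_recs {
            avg = $2 / $4
            if (avg <= max_avg) printf "%s|%d|%.1f\n", $1, $4, avg
        }'
}

# Stand-alone demo: at least 100 records and at most 60 bytes per record.
# In practice the input would come from a rwfilter ... | rwaddrcount pipeline.
printf '%s\n' "$SAMPLE_RECS" | flag_low_volume_sources 100 60
```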


ENVIRONMENT

SILK_PAGER
When set to a non-empty string, rwaddrcount automatically invokes this program to display its output a screen at a time. If set to an empty string, rwaddrcount does not automatically page its output.

PAGER
When set and SILK_PAGER is not set, rwaddrcount automatically invokes this program to display its output a screen at a time.

SILK_CONFIG_FILE
This environment variable is used as the value for the --site-config-file when that switch is not provided.

SILK_DATA_ROOTDIR
When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwaddrcount looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.

SILK_PATH
This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwaddrcount checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.


SEE ALSO

rwfilter(1), rwset(1), rwsetcat(1), rwstats(1), rwtotal(1), rwuniq(1)


NOTES

When used in an IPv6 environment, rwaddrcount will attempt to convert any IPv6 addresses to IPv4. Records that can be converted will be processed; all other records will be silently ignored.

rwaddrcount uses a fairly large hash table to store its data, but as the amount of input data grows, the application is likely to take proportionally more time to process it.

Similar binning of records is produced by rwstats(1), rwtotal(1), and rwuniq(1).

To generate a list of IP addresses without the volume information, use rwset(1).