CERT NetSA Security Suite 
Open Source Tools for Network Monitoring 
SiLK - Documentation - rwbag


NAME

rwbag - Build a binary Bag from SiLK Flow records.


SYNOPSIS

  rwbag [--sip-flows=OUTPUTFILE] [--dip-flows=OUTPUTFILE]
        [--sport-flows=OUTPUTFILE] [--dport-flows=OUTPUTFILE]
        [--proto-flows=OUTPUTFILE] [--sensor-flows=OUTPUTFILE]
        [--input-flows=OUTPUTFILE] [--output-flows=OUTPUTFILE]
        [--nhip-flows=OUTPUTFILE]
        [--sip-packets=OUTPUTFILE] [--dip-packets=OUTPUTFILE]
        [--sport-packets=OUTPUTFILE] [--dport-packets=OUTPUTFILE]
        [--proto-packets=OUTPUTFILE] [--sensor-packets=OUTPUTFILE]
        [--input-packets=OUTPUTFILE] [--output-packets=OUTPUTFILE]
        [--nhip-packets=OUTPUTFILE]
        [--sip-bytes=OUTPUTFILE] [--dip-bytes=OUTPUTFILE]
        [--sport-bytes=OUTPUTFILE] [--dport-bytes=OUTPUTFILE]
        [--proto-bytes=OUTPUTFILE] [--sensor-bytes=OUTPUTFILE]
        [--input-bytes=OUTPUTFILE] [--output-bytes=OUTPUTFILE]
        [--nhip-bytes=OUTPUTFILE]
        [--note-add=TEXT] [--note-file-add=FILE]
        [--compression-method=COMP_METHOD]
        [--print-filenames] [--copy-input=PATH]
        [--site-config-file=FILENAME] [--legacy-help]
        [INPUTFILE[ INPUTFILE...]]


DESCRIPTION

rwbag reads SiLK Flow records and builds a Bag. Source IP address, destination IP address, next hop IP address, source port, destination port, protocol, input interface index, output interface index, or sensor ID may be used as the unique key by which to count volumes. Flows, packets, or bytes may be used as the counter. rwbag attempts to read raw flow records from the standard input or from any INPUTFILE arguments. INPUTFILE may also explicitly be the keyword stdin. If the raw flow records do not contain the proper key and counter fields, rwbag prints an error to stderr and exits abnormally.


OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

At least one of the following output flags must be defined. For each, OUTPUTFILE is the name of a non-existent file, a named pipe, or the keyword stdout to write the binary Bag to the standard output. Only one switch may use the standard output as its output stream.

--sip-flows=OUTPUTFILE
Count number of flows by unique source IP.

--sip-packets=OUTPUTFILE
Count number of packets by unique source IP.

--sip-bytes=OUTPUTFILE
Count number of bytes by unique source IP.

--dip-flows=OUTPUTFILE
Count number of flows by unique destination IP.

--dip-packets=OUTPUTFILE
Count number of packets by unique destination IP.

--dip-bytes=OUTPUTFILE
Count number of bytes by unique destination IP.

--sport-flows=OUTPUTFILE
Count number of flows by unique source port.

--sport-packets=OUTPUTFILE
Count number of packets by unique source port.

--sport-bytes=OUTPUTFILE
Count number of bytes by unique source port.

--dport-flows=OUTPUTFILE
Count number of flows by unique destination port.

--dport-packets=OUTPUTFILE
Count number of packets by unique destination port.

--dport-bytes=OUTPUTFILE
Count number of bytes by unique destination port.

--proto-flows=OUTPUTFILE
Count number of flows by unique protocol.

--proto-packets=OUTPUTFILE
Count number of packets by unique protocol.

--proto-bytes=OUTPUTFILE
Count number of bytes by unique protocol.

--sensor-flows=OUTPUTFILE
Count number of flows by unique sensor ID.

--sensor-packets=OUTPUTFILE
Count number of packets by unique sensor ID.

--sensor-bytes=OUTPUTFILE
Count number of bytes by unique sensor ID.

--input-flows=OUTPUTFILE
Count number of flows by unique input interface index.

--input-packets=OUTPUTFILE
Count number of packets by unique input interface index.

--input-bytes=OUTPUTFILE
Count number of bytes by unique input interface index.

--output-flows=OUTPUTFILE
Count number of flows by unique output interface index.

--output-packets=OUTPUTFILE
Count number of packets by unique output interface index.

--output-bytes=OUTPUTFILE
Count number of bytes by unique output interface index.

--nhip-flows=OUTPUTFILE
Count number of flows by unique next hop IP.

--nhip-packets=OUTPUTFILE
Count number of packets by unique next hop IP.

--nhip-bytes=OUTPUTFILE
Count number of bytes by unique next hop IP.

--note-add=TEXT
Add the specified TEXT to the header of every output file as an annotation. This switch may be repeated to add multiple annotations to a file. To view the annotations, use the rwfileinfo(1) tool.

--note-file-add=FILENAME
Open FILENAME and add the contents of that file to the header of every output file as an annotation. This switch may be repeated to add multiple annotations. Currently the application makes no effort to ensure that FILENAME contains text; be careful that you do not attempt to add a SiLK data file as an annotation.

--compression-method=COMP_METHOD
Set the compression method of the output to COMP_METHOD. Some SiLK tools can use an external library to compress their binary output. The list of available compression methods and the default method are set when SiLK is compiled (the --help and --version switches print the available and default compression methods) and depend on which supported libraries are found. SiLK can support:
none
Do not compress the output using an external library

zlib
Use the zlib(3) library for compressing the output

lzo1x
Use the lzo1x algorithm from the LZO real time compression library for compression

best
Use whichever available method gives the best compression in general, though not necessarily the best for this particular output.

--print-filenames
Prints to the standard error the names of input files as they are opened.

--copy-input=PATH
Copy all binary input to the specified file or named pipe. PATH can be stdout to print flows to the standard output as long as none of the Bag output switches is already using the standard output as its output stream.

--site-config-file=FILENAME
Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.

--legacy-help
Print the usage information for rwbag and include the names of the deprecated options in the output.

The following options are deprecated.

--sf-file=OUTPUTFILE
Deprecated alias for --sip-flows.

--sp-file=OUTPUTFILE
Deprecated alias for --sip-packets.

--sb-file=OUTPUTFILE
Deprecated alias for --sip-bytes.

--df-file=OUTPUTFILE
Deprecated alias for --dip-flows.

--dp-file=OUTPUTFILE
Deprecated alias for --dip-packets.

--db-file=OUTPUTFILE
Deprecated alias for --dip-bytes.

--port-sf-file=OUTPUTFILE
Deprecated alias for --sport-flows.

--port-sp-file=OUTPUTFILE
Deprecated alias for --sport-packets.

--port-sb-file=OUTPUTFILE
Deprecated alias for --sport-bytes.

--port-df-file=OUTPUTFILE
Deprecated alias for --dport-flows.

--port-dp-file=OUTPUTFILE
Deprecated alias for --dport-packets.

--port-db-file=OUTPUTFILE
Deprecated alias for --dport-bytes.

--proto-f-file=OUTPUTFILE
Deprecated alias for --proto-flows.

--proto-p-file=OUTPUTFILE
Deprecated alias for --proto-packets.

--proto-b-file=OUTPUTFILE
Deprecated alias for --proto-bytes.


EXAMPLES

To build both source IP and destination IP Bags of flows:

  rwfilter... | rwbag --sip-flow=sf.bag --dip-flow=df.bag


ENVIRONMENT

SILK_CONFIG_FILE
This environment variable is used as the value for the --site-config-file when that switch is not provided.

SILK_DATA_ROOTDIR
When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwbag looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.

SILK_PATH
This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwbag checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.


SEE ALSO

rwbagbuild(1), rwbagcat(1), rwbagtool(1), rwfileinfo(1), rwfilter(1)


BUGS

Currently there is no support for Bag files keyed by an IPv6 address.

When used in an IPv6 environment, rwbag will process every record when creating Bags that are not keyed by the IP address. For Bags keyed by the IP address, rwbag will attempt to convert any IPv6 addresses to IPv4. Records that can be converted will be processed, all other records will be silently ignored for the IP-keyed Bags, but will be used for any non-IP-keyed Bags.
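The following Python model illustrates the key/counter aggregation described in DESCRIPTION and the per-Bag IPv6 handling described in BUGS; it is added here as an example, is not SiLK code, and does not produce the binary Bag format. The Flow type, the sample records, and the reading of "records that can be converted" as IPv4-mapped addresses are assumptions.

```python
import ipaddress
from collections import Counter, namedtuple

# One flow record holding just the fields rwbag can key on or count (constructed type, not SiLK's).
Flow = namedtuple("Flow", "sip dip sport dport proto packets nbytes nhip sensor input output",
                  defaults=("0.0.0.0", 0, 0, 0))
KEY_FIELDS = ("sip", "dip", "nhip", "sport", "dport", "proto", "sensor", "input", "output")
IP_KEYS = ("sip", "dip", "nhip")
COUNTER_FIELDS = {"flows": None, "packets": "packets", "bytes": "nbytes"}  # None: count records

def ipv4_key(addr):
    """IPv4 text for an IPv4 or IPv4-mapped IPv6 address, else None.
    Assumption: 'records that can be converted' means ::ffff:a.b.c.d addresses."""
    ip = ipaddress.ip_address(addr)
    mapped = ip if ip.version == 4 else ip.ipv4_mapped
    return None if mapped is None else str(mapped)

def build_bag(flows, key, counter):
    """Model one --KEY-COUNTER switch: returns (Counter, number of records skipped).
    IP-keyed Bags drop records not convertible to IPv4; other keys keep every record."""
    if key not in KEY_FIELDS or counter not in COUNTER_FIELDS:
        raise ValueError(f"unsupported key/counter: {key}-{counter}")
    bag, skipped = Counter(), 0
    for f in flows:
        k = getattr(f, key)
        if key in IP_KEYS:
            k = ipv4_key(k)
            if k is None:  # silently ignored, as the BUGS section describes
                skipped += 1
                continue
        field = COUNTER_FIELDS[counter]
        bag[k] += 1 if field is None else getattr(f, field)
    return bag, skipped

def build_bags(flows, switches):
    """Several switches in one pass, e.g. ("sip-flows", "dip-flows") as in EXAMPLES."""
    return {s: build_bag(flows, *s.split("-", 1)) for s in switches}

# Constructed sample records: two IPv4 sources, one IPv4-mapped IPv6, one native IPv6.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "192.0.2.10", 51234, 80, 6, 5, 4000),
    Flow("10.0.0.1", "192.0.2.11", 51235, 443, 6, 10, 9000),
    Flow("10.0.0.2", "192.0.2.10", 40000, 53, 17, 1, 70),
    Flow("::ffff:10.0.0.3", "192.0.2.10", 40001, 53, 17, 2, 140),
    Flow("2001:db8::1", "192.0.2.10", 40002, 80, 6, 3, 300),
]

if __name__ == "__main__":
    for name, (bag, skipped) in build_bags(SAMPLE_FLOWS, ("sip-flows", "dip-bytes")).items():
        print(name, dict(bag), "skipped:", skipped)
```

Note that the native IPv6 record is dropped from the sip-keyed Bag but still counted in the dip-, proto- and dport-keyed Bags, which is the asymmetry the BUGS section warns about.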