rwbag - Build a binary Bag from SiLK Flow records.
rwbag [--sip-flows=OUTPUTFILE] [--dip-flows=OUTPUTFILE]
[--sport-flows=OUTPUTFILE] [--dport-flows=OUTPUTFILE]
[--proto-flows=OUTPUTFILE] [--sensor-flows=OUTPUTFILE]
[--input-flows=OUTPUTFILE] [--output-flows=OUTPUTFILE]
[--nhip-flows=OUTPUTFILE]
[--sip-packets=OUTPUTFILE] [--dip-packets=OUTPUTFILE]
[--sport-packets=OUTPUTFILE] [--dport-packets=OUTPUTFILE]
[--proto-packets=OUTPUTFILE] [--sensor-packets=OUTPUTFILE]
[--input-packets=OUTPUTFILE] [--output-packets=OUTPUTFILE]
[--nhip-packets=OUTPUTFILE]
[--sip-bytes=OUTPUTFILE] [--dip-bytes=OUTPUTFILE]
[--sport-bytes=OUTPUTFILE] [--dport-bytes=OUTPUTFILE]
[--proto-bytes=OUTPUTFILE] [--sensor-bytes=OUTPUTFILE]
[--input-bytes=OUTPUTFILE] [--output-bytes=OUTPUTFILE]
[--nhip-bytes=OUTPUTFILE]
[--note-add=TEXT] [--note-file-add=FILE]
[--compression-method=COMP_METHOD]
[--print-filenames] [--copy-input=PATH]
[--site-config-file=FILENAME]
[INPUTFILE[ INPUTFILE...]]
rwbag --help
rwbag --legacy-help
rwbag --version
rwbag reads SiLK Flow records and builds a Bag. Source IP address,
destination IP address, next hop IP address, source port, destination
port, protocol, input interface index, output interface index, or
sensor ID may be used as the unique key by which to count volumes.
Flows, packets, or bytes may be used as the counter. rwbag
attempts to read raw flow records from the standard input or from any
INPUTFILE arguments. INPUTFILE may also explicitly be the
keyword stdin. If the raw flow records do not contain the proper
key and counter fields, rwbag prints an error to stderr and exits
abnormally.
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
At least one of the following output flags must be defined. For each,
OUTPUTFILE is the name of a non-existent file, a named pipe, or the
keyword stdout to write the binary Bag to the standard output.
Only one switch may use the standard output as its output stream.
- --sip-flows=OUTPUTFILE
-
Count number of flows by unique source IP.
- --sip-packets=OUTPUTFILE
-
Count number of packets by unique source IP.
- --sip-bytes=OUTPUTFILE
-
Count number of bytes by unique source IP.
- --dip-flows=OUTPUTFILE
-
Count number of flows by unique destination IP.
- --dip-packets=OUTPUTFILE
-
Count number of packets by unique destination IP.
- --dip-bytes=OUTPUTFILE
-
Count number of bytes by unique destination IP.
- --sport-flows=OUTPUTFILE
-
Count number of flows by unique source port.
- --sport-packets=OUTPUTFILE
-
Count number of packets by unique source port.
- --sport-bytes=OUTPUTFILE
-
Count number of bytes by unique source port.
- --dport-flows=OUTPUTFILE
-
Count number of flows by unique destination port.
- --dport-packets=OUTPUTFILE
-
Count number of packets by unique destination port.
- --dport-bytes=OUTPUTFILE
-
Count number of bytes by unique destination port.
- --proto-flows=OUTPUTFILE
-
Count number of flows by unique protocol.
- --proto-packets=OUTPUTFILE
-
Count number of packets by unique protocol.
- --proto-bytes=OUTPUTFILE
-
Count number of bytes by unique protocol.
- --sensor-flows=OUTPUTFILE
-
Count number of flows by unique sensor ID.
- --sensor-packets=OUTPUTFILE
-
Count number of packets by unique sensor ID.
- --sensor-bytes=OUTPUTFILE
-
Count number of bytes by unique sensor ID.
- --input-flows=OUTPUTFILE
-
Count number of flows by unique input interface index.
- --input-packets=OUTPUTFILE
-
Count number of packets by unique input interface index.
- --input-bytes=OUTPUTFILE
-
Count number of bytes by unique input interface index.
- --output-flows=OUTPUTFILE
-
Count number of flows by unique output interface index.
- --output-packets=OUTPUTFILE
-
Count number of packets by unique output interface index.
- --output-bytes=OUTPUTFILE
-
Count number of bytes by unique output interface index.
- --nhip-flows=OUTPUTFILE
-
Count number of flows by unique next hop IP.
- --nhip-packets=OUTPUTFILE
-
Count number of packets by unique next hop IP.
- --nhip-bytes=OUTPUTFILE
-
Count number of bytes by unique next hop IP.
- --note-add=TEXT
-
Add the specified TEXT to the header of every output file as an annotation. This switch may be repeated to add multiple annotations to a file. To view the annotations, use the rwfileinfo(1) tool.
- --note-file-add=FILENAME
-
Open FILENAME and add the contents of that file to the header of every output file as an annotation. This switch may be repeated to add multiple annotations. Currently the application makes no effort to ensure that FILENAME contains text; be careful that you do not attempt to add a SiLK data file as an annotation.
- --compression-method=COMP_METHOD
-
Set the compression method of the output to COMP_METHOD. Some SiLK tools can use an external library to compress their binary output. The list of available compression methods and the default method are set when SiLK is compiled (the --help and --version switches print the available and default compression methods) and depend on which supported libraries are found. SiLK can support:
- none
-
Do not compress the output using an external library
- zlib
-
Use the zlib(3) library for compressing the output
- lzo1x
-
Use the lzo1x algorithm from the LZO real time compression library for compression
- best
-
Use whichever available method gives the
bestcompression in general, though not necessarily thebestfor this particular output.
- --print-filenames
-
Prints to the standard error the names of input files as they are opened.
- --copy-input=PATH
-
Copy all binary input to the specified file or named pipe. PATH can be
stdoutto print flows to the standard output as long as the --output-path switch has been used to redirect rwbag's ASCII output. - --site-config-file=FILENAME
-
Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.
- --help
-
Print the available options and exit.
- --legacy-help
-
Print the usage information for rwbag and include the names of the deprecated options in the output, then exit.
- --version
-
Print the version number and information about how SiLK was configured, then exit the application.
The following options are deprecated.
- --sf-file=OUTPUTFILE
-
Deprecated alias for --sip-flows.
- --sp-file=OUTPUTFILE
-
Deprecated alias for --sip-packets.
- --sb-file=OUTPUTFILE
-
Deprecated alias for --sip-bytes.
- --df-file=OUTPUTFILE
-
Deprecated alias for --dip-flows.
- --dp-file=OUTPUTFILE
-
Deprecated alias for --dip-packets.
- --db-file=OUTPUTFILE
-
Deprecated alias for --dip-bytes.
- --port-sf-file=OUTPUTFILE
-
Deprecated alias for --sport-flows.
- --port-sp-file=OUTPUTFILE
-
Deprecated alias for --sport-packets.
- --port-sb-file=OUTPUTFILE
-
Deprecated alias for --sport-bytes.
- --port-df-file=OUTPUTFILE
-
Deprecated alias for --dport-flows.
- --port-dp-file=OUTPUTFILE
-
Deprecated alias for --dport-packets.
- --port-db-file=OUTPUTFILE
-
Deprecated alias for --dport-bytes.
- --proto-f-file=OUTPUTFILE
-
Deprecated alias for --proto-flows.
- --proto-p-file=OUTPUTFILE
-
Deprecated alias for --proto-packets.
- --proto-b-file=OUTPUTFILE
-
Deprecated alias for --proto-bytes.
To build both source IP and destination IP Bags of flows:
rwfilter... | rwbag --sip-flow=sf.bag --dip-flow=df.bag
- SILK_CONFIG_FILE
-
This environment variable is used as the value for the --site-config-file when that switch is not provided.
- SILK_DATA_ROOTDIR
-
When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwbag looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.
- SILK_PATH
-
This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwbag checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.
rwbagbuild(1), rwbagcat(1), rwbagtool(1), rwfileinfo(1), rwfilter(1)
Currently there is no support for Bag files keyed by an IPv6 address.
When used in an IPv6 environment, rwbag will process every record when creating Bags that are not keyed by the IP address. For Bags keyed by the IP address, rwbag will attempt to convert any IPv6 addresses to IPv4. Records that can be converted will be processed, all other records will be silently ignored for the IP-keyed Bags, but will be used for any non-IP-keyed Bags.