CERT NetSA Security Suite 
Open Source Tools for Network Monitoring 


NAME

rwfglob - Print file names that the fglob options will access


SYNOPSIS

  rwfglob [--start-date=YYYY/MM/DD[:HH] [--end-date=YYYY/MM/DD[:HH]]]
        [--class=CLASS] [--type={all | TYPE[,TYPE ...]}]
        [--sensors=n1[,n2 ...]]
        [--data-rootdir=PATH] [--site-config-file=FILENAME]
        [--print-missing-files] [--no-file-names] [--no-summary]


DESCRIPTION

rwfglob accepts the normal File Selection options of rwfilter(1) and prints, to the standard output, the names of the files that will be accessed. After the file names, it prints a summary giving the number of files and the number of those files that are on tape. (The on-tape number is determined by counting how many files have 0 blocks allocated to them.)


OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--start-date=YYYY/MM/DD[:HH]
--end-date=YYYY/MM/DD[:HH]
The date predicates indicate the time at which to start and end the search; these predicates are expressed in YYYY/MM/DD:HH format. In all cases, write values less than 10 with a leading zero, so 09 for 9, 08 for 8, and so on.

For example, 2003/01/18:00 represents the first hour of January 18th, 2003, while 2002/10/01:22 corresponds to 22:00 GMT on October 1st, 2002.

When the hour of the start-date is given and end-date is not specified, files for that single hour are processed.

When the hour of the start-date is not given, the hour of the end-date is ignored, and files for all dates between midnight on start-date and 23:59 on end-date are processed.

When start-date is not given, rwfglob prints all files for the current day.

--class=CLASS
CLASS is used to select groups of data. Currently only a single class may be selected. If the --class option is not given, a class is selected by default. Use the --help option to see the list of available classes and the default class.

--type={all | TYPE[,TYPE ...]}
The --type predicate narrows the selection by the TYPE of traffic, using the scheme for your deployment. TYPEs typically refer to the direction of the flow; TYPEs depend on the class and on the site where SiLK is installed. The switch takes a comma-separated list of types or the keyword all, which specifies all types for the specified class. If the --type switch is not given, a list of default types is used. Use the --help option to get the list of available types for each class.

--sensors=n1[,n2 ...]
This option selects data files from specific sensors. Its argument is a comma-separated list of sensor names and/or sensor IDs (integers) that will depend on your installation. If not given, the default is all sensors.

--data-rootdir=PATH
This option causes rwfglob to use PATH as the root of the data store directory. PATH overrides the location given in the SILK_DATA_ROOTDIR environment variable, which in turn overrides the location that was compiled into rwfglob. The default data store directory is available via the --version option.

--site-config-file=FILENAME
Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the root of the data directory (see --data-rootdir); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.

--print-missing-files
This option prints, to the standard error, the names of files that fglob expected to find but did not. This list can be misleading, so use it judiciously.

--no-file-names
This option instructs rwfglob not to print the names of the files that it successfully finds. By default, rwfglob prints the names of the files it finds and a summary line showing the number of files it found.

--no-summary
This option instructs rwfglob not to print the summary line (that is, the line that shows the number of files found). By default, rwfglob prints the names of the files it finds and a summary line showing the number of files it found.


EXAMPLES

Looking at a day on a single sensor:

  $ rwfglob --start=2003/10/11 --sensor=2
  /data/in/2003/10/11/in-GAMMA_20031011.23
  /data/in/2003/10/11/in-GAMMA_20031011.22
  /data/in/2003/10/11/in-GAMMA_20031011.21
  /data/in/2003/10/11/in-GAMMA_20031011.20
  /data/in/2003/10/11/in-GAMMA_20031011.19
  /data/in/2003/10/11/in-GAMMA_20031011.18
  /data/in/2003/10/11/in-GAMMA_20031011.17
  /data/in/2003/10/11/in-GAMMA_20031011.16
  /data/in/2003/10/11/in-GAMMA_20031011.15
  /data/in/2003/10/11/in-GAMMA_20031011.14
  /data/in/2003/10/11/in-GAMMA_20031011.13
  /data/in/2003/10/11/in-GAMMA_20031011.12
  /data/in/2003/10/11/in-GAMMA_20031011.11
  /data/in/2003/10/11/in-GAMMA_20031011.10
  /data/in/2003/10/11/in-GAMMA_20031011.09
  /data/in/2003/10/11/in-GAMMA_20031011.08
  /data/in/2003/10/11/in-GAMMA_20031011.07
  /data/in/2003/10/11/in-GAMMA_20031011.06
  /data/in/2003/10/11/in-GAMMA_20031011.05
  /data/in/2003/10/11/in-GAMMA_20031011.04
  /data/in/2003/10/11/in-GAMMA_20031011.03
  /data/in/2003/10/11/in-GAMMA_20031011.02
  /data/in/2003/10/11/in-GAMMA_20031011.01
  /data/in/2003/10/11/in-GAMMA_20031011.00
  globbed 24 files; 0 on tape

If you only want the summary, pipe the result into tail(1):

  $ rwfglob --start-date=2003/10/11 --sensor=2 | tail -1
  globbed 24 files; 0 on tape
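
The following is an added example, not part of the SiLK documentation: a POSIX shell helper that reads rwfglob output in the format shown above and reports which hours of a day have no file, plus the file and on-tape counts from the summary line, so that gaps in the flow data are visible before a query result is trusted. It assumes file names end in .HH as in the listing above; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: check hourly coverage in rwfglob output (one day, one sensor).
# Assumption: each file name ends in ".HH", as in the EXAMPLES listing.
# Function names are hypothetical; they are not SiLK commands.

# Print, space-separated, the hours 00-23 for which no file name is on stdin.
missing_hours() {
    awk '
        $1 == "globbed" { next }              # skip the summary line
        NF {
            n = split($NF, part, ".")         # hour is the last dot-suffix
            if (part[n] ~ /^[0-9][0-9]$/) seen[part[n]] = 1
        }
        END {
            out = ""
            for (h = 0; h < 24; h++) {
                hh = sprintf("%02d", h)
                if (!(hh in seen)) out = out (out == "" ? "" : " ") hh
            }
            print out
        }'
}

# Print "FILES ON_TAPE" taken from the line "globbed N files; M on tape".
glob_summary() {
    awk '$1 == "globbed" && $3 == "files;" { print $2, $4 }'
}

# Constructed sample output: only hours 00, 01 and 03 are present.
SAMPLE='  /data/in/2003/10/11/in-GAMMA_20031011.03
  /data/in/2003/10/11/in-GAMMA_20031011.01
  /data/in/2003/10/11/in-GAMMA_20031011.00
  globbed 3 files; 1 on tape'

printf '%s\n' "$SAMPLE" | missing_hours
printf '%s\n' "$SAMPLE" | glob_summary

# With a real data store, feed rwfglob directly, for example:
#   rwfglob --start-date=2003/10/11 --sensors=2 | missing_hours
```

An empty line from missing_hours means all 24 hourly files were found for that day.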


ENVIRONMENT

SILK_CONFIG_FILE
This environment variable is used as the value for the --site-config-file switch when that switch is not provided.

SILK_DATA_ROOTDIR
When set, overrides the compiled-in value for the location of the directory tree containing the files of SiLK Flow records collected and stored by the packing system (rwflowpack(8)). In addition, when the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwfglob looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.

SILK_PATH
This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwfglob checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.


SEE ALSO

rwfilter(1), tail(1)


BUGS

The --print-missing-files option needs to be smarter about what files are really missing.

The block size check is of unknown portability across different tape-farm systems.