NAME
rwguess - Determine which SNMP interfaces are active
SYNOPSIS
rwguess [{ --top=NUM | --print-all }] PDU_FILE [PDU_FILE...]
rwguess --help
rwguess --version
DESCRIPTION
rwguess reads NetFlow v5 PDUs from file(s) specified on the command
line. The files are expected to be in the form created by NetFlow
Collector: Each file's size must be an integer multiple of 1464, where
each 1464 byte chunk contains a 24 byte NetFlow v5 header and space
for thirty 48 byte NetFlow records. The number of valid records per
chunk is specified in the PDU header.
rwguess counts the number of flow records that are seen on each input and output SNMP interface. Once all input has been processed, rwguess sorts the SNMP interfaces by the number of records each interface saw, and prints the two sorted lists, one for the input interfaces and one for the output interfaces. By default, only the top-10 interfaces are printed; the number of rows printed may be changed with the --top switch.
When the --print-all switch is specified, the results are printed in SNMP interface order, with one column for the input record count and another for the output record count, and one row for each interface that saw traffic.
OPTIONS
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
- --top=NUM
-
Print the top NUM interfaces for each of input and output. If not specified, the default is to print the top 10 interfaces.
- --print-all
-
Print all SNMP interfaces that saw records, sorted by the SNMP interface number. This switch disables top-N printing.
- --help
-
Print the available options and exit.
- --version
-
Print the version number and information about how SiLK was configured, then exit the application.