CERT NetSA Security Suite 
Open Source Tools for Network Monitoring 
SiLK 2.1.0 | YAF 1.0.0.2 | IPA 0.4.0 | fixbuf 0.8.0 | Portal 0.9.0 | RAVE 1.9.16 | iSiLK 0.1.6
SiLK - Documentation - rwipfix2silk


NAME

rwipfix2silk - Convert IPFIX records to SiLK Flow records


SYNOPSIS

  rwipfix2silk [--silk-output=FILE] [--print-statistics]
        [--interface-values={snmp | vlan}]
        [--note-add=TEXT] [--note-file-add=FILE]
        [--compression-method=COMP_METHOD] [IPFIX_FILES...]
  rwipfix2silk --help
  rwipfix2silk --version


DESCRIPTION

rwipfix2silk reads IPFIX (Internet Protocol Flow Information eXport) records from the input files specified on the command line or from the standard input when no files are specified, converts the records to the SiLK Flow format, and writes the SiLK records to the path specified by --silk-output or to the standard output when stdout is not the terminal and --silk-output is not provided.

When stdin or - is provided as an input file name, rwipfix2silk will read records from the standard input.


OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--silk-output=FILE

Write the SiLK records to FILE, which must not exist. If the switch is not provided or if FILE has the value stdout or -, the SiLK flows are written to the standard output.

--print-statistics

Print, to the standard error, the number of records that were written to the SiLK output file, and the number of forward and reverse records that were seen.

--interface-values={snmp | vlan}

Specify which IPFIX fields should be stored in the input and output fields of the generated SiLK Flow records. If this switch is not specified, the default is snmp. The choices are:

snmp

Store the indexes of the network interface cards where the flows entered and left the router. That is, store the ingressInterface in input and the egressInterface in output.

vlan

Store the VLAN identifiers for the source and destination networks. That is, store vlanId in input and postVlanId in output. If only one VLAN ID is available, input is set to that value and output is set to 0.

--note-add=TEXT

Add the specified TEXT to the header of the output file as an annotation. This switch may be repeated to add multiple annotations to a file. To view the annotations, use the rwfileinfo(1) tool.

--note-file-add=FILENAME

Open FILENAME and add the contents of that file to the header of the output file as an annotation. This switch may be repeated to add multiple annotations. Currently the application makes no effort to ensure that FILENAME contains text; be careful that you do not attempt to add a SiLK data file as an annotation.

--compression-method=COMP_METHOD

Set the compression method of the output to COMP_METHOD. Some SiLK tools can use an external library to compress their binary output. The list of available compression methods and the default method are set when SiLK is compiled (the --help and --version switches print the available and default compression methods) and depend on which supported libraries are found. SiLK can support:

none

Do not compress the output using an external library.

zlib

Use the zlib(3) library for compressing the output.

lzo1x

Use the lzo1x algorithm from the LZO real-time compression library for compression.

best

Use whichever available method gives the best compression in general, though not necessarily the best for this particular output.

--help

Print the available options and exit.

--version

Print the version number and information about how SiLK was configured, then exit the application.


EXAMPLES

To convert a packet capture (pcap(3)) file, packets.dat, such as that produced by tcpdump(1), to the SiLK format, you could use the yaf tool (see http://tools.netsa.cert.org/yaf/):

  yaf --silk --in packets.dat --out - \
      | rwipfix2silk --silk-output=silk.dat

To convert the SiLK file silk.dat back into IPFIX format, use rwsilk2ipfix(1), which reads SiLK files and writes its IPFIX output to the file named by --ipfix-output:

  rwsilk2ipfix --ipfix-output=ipfix.dat silk.dat

To have yaf decode VLAN identifiers for 802.1Q packets and to have rwipfix2silk store the VLAN IDs in the input and output fields of the SiLK Flow records, use:

  yaf --mac --silk --in packets.dat --out - \
      | rwipfix2silk --silk-output=silk.dat --interface-values=vlan
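The --note-file-add description above notes that rwipfix2silk does not check that the annotation file is text. The following wrapper, an added example that is not part of the SiLK distribution, rejects binary annotation files (such as a SiLK data file, whose header contains NUL bytes) before building the argument list for the yaf pipeline shown above; the file names and the convert_pcap driver are placeholders, and annotation file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not SiLK's own code): vet files before passing them to
# rwipfix2silk --note-file-add, which performs no text check itself.

# is_text_file FILE: succeeds (returns 0) when FILE contains only printable
# ASCII, tab, newline and carriage return; fails otherwise. A SiLK data file
# has a binary header with NUL bytes, so it is rejected. LC_ALL=C makes tr
# operate on raw bytes rather than multibyte characters.
is_text_file() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(LC_ALL=C tr -d '\011\012\015\040-\176' < "$f" | wc -c)" -eq 0 ]
}

# build_args OUTFILE [NOTEFILE...]: prints one rwipfix2silk argument per
# line: --silk-output for OUTFILE, then --note-file-add for every note file
# that passes is_text_file. Files that fail are reported on stderr and skipped.
build_args() {
    out=$1
    shift
    printf -- '--silk-output=%s\n' "$out"
    for note in "$@"; do
        if is_text_file "$note"; then
            printf -- '--note-file-add=%s\n' "$note"
        else
            printf 'skipping %s: not a text file\n' "$note" >&2
        fi
    done
}

# convert_pcap PCAP OUTFILE [NOTEFILE...]: hypothetical driver that runs the
# yaf | rwipfix2silk pipeline from the examples with the vetted annotations.
# Word splitting of $(build_args ...) assumes file names without whitespace.
convert_pcap() {
    pcap=$1
    out=$2
    shift 2
    # shellcheck disable=SC2046
    yaf --silk --in "$pcap" --out - \
        | rwipfix2silk --print-statistics $(build_args "$out" "$@")
}
```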


SEE ALSO

rwsilk2ipfix(1), rwfileinfo(1), yaf(1)