CERT NetSA Security Suite 
Open Source Tools for Network Monitoring 


NAME

rwnetmask - Zero out lower bits of IP addresses in SiLK Flow records


SYNOPSIS

  rwnetmask [--sip-prefix-length=N] [--dip-prefix-length=N]
        [--nhip-prefix-length=N] [--output-path=PATH]
        [FILES]


DESCRIPTION

rwnetmask reads SiLK Flow records from files named on the command line or from the standard input, masks off the least significant bits of the specified IP address(es), and writes the modified SiLK Flow records to the specified output path or to the standard output. Modifying the IP addresses allows one to group IPs into arbitrary CIDR blocks.


OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--sip-prefix-length=N
High bits of the source address to keep. The default is to not mask off any bits (i.e., N=32).

--dip-prefix-length=N
High bits of the destination address to keep. The default is to not mask off any bits (i.e., N=32).

--nhip-prefix-length=N
High bits of the next-hop address to keep. The default is to not mask off any bits (i.e., N=32).

--output-path=PATH
Location to write the output. When not specified, output will be written to the standard output.

--source-prefix-length=N
Deprecated alias for --sip-prefix-length.

--destination-prefix-length=N
Deprecated alias for --dip-prefix-length.

--next-hop-prefix-length=N
Deprecated alias for --nhip-prefix-length.


EXAMPLES

To summarize the TCP traffic from your network to each /24 on the Internet, use:

  rwfilter --type=out,outweb --proto=6 --pass=stdout |
      rwnetmask --dip 24 |
      rwaddrcount --use-dest --sort --print-rec
  IP Address| Bytes|Packets|Records|         Start Time|...
  10.10.35.0|  2345|     52|      6|01/15/2003 19:30:31|
   10.23.3.0|   118|      2|      1|01/16/2003 19:38:40|
   10.23.4.0| 20858|    263|     16|01/16/2003 16:54:25|
  10.31.49.0|266920|   3885|   1092|01/11/2003 02:04:11|
  10.126.7.0| 36912|    260|      9|01/16/2003 17:03:28|
  ....
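
The masking and per-block summary that the pipeline above performs can be reproduced on plain data to see exactly which bits survive. This is an added sketch, not SiLK code: the record dictionaries, function names, the sample flows and the accepted range 0-32 are assumptions made for illustration, and it handles IPv4 only.

```python
import ipaddress
from collections import defaultdict

def mask_ip(addr: str, prefix_len: int) -> str:
    """Keep the high prefix_len bits of an IPv4 address and zero the rest."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    keep = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & keep))

def netmask_records(records, sip=32, dip=32, nhip=32):
    """Return masked copies of the records; 32 leaves a field unchanged."""
    lengths = {"sip": sip, "dip": dip, "nhip": nhip}
    return [
        {**rec, **{field: mask_ip(rec[field], n) for field, n in lengths.items()}}
        for rec in records
    ]

def count_by_dest(records):
    """Sum bytes, packets and record counts per destination address."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "records": 0})
    for rec in records:
        entry = totals[rec["dip"]]
        entry["bytes"] += rec["bytes"]
        entry["packets"] += rec["packets"]
        entry["records"] += 1
    return dict(totals)

# Constructed sample flows (hypothetical values, not real traffic).
SAMPLE_FLOWS = [
    {"sip": "192.168.1.10", "dip": "10.23.3.7", "nhip": "192.168.1.1",
     "bytes": 60, "packets": 1},
    {"sip": "192.168.1.11", "dip": "10.23.3.200", "nhip": "192.168.1.1",
     "bytes": 58, "packets": 1},
    {"sip": "192.168.1.10", "dip": "10.23.4.15", "nhip": "192.168.1.1",
     "bytes": 1500, "packets": 3},
]

if __name__ == "__main__":
    # Equivalent in spirit to: rwnetmask --dip-prefix-length=24 | rwaddrcount --use-dest
    masked = netmask_records(SAMPLE_FLOWS, dip=24)
    for ip, t in sorted(count_by_dest(masked).items()):
        print(f"{ip:>15}|{t['bytes']:>7}|{t['packets']:>7}|{t['records']:>7}|")
```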


SEE ALSO

rwfilter(1)