NAME
rwnetmask - Zero out lower bits of IP addresses in SiLK Flow records
SYNOPSIS
rwnetmask [--4sip-prefix-length=N] [--6sip-prefix-length=N]
[--4dip-prefix-length=N] [--6dip-prefix-length=N]
[--4nhip-prefix-length=N] [--6nhip-prefix-length=N]
[--sip-prefix-length=N] [--dip-prefix-length=N]
[--nhip-prefix-length=N] [--output-path=PATH]
[--print-filenames] [--ipv6-policy=POLICY]
[--note-add=TEXT] [--note-file-add=FILE]
[--compression-method=COMP_METHOD]
[--site-config-file=FILENAME] [FILES]
rwnetmask --help
rwnetmask --version
DESCRIPTION
rwnetmask reads SiLK Flow records from file(s) named on the command
line, sets the prefix of the source IP, destination IP, and/or next
hop IP to the specified value(s) by masking the least significant bits
of the address(es), and writes the modified SiLK Flow records to the
specified output path. Modifying the IP addresses allows one to group
IPs into arbitrary CIDR blocks. Multiple prefix-lengths may be
specified; at least one must be specified.
When SiLK is compiled with IPv6 support, a separate mask can be specified for IPv4 and IPv6 addresses. Records are processed using the IP-version in which they are read. The --ipv6-policy switch can be used to force the records into a particular IP-version or to ignore records of a particular IP-version.
When no file names are specified on the command line, rwnetmask
attempts to read flow records from the standard input. To read the
standard input in addition to files, specify - or stdin on the
command line. When no output path is specified and the standard
output is not connected to a terminal, rwnetmask writes the records
to the standard output.
OPTIONS
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
One of these switches must be provided:
- --4sip-prefix-length=N
- --sip-prefix-length=N
-
For IPv4 addresses, specify the number of most significant bits of the source address to keep. The default is to not mask off any bits (i.e., N=32).
- --4dip-prefix-length=N
- --dip-prefix-length=N
-
For IPv4 addresses, specify the number of most significant bits of the destination address to keep. The default is to not mask off any bits (i.e., N=32).
- --4nhip-prefix-length=N
- --nhip-prefix-length=N
-
For IPv4 addresses, specify the number of most significant bits of the next-hop address to keep. The default is to not mask off any bits (i.e., N=32).
- --6sip-prefix-length=N
-
For IPv6 addresses, specify the number of most significant bits of the source address to keep. The default is to not mask off any bits (i.e., N=128).
- --6dip-prefix-length=N
-
For IPv6 addresses, specify the number of most significant bits of the destination address to keep. The default is to not mask off any bits (i.e., N=128).
- --6nhip-prefix-length=N
-
For IPv6 addresses, specify the number of most significant bits of the next-hop address to keep. The default is to not mask off any bits (i.e., N=128).
These switches are optional:
- --output-path=PATH
-
Write the output to the named PATH. PATH may be a file, named pipe, or the symbols stdout or - to write to the standard output. When not specified, output will be written to the standard output. rwnetmask will exit with an error if the output path is the standard output and the standard output is connected to a terminal.
- --print-filenames
-
Print to the standard error the names of the input files as the files are opened.
- --ipv6-policy=POLICY
-
Determine how IPv4 and IPv6 flows are handled when SiLK has been compiled with IPv6 support. When the switch is not provided, the SILK_IPV6_POLICY environment variable is checked for a policy. If it is also unset or contains an invalid policy, the POLICY is mix. When SiLK has not been compiled with IPv6 support, IPv6 flows are always ignored, regardless of the value passed to this switch or in the SILK_IPV6_POLICY variable. The supported values for POLICY are:
- ignore
-
Completely ignore IPv6 flows in the input. Only IPv4 flows will be processed.
- asv4
-
Convert IPv6 addresses in the input to IPv4 if possible, otherwise ignore the IPv6 flows.
- mix
-
Process the input as a mixture of IPv4 and IPv6 flows.
- force
-
Force IPv4 flows to be converted to IPv6.
- only
-
Only process flows that were marked as IPv6 and completely ignore IPv4 flows in the input.
- --note-add=TEXT
-
Add the specified TEXT to the header of the output file as an annotation. This switch may be repeated to add multiple annotations to a file. To view the annotations, use the rwfileinfo(1) tool.
- --note-file-add=FILENAME
-
Open FILENAME and add the contents of that file to the header of the output file as an annotation. This switch may be repeated to add multiple annotations. Currently the application makes no effort to ensure that FILENAME contains text; be careful that you do not attempt to add a SiLK data file as an annotation.
- --compression-method=COMP_METHOD
-
Set the compression method of the output to COMP_METHOD. Some SiLK tools can use an external library to compress their binary output. The list of available compression methods and the default method are set when SiLK is compiled (the --help and --version switches print the available and default compression methods) and depend on which supported libraries are found. SiLK can support:
- none
-
Do not compress the output using an external library
- zlib
-
Use the zlib(3) library for compressing the output
- lzo1x
-
Use the lzo1x algorithm from the LZO real time compression library for compression
- best
-
Use whichever available method gives the best compression in general, though not necessarily the best for this particular output.
- --site-config-file=FILENAME
-
Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.
- --help
-
Print the available options and exit.
- --version
-
Print the version number and information about how SiLK was configured, then exit the application.
EXAMPLES
To summarize the TCP traffic from your network to each /24 on the Internet, use:
    rwfilter --type=out,outweb --proto=6 --pass=stdout | \
        rwnetmask --dip-prefix-length=24 | \
        rwaddrcount --use-dest --sort --print-rec

    IP Address| Bytes|Packets|Records|         Start Time|...
    10.10.35.0|  2345|     52|      6|01/15/2003 19:30:31|
     10.23.3.0|   118|      2|      1|01/16/2003 19:38:40|
     10.23.4.0| 20858|    263|     16|01/16/2003 16:54:25|
    10.31.49.0|266920|   3885|   1092|01/11/2003 02:04:11|
    10.126.7.0| 36912|    260|      9|01/16/2003 17:03:28|
    ....
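The Python below is an added example, not part of the SiLK documentation or SiLK code. It models the prefix masking and the --ipv6-policy handling described above on constructed (destination IP, bytes) pairs. Two assumptions are made: asv4 and force convert through the IPv4-mapped range ::ffff:0:0/96, and a converted record is masked with the prefix length of its new IP version.

```python
import ipaddress
from collections import Counter

def apply_policy(addr, policy="mix"):
    """Model of --ipv6-policy: return the address in the IP version the
    policy selects, or None when the flow is ignored."""
    ip = ipaddress.ip_address(addr)
    if policy == "mix":
        return ip
    if policy == "ignore":
        return ip if ip.version == 4 else None
    if policy == "only":
        return ip if ip.version == 6 else None
    if policy == "asv4":
        # Assumption: "if possible" means the address is IPv4-mapped.
        return ip if ip.version == 4 else ip.ipv4_mapped
    if policy == "force":
        # Assumption: IPv4 becomes the IPv4-mapped address ::ffff:a.b.c.d.
        return ip if ip.version == 6 else ipaddress.IPv6Address(f"::ffff:{ip}")
    raise ValueError(f"unknown policy: {policy}")

def netmask(ip, v4_len=32, v6_len=128):
    """Keep the v4_len / v6_len most significant bits and zero the rest."""
    keep = v4_len if ip.version == 4 else v6_len
    mask = ((1 << keep) - 1) << (ip.max_prefixlen - keep)
    return type(ip)(int(ip) & mask)

def bytes_per_block(flows, policy="mix", v4_len=32, v6_len=128):
    """Sum bytes per masked destination block, keyed by address object."""
    totals = Counter()
    for dip, nbytes in flows:
        ip = apply_policy(dip, policy)
        if ip is not None:
            totals[netmask(ip, v4_len, v6_len)] += nbytes
    return dict(totals)

# Constructed sample flows: (destination IP, bytes)
FLOWS = [
    ("10.23.3.17", 100), ("10.23.3.200", 18), ("10.23.4.9", 500),
    ("2001:db8:1:2::5", 40), ("2001:db8:1:2:ffff::9", 60),
    ("::ffff:10.23.4.77", 7),
]

if __name__ == "__main__":
    for policy, v6_len in (("mix", 64), ("asv4", 64), ("force", 120)):
        print(policy, bytes_per_block(FLOWS, policy, v4_len=24, v6_len=v6_len))
```

In this model, an IPv4 /24 under force corresponds to an IPv6 prefix length of 120, and under mix an IPv4-mapped address masked to /64 collapses to ::, so IPv4 and IPv6 prefix lengths need to be chosen with the policy in mind.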
ENVIRONMENT
- SILK_CONFIG_FILE
-
This environment variable is used as the value for the --site-config-file when that switch is not provided.
- SILK_DATA_ROOTDIR
-
When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwnetmask looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.
- SILK_PATH
-
This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwnetmask checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.


