SiLK

NAME

rwp2yaf2silk - Convert PCAP data to SiLK Flow Records with YAF

SYNOPSIS

  rwp2yaf2silk --in=INPUT_SPEC --out=FILE [--dry-run]
      [--yaf-program=YAF] [--yaf-args='ARG1 ARG2']
      [--rwipfix2silk-program=RWIPFIX2SILK]
      [--rwipfix2silk-args='ARG1 ARG2']

  rwp2yaf2silk --help

  rwp2yaf2silk --man

  rwp2yaf2silk --version

DESCRIPTION

rwp2yaf2silk is a script to convert a pcap(3) file, such as that produced by tcpdump(1), to a single file of SiLK Flow records. The script assumes that the yaf(1) and rwipfix2silk(1) commands are available on your system.

The --in and --out switches are required. Note that the --in switch is processed by yaf, and the --out switch is processed by rwipfix2silk.

For information on reading live pcap data and using rwflowpack(8) to store that data in hourly files, see the SiLK Installation Handbook.

Normally yaf groups multiple packets into flow records. You can almost force yaf to create a flow record for every packet so that its output is similar to that of rwptoflow(1): When you give yaf the --idle-timeout=0 switch, yaf creates a flow record for every complete packet and for each packet that it is able to completely reassemble from packet fragments. Any fragmented packets that yaf cannot reassemble are dropped.

OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--in=INPUT_SPEC

Read the pcap records from INPUT_SPEC. Often INPUT_SPEC is the name of the pcap file to read or the string string - or stdin to read from standard input. To process multiple pcap files, create a text file that lists the names of the pcap files. Specify the text file as INPUT_SPEC and use --yaf-args=--caplist to tell yaf the INPUT_SPEC contains the names of pcap files.

--out=FILE

Write the SiLK Flow records to FILE. The string stdout or - may be used for the standard output, as long as it is not connected to a terminal.

--dry-run

Do not invoke any commands, just print the commands that would be invoked.

--yaf-program=YAF

Use YAF as the location of the yaf program. When not specified, rwp2yaf2silk assumes there is a program yaf on your $PATH.

--yaf-args=ARGS

Pass the additional ARGS to the yaf program.

--rwipfix2silk-program=RWIPFIX2SILK

Use RWIPFIX2SILK as the location of the rwipfix2silk program. When not specified, rwp2yaf2silk assumes there is a program rwipfix2silk on your $PATH.

--rwipfix2silk-args=ARGS

Pass the additional ARGS to the rwipfix2silk program.

--help

Display a brief usage message and exit.

--man

Display full documentation for rwp2yaf2silk and exit.

--version

Print the version number and exit the application.

SEE ALSO

yaf(1), rwipfix2silk(1), rwflowpack(8), rwptoflow(1), silk(7), tcpdump(1), pcap(3), SiLK Installation Handbook