NAME
rwpackchecker - Find unusual patterns that may indicate a corrupt file
SYNOPSIS
rwpackchecker [--value=TEST=VALUE] [--allowable-count=TEST=ALLOWED]
[--print-all] {[--xargs] | [FILE [FILE...]]}
DESCRIPTION
rwpackchecker reads SiLK Flow records from the specified input
files or from the standard input when no files are specified and looks
for unusual patterns that may indicate that the file has been
corrupted.
OPTIONS
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
- --value=TEST=VALUE
- Set the value of TEST to the specified VALUE; separate the test name from the value by =. The available TESTs are given below; the test name can be shortened to the shortest unique prefix. The form of VALUE depends on the type of TEST:
  - If TEST expects a minimum or maximum, VALUE should be a number.
  - If TEST expects a list of IPs, VALUE should be the name of a file containing an IPset (see rwsetbuild(1)).
  - If TEST expects a list of numbers (for example, ports or protocols), VALUE should contain a comma-separated list of integers and integer ranges, where a range is two integers separated by a hyphen (-).
  Repeat this switch for each value that you wish to set.
- --allowable-count=TEST=ALLOWED
- Allow the named TEST to be violated ALLOWED times before treating it as unusual. ALLOWED is an integer value. Separate the test name from the allowed count by =. Repeat this switch for each allowable count you wish to set.
- --print-all
- Print the result of all tests for all input files. Normally only tests that are deemed unusual are printed.
- --xargs
- Causes rwpackchecker to read file names from the standard input; the input should have one file name per line. rwpackchecker will open each file in turn and read records from it, as if the files had been listed on the command line.
The following tests are always run:
- min-bpp-ratio=NUMBER
- Byte-per-packet ratio is less than NUMBER. Default value: 1. Allowed count: 0.
- max-bpp-ratio=NUMBER
- Byte-per-packet ratio is greater than NUMBER. Default value: 16384. Allowed count: 0.
- min-bps-ratio=NUMBER
- Byte-per-second ratio is less than NUMBER. Default value: 0. Allowed count: 0.
- max-bps-ratio=NUMBER
- Byte-per-second ratio is greater than NUMBER. Default value: 4294967295. Allowed count: 0.
- min-packets=NUMBER
- Packet count is less than NUMBER. Default value: 1. Allowed count: 0.
- max-packets=NUMBER
- Packet count is greater than NUMBER. Default value: 67108864. Allowed count: 0.
- min-bytes=NUMBER
- Byte count is less than NUMBER. Default value: 1. Allowed count: 0.
- max-bytes=NUMBER
- Byte count is greater than NUMBER. Default value: 4294967295. Allowed count: 0.
- min-tcp-bpp-ratio=NUMBER
- TCP byte-per-packet ratio is less than NUMBER. Default value: 1. Allowed count: 0.
- max-tcp-bpp-ratio=NUMBER
- TCP byte-per-packet ratio is greater than NUMBER. Default value: 16384. Allowed count: 0.
- min-udp-bpp-ratio=NUMBER
- UDP byte-per-packet ratio is less than NUMBER. Default value: 1. Allowed count: 0.
- max-udp-bpp-ratio=NUMBER
- UDP byte-per-packet ratio is greater than NUMBER. Default value: 16384. Allowed count: 0.
- min-icmp-bpp-ratio=NUMBER
- ICMP byte-per-packet ratio is less than NUMBER. Default value: 1. Allowed count: 0.
- max-icmp-bpp-ratio=NUMBER
- ICMP byte-per-packet ratio is greater than NUMBER. Default value: 16384. Allowed count: 0.
The following tests are only run when the --value switch is used to specify a value for the test.
- match-protocol=LIST
- Protocol is present in LIST. No default. Allowed count: 0.
- nomatch-protocol=LIST
- Protocol is not present in LIST. No default. Allowed count: 0.
- match-flags=LIST
- TCP Flag Combination is present in LIST. No default. Allowed count: 0.
- nomatch-flags=LIST
- TCP Flag Combination is not present in LIST. No default. Allowed count: 0.
- match-sip=IPSET_FILE
- Source IP is present in IPSET_FILE. No default. Allowed count: 0.
- nomatch-sip=IPSET_FILE
- Source IP is not present in IPSET_FILE. No default. Allowed count: 0.
- match-dip=IPSET_FILE
- Destination IP is present in IPSET_FILE. No default. Allowed count: 0.
- nomatch-dip=IPSET_FILE
- Destination IP is not present in IPSET_FILE. No default. Allowed count: 0.
- match-sport=LIST
- Source Port is present in LIST. No default. Allowed count: 0.
- nomatch-sport=LIST
- Source Port is not present in LIST. No default. Allowed count: 0.
- match-dport=LIST
- Destination Port is present in LIST. No default. Allowed count: 0.
- nomatch-dport=LIST
- Destination Port is not present in LIST. No default. Allowed count: 0.
- match-nhip=IPSET_FILE
- Next Hop IP is present in IPSET_FILE. No default. Allowed count: 0.
- nomatch-nhip=IPSET_FILE
- Next Hop IP is not present in IPSET_FILE. No default. Allowed count: 0.
- match-input=LIST
- SNMP Input is present in LIST. No default. Allowed count: 0.
- nomatch-input=LIST
- SNMP Input is not present in LIST. No default. Allowed count: 0.
- match-output=LIST
- SNMP Output is present in LIST. No default. Allowed count: 0.
- nomatch-output=LIST
- SNMP Output is not present in LIST. No default. Allowed count: 0.
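
The threshold tests, the LIST syntax and the allowable-count rule described above, modelled in Python as an added example (not SiLK code). The record layout and function names are hypothetical; treating a test as unusual once its violation count exceeds ALLOWED, and computing no ratio for a zero-packet record, are assumptions of this model.

```python
# Added illustration, not SiLK code: a simplified model of the tests on this page.
# The record dict layout and all function names are hypothetical.
DEFAULTS = {"min-bpp-ratio": 1, "max-bpp-ratio": 16384,   # documented defaults
            "min-packets": 1, "max-packets": 67108864,
            "min-bytes": 1, "max-bytes": 4294967295}

SAMPLE = [  # constructed records, not real flow data
    {"proto": 6, "packets": 10, "bytes": 5200},
    {"proto": 17, "packets": 2, "bytes": 180},
    {"proto": 6, "packets": 1, "bytes": 70000},   # 70000 bytes in one packet
    {"proto": 201, "packets": 0, "bytes": 0},     # zeroed counters
]

def parse_list(text):
    """Parse a LIST value: comma-separated integers and hyphenated ranges."""
    values = set()
    for part in text.split(","):
        lo, sep, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi) if sep else int(lo)
        if hi < lo:
            raise ValueError(f"range runs backwards: {part!r}")
        values.update(range(lo, hi + 1))
    return values

def violations(rec, tests):
    """Names of the tests that one record violates."""
    seen = {"packets": rec["packets"], "bytes": rec["bytes"]}
    if rec["packets"] > 0:  # assumption: no ratio is computed for zero packets
        seen["bpp-ratio"] = rec["bytes"] / rec["packets"]
    hit = []
    for name, value in tests.items():
        kind, _, field = name.partition("-")
        if ((kind == "min" and field in seen and seen[field] < value)
                or (kind == "max" and field in seen and seen[field] > value)
                or (name == "match-protocol" and rec["proto"] in value)
                or (name == "nomatch-protocol" and rec["proto"] not in value)):
            hit.append(name)
    return hit

def check(records, values=None, allowed=None):
    """Return (counts, unusual); unusual = violated more than ALLOWED times."""
    tests = {**DEFAULTS, **(values or {})}
    counts = dict.fromkeys(tests, 0)
    for rec in records:
        for name in violations(rec, tests):
            counts[name] += 1
    allowed = allowed or {}
    return counts, {n: c for n, c in counts.items() if c > allowed.get(n, 0)}
```

Calling `check(SAMPLE, values={"nomatch-protocol": parse_list("1,6,17")})` flags the oversized and zeroed records; passing `allowed={"min-packets": 1, "min-bytes": 1}` tolerates the single zeroed record, as --allowable-count would.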


