CERT NetSA Security Suite 
Open Source Tools for Network Monitoring 
YAF 0.8.1 | NAF 0.6.0 | SiLK 1.0.1 | RAVE 1.9.9
fixbuf 0.7.3 | ipa 0.2.1 | airdbc 0.2.2 | airframe 0.7.2 | Portal 0.8.0
SiLK - Documentation - rwpcut


NAME

rwpcut - Outputs a tcpdump dump file as ASCII


SYNOPSIS

  rwpcut [--columnar]
         [--delimiter=DELIMITER]
         [--epoch-time]
         [--fields=PRINT_FIELDS]
         [--integer-ips]
         [--zero-pad-ips]
         FILE...


DESCRIPTION

rwpcut outputs tcpdump files in an easy-to-parse form. It supports a user-defined list of fields to output and a user-defined delimiter between columns.


OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option.

OUTPUT SWITCHES

--columnar
Pad each field with whitespace so that it always takes up the same number of columns. The two payload printing fields, payhex and payascii, never pad with whitespace.

--delimiter=DELIMITER
DELIMITER is used as the delimiter between columns instead of the default '|'.

--epoch-time
Display the timestamp as epoch time seconds instead of a formatted timestamp.

--fields=PRINT_FIELDS
PRINT_FIELDS is a comma-separated list of fields to include in the output. The available fields are:

timestamp - packet timestamp
sip - source IP address
dip - destination IP address
sport - source port
dport - destination port
proto - IP protocol
payhex - payload printed as a hex stream
payascii - payload printed as an ASCII stream. Non-printing characters are represented with periods.

--integer-ips
Display IP addresses as integers instead of in dotted quad notation.

--zero-pad-ips
Pad dotted-quad notation IP addresses so that each quad occupies three columns.


EXAMPLES

    rwpcut --fields=sip,dip,sport,dport,proto --columnar data.dmp

                sip|            dip|sport|dport|proto|
    220.245.221.126|  192.168.1.100|21776| 6882|    6|
    220.245.221.126|  192.168.1.100|21776| 6882|    6|

    rwpcut --fields=timestamp,payhex data.dmp

(Carriage returns mid-payload added for legibility)

    timestamp|payhex|
    2005-04-20 04:28:59.091470|4500003cd85840003206f3e2dcf5dd7
    ec0a8016455101ae2811b6bce00000000a002ffff59990000020405ac0
    10303000101080a524dc5cc00000000|
    2005-04-20 04:29:02.057390|4500003cd88c40003206f3aedcf5dd7
    ec0a8016455101ae2811b6bce00000000a002ffff59930000020405ac0
    10303000101080a524dc5d200000000|


SEE ALSO

rwptoflow(1)


BUGS

Note that payhex and payascii do not pad themselves with whitespace when --columnar is used.

The payascii field does not escape the delimiter character in any way, so care should be taken when parsing it: a payload byte equal to the delimiter produces an extra column in that line.
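A parser for the delimited output described under OUTPUT SWITCHES that also copes with the two BUGS above (--columnar padding and the unescaped delimiter in payascii). This is an added example, not part of SiLK; the sample output and its payloads are constructed, and it assumes payascii, when requested, is the last field so that extra delimiters can be attributed to it.

```python
"""Parse rwpcut delimited output (added example, not SiLK code).

Handles --columnar whitespace padding and the unescaped delimiter
inside payascii by requiring payascii to be the last field and
limiting the number of splits per line.
"""
from typing import Dict, List

# Constructed sample, as if produced by:
#   rwpcut --fields=timestamp,sip,dip,sport,dport,proto,payascii --columnar data.dmp
# The second record's payload deliberately contains the '|' delimiter.
SAMPLE_OUTPUT = """\
                 timestamp|            sip|            dip|sport|dport|proto|payascii|
2005-04-20 04:28:59.091470|220.245.221.126|  192.168.1.100|21776| 6882|    6|E..<.X@.2.....|
2005-04-20 04:29:02.057390|220.245.221.126|  192.168.1.100|21776| 6882|    6|GET /a|b HTTP/1.0..|
"""

PAYLOAD_FIELDS = {"payhex", "payascii"}  # never padded, so never stripped


def _strip_one_trailing(line: str, delimiter: str) -> str:
    # rwpcut ends every line with the delimiter; remove exactly one copy so a
    # payload that itself ends with the delimiter character is not damaged.
    return line[:-len(delimiter)] if line.endswith(delimiter) else line


def parse_rwpcut(text: str, delimiter: str = "|") -> List[Dict[str, str]]:
    """Return one dict per packet record, keyed by the header's field names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = [h.strip() for h in _strip_one_trailing(lines[0], delimiter).split(delimiter)]
    if "payascii" in header and header[-1] != "payascii":
        # An unescaped payload would swallow the columns after it; refuse
        # rather than silently mis-assign fields.
        raise ValueError("payascii must be the last field to be parsed safely")
    # With payascii last, cap the split count so delimiters inside the
    # payload stay in the payload column; otherwise split normally.
    maxsplit = len(header) - 1 if header[-1] == "payascii" else -1
    records = []
    for line in lines[1:]:
        parts = _strip_one_trailing(line, delimiter).split(delimiter, maxsplit)
        if len(parts) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(parts)}: {line!r}")
        records.append({name: (val if name in PAYLOAD_FIELDS else val.strip())
                        for name, val in zip(header, parts)})
    return records


def payload_bytes(record: Dict[str, str]) -> bytes:
    """Decode a payhex column back into raw bytes for further inspection."""
    return bytes.fromhex(record["payhex"])
```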