NAME

rwsetintersect - Perform intersection operations on IPset files

SYNOPSIS

  rwsetintersect  --add-set=IPSET_FILE
        [--add-set=IPSET_FILE...] [--remove-set=IPSET_FILE...]
        [--compression-method=COMP_METHOD]
        {--print-ips | --integer-ips | --set-file=IPSET_FILE}

DESCRIPTION

Note: It is recommended that you use rwsettool in place of rwsetintersect.

rwsetintersect takes multiple binary IPset files and intersects them, generating a new IPset which can be saved in a binary IPset file or written to the standard output when the standard output is not connected to a terminal. An output destination must be specified.

The IPset files are specified as either --add-set or --remove-set; at least one --add-set IPset must be specified.

First, rwsetintersect performs the intersection of all specified --add-set files. From the resulting IPset, rwsetintersect then removes all addresses specified in the --remove-set files.

rwsetintersect uses binary IPset files, not SiLK Flow data.

OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--add-set=IPSET_FILE: Specifies an intersection add file. At the minimum, one add file must be specified. Use stdin to read a binary IPset from the standard input.
--remove-set=IPSET_FILE: Specifies an intersection remove file. Remove files are optional. Use stdin to read a binary IPset from the standard input.
--compression-method=COMP_METHOD: Set the compression method of the output to COMP_METHOD. Some SiLK tools can use an external library to compress their binary output. The list of available compression methods and the default method are set when SiLK is compiled (the --help and --version switches print the available and default compression methods) and depend on which supported libraries are found. SiLK can support:

One of the following output switches is required; multiple switches may be specified:

--print-ips: Print the resulting IP addresses to the standard output.
--integer-ips: Enable the --print-ips option, but print the IPs as integers instead of as dotted decimal.
--set-file=IPSET_FILE: Write the IP addresses to a binary IPset file named IPSET_FILE. Use stdout to write the IPset to the standard output.

EXAMPLES

rwsetintersect uses add-sets and remove-sets. An add-set IPset is intersected in the normal fashion, while a remove-set's negation is intersected.

For example, assume the following sets A,B,C,D:

  A = {1,2,3,4}
  B = {2,3,4,5}
  C = {3,4,5,6}
  D = {8,9,10,11}

then:

  A /\ B
      --add-set=A --add-set=B would result in {2,3,4}

  A /\ C
      --add-set=A --add-set=C would result in {3,4}

  A /\ D
      --add-set=A --add-set=D would result in {}

  A /\ ~D
      --add-set=A --remove-set=D would result in {1,2,3,4}

  A /\ ~A
      --add-set=A --remove-set=A would result in {}

  B /\ ~A
      --add-set=B --remove-set=A would result in {5}

  A /\ ~B
      --add-set=A --remove-set=B would result in {1}

NOTES

All --add-set operations are performed first, followed by all --remove-set operations.

rwsettool supersedes rwsetintersect. Modify your use of rwsetintersect as follows:

  Change:
    rwsetintersect --add=SET1 --add=SET2 --set-file=DEST_SET
  To:
    rwsettool --intersect --output=DEST_SET SET1 SET2

  Change:
    rwsetintersect --add=SET1 --add=SET2 --print-ips
  To:
    rwsettool --intersect SET1 SET2 | rwsetcat

  Change:
    rwsetintersect --add=SET1 --remove=SET2 --set-file=DEST_SET
  To:
    rwsettool --difference --output=DEST_SET SET1 SET2

  Change:
    rwsetintersect --add=SET1 --remove=SET2 --print-ips
  To:
    rwsettool --difference SET1 SET2 | rwsetcat