NAME
rwtuc - Text Utility Converter - rwcut output to SiLK flows
SYNOPSIS
rwtuc [--site-config-file=FILENAME] [--fields=FIELDS]
[--column-separator=CHAR] [--compression-method=COMP_METHOD]
[--output-path=FILEPATH] [--bad-input-lines=FILEPATH]
[--saddress=IPADDR] [--daddress=IPADDR] [--sport=NUM]
[--dport=NUM] [--protocol=NUM] [--packets=NUM] [--bytes=NUM]
[--flags-all=TCPFLAGS] [--stime=TIME] [--duration=NUM]
[--etime=TIME] [--sensor=SID] [--input-index=NUM]
[--output-index=NUM] [--next-hop-ip=IPADDR]
[--flags-initial=TCPFLAGS] [--flags-session=TCPFLAGS]
[--attributes=ATTR] [--application=NUM] [--class=NAME]
[--type=NAME] [--stime+msec=TIME] [--etime+msec=TIME]
[--duration+msec=NUM] [FILES]
DESCRIPTION
rwtuc reads text files that have a format similar to that produced by rwcut and attempts to create a SiLK Flow record for each line of input.
The fields that make up a single record should be separated by the pipe character ('|'); use the --column-separator switch to change this delimiter. Note that a space will not work as the delimiter, since several fields (e.g., time, tcp-flags) contain embedded spaces.
The fields to be read from each line can be specified with the --fields switch; if the switch is not provided, rwtuc treats the first line as a title and attempts to determine the fields from the title strings.
Fields can be forced to have a fixed value, which causes rwtuc to override the value read from the input file (if any).
The textual input is read from the files named on the command line; if no files are specified, rwtuc attempts to read the text from the standard input if it is not connected to a terminal.
When the --output-path switch is not provided, output is sent to the standard output when it is not connected to a terminal.
Lines that cannot be parsed are ignored (unless rwtuc is attempting to determine the fields from the title line). These lines can be copied to another output stream with the --bad-input-lines switch. Each bad line will have the source file name and line number prepended to it, separated from each other and the source line by colons (':').
Due to the way records are stored, some field combinations cannot be supported. The end time is computed by adding the duration to the start time; when both start time and duration are specified, any end-time value is ignored. The initial TCP flags and session TCP flags fields must both be present or both be absent. Using the attributes or application fields requires using the initial TCP flags field. The class and type fields must both be present for either to have any effect on the SiLK flow record.
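As an added illustration (not part of SiLK or this manual page), the following Python checker applies the parsing rules described above to rwcut-style text before it is handed to rwtuc: field detection from the title line, the field-combination constraints, eTime recomputed from sTime plus dur, and the file:lineno: prefix given to unparsable lines. The timestamp layout, the constructed sample input and all function names are this example's own assumptions.

```python
from datetime import datetime, timedelta

# Field-combination rules from the DESCRIPTION section.
PAIRS = [("initialFlags", "sessionFlags"), ("class", "type")]
NEEDS_INITIAL = ("attribute", "application")
TIME_FMT = "%Y/%m/%dT%H:%M:%S"  # rwcut-style timestamp layout (assumed here)
# Constructed sample: title, a good record (its eTime column is ignored), a bad line.
SAMPLE = ("sIP|dIP|sPort|dPort|protocol|packets|bytes|flags|sTime|dur|eTime\n"
          "10.0.0.1|10.0.0.2|51234|80|6|5|400|S PA|2009/02/13T18:41:30|10|x\n"
          "this line has the wrong number of columns\n")

def check_fields(fields):
    # Return rule violations for a field list; an empty list means OK.
    present, errors = set(fields), []
    if len(fields) != len(present):
        errors.append("a field is specified more than once")
    for a, b in PAIRS:
        if (a in present) != (b in present):
            errors.append(f"{a} and {b} must both be present or absent")
    for f in NEEDS_INITIAL:
        if f in present and "initialFlags" not in present:
            errors.append(f"{f} requires initialFlags")
    return errors

def parse_record(fields, line, sep="|"):
    # One data line -> dict; eTime is recomputed from sTime + dur when both exist.
    values = [v.strip() for v in line.split(sep)]
    if len(values) != len(fields):
        raise ValueError("column count does not match the field list")
    rec = dict(zip(fields, values))
    if "sTime" in rec and "dur" in rec:
        start = datetime.strptime(rec["sTime"], TIME_FMT)
        rec["eTime"] = (start + timedelta(seconds=int(rec["dur"]))).strftime(TIME_FMT)
    return rec

def convert(text, source="stdin", sep="|"):
    # Title line first (as when --fields is absent); bad lines get rwtuc's "file:lineno:" prefix.
    lines = text.splitlines()
    fields = [f.strip() for f in lines[0].split(sep)]
    errors = check_fields(fields)
    if errors:
        raise ValueError("; ".join(errors))
    records, bad = [], []
    for n, line in enumerate(lines[1:], start=2):
        try:
            records.append(parse_record(fields, line, sep))
        except ValueError:
            bad.append(f"{source}:{n}:{line}")
    return records, bad
```

Running convert(SAMPLE, "sample.txt") yields one record with eTime 2009/02/13T18:41:40 and one bad line carrying the sample.txt:3: prefix.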
OPTIONS
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
- --fields=FIELDS
- FIELDS contains the list of fields (columns) to parse. FIELDS is a comma-separated list of field names, field integers, and ranges of field integers; a range is specified by separating the start and end of the range with a hyphen (-).
- The field names and their descriptions are:
- sIP,sip,1
- source IP address
- dIP,dip,2
- destination IP address
- sPort,sport,3
- source port
- dPort,dport,4
- destination port
- protocol,5
- IP protocol
- packets,pkts,6
- packet count
- bytes,7
- byte count
- flags,8
- bitwise OR of TCP flags over all packets
- sTime,stime,9
- starting time of flow (seconds resolution)
- dur,10
- duration of flow (seconds resolution)
- eTime,etime,11
- end time of flow (seconds resolution)
- sensor,12
- router sensor name or ID
- class
- class of router at collection point
- type
- type of router at collection point
- initialFlags,initialflags,26
- TCP flags on first packet in the flow
- sessionFlags,sessionflags,27
- bitwise OR of TCP flags over all packets except the first in the flow
- attribute,28
- flow attributes set by flow collector:
  - T: flow collector generated a flow record for a long-running connection due to timeout.
  - C: this flow is a continuation of a long-running connection that the collector terminated.
  - F: additional non-ACK packets seen after a packet with the FIN flag set.
- application,29
- guess as to the application generating the flow; value will be standard port for the application, such as 80 for web traffic
- --column-separator=CHAR
- Expect the character CHAR to be used as the delimiter between columns instead of the default '|'.
- --compression-method=COMP_METHOD
- Set the compression method of the output to COMP_METHOD. Some SiLK tools can use an external library to compress their binary output. The list of available compression methods and the default method are set when SiLK is compiled (the --help and --version switches print the available and default compression methods) and depend on which supported libraries are found. SiLK can support:
- none
- Do not compress the output using an external library
- zlib
- Use the zlib(3) library for compressing the output
- lzo1x
- Use the lzo1x algorithm from the LZO real time compression library for compression
- best
- Use whichever available method gives the best compression in general, though not necessarily the best for this particular output.
- --output-path=FILEPATH
- Write the SiLK Flow records to FILEPATH. The strings stdout and stderr may be used for the standard output and standard error, respectively, as long as they are not connected to a terminal.
- --bad-input-lines=FILEPATH
- Copy any lines which could not be parsed to FILEPATH. The strings stdout and stderr may be used for the standard output and standard error, respectively. Each bad line will be prepended by the source input file, a colon, the line number, and a colon. On exit, rwtuc will remove FILEPATH if all input lines were successfully parsed.
- --saddress=IPADDR
- Set the source address field to IPADDR for all records. IPADDR can be in dotted decimal notation or an unsigned integer.
- --daddress=IPADDR
- Set the destination address field to IPADDR for all records. IPADDR can be in dotted decimal notation or an unsigned integer.
- --sport=NUM
- Set the source port field to NUM for all records; a value between 0 and 65535.
- --dport=NUM
- Set the destination port field to NUM for all records; a value between 0 and 65535.
- --protocol=NUM
- Set the protocol field to NUM for all records; a value between 0 and 255.
- --packets=NUM
- Set the packets field to NUM for all records; the value must be non-zero.
- --bytes=NUM
- Set the bytes field to NUM for all records; the value must be non-zero.
- --flags-all=TCPFLAGS
- Set the TCP flags field to TCPFLAGS for all records.
- --stime=TIME
- Set the start time field to TIME for all records.
- --duration=NUM
- Set the duration field to NUM for all records.
- --etime=TIME
- Set the end time field to TIME for all records.
- --sensor=SID
- Set the sensor field to SID for all records. This can either be a sensor name or sensor ID.
- --input-index=NUM
- Set the SNMP input index field to NUM for all records; a value between 0 and 65535.
- --output-index=NUM
- Set the SNMP output index field to NUM for all records; a value between 0 and 65535.
- --next-hop-ip=IPADDR
- Set the next-hop-ip field to IPADDR for all records. IPADDR can be in dotted decimal notation or an unsigned integer.
- --flags-initial=TCPFLAGS
- Set the initial TCP flags field to TCPFLAGS for all records.
- --flags-session=TCPFLAGS
- Set the session TCP flags field to TCPFLAGS for all records.
- --attributes=ATTR
- Set the attributes field to ATTR for all records.
- --application=NUM
- Set the application field to NUM for all records; a value between 0 and 65535.
- --class=NAME
- Set the class field to NAME for all records. Should be a valid class name; use rwfilter --help to see the list of valid classes for your site.
- --type=NAME
- Set the type field to NAME for all records. Should be a valid type name; use rwfilter --help to see the list of valid types for your site.
- --stime+msec=TIME
- Set the start time field (including milliseconds) to TIME for all records.
- --etime+msec=TIME
- Set the end time field (including milliseconds) to TIME for all records.
- --duration+msec=NUM
- Set the duration field (including milliseconds) to NUM for all records.
- --site-config-file=FILENAME
- Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.
Notes on the fields listed under --fields: many packed files do not store some of these fields, in which case their values will always be 0, but they are listed above for completeness. SiLK can store flows generated by enhanced collection software that provides more information than NetFlow v5; these flows may support some or all of the additional fields (initialFlags, sessionFlags, attribute, application), and for flows without this additional information the field's value is always 0.
Fields may not be specified more than once.
EXAMPLES
$ rwcut data.rwf > cut.txt
$ md5 < cut.txt
7e3d693cd2cba2510803935274e1debd
$ rwtuc < cut.txt | rwcut | md5
7e3d693cd2cba2510803935274e1debd
ENVIRONMENT
- SILK_CONFIG_FILE
- This environment variable is used as the value for the --site-config-file when that switch is not provided.
- SILK_DATA_ROOTDIR
- When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwtuc looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.
- SILK_PATH
- This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwtuc checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.