This Tool Tip deals with how to filter on and display specific ICMP Type and
Code combinations, using the following commands:
SiLK stores ICMP type and code information in the 16-bit "dport" field in a bit-packed form that is readable as an integer but is not intuitive to map to the correct ICMP type and code values. The options shown above were added to allow filtering or display of the ICMP type and code values as their original 8-bit integer values.
rwfilter can select records based on their ICMP Type and Code values.
the analyst can select ICMP ECHO REQUEST traffic.
rwfilter automatically adds the condition
to the filter when either of the
options is used.
A chain of these could be used, for example, to filter out the common ICMP types and codes, leaving only anomalous types and codes that may be especially interesting to analyze:
When using rwcut the type and code values are only displayed when the protocol is ICMP.
The situation is similar, but more subtle, for rwuniq: it decodes every dport field into ICMP Type and Code unless "protocol" is also included in its list of key fields. The reason is that unless "protocol" is one of the key fields, any particular output row could aggregate a mixture of different protocols (both ICMP and non-ICMP), so a decoded type and code would be meaningless for the non-ICMP records in that row.
What rwsort actually does when passed
is to sort on dport, which amounts to roughly the same thing as sorting on ICMP type and then code. When more than one protocol is present, the ICMP records may not be listed contiguously:
So the best way to use rwsort is either to filter on ICMP traffic only first, or to sort on protocol first.
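As an added illustration (not code from the SiLK Tool Tip), the following Python models SiLK's packed dport layout, (type * 256) + code, and the rwsort and rwuniq point above: sorting on dport alone interleaves other protocols among the ICMP records, while keying on protocol first keeps them together. The helper names and the sample flow records are constructed for this example.

```python
# Added example (not from the SiLK Tool Tip): model how SiLK packs ICMP type/code
# into the 16-bit dport field, and why sorting on dport alone does not keep ICMP
# records contiguous when other protocols are present. Names/records are constructed.
ICMP = 1

def pack_icmp_dport(icmp_type, icmp_code):
    """Pack an 8-bit ICMP type and code into SiLK's dport layout: (type * 256) + code."""
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        raise ValueError("ICMP type and code must each fit in 8 bits")
    return (icmp_type << 8) | icmp_code

def unpack_icmp_dport(dport):
    """Recover (type, code) from a packed dport value."""
    return (dport >> 8) & 0xFF, dport & 0xFF

def icmp_fields(record):
    """Mimic rwcut: decode type/code only when the record's protocol is ICMP."""
    proto, dport = record
    return unpack_icmp_dport(dport) if proto == ICMP else None

# Constructed flow records as (protocol, dport): a real port for TCP/UDP,
# the packed ICMP type/code for protocol 1.
RECORDS = [
    (6, 443),                        # TCP to port 443
    (ICMP, pack_icmp_dport(8, 0)),   # echo request -> dport 2048
    (17, 2049),                      # UDP port 2049 lands right after 2048
    (ICMP, pack_icmp_dport(3, 3)),   # port unreachable -> dport 771
    (6, 80),                         # TCP to port 80
    (ICMP, pack_icmp_dport(0, 0)),   # echo reply -> dport 0
]

def sort_on_dport(records):
    """What the ICMP sort option really does: order by dport, protocol ignored."""
    return sorted(records, key=lambda r: r[1])

def sort_on_proto_then_dport(records):
    """The recommended approach: key on protocol first so ICMP rows stay together."""
    return sorted(records, key=lambda r: (r[0], r[1]))

def icmp_is_contiguous(records):
    """True if the ICMP records form one unbroken run in the given order."""
    flags = [r[0] == ICMP for r in records]
    first, last = flags.index(True), len(flags) - 1 - flags[::-1].index(True)
    return all(flags[first:last + 1])

if __name__ == "__main__":
    for rec in sort_on_dport(RECORDS):
        print(rec, icmp_fields(rec))
    print("proto-first sort keeps ICMP contiguous:", icmp_is_contiguous(sort_on_proto_then_dport(RECORDS)))
```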
For rwstats, the option
may not be paired with any other key field option, and it assumes that all input is ICMP. Therefore, you need to filter down to ICMP traffic only first.
You must filter for --proto=1 before passing data to rwstats --icmp!