CERT

In this Tool Tip, we note some overlapping features between rwaddrcount and rwuniq. There is often more than one way to perform the same task in the SiLK tool set.

Here's a guide to replacing each of the modes of rwaddrcount:

print-recs

$ rwaddrcount --print-recs [filename]
          sIP|  Bytes|   Packets|   Records|          Start_Time|            End_Time|
   10.0.0.144|   1646|         4|         1| 2007/05/09T18:01:41| 2007/05/09T18:01:41|
10.14.203.121|     40|         1|         1| 2007/05/09T18:31:54| 2007/05/09T18:31:54|
10.14.203.122|     40|         1|         1| 2007/05/09T18:32:43| 2007/05/09T18:32:43|
   10.15.6.14|    539|         3|         3| 2007/05/09T18:03:05| 2007/05/09T18:08:07|
  12.0.101.22|   4365|        23|         2| 2007/05/09T18:26:43| 2007/05/09T18:43:46|

becomes

$ rwuniq --fields=sip --all-counts [filename]
          sIP|     Bytes|   Packets|   Records|          min_sTime|          max_eTime|
   10.0.0.144|      1646|         4|         1|2007/05/09T18:01:41|2007/05/09T18:01:41|
10.14.203.121|        40|         1|         1|2007/05/09T18:31:54|2007/05/09T18:31:54|
10.14.203.122|        40|         1|         1|2007/05/09T18:32:43|2007/05/09T18:32:43|
   10.15.6.14|       539|         3|         3|2007/05/09T18:03:05|2007/05/09T18:08:07|
  12.0.101.22|      4365|        23|         2|2007/05/09T18:26:43|2007/05/09T18:43:46|

print-stat

$ rwaddrcount --print-stat [filename]
          |  sIP_Uniq|               Bytes|        Packets|        Records|
     Total|     57727|           948620676|        2026581|         382578|

becomes

$ rwuniq --fields=nhIP --sip-distinct --bytes --packets --flows [filename]
           nhIP|               Bytes|   Packets|   Records|Unique_SIP|
        0.0.0.0|           948620676|   2026581|    382578|     57727|

Warning

rwuniq requires at least one key field. If nhIP is not populated in your
environment, it can serve as that key field, since its value (0.0.0.0) is then the
same for all records and everything lands in a single bin. If nhIP is populated in
your environment, use rwnetmask to set all nhIP values to zero first, as follows:

... | rwnetmask --next-hop-prefix=0 | rwuniq ...

print-ips

$ rwaddrcount --print-ips [filename]
            sIP
     10.0.0.144
  10.14.203.121
  10.14.203.122
     10.15.6.14
    12.0.101.22

becomes

$ rwuniq --fields=sIP [filename]
            sIP|   Records|
     10.0.0.144|         1|
  10.14.203.121|         1|
  10.14.203.122|         1|
     10.15.6.14|         3|
    12.0.101.22|         2|

or if the additional record count column is annoying, you can use rwset instead:

$ rwset --sip-file=stdout [filename] | rwsetcat --print-ips
10.0.0.144
10.14.203.121
10.14.203.122
10.15.6.14
12.0.101.22

{rec,byte,packet}-{min,max}

rwaddrcount allows you to restrict the output to only those IPs that have a certain
minimum (or maximum) count of records, bytes or packets. rwuniq supports the same
restrictions through its --bytes, --packets and --flows options, each of which
accepts a MIN-MAX range (records in rwaddrcount are flows in rwuniq's vocabulary).

For example:

$ rwaddrcount --print-recs --byte-min=1024 --byte-max=2048 --rec-max=5 [filename]
          sIP|  Bytes|   Packets|   Records|          Start_Time|            End_Time|
   10.0.0.144|   1646|         4|         1| 2007/05/09T18:01:41| 2007/05/09T18:01:41|
...

becomes

$ rwuniq --fields=sip --all-counts --flows=1-5 --bytes=1024-2048 --packets [filename]
          sIP|  Bytes|   Packets|   Records|          min_sTime|          max_eTime|
   10.0.0.144|   1646|         4|         1|2007/05/09T18:01:41|2007/05/09T18:01:41|
...
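To make the mappings above mechanical, here is an added helper (not part of SiLK or this tip) that rewrites an rwaddrcount command line as the equivalent rwuniq command line; it only prints the translated command, so it runs without SiLK installed. The file name flows.rw is a constructed stand-in for [filename], and the bare --NAME=MIN form used when only a minimum is given is assumed to be read by rwuniq as "MIN or more".

```shell
#!/bin/sh
# Hypothetical helper: translate rwaddrcount flags into rwuniq flags using the
# mappings from this tip. Prints the rwuniq invocation; does not execute it.

# Build "--NAME=MIN-MAX" from an rwaddrcount min/max pair. A missing minimum
# defaults to 1 (as in the tip's --flows=1-5); a missing maximum yields a bare
# "--NAME=MIN" (assumed to mean "MIN or more"). Neither bound: emit nothing.
range_opt() {
  name=$1 min=$2 max=$3
  [ -n "$min$max" ] || return 0
  : "${min:=1}"
  if [ -n "$max" ]; then
    printf '%s' "--$name=$min-$max"
  else
    printf '%s' "--$name=$min"
  fi
}

rwaddrcount_to_rwuniq() {
  mode='' files='' byte_min='' byte_max='' rec_min='' rec_max='' pkt_min='' pkt_max=''
  for arg in "$@"; do
    case $arg in
      --print-recs) mode='--fields=sip --all-counts' ;;
      --print-stat) mode='--fields=nhIP --sip-distinct --bytes --packets --flows' ;;
      --print-ips)  mode='--fields=sIP' ;;
      --byte-min=*) byte_min=${arg#*=} ;;
      --byte-max=*) byte_max=${arg#*=} ;;
      --rec-min=*)  rec_min=${arg#*=} ;;
      --rec-max=*)  rec_max=${arg#*=} ;;
      --pkt-min=*)  pkt_min=${arg#*=} ;;
      --pkt-max=*)  pkt_max=${arg#*=} ;;
      --*) printf 'unsupported rwaddrcount option: %s\n' "$arg" >&2; return 1 ;;
      *)   files="$files $arg" ;;   # input file(s) are passed through unchanged
    esac
  done
  [ -n "$mode" ] || { printf 'no --print-* mode given\n' >&2; return 1; }
  # rwaddrcount's rec/byte/pkt thresholds become rwuniq count ranges;
  # "records" in rwaddrcount are "flows" in rwuniq.
  opts=''
  r=$(range_opt flows   "$rec_min"  "$rec_max");  [ -z "$r" ] || opts="$opts $r"
  r=$(range_opt bytes   "$byte_min" "$byte_max"); [ -z "$r" ] || opts="$opts $r"
  r=$(range_opt packets "$pkt_min"  "$pkt_max");  [ -z "$r" ] || opts="$opts $r"
  printf '%s\n' "rwuniq $mode$opts$files"
}

# Sample run on a constructed file name (stands in for the tip's [filename]):
rwaddrcount_to_rwuniq --print-recs --byte-min=1024 --byte-max=2048 --rec-max=5 flows.rw
```

For --print-stat the translated command still needs the nhIP caveat from the warning above, so pipe through rwnetmask first where nhIP is populated.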