NAME
cutmatch - Display value in next-hop field written by rwmatch

SYNOPSIS
    rwcut --plugin=cutmatch.so --fields=...,match,... ...
DESCRIPTION
The cutmatch plug-in creates a field in rwcut(1) that provides a more user-friendly representation of the match parameter value that rwmatch(1) writes into a SiLK Flow record's next hop IP field. The cutmatch plug-in defines a match field that displays the direction of the flow (-> represents a query and <- a response) and the numeric match ID.
OPTIONS
The cutmatch plug-in modifies the following switch of rwcut(1):

--fields=FIELDS
    FIELDS refers to a list of fields to print. The cutmatch plug-in adds the following field:

    match
        Print the direction of the flow (-> represents a query and <- a response) and the numeric match ID.
EXAMPLES
In the following examples, the dollar sign ($) represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the backslash (\) is used to indicate a wrapped line.
Given two files containing unidirectional flow records, use rwsort(1) and rwmatch(1) to create the file matched.rw where a query and its response have been labeled with a unique value in the next-hop IP field. See the rwmatch manual page for more information.
    $ rwsort --fields=1,4,2,3,5,stime incoming.rw > incoming-query.rw
    $ rwsort --fields=2,3,1,4,5,stime outgoing.rw > outgoing-response.rw
    $ rwmatch --relate=1,2 --relate=4,3 --relate=2,1 --relate=3,4 \
          --relate=5,5 incoming-query.rw outgoing-response.rw matched.rw
To use the plug-in, you must explicitly load it into rwcut(1) by specifying the --plugin switch. You can then include match in the list of --fields to print:
    $ rwcut --plugin=cutmatch.so --num-rec=8 \
          --fields=sIP,sPort,match,dIP,dPort,type matched.rw
                sIP|sPort| <->Match#|            dIP|dPort|   type|
        10.4.52.235|29631|->       1|192.168.233.171|   80|  inweb|
    192.168.233.171|   80|<-       1|    10.4.52.235|29631| outweb|
        10.9.77.117|29906|->       2| 192.168.184.65|   80|  inweb|
     192.168.184.65|   80|<-       2|    10.9.77.117|29906| outweb|
      10.14.110.214|29989|->       3| 192.168.249.96|   80|  inweb|
     192.168.249.96|   80|<-       3|  10.14.110.214|29989| outweb|
        10.18.66.79|29660|->       4| 192.168.254.69|   80|  inweb|
     192.168.254.69|   80|<-       4|    10.18.66.79|29660| outweb|
This shows external hosts querying the web server (the Match column contains ->) and the web server's responses (<-).
Using the sIP and dIP fields may be confusing when the file you are examining contains both incoming and outgoing flow records. To make the output from rwmatch clearer, consider using the int-ext-fields(3) plug-in as well. That plug-in allows you to display the external IPs in one column and the internal IPs in another column. See its manual page for additional information.
    $ export INCOMING_FLOWTYPES=all/in,all/inweb
    $ export OUTGOING_FLOWTYPES=all/out,all/outweb
    $ rwcut --plugin=cutmatch.so --plugin=int-ext-fields.so --num-rec=8 \
          --fields=ext-ip,ext-port,match,int-ip,int-port,proto matched.rw
             ext-ip|ext-p| <->Match#|         int-ip|int-p|   type|
        10.4.52.235|29631|->       1|192.168.233.171|   80|  inweb|
        10.4.52.235|29631|<-       1|192.168.233.171|   80| outweb|
        10.9.77.117|29906|->       2| 192.168.184.65|   80|  inweb|
        10.9.77.117|29906|<-       2| 192.168.184.65|   80| outweb|
      10.14.110.214|29989|->       3| 192.168.249.96|   80|  inweb|
      10.14.110.214|29989|<-       3| 192.168.249.96|   80| outweb|
        10.18.66.79|29660|->       4| 192.168.254.69|   80|  inweb|
        10.18.66.79|29660|<-       4| 192.168.254.69|   80| outweb|
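Both rwcut listings above are plain pipe-delimited text, so the match field can be consumed directly by downstream tooling. The following Python script is an added example, not part of SiLK or of this manual page: it parses rwcut output that includes the cutmatch field, pairs each query (->) with its response (<-) by match ID, and reports match IDs that lack one side, which is the check an analyst wants before trusting that every query in a matched file has a response. The embedded sample text is the first rwcut listing from this page plus one constructed query record (match 5, host 10.22.8.30) that has no response; the names parse_rwcut, parse_match and pair_records are the example's own. Because the parser keys records by header name, it also handles the int-ext-fields listing unchanged.

```python
"""Pair query and response records in rwcut output that carries the
cutmatch plug-in's match field.  Added example; rwcut itself is not run.
The sample below is the rwcut listing from the cutmatch manual page plus
one constructed, unpaired query (match 5)."""
import sys
from collections import defaultdict

# Column title rwcut prints for the cutmatch 'match' field.
MATCH_COLUMN = "<->Match#"

# Sample input (first eight lines copied from the manual page; the match-5
# record is constructed to exercise the "no response" path).
SAMPLE_OUTPUT = """\
            sIP|sPort| <->Match#|            dIP|dPort|   type|
    10.4.52.235|29631|->       1|192.168.233.171|   80|  inweb|
192.168.233.171|   80|<-       1|    10.4.52.235|29631| outweb|
    10.9.77.117|29906|->       2| 192.168.184.65|   80|  inweb|
 192.168.184.65|   80|<-       2|    10.9.77.117|29906| outweb|
  10.14.110.214|29989|->       3| 192.168.249.96|   80|  inweb|
 192.168.249.96|   80|<-       3|  10.14.110.214|29989| outweb|
    10.18.66.79|29660|->       4| 192.168.254.69|   80|  inweb|
 192.168.254.69|   80|<-       4|    10.18.66.79|29660| outweb|
     10.22.8.30|30012|->       5| 192.168.200.11|   80|  inweb|
"""


def parse_rwcut(text):
    """Parse rwcut's fixed-width, pipe-delimited output into one dict per
    record, keyed by the whitespace-stripped column titles."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].rstrip("|").split("|")]
    records = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.rstrip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append(dict(zip(header, cells)))
    return records


def parse_match(value):
    """Split a cutmatch cell such as '->       1' into ('->', 1)."""
    parts = value.split()
    if len(parts) != 2 or parts[0] not in ("->", "<-"):
        raise ValueError(f"not a cutmatch value: {value!r}")
    return parts[0], int(parts[1])


def pair_records(records, match_column=MATCH_COLUMN):
    """Group records by match ID.

    Returns (pairs, incomplete).  pairs maps match ID -> (query, response)
    for IDs with exactly one record in each direction.  incomplete maps every
    other ID to the list of directions seen, so a query without a response
    (or a duplicate that hints at a sort/relate mistake) is visible."""
    by_id = defaultdict(lambda: {"->": [], "<-": []})
    for rec in records:
        direction, match_id = parse_match(rec[match_column])
        by_id[match_id][direction].append(rec)
    pairs, incomplete = {}, {}
    for match_id, sides in sorted(by_id.items()):
        if len(sides["->"]) == 1 and len(sides["<-"]) == 1:
            pairs[match_id] = (sides["->"][0], sides["<-"][0])
        else:
            incomplete[match_id] = [d for d in ("->", "<-") for _ in sides[d]]
    return pairs, incomplete


def main(stream=None):
    """Read rwcut output from a stream (or the embedded sample) and report."""
    text = stream.read() if stream is not None else SAMPLE_OUTPUT
    pairs, incomplete = pair_records(parse_rwcut(text))
    for match_id, (query, response) in pairs.items():
        first = next(c for c in query if c != MATCH_COLUMN)
        print(f"match {match_id}: query from {query[first]}, "
              f"response from {response[first]}")
    for match_id, seen in incomplete.items():
        print(f"match {match_id}: incomplete, directions seen {seen}")


if __name__ == "__main__":
    main(None if sys.stdin.isatty() else sys.stdin)
```

Run it as `rwcut --plugin=cutmatch.so --fields=sIP,sPort,match,dIP,dPort,type matched.rw | python3 pair_matches.py` to process a real file, or with no stdin to use the embedded sample; the constructed match 5 is then reported as incomplete with only the -> side seen.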
ENVIRONMENT
This environment variable gives the root of the install tree. When searching for plug-ins, a SiLK application may use this environment variable. See the "FILES" section for details.
SILK_PLUGIN_DEBUG
    When set to 1, the SiLK applications print status messages to the standard error as they attempt to find and open the cutmatch.so plug-in. A typical invocation using this variable is:

        env SILK_PLUGIN_DEBUG=1 rwcut --plugin=cutmatch.so --version
FILES
Possible locations for the plug-in.