SiLK

NAME

flowrate - SiLK plug-in providing payload and rate filters and fields

SYNOPSIS

  rwfilter --plugin=flowrate.so [--payload-bytes=INTEGER_RANGE]
        [--payload-rate=DECIMAL_RANGE]
        [--bytes-per-second=DECIMAL_RANGE]
        [--packets-per-second=DECIMAL_RANGE]
        [--flowrate-zero-duration=MICROSECONDS] ...

  rwcut --plugin=flowrate.so --fields=FIELDS
        [--flowrate-zero-duration=MICROSECONDS] ...

  rwgroup --plugin=flowrate.so --fields=FIELDS
        [--flowrate-zero-duration=MICROSECONDS] ...

  rwsort --plugin=flowrate.so --fields=FIELDS
        [--flowrate-zero-duration=MICROSECONDS] ...

  rwstats --plugin=flowrate.so --fields=FIELDS --values=FIELDS
        [--flowrate-zero-duration=MICROSECONDS] ...

  rwuniq --plugin=flowrate.so --fields=FIELDS --values=FIELDS
        [--flowrate-zero-duration=MICROSECONDS] ...

DESCRIPTION

When loaded into rwfilter(1), the flowrate plug-in provides switches that can partition flows based on bytes of payload and/or on the rates of data transfer.

For rwcut(1), rwgroup(1), rwsort(1), rwstats(1), and rwuniq(1), the flowrate plug-in provides fields that will print, sort flows by, and group flows by the bytes of payload, bytes-per-packet, bytes-per-second, packets-per-second, and bytes of payload per second. The flowrate plug-in also provides aggregate value fields in rwstats and rwuniq.

The payload byte count is determined by subtracting from the total byte count in the flow the bytes of overhead used by the packet headers. The payload calculation assumes minimal packet headers---that is, there are no options in the packets. For TCP, the switch assumes there are no TCP timestamps in the packets. Thus, the calculated payload will be the maximum possible bytes of payload. If the packet-overhead is larger than the reported number of bytes, the value is zero.

The various flow-rate quantities are determined by dividing the payload byte count, packet count, or byte count by the duration of the flow, giving the average rate across the flow. Flow records whose duration is zero create a problem when computing a flow-rate.

If a flow record's reported duration is zero, the count is divided by a value which defaults to 400 microseconds and may be specified by the --flowrate-zero-duration switch. The switch accepts a minimum of 1 microsecond. The smallest (non-zero) duration SiLK flow records support is 1 millisecond (1000 microseconds). Prior to SiLK 3.16.0, the flowrate plug-in used a duration of 1 second (1000000 microseconds) when the reported duration was zero except when the rate was used as an aggregate value field in rwstats or rwuniq.

The flowrate plug-in must be explicitly loaded into an application via the --plugin switch. The reason for this is due to name clashes with existing switches and fields. For example, adding the --packets-per-second switch to rwfilter means any short-cutting of the current --packets switch will fail.

OPTIONS

The flowrate plug-in provides the following options to the indicated applications.

Common Switches

The following switch is available whenever the flowrate plug-in has been loaded into a supported application:

--flowrate-zero-duration=MICROSECONDS

When computing a rate and a flow record has a duration of zero, assume the duration is actually MICROSECONDS microseconds. The MICROSECONDS value must be one or greater. If this switch is not specified, a duration of 400 microseconds is used. The smallest non-zero duration SiLK flow records support is 1 millisecond (1000 microseconds). Since SiLK 3.16.0.

rwfilter Switches

When the flowrate plug-in has been loaded, the following set of partitioning switches are added to rwfilter. To pass the filter, the record must pass the test implied by each switch. The form of the argument to each switch is described below. The partitioning switches are:

--payload-bytes=INTEGER_RANGE

Check whether the payload byte count is within INTEGER_RANGE.

--payload-rate=DECIMAL_RANGE

Check whether the average number of payload bytes seen per second in the flow is within DECIMAL_RANGE.

--packets-per-second=DECIMAL_RANGE

Check whether the average number of packets per second in the flow is within DECIMAL_RANGE.

--bytes-per-second=DECIMAL_RANGE

Check whether the average number of bytes per second in the flow is within DECIMAL_RANGE.

An INTEGER_RANGE is a range of two non-negative integers, and a DECIMAL_RANGE is a range of two non-negative decimal values with accuracy up to 0.0001. The ranges are specified as two values separated by a hyphen, MIN-MAX; for example 1-500 or 5.0-10.031. If a single value is given (e.g., 3.14), the range consists of that single value. The upper limit of the range may be omitted, such as 1-, in which case the upper limit is set to the maximum possible value.

rwcut, rwgroup, rwsort, rwstats, and rwuniq Switches

--fields=FIELDS

FIELDS refers to a list of fields to use for the operation. The flowrate plug-in adds the following fields for display, sorting, and grouping using the rwcut(1), rwgroup(1), rwsort(1), rwstats(1), and rwuniq(1) tools:

payload-bytes

Print, sort by, or group by the number of bytes of payload.

payload-rate

Print, sort by, or group by the bytes of payload seen per second.

pckts/sec

Print, sort by, or group by the packets seen per second.

bytes/sec

Print, sort by, or group by the bytes seen per second.

bytes/packet

Print, sort by, or group by the average number of bytes contained in each packet.

--values=AGGREGATES

The flowrate plug-in adds the following aggregate value fields to rwstats and rwuniq. AGGREGATES refers to a list of values to compute for each bin. To compute these values, flowrate maintains separate sums for the numerator and denominator while reading the records, then flowrate computes the ratio when the output is generated.

payload-bytes

Compute the approximate bytes of payload for records in this bin.

payload-rate

Compute the average bytes of payload seen per second for records in this bin.

pckts/sec

Compute the average packets seen per second for records in this bin,

bytes/sec

Compute the average bytes seen per second for records in this bin.

bytes/packet

Compute the average number of bytes contained in each packet for records in this bin.

ENVIRONMENT

SILK_PATH

This environment variable gives the root of the install tree. When searching for plug-ins, a SiLK application may use this environment variable. See the "FILES" section for details.

SILK_PLUGIN_DEBUG

When set to 1, the SiLK applications print status messages to the standard error as they attempt to find and open the flowrate.so plug-in. A typical invocation using this variable is:

 env SILK_PLUGIN_DEBUG=1 rwcut --plugin=flowrate.so --version

FILES

${SILK_PATH}/lib64/silk/flowrate.so

${SILK_PATH}/lib64/flowrate.so

${SILK_PATH}/lib/silk/flowrate.so

${SILK_PATH}/lib/flowrate.so

/usr/lib64/silk/flowrate.so

/usr/lib64/flowrate.so

/usr/lib/silk/flowrate.so

/usr/lib/flowrate.so

Possible locations for the plug-in.

SEE ALSO

rwcut(1), rwfilter(1), rwgroup(1), rwsort(1), rwstats(1), rwuniq(1), silk(7)