NAME

rwguess - Determine which SNMP interfaces are active

SYNOPSIS

rwguess [{ --top=NUM | --print-all }] PDU_FILE [PDU_FILE...]

rwguess --help

rwguess --version

DESCRIPTION

rwguess is deprecated as of SiLK 3.8.3 and it will be removed in the SiLK 4.0 release. Replace invocations of rwguess with rwpdu2silk(1) and either rwstats(1) or rwuniq(1) as shown in "EXAMPLES".

rwguess reads NetFlow v5 PDUs from file(s) specified on the command line and counts the number of flow records that are seen on each input and output SNMP interface. Once all input has been processed, rwguess sorts the SNMP interfaces by the number of records each interface saw, and prints the two sorted lists, one for the input interfaces and one for the output interfaces. By default, only the top-10 interfaces are printed; the number of rows printed may be changed with the --top switch.

When the --print-all switch is specified, the results are printed in SNMP interface order, with one column for the input record count and another for the output record count, and one row for each interface that saw traffic.

The purpose of rwguess is to help one configure the sensor blocks in the silk.conf(5) file used by rwflowpack(8) to categorize flow records into classes and types.

The PDU files are expected to be in the form created by NetFlow Collector: Each file's size must be an integer multiple of 1464, where each 1464 byte chunk contains a 24 byte NetFlow v5 header and space for thirty 48 byte NetFlow records. The number of valid records per chunk is specified in the PDU header.

To convert a PDU file to a stream of SiLK Flow records, use rwpdu2silk(1).
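
The chunk layout described above can be walked directly. The following is an added example, not part of SiLK or of the original page: it counts records per input and output SNMP interface, honoring the header's record count so that unused slots are ignored. It assumes the standard NetFlow v5 layout (version and count are the first two 16-bit header fields; the input and output interface indexes sit at byte offset 12 of each record). The helper make_chunk and the sample data are constructed for illustration.

```python
import struct
from collections import Counter

CHUNK, HDR, REC, MAX_RECS = 1464, 24, 48, 30

def count_interfaces(data: bytes):
    """Return (input_counts, output_counts) keyed by SNMP interface index."""
    if len(data) % CHUNK:
        raise ValueError("size is not an integer multiple of 1464 bytes")
    in_recs, out_recs = Counter(), Counter()
    for base in range(0, len(data), CHUNK):
        # First two header fields: version and record count, network byte order.
        version, count = struct.unpack_from("!HH", data, base)
        if version != 5 or count > MAX_RECS:
            raise ValueError(f"bad PDU header at offset {base}")
        for i in range(count):  # slots past `count` are unused space
            # The interface indexes follow the three 4-byte addresses
            # (srcaddr, dstaddr, nexthop), hence offset 12 in the record.
            off = base + HDR + i * REC + 12
            snmp_in, snmp_out = struct.unpack_from("!HH", data, off)
            in_recs[snmp_in] += 1
            out_recs[snmp_out] += 1
    return in_recs, out_recs

def make_chunk(pairs):
    """Build one constructed 1464-byte chunk from (input, output) pairs."""
    hdr = struct.pack("!HH20x", 5, len(pairs))
    body = b"".join(struct.pack("!12xHH32x", i, o) for i, o in pairs)
    # Fill unused record slots with 0xff to imitate stale buffer contents.
    return (hdr + body).ljust(CHUNK, b"\xff")

if __name__ == "__main__":
    # Constructed sample: two chunks holding three records and one record.
    sample = make_chunk([(54, 38), (54, 54), (38, 54)]) + make_chunk([(8, 54)])
    ins, outs = count_interfaces(sample)
    for title, table in (("Input_Recs", ins), ("Output_Recs", outs)):
        print(f"Index|{title:>12}|")
        for idx, n in sorted(table.items(), key=lambda kv: (-kv[1], kv[0])):
            print(f"{idx:>5}|{n:>12}|")
```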

OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--top=NUM

Print the top NUM interfaces for each of input and output. If not specified, the default is to print the top 10 interfaces.

--print-all

Print all SNMP interfaces that saw records, sorted by the SNMP interface number. This switch disables top-N printing.

--help

Print the available options and exit.

--version

Print the version number and information about how SiLK was configured, then exit the application.

EXAMPLES

rwguess is deprecated. This section demonstrates how to get equivalent functionality by piping the output from rwpdu2silk(1) into either rwstats(1) or rwuniq(1).

In the following examples, the dollar sign ($) represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the backslash (\) is used to indicate a wrapped line.

Top-N List

By default, rwguess creates a top-10 list of SNMP interfaces.

$ rwguess file.pdu
Top 10 (of 36) SNMP Input Interfaces
Index|  Input_Recs|
   54|        3466|
   38|        1374|
   84|         770|
   88|         746|
   56|         737|
   68|         513|
  106|         508|
   62|         373|
  114|         323|
    8|         321|

Top 10 (of 37) SNMP Output Interfaces
Index| Output_Recs|
   54|        3507|
   38|         885|
   98|         699|
   84|         673|
   88|         671|
   56|         605|
   58|         538|
  106|         501|
   92|         460|
   62|         380|

Use rwpdu2silk to convert the file to SiLK flow format, and pipe the result to rwstats. You must invoke rwstats twice, once for the input interface (--fields=in) and once for the output interface (--fields=out). The --copy-input switch allows the second rwstats command to read output from rwpdu2silk.

$ rwpdu2silk file.pdu  \
  | rwstats --count=10 --fields=in --copy-input=- --output-path=stderr \
  | rwstats --count=10 --fields=out
INPUT: 12056 Records for 36 Bins and 12056 Total Records
OUTPUT: Top 10 Bins by Records
   in|   Records|  %Records|   cumul_%|
   54|      3466| 28.750663| 28.750663|
   38|      1374| 11.398869| 40.149532|
   84|       770|  6.388336| 46.537868|
   88|       746|  6.193106| 52.730975|
   56|       737|  6.117718| 58.848693|
   68|       513|  4.261379| 63.110072|
  106|       508|  4.216760| 67.326831|
   62|       373|  3.094729| 70.421560|
  114|       323|  2.681877| 73.103437|
    8|       321|  2.666285| 75.769722|
INPUT: 12056 Records for 37 Bins and 12056 Total Records
OUTPUT: Top 10 Bins by Records
  out|   Records|  %Records|   cumul_%|
   54|      3507| 29.089205| 29.089205|
   38|       885|  7.347980| 36.437185|
   98|       699|  5.801735| 42.238920|
   84|       673|  5.588923| 47.827843|
   88|       671|  5.572502| 53.400345|
   56|       605|  5.022807| 58.423152|
   58|       538|  4.462497| 62.885649|
  106|       501|  4.155802| 67.041451|
   92|       460|  3.821822| 70.863273|
   62|       380|  3.157428| 74.020701|

Seeing all interfaces

The --print-all switch shows all interfaces.

$ rwguess --print-all file2.pdu
Index|  Input_Recs| Output_Recs|
   10|       17099|       17115|
  172|        7893|        7893|
  192|       25008|       24992|

Use rwuniq to generate similar output, though you must run rwuniq twice (as with rwstats in the previous example).

$ rwpdu2silk file2.pdu   \
  | rwuniq --sort --fields=in --copy-input=- --output-path=stderr  \
  | rwuniq --sort --fields=out
   in|   Records|
   10|     17099|
  172|      7893|
  192|     25008|
  out|   Records|
   10|     17115|
  172|      7893|
  192|     24992|

SEE ALSO

rwpdu2silk(1), rwstats(1), rwuniq(1), rwflowpack(8), silk.conf(5), silk(7)