rwp2yaf2silk(1)                  SiLK Tool Suite                 rwp2yaf2silk(1)

NAME
rwp2yaf2silk - Convert PCAP data to SiLK Flow Records with YAF
SYNOPSIS
rwp2yaf2silk --in=INPUT_SPEC --out=FILE [--dry-run]
[--yaf-program=YAF] [--yaf-args='ARG1 ARG2']
[--rwipfix2silk-program=RWIPFIX2SILK] [--rwipfix2silk-args='ARG1 ARG2']
rwp2yaf2silk --help
rwp2yaf2silk --man
rwp2yaf2silk --version
DESCRIPTION
rwp2yaf2silk is a script to convert a pcap(3) file, such as that
produced by tcpdump(1), to a single file of SiLK Flow records. The
script assumes that the yaf(1) and rwipfix2silk(1) commands are
available on your system.
The --in and --out switches are required. Note that the --in switch is
processed by yaf, and the --out switch is processed by rwipfix2silk.
For information on reading live pcap data and using rwflowpack(8) to
store that data in hourly files, see the SiLK Installation Handbook.
Normally yaf groups multiple packets into flow records. You can come
close to forcing yaf to create one flow record per packet, so that its
output resembles that of rwptoflow(1): when yaf is given the
--idle-timeout=0 switch (via --yaf-args), it creates a flow record for
every complete packet and for each packet that it is able to reassemble
completely from fragments. Fragmented packets that yaf cannot
reassemble are dropped and therefore never appear in the output.
OPTIONS
Option names may be abbreviated if the abbreviation is unique or is an
exact match for an option. A parameter to an option may be specified
as --arg=param or --arg param, though the first form is required for
options that take optional parameters.
--in=INPUT_SPEC
Read the pcap records from INPUT_SPEC. Often INPUT_SPEC is the
name of the pcap file to read, or the string "-" or "stdin" to read
from standard input. To process multiple pcap files, create a text
file that lists the names of the pcap files, one per line. Specify
the text file as INPUT_SPEC and use "--yaf-args=--caplist" to tell
yaf that INPUT_SPEC contains the names of pcap files rather than
pcap data.
--out=FILE
Write the SiLK Flow records to FILE. The string "stdout" or "-"
may be used for the standard output, as long as it is not connected
to a terminal.
--dry-run
Do not invoke any commands, just print the commands that would be
invoked.
--yaf-program=YAF
Use YAF as the location of the yaf program. When not specified,
rwp2yaf2silk assumes there is a program yaf on your $PATH.
--yaf-args=ARGS
Pass the additional ARGS to the yaf program.
--rwipfix2silk-program=RWIPFIX2SILK
Use RWIPFIX2SILK as the location of the rwipfix2silk program. When
not specified, rwp2yaf2silk assumes there is a program rwipfix2silk
on your $PATH.
--rwipfix2silk-args=ARGS
Pass the additional ARGS to the rwipfix2silk program.
--help
Display a brief usage message and exit.
--man
Display full documentation for rwp2yaf2silk and exit.
--version
Print the version number and exit the application.
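EXAMPLES
The script below is an added illustration and is not part of SiLK or of
rwp2yaf2silk itself. It builds the two-stage pipeline described above
(yaf reading the pcap input and writing IPFIX to its standard output,
rwipfix2silk packing that into a single SiLK Flow file), prints it the
way --dry-run would, and runs it only after checking that both tools are
on $PATH and that binary output is not headed for a terminal. It assumes
yaf accepts --in, --out=- (standard output), --caplist and --idle-timeout,
and that rwipfix2silk accepts --silk-output, as documented in those
tools' own man pages; the function names are the example's own.

```shell
# pcap2silk.sh: illustration of the yaf | rwipfix2silk pipeline that
# rwp2yaf2silk drives. Not part of SiLK. Assumes yaf understands --in,
# --out=- (stdout), --caplist and --idle-timeout, and that rwipfix2silk
# understands --silk-output, per those tools' own man pages.

# pcap2silk_yaf_flags MODE GRANULARITY
#   MODE         single     INPUT_SPEC is one pcap file (or "-"/"stdin")
#                caplist    INPUT_SPEC is a text file listing pcap files
#   GRANULARITY  flows      normal flow aggregation
#                perpacket  one record per (reassembled) packet, like
#                           rwptoflow; unreassembled fragments are dropped
# Prints the extra yaf switches, space separated (possibly empty).
pcap2silk_yaf_flags() {
    flags=""
    if [ "$1" = caplist ]; then flags="$flags --caplist"; fi
    if [ "$2" = perpacket ]; then flags="$flags --idle-timeout=0"; fi
    printf '%s\n' "${flags# }"
}

# pcap2silk_cmd INPUT_SPEC OUTFILE [MODE] [GRANULARITY]
# Prints the pipeline that would run, the way --dry-run does; runs nothing.
pcap2silk_cmd() {
    flags=$(pcap2silk_yaf_flags "${3:-single}" "${4:-flows}")
    printf 'yaf --in=%s --out=-%s | rwipfix2silk --silk-output=%s\n' \
        "$1" "${flags:+ $flags}" "$2"
}

# pcap2silk_run INPUT_SPEC OUTFILE [MODE] [GRANULARITY]
# Executes the pipeline after two checks: both tools must be on $PATH,
# and binary SiLK output must not be written to a terminal.
pcap2silk_run() {
    in="$1"; out="$2"
    for tool in yaf rwipfix2silk; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "pcap2silk: $tool not found on \$PATH" >&2
            return 127
        fi
    done
    case "$out" in
        -|stdout)
            if [ -t 1 ]; then
                echo "pcap2silk: refusing to write SiLK records to a terminal" >&2
                return 2
            fi ;;
    esac
    flags=$(pcap2silk_yaf_flags "${3:-single}" "${4:-flows}")
    echo "+ $(pcap2silk_cmd "$@")" >&2
    # $flags is deliberately unquoted: it holds zero or more switches that
    # contain no whitespace, so word splitting is the intended behaviour.
    yaf --in="$in" --out=- $flags | rwipfix2silk --silk-output="$out"
}
```

Typical use is "pcap2silk_run capture.pcap flows.rw" for a single file,
or "pcap2silk_run pcaps.txt flows.rw caplist perpacket" to process every
file named in pcaps.txt with one record per reassembled packet. The
dry-run form, pcap2silk_cmd with the same arguments, is what to paste
into a ticket when a conversion misbehaves, since it shows exactly which
switches reached yaf and which reached rwipfix2silk.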
SEE ALSO
yaf(1), rwipfix2silk(1), rwflowpack(8), rwptoflow(1), silk(7),
tcpdump(1), pcap(3), SiLK Installation Handbook
SiLK 3.11.0.1 2016-02-19 rwp2yaf2silk(1)