rwrandomizeip man page on DragonFly

rwrandomizeip(1)		SiLK Tool Suite		      rwrandomizeip(1)

NAME
       rwrandomizeip - Randomize the IP addresses in a SiLK Flow file

SYNOPSIS
	 rwrandomizeip [--seed=NUMBER] [--only-change-set=CHANGE_IPSET]
	       [--dont-change-set=KEEP_IPSET]
	       [--consistent] [--save-table=FILE] [--load-table=FILE]
	       [--site-config-file=FILENAME] INPUT_FILE OUTPUT_FILE

	 rwrandomizeip --help

	 rwrandomizeip --version

DESCRIPTION
       Substitute a pseudo-random IP address for the source and destination IP
       addresses of INPUT_FILE and write the result to OUTPUT_FILE.  You may
       use "stdin" for INPUT_FILE to have rwrandomizeip read from the
       standard input; the OUTPUT_FILE value of "stdout" will cause
       rwrandomizeip to write to the standard output unless it is connected to
       a terminal.  rwrandomizeip knows how to read and write compressed
       (gzipped) files.

       To only change a subset of the IP addresses, the optional switches
       --only-change-set or --dont-change-set can be used; each switch takes
       an IPset file as its required argument.	When the
       --only-change-set=CHANGE_IPSET switch is given, rwrandomizeip only
       modifies the IP addresses listed in the CHANGE_IPSET file.  To change
       all addresses except a specified set, use rwsetbuild(1) to create an
       IPset file containing those IPs and pass the name of the file to the
       --dont-change-set switch.  An address listed in both the only-change-
       set and the dont-change-set will not be modified.

       The --seed switch can be used to initialize the pseudo-random number
       generator to a known state.

       When the --consistent, --load-table, and --save-table switches are not
       provided, rwrandomizeip uses a pseudo-random, non-routable IP address
       for each source and destination IP address it sees; an IP address that
       appears multiple times in the input will be mapped to a different
       output address each time, and no structural information in the input
       will be maintained.

       The --consistent, --load-table, or --save-table switches enable
       consistent IP mapping, so that an input IP is consistently mapped to
       the same output IP.  In addition, the structural information of the
       input IPs is maintained.	 Unfortunately, this comes at a cost of less
       randomness in the output.

OPTIONS
       Option names may be abbreviated if the abbreviation is unique or is an
       exact match for an option.  A parameter to an option may be specified
       as --arg=param or --arg param, though the first form is required for
       options that take optional parameters.

       --seed=NUMBER
	   Use NUMBER to seed the pseudo-random number generator.  This can be
	   used to put the random number generator into a known state, which
	   is useful for testing.

       --only-change-set=CHANGE_IPSET
	   Only modify the source or destination IP address if it appears in
	   the given IPset file CHANGE_IPSET.  The rwsetbuild command can be
	   used to create an IPset file.  When the
	   --dont-change-set=KEEP_IPSET switch is also given, the IPs it
	   contains will override those in the CHANGE_IPSET file.

       --dont-change-set=KEEP_IPSET
	   Do not modify the source or destination IP address if the address
	   appears in the given IPset file KEEP_IPSET.	The rwsetbuild command
	   can be used to create an IPset file.	 The interaction of this
	   switch with the --only-change-set switch is described immediately
	   above.

       --consistent
	   Randomize the IP addresses consistently, so that an input IP
	   address is always mapped to the same value.	The default behavior
	   is to use a random IP address for each IP, even if the IP has been
	   seen before.

       --save-table=FILE
	   Randomize the IP addresses consistently and save this run's
	   randomization table for future use.	The table is written to the
	   specified FILE, which must not exist.  This switch is
	   incompatible with the --load-table switch.

       --load-table=FILE
	   Randomize the IP addresses consistently using the randomization
	   table contained in FILE that was created by a previous invocation
	   of rwrandomizeip.  This switch is incompatible with the
	   --save-table switch.

       --site-config-file=FILENAME
	   Read the SiLK site configuration from the named file FILENAME.
	   When this switch is not provided, the location specified by the
	   SILK_CONFIG_FILE environment variable is used if that variable is
	   not empty.  The value of SILK_CONFIG_FILE should include the name
	   of the file.	 Otherwise, the application looks for a file named
	   silk.conf in the following directories: the directory specified in
	   the SILK_DATA_ROOTDIR environment variable; the data root directory
	   that is compiled into SiLK (/data); the directories
	   $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/
	   and share/ directories parallel to the application's directory.

       --help
	   Print the available options and exit.

       --version
	   Print the version number and information about how SiLK was
	   configured, then exit the application.

ENVIRONMENT
       SILK_CONFIG_FILE
	   This environment variable is used as the value for the
	   --site-config-file when that switch is not provided.

       SILK_DATA_ROOTDIR
	   When the --site-config-file switch is not provided and the
	   SILK_CONFIG_FILE environment variable is not set, rwrandomizeip
	   looks for the site configuration file in
	   $SILK_DATA_ROOTDIR/silk.conf.

       SILK_CLOBBER
	   The SiLK tools normally refuse to overwrite existing files.
	   Setting SILK_CLOBBER to a non-empty value removes this restriction.

       SILK_PATH
	   This environment variable gives the root of the install tree.  As
	   part of its search for the SiLK site configuration file,
	   rwrandomizeip checks for a file named silk.conf in the directories
	   $SILK_PATH/share/silk and $SILK_PATH/share.

SEE ALSO
       rwsetbuild(1), silk(7)

BUGS
       rwrandomizeip does not support IPv6 flow records.  When an input file
       contains IPv6 records, rwrandomizeip converts records that contain
       addresses in the ::ffff:0:0/96 prefix to IPv4 and processes them.
       rwrandomizeip silently ignores IPv6 records containing addresses
       outside of that prefix.

       Only the source and destination IP fields are modified; additional
       fields in the SiLK Flow records may leak sensitive information.

       The --consistent switch uses a method of randomization that is fairly
       easy to decipher.  Specifically, 4 tables are created with each having
       256 entries containing the values 0-255 that have been randomly
       shuffled.  Each table is used to map the values for a specific octet in
       an IP address.  For example, when modifying the IP address 10.10.10.10,
       the value at position 10 from each table will be substituted into the
       IP.
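
       The table scheme described above, modeled as an added example (not
       SiLK's code) so a data owner can judge what --consistent output
       discloses before sharing it.  Python's random module stands in for
       SiLK's generator; the function names and sample addresses are
       constructed for illustration.

```python
import random

def build_tables(seed):
    """Four independently shuffled lists of 0..255, one per octet position."""
    rng = random.Random(seed)  # assumption: stand-in PRNG, not SiLK's generator
    tables = []
    for _ in range(4):
        table = list(range(256))
        rng.shuffle(table)
        tables.append(table)
    return tables

def octets(ip):
    return [int(part) for part in ip.split(".")]

def map_ip(tables, ip):
    """Substitute each octet with the entry at that position in its table."""
    return ".".join(str(tables[pos][val]) for pos, val in enumerate(octets(ip)))

def revealed_entries(known_ips):
    """(position, value) table entries fixed once these originals can be
    paired with their randomized forms, e.g. well-known public servers."""
    return {(pos, val) for ip in known_ips for pos, val in enumerate(octets(ip))}

def fully_determined(ip, revealed):
    """True when every octet of ip is already covered by revealed entries,
    so its randomized form follows without that address ever being paired."""
    return all((pos, val) in revealed for pos, val in enumerate(octets(ip)))

if __name__ == "__main__":
    tables = build_tables(seed=1)
    # Constructed sample addresses from the documentation ranges.
    a, b = map_ip(tables, "192.0.2.10"), map_ip(tables, "192.0.2.200")
    print("same /24 in, same /24 out:", a, b)
    revealed = revealed_entries(["192.0.2.10", "198.51.100.53"])
    for ip in ("192.51.2.53", "198.0.100.10", "192.0.2.11"):
        print(ip, "determined by two known pairs:", fully_determined(ip, revealed))
```

       Each octet is mapped independently of the other three, so every
       address whose original value becomes known fixes up to four table
       entries that apply to all other addresses in the file.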

       When the same IPset is passed to the --only-change-set and
       --dont-change-set switches, the output is identical to the input.

SiLK 3.11.0.1			  2016-02-19		      rwrandomizeip(1)