rwset man page on DragonFly

rwset(1)			SiLK Tool Suite			      rwset(1)

NAME
       rwset - Generate binary IPset files of unique IP addresses

SYNOPSIS
	 rwset {--sip-file=FILE | --dip-file=FILE
		| --nhip-file=FILE | --any-file=FILE [...]}
	       [--record-version=VERSION] [--invocation-strip]
	       [--note-add=TEXT] [--note-file-add=FILE]
	       [--print-filenames] [--copy-input=PATH]
	       [--compression-method=COMP_METHOD]
	       [--ipv6-policy={ignore,asv4,mix,force,only}]
	       [--site-config-file=FILENAME]
	       {[--xargs] | [--xargs=FILENAME] | [FILE [FILE ...]]}

	 rwset --help

	 rwset --version

DESCRIPTION
       rwset reads SiLK Flow records and generates one to four binary IPset
       file(s).	 In a single pass, rwset can create one of each type of its
       possible outputs, which are IPset files containing:

       ·   the unique source IP addresses

       ·   the unique destination IP addresses

       ·   the unique next-hop IP addresses

       ·   the unique source and destination IP addresses

       The output files must not exist prior to invoking rwset.	 To write an
       IPset file to the standard output, specify "stdout" or "-" as the
       output file name.  rwset will complain if you attempt to write the
       IPset to the standard output and standard output is connected to the
       terminal.  Only one IPset file may be written to the standard output.

       rwset reads SiLK Flow records from the files named on the command line
       or from the standard input when no file names are specified and --xargs
       is not present.	To read the standard input in addition to the named
       files, use "-" or "stdin" as a file name.  If an input file name ends
       in ".gz", the file will be uncompressed as it is read.  When the
       --xargs switch is provided, rwset will read the names of the files to
       process from the named text file, or from the standard input if no file
       name argument is provided to the switch.	 The input to --xargs must
       contain one file name per line.

       IPset files are in a binary format that efficiently stores a set of IP
       addresses.  The file only stores the presence of an IP address; no
       volume information (such as a count of the number of times the IP
       address occurs) is maintained.  To store volume information, use
       rwbag(1).

       Use rwsetcat(1) to see the IP addresses in a binary IPset file.	To
       create a binary IPset file from a list of IP addresses, use
       rwsetbuild(1).  rwsettool(1) allows you to perform set operations on
       binary IPset files.  To determine if an IP address is a member of a
       binary IPset, use rwsetmember(1).

       To list the IPs that appear in the SiLK Flow file flows.rw, the command

	$ rwset --sip-file=stdout flows.rw | rwsetcat

       will be faster than rwuniq(1), but rwset cannot report total volume or
       do the thresholding that rwuniq supports.

OPTIONS
       Option names may be abbreviated if the abbreviation is unique or is an
       exact match for an option.  A parameter to an option may be specified
       as --arg=param or --arg param, though the first form is required for
       options that take optional parameters.

       At least one of the following output switches is required; multiple
       output switches can be given, but an output switch cannot be repeated.

       --sip-file=FILE
	   Store the unique source IP addresses in the binary IPset file FILE.
	   rwset will write the IPset file to the standard output when FILE is
	   "stdout" or "-" and the standard output is not a terminal.

       --dip-file=FILE
	   Store the unique destination IP addresses in the binary IPset file
	   FILE.  rwset will write the IPset file to the standard output when
	   FILE is "stdout" or "-" and the standard output is not a terminal.

       --nhip-file=FILE
	   Store the unique next-hop IP addresses in the binary IPset file
	   FILE.  rwset will write the IPset file to the standard output when
	   FILE is "stdout" and the standard output is not a terminal.

       --any-file=FILE
	   Store the unique source and destination IP addresses in the binary
	   IPset file FILE.  rwset will write the IPset file to the standard
	   output when FILE is "stdout" or "-" and the standard output is not
	   a terminal.

       Only one of the above switches may use "stdout" as the name of the file.

       rwset supports these additional switches:

       --record-version=VERSION
	   Specify the format of the IPset records that are written to the
	   output.  Valid values are 0, 2, 3, and 4.  When the switch is not
	   provided, the SILK_IPSET_RECORD_VERSION environment variable is
	   checked for a version.  A VERSION of 2 creates a file compatible
	   with SiLK 2.x, and it can only be used for IPsets containing IPv4
	   addresses.  A VERSION of 3 creates a file that can only be read by
	   SiLK 3.0 or later.  A VERSION of 4 creates a file that can only be
	   read by SiLK 3.7 or later.  Version 4 files are smaller than
	   version 3 files.  The default VERSION is 0, which uses version 2
	   for IPv4 IPsets and version 3 for IPv6 IPsets.

       --invocation-strip
	   Do not record any command line history; that is, do not copy the
	   invocation history from the input files to the output file, and do
	   not record the current command line invocation in the output.

       --note-add=TEXT
	   Add the specified TEXT to the header of every output file as an
	   annotation.	This switch may be repeated to add multiple
	   annotations to a file.  To view the annotations, use the
	   rwfileinfo(1) tool.

       --note-file-add=FILENAME
	   Open FILENAME and add the contents of that file to the header of
	   every output file as an annotation.	This switch may be repeated to
	   add multiple annotations.  Currently the application makes no
	   effort to ensure that FILENAME contains text; be careful that you
	   do not attempt to add a SiLK data file as an annotation.

       --print-filenames
	   Print to the standard error the names of input files as they are
	   opened.

       --copy-input=PATH
	   Copy all binary input to the specified file or named pipe.  PATH
	   can be "stdout" to print flows to the standard output as long as no
	   IPset files are being written there.

       --ipv6-policy=POLICY
	   Determine how IPv4 and IPv6 flows are handled when SiLK has been
	   compiled with IPv6 support.	When the switch is not provided, the
	   SILK_IPV6_POLICY environment variable is checked for a policy.  If
	   it is also unset or contains an invalid policy, the POLICY is mix.
	   When SiLK has not been compiled with IPv6 support, IPv6 flows are
	   always ignored, regardless of the value passed to this switch or in
	   the SILK_IPV6_POLICY variable.  The supported values for POLICY
	   are:

	   ignore
	       Ignore any flow record marked as IPv6, regardless of the IP
	       addresses it contains.  Only IP addresses contained in IPv4
	       flow records will be added to the IPset(s).

	   asv4
	       Convert IPv6 flow records that contain addresses in the
	       ::ffff:0:0/96 prefix to IPv4 and ignore all other IPv6 flow
	       records.

	   mix Process the input as a mixture of IPv4 and IPv6 flow records.
	       When the input contains IPv6 addresses outside of the
	       ::ffff:0:0/96 prefix, this policy is equivalent to force;
	       otherwise it is equivalent to asv4.

	   force
	       Convert IPv4 flow records to IPv6, mapping the IPv4 addresses
	       into the ::ffff:0:0/96 prefix.

	   only
	       Process only flow records that are marked as IPv6.  Only IP
	       addresses contained in IPv6 flow records will be added to the
	       IPset(s).

	   Regardless of the IPv6 policy, when all IPv6 addresses in the IPset
	   are in the ::ffff:0:0/96 prefix, rwset treats them as IPv4
	   addresses and writes an IPv4 IPset.	When any other IPv6 addresses
	   are present in the IPset, the IPv4 addresses in the IPset are
	   mapped into the ::ffff:0:0/96 prefix and rwset writes an IPv6
	   IPset.

       --compression-method=COMP_METHOD
	   Specify how to compress the output.	When this switch is not given,
	   output to the standard output or to named pipes is not compressed,
	   and output to files is compressed using the default chosen when
	   SiLK was compiled.  The valid values for COMP_METHOD are determined
	   by which external libraries were found when SiLK was compiled.  To
	   see the available compression methods and the default method, use
	   the --help or --version switch.  SiLK can support the following
	   COMP_METHOD values when the required libraries are available.

	   none
	       Do not compress the output using an external library.

	   zlib
	       Use the zlib(3) library for compressing the output, and always
	       compress the output regardless of the destination.  Using zlib
	       produces the smallest output files at the cost of speed.

	   lzo1x
	       Use the lzo1x algorithm from the LZO real time compression
	       library for compression, and always compress the output
	       regardless of the destination.  This compression provides good
	       compression with less memory and CPU overhead.

	   best
	       Use lzo1x if available, otherwise use zlib.  Only compress the
	       output when writing to a file.

       --site-config-file=FILENAME
	   Read the SiLK site configuration from the named file FILENAME.
	   When this switch is not provided, rwset searches for the site
	   configuration file in the locations specified in the "FILES"
	   section.

       --xargs
       --xargs=FILENAME
	   Causes rwset to read file names from FILENAME or from the standard
	   input if FILENAME is not provided.  The input should have one file
	   name per line.  rwset will open each file in turn and read records
	   from it, as if the files had been listed on the command line.

       --help
	   Print the available options and exit.

       --version
	   Print the version number and information about how SiLK was
	   configured, then exit the application.
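
       The --ipv6-policy rules above, including the closing rule that decides
       whether an IPv4 or an IPv6 IPset is written, modelled as an added
       example (not part of the SiLK distribution or of this manual page).
       Assumptions: each record is reduced to its source address, an address
       that parses as IPv6 stands for a flow record marked IPv6, and the names
       v6, sip_ipset and SAMPLE are hypothetical.

```python
import ipaddress

POLICIES = ("ignore", "asv4", "mix", "force", "only")

def v6(text):
    """Parse an address; IPv4 is mapped into ::ffff:0:0/96, as `force` does."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(addr))
    return addr

def sip_ipset(records, policy="mix"):
    """Model of `rwset --sip-file` under --ipv6-policy (illustrative only).

    records: source-address strings, one per flow record (assumption: an
    IPv6-looking string is a record marked IPv6).
    Returns (family, members) where family is "IPv4" or "IPv6".
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    members = set()
    for text in records:
        marked_v6 = ipaddress.ip_address(text).version == 6
        addr = v6(text)                        # work in IPv6 space internally
        mapped = addr.ipv4_mapped is not None  # inside ::ffff:0:0/96 ?
        if policy == "ignore" and marked_v6:
            continue                           # drop every IPv6-marked record
        if policy == "only" and not marked_v6:
            continue                           # drop every IPv4 record
        if policy == "asv4" and marked_v6 and not mapped:
            continue                           # keep only convertible IPv6
        members.add(addr)
    # Closing rule, applied regardless of policy: if every member lies in
    # ::ffff:0:0/96 the set is written as IPv4, otherwise as IPv6 with the
    # IPv4 members left mapped.
    if all(a.ipv4_mapped is not None for a in members):
        return "IPv4", {a.ipv4_mapped for a in members}
    return "IPv6", members

# Constructed sample input: documentation-range addresses, one duplicate.
SAMPLE = ["192.0.2.7", "::ffff:198.51.100.9", "2001:db8::1", "192.0.2.7"]

if __name__ == "__main__":
    for p in POLICIES:
        family, members = sip_ipset(SAMPLE, p)
        print(f"{p:6} {family} {sorted(map(str, members))}")
```

       Note that force on purely IPv4 input, and only on input whose IPv6
       records are all IPv4-mapped, both end up as IPv4 IPsets in this model
       because of the closing rule.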

EXAMPLES
       In the following examples, the dollar sign ("$") represents the shell
       prompt.  The text after the dollar sign represents the command line.
       Lines have been wrapped for improved readability, and the backslash
       ("\") is used to indicate a wrapped line.

       rwset is intended to work tightly with rwfilter(1).  For example,
       consider generating two IPsets: the first file, low_packet_tcp.set,
       contains the source IP addresses for incoming flow records (that is,
       the external hosts) where the record has no more than three packets in
       its sessions.  The second IPset file, high_packet_tcp.set, contains the
       external IPs for records with four or more packets.

       The first set, for TCP traffic on 03/01/2003, can be generated with:

	$ rwfilter --start-date=2003/03/01:00 --end-date=2003/03/01:23	   \
	       --proto=6 --packets=1-3 --pass=stdout			   \
	  | rwset --sip-file=low_packet_tcp.set

       The second set with:

	$ rwfilter --start-date=2003/03/01:00 --end-date=2003/03/01:23	  \
	       --proto=6 --packets=4- --pass=stdout			  \
	  | rwset --sip-file=high_packet_tcp.set

ENVIRONMENT
       SILK_IPSET_RECORD_VERSION
	   This environment variable is used as the value for the
	   --record-version when that switch is not provided.

       SILK_CLOBBER
	   The SiLK tools normally refuse to overwrite existing files.
	   Setting SILK_CLOBBER to a non-empty value removes this restriction.

       SILK_CONFIG_FILE
	   This environment variable is used as the value for the
	   --site-config-file when that switch is not provided.

       SILK_DATA_ROOTDIR
	   This environment variable specifies the root directory of the data
	   repository.  As described in the "FILES" section, rwset may use
	   this environment variable when searching for the SiLK site
	   configuration file.

       SILK_PATH
	   This environment variable gives the root of the install tree.  When
	   searching for configuration files, rwset may use this environment
	   variable.  See the "FILES" section for details.

FILES
       ${SILK_CONFIG_FILE}
       ${SILK_DATA_ROOTDIR}/silk.conf
       /data/silk.conf
       ${SILK_PATH}/share/silk/silk.conf
       ${SILK_PATH}/share/silk.conf
       /usr/local/share/silk/silk.conf
       /usr/local/share/silk.conf
	   Possible locations for the SiLK site configuration file which are
	   checked when the --site-config-file switch is not provided.

SEE ALSO
       rwsetbuild(1), rwsetcat(1), rwsettool(1), rwsetmember(1), rwfilter(1),
       rwfileinfo(1), rwbag(1), rwuniq(1), silk(7), zlib(3)

NOTES
       The --record-version switch was added in SiLK 3.0.  Prior to SiLK 3.6,
       the only supported arguments for the switch were 2 and 3, with the
       default being 3.	 As of SiLK 3.6, the default is 0.  Version 4 was
       added in SiLK 3.7.

SiLK 3.11.0.1			  2016-02-19			      rwset(1)