rwpmatch(1) SiLK Tool Suite rwpmatch(1)

rwpmatch - Filter a tcpdump file using a SiLK Flow file

  rwpmatch --flow-file=FLOW_FILE [--msec-compare] [--ports-compare]
        TCPDUMP_INPUT > TCPDUMP_OUTPUT

  rwpmatch --help

  rwpmatch --version

rwpmatch reads each packet from the pcap(3) (tcpdump(1)) capture file TCPDUMP_INPUT and writes the packet to the standard output if the specified FLOW_FILE contains a matching SiLK Flow record. It is the inverse of rwptoflow(1): rwptoflow turns packets into single-packet flow records, and rwpmatch uses a (typically filtered) set of those records to recover the packets they were made from.

rwpmatch will read the pcap capture data from its standard input if TCPDUMP_INPUT is specified as "stdin". The application will fail when attempting to read or write binary data from or to a terminal.

The SiLK Flow records in FLOW_FILE should appear in time sorted order.

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
--flow-file=FLOW_FILE
FLOW_FILE refers to a file, named pipe, or the string "stdin". The flow file determines which packet records should be output to the new packet file. This switch is required.
--msec-compare
Compare times down to the millisecond rather than the default granularity of whole seconds.
--ports-compare
For TCP and UDP data, compare the source and destination ports when matching.
--help
Print the available options and exit.
--version
Print the version number and information about how SiLK was configured, then exit the application.

In the following examples, the dollar sign ("$") represents the shell prompt. The text after the dollar sign represents the command line.

Given the pcap capture file data.pcap, use rwptoflow(1) to convert it to a SiLK flow file:

 $ rwptoflow data.pcap --packet-pass=good.pcap --flow-out=data.rw

With rwfilter(1), select the SiLK Flow records whose source IPs are found in the IPset file sip.set:

 $ rwfilter --sipset=sip.set --pass=filtered.rw  data.rw

Match the original pcap file against the filtered SiLK file, in effect generating a pcap file which has been filtered by sip.set:

 $ rwpmatch --flow-file=filtered.rw good.pcap > filtered.pcap

For best results, the tcpdump input to rwpmatch should be the output of the --packet-pass-output switch of rwptoflow (abbreviated to --packet-pass in the example above). This ensures that rwpmatch only sees packets that rwptoflow was able to convert into flow records.

The flow file input to rwpmatch should contain single-packet flows originally derived from a tcpdump file using rwptoflow. If a flow record has no corresponding packet in the tcpdump input, rwpmatch exits with an error.

Both the tcpdump and the SiLK file inputs must be time-ordered.

rwpmatch is I/O-intensive, since it reads the entire tcpdump capture file and the entire SiLK Flow file. It may be worthwhile to structure an analysis so that rwpmatch is not used until payload filtering is actually necessary. Saving the output from rwpmatch as a partial-results file, and matching against that in the future rather than against the original tcpdump file, can also provide significant performance gains.

SiLK supports millisecond timestamps. When reading packets whose timestamps have finer precision, the times are truncated at the millisecond position.
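The matching rules described in this page (time-ordered inputs, second or millisecond comparison, optional port comparison, truncation of sub-millisecond timestamps, and an error when a flow record has no packet) are easiest to see on a small model. The following Python is an added illustration written for this page; it is not SiLK source code, does not read pcap or SiLK files, and the packet and flow values it contains are constructed. The Packet and Flow classes, the rwpmatch() function and its exceptions are assumed names for the illustration only.

```python
"""Model of the matching rules rwpmatch applies when it selects packets from a
pcap using single-packet SiLK Flow records.  Added illustration for this page:
not SiLK code; it reads no pcap or SiLK files and uses constructed data."""
from dataclasses import dataclass
from typing import Iterable, List

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    ts_us: int      # capture time in microseconds (pcap precision)
    sip: str
    dip: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Flow:
    stime_ms: int   # SiLK start time, millisecond precision
    sip: str
    dip: str
    proto: int
    sport: int
    dport: int


class UnmatchedFlow(Exception):
    """A flow record has no corresponding packet; rwpmatch reports an error."""


def packet_ms(p: Packet) -> int:
    # SiLK keeps milliseconds; finer pcap precision is truncated, not rounded
    return p.ts_us // 1000


def tuple_matches(p: Packet, f: Flow, ports_compare: bool) -> bool:
    if (p.sip, p.dip, p.proto) != (f.sip, f.dip, f.proto):
        return False
    if ports_compare and p.proto in (TCP, UDP):   # --ports-compare
        return (p.sport, p.dport) == (f.sport, f.dport)
    return True


def assert_time_ordered(times: Iterable[int], what: str) -> None:
    prev = None
    for t in times:
        if prev is not None and t < prev:
            raise ValueError(f"{what} input is not time-ordered")
        prev = t


def rwpmatch(packets: List[Packet], flows: List[Flow],
             msec_compare: bool = False, ports_compare: bool = False) -> List[Packet]:
    """Return the packets that have a matching flow record (merge-join style)."""
    assert_time_ordered((packet_ms(p) for p in packets), "pcap")
    assert_time_ordered((f.stime_ms for f in flows), "flow")
    # comparison granularity: whole seconds by default, milliseconds with --msec-compare
    key = (lambda ms: ms) if msec_compare else (lambda ms: ms // 1000)
    i = 0            # earliest packet that can still match
    used = set()     # single-packet flows: each packet is emitted at most once
    out = []
    for f in flows:
        ftime = key(f.stime_ms)
        while i < len(packets) and key(packet_ms(packets[i])) < ftime:
            i += 1   # both inputs are sorted, so older packets can never match later flows
        j, hit = i, None
        while j < len(packets) and key(packet_ms(packets[j])) == ftime:
            if j not in used and tuple_matches(packets[j], f, ports_compare):
                hit = j
                break
            j += 1
        if hit is None:
            raise UnmatchedFlow(f)
        used.add(hit)
        out.append(packets[hit])
    return out


# Constructed sample: two TCP packets from the same hosts, 50 ms apart within the
# same second and differing only in source port, plus one unrelated UDP packet.
PKT_A = Packet(1_000_250_400, "10.0.0.5", "192.0.2.10", TCP, 40001, 443)
PKT_B = Packet(1_000_300_900, "10.0.0.5", "192.0.2.10", TCP, 40002, 443)
PKT_C = Packet(1_001_000_000, "10.0.0.7", "192.0.2.53", UDP, 5353, 53)
PACKETS = [PKT_A, PKT_B, PKT_C]

# Constructed flow file: only the record rwptoflow made from PKT_B survived filtering.
FLOW_B = Flow(1_000_300, "10.0.0.5", "192.0.2.10", TCP, 40002, 443)
FLOWS = [FLOW_B]


def demo() -> dict:
    return {
        "default": rwpmatch(PACKETS, FLOWS),
        "msec": rwpmatch(PACKETS, FLOWS, msec_compare=True),
        "ports": rwpmatch(PACKETS, FLOWS, ports_compare=True),
    }


if __name__ == "__main__":
    for mode, pkts in demo().items():
        print(mode, [p.sport for p in pkts])
```

With the default second-granularity comparison and no port check, the flow for PKT_B matches PKT_A, the earlier packet in the same second with the same addresses and protocol; either --msec-compare or --ports-compare selects the intended packet. The model also raises an error for a flow with no packet and for inputs that are not time-ordered, mirroring the requirements stated above.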

rwptoflow(1), rwfilter(1), silk(7), tcpdump(1), pcap(3)
2022-04-12 SiLK 3.19.1
