OPTIONS

The following arguments are available:

-A interval

specifies the accounting interval. Every interval seconds an accounting request will be made to server and the results will be emitted to stdout. When specifying this mode, you also need to specify -d at the command line.

-a anomaly [parameters]

specifies RAD anomaly detection module and its parameters. There must be at least one -a in RAD mode.

-C count

stop radtunnel or (with -k specified) close the current output and reopen a new output after count payloads have been processed.

-d

enable debugging reports or increase them after the first -d.

-E ciphers

specifies a list ciphers for apikey connections.

-h

display options summary.

-I

enables insecure mode for apikey authentication. When enabled, client connections will not be performed via TLS.

-k cmd

enables kicker mode and makes -C , -T or -Z continuous. In this mode output file names are suffixed with a timestamp and radtunnel runs continuously, rotating output files as payload counts or the output file size exceeds a threshold or time intervals expire. cmd specifies the command to run on output files after rotation. If cmd is set to the empty string '', then no command is executed and only file rotation is performed.

This option must be combined with either -C , -T or -Z. Only nmsg file-based outputs are supported.

-m sampling-rate

specifies the sampling rate. Sets the percentage (between 0.1 and 100.0) that the RAD server will send.

-n config-file

specify location for AXA client configuration file.

-O

enable a spinning bar output indicator on stdout.

-p

append output to specified file (only valid for nmsg file-based outputs).

-o out-addr

specifies the destination of the SIE data. It can be forwarded as nmsg messages to a UDP or TCP port or as raw IP packets to a file, FIFO, or network interface.

nmsg:[tcp:|udp:]host,port

sends nmsg messages to the UDP or optional TCP host name and port number host,port. UDP is the default. IP packets are converted to NMSG messages.

nmsg:file:path

sends binary nmsg messages to the file named path. IP packets are converted to nmsg messages.

nmsg:file_json:path

sends nmsg newline-delimited json blobs to the file named path. Note that newline-delimited json outputs can incur a slight performance penalty versus binary nmsg outputs for "high-velocity" outputs. This is because the underlying nmsg json output object is unbuffered and results a filesystem write for every forwarded nmsg.

pcap[-fifo]:path

sends IP packets to a file or FIFO named path for examination with tcpdump(1) or another packet tracing tool. An ordinary file is the default. Only IP packets but not nmsg messages are sent.

pcap-if:[dst/]ifname

transmits IP packets on the network interface named ifname for examination with tcpdump(1) or another packet tracing tool. dst optionally specifies a destination 48-bit Ethernet address other than all 0:0:0:0:0:0 default. This output usually requires that radtunnel be run by root. Only IP packets but not nmsg messages are sent.

-P pidfile

will result in the current PID being written to pidfile. The file will be deleted upon program exit.

-r rate-limit

tells the server to send at most rate-limit SIE messages and raw IP packets per second.

-s server

specifies the server that is the source of the SIE data. The server can be specified with any of the following:

Sm off alias Sm on

Connect to a server using an alias shortcut mnemonic (see FILES section for more information).

Sm off apikey: <users_apikey>@ host,port Sm on

Identify and authenticate the user via a Farsight Security provided apikey. The connection will be encrypted using the TLS protocol.

Sm off tcp: user@ host,port Sm on

The connection will be made with the host name or IP address and port number using clear text over TCP/IP.

Sm off unix: user@ /ud/socket Sm on

This connection uses a UNIX domain socket connected to a local server.

-T secs

stop radtunnel or (with -k specified) close the current output and reopen a new output on a time interval modulo the secs parameter. For example, -t 3600 means an hour after started or reopened.

-t

enable tracing reports on the server or increase them after the first -t.

-V

displays the version of radtunnel and its preferred version of the AXA protocol.

-w watch

There must be at least one -w with a RAD watch to specify the interesting SIE messages or dark channel IP packets. The optional [(shared)] suffix marks IP addresses or domains that are not exclusively used by the RAD client.

 

ip=IP[/n]

The IPv4 or IPv6 address IP specifies a host address unless a prefix length is specified.

 

dns=[*.]dom

watches for the domain anywhere in the IP packets or SIE messages on the enabled channels. A wild card watches for occurrences of the domain and all sub-domains.

In addition, (shared) can be appended to IP and file ... dns watches to indicate addresses or domains that are not used exclusively.

-z

enable nmsg zlib container compression.

-Z size

stop radtunnel or (with -k specified) close the current output and reopen a new output after the output file meets or exceeds size. This mode may only be used with file-based outputs. Additionally, because nmsg-based file outputs are by default buffered, it is recommended when writing to one that this option be used in unbuffered mode ( -u ).