NAME

rwaggbagcat - Output a binary Aggregate Bag file as text

SYNOPSIS

  rwaggbagcat [--fields=FIELDS
        [--missing-field=FIELD=STRING [--missing-field=FIELD=STRING...]]]
        [--timestamp-format=FORMAT] [--ip-format=FORMAT]
        [--integer-sensors] [--integer-tcp-flags]
        [--no-titles] [--no-columns] [--column-separator=C]
        [--no-final-delimiter] [{--delimited | --delimited=C}]
        [--output-path=PATH] [--pager=PAGER_PROG]
        [--site-config-file=FILENAME]
        [AGGBAGFILE [AGGBAGFILE...]]
  rwaggbagcat --help
  rwaggbagcat --help-fields
  rwaggbagcat --version

DESCRIPTION

rwaggbagcat reads a binary Aggregate Bag as created by rwaggbag(1) or rwaggbagbuild(1), converts it to text, and outputs it to the standard output, the pager, or the specified file.

As of SiLK 3.22.0, rwaggbagcat accepts a --fields switch to control the order in which the fields are printed.

rwaggbagcat reads the AGGBAGFILEs specified on the command line; if no AGGBAGFILE arguments are given, rwaggbagcat attempts to read an Aggregate Bag from the standard input. To read the standard input in addition to the named files, use "-" or "stdin" as an AGGBAGFILE name. If any input does not contain an Aggregate Bag file, rwaggbagcat prints an error to the standard error and exits abnormally.

When multiple AGGBAGFILEs are specified on the command line, each is handled individually. To process the files as a single Aggregate Bag, use rwaggbagtool(1) to combine the Aggregate Bags and pipe the output of rwaggbagtool into rwaggbagcat. Using --fields in this situation allows for a consistent output across the multiple files and causes the titles to appear only once. No value is printed if --fields names a key or counter that is not present in one of the files.

OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--fields=FIELDS: Print only the key and/or counter fields given in this comma separated list. Fields are printed in the order given in FIELDS, and keys and counters may appear in any order or not at all. Specifying --fields only changes the order in which the columns are printed, it does not re-order the entries (rows) in the Aggregate Bag file. If FIELDS includes fields not present in an input Aggregate Bag file, prints the string specified for that field by --missing-field or an empty value. The title line is printed only one time even if multiple Aggregate Bag files are read.
The names of the fields that may appear in FIELDS are:

sIPv4: source IP address, IPv4 only
dIPv4: destination IP address, IPv4 only
nhIPv4: next hop IP address, IPv4 only
any-IPv4: a generic IPv4 address
sIPv6: source IP address, IPv6 only
dIPv6: destination IP address, IPv6 only
nhIPv6: next hop IP address, IPv6 only
any-IPv6: a generic IPv6 address
sPort: source port
dPort: destination port
any-port: a generic port
protocol: IP protocol
packets: packet count
bytes: byte count
flags: bit-wise OR of TCP flags over all packets
initialFlags: TCP flags on the first packet
sessionFlags: bit-wise OR of TCP flags on the second through final packet
sTime: starting time in seconds
eTime: ending time in seconds
any-time: a generic time in seconds
duration: duration of flow
sensor: sensor name or ID at the collection point
class: class at collection point
type: type at collection point
input: router SNMP ingress interface or vlanId
output: router SNMP egress interface or postVlanId
any-snmp: a generic SNMP value
attribute: flow attributes set by the flow generator
application: guess as to the content of the flow
icmpType: ICMP type
icmpCode: ICMP code
scc: the country code of the source
dcc: the country code of the destination
any-cc: a generic country code
custom-key: a generic key
records: counter: count of records that match the key
sum-packets: counter: sum of packet counts
sum-bytes: counter: sum of byte counts
sum-duration: counter: sum of duration values
custom-counter: counter: a generic counter

Since SiLK 3.22.0.

--missing-field=FIELD=STRING: When --fields is active, print STRING as the value for FIELD when FIELD is not present in the input Aggregate Bag file. The default value is the empty string. The switch may be repeated to set the missing value string for multiple fields. rwaggbagcat exits with an error if FIELD is not present in --fields or if this switch is specified but --fields is not. STRING may be any string. Since SiLK 3.22.0.
--timestamp-format=FORMAT: Specify the format, timezone, and/or modifier to use when printing timestamps. When this switch is not specified, the SILK_TIMESTAMP_FORMAT environment variable is checked for a format, timezone, and modifier. If it is empty or contains invalid values, timestamps are printed in the default format, and the timezone is UTC unless SiLK was compiled with local timezone support. FORMAT is a comma-separated list of a format, a timezone, and/or a modifier. The format is one of:

default: Print the timestamps as YYYY/MM/DDThh:mm:ss.sss.
iso: Print the timestamps as YYYY-MM-DD hh:mm:ss.sss.
m/d/y: Print the timestamps as MM/DD/YYYY hh:mm:ss.sss.
epoch: Print the timestamps as the number of seconds since 00:00:00 UTC on 1970-01-01.

When a timezone is specified, it is used regardless of the default timezone support compiled into SiLK. The timezone is one of:

utc: Use Coordinated Universal Time to print timestamps.
local: Use the TZ environment variable or the local timezone.

--ip-format=FORMAT: Specify how IP addresses are printed, where FORMAT is a comma-separated list of the arguments described below. When this switch is not specified, the SILK_IP_FORMAT environment variable is checked for a value and that format is used if it is valid. The default FORMAT is "canonical".

canonical: Print IP addresses in the canonical format. If the column is IPv4, use dot-separated decimal (192.0.2.1). If the column is IPv6, use colon-separated hexadecimal ("2001:db8::1") or a mixed IPv4-IPv6 representation for IPv4-mapped IPv6 addresses (the ::ffff:0:0/96 netblock, e.g., "::ffff:192.0.2.1") and IPv4-compatible IPv6 addresses (the ::/96 netblock other than ::/127, e.g., "::192.0.2.1").
no-mixed: Print IP addresses in the canonical format (192.0.2.1 or "2001:db8::1") but do not used the mixed IPv4-IPv6 representations. For example, use "::ffff:c000:201" instead of "::ffff:192.0.2.1". Since SiLK 3.17.0.
decimal: Print IP addresses as integers in decimal format. For example, print 192.0.2.1 and "2001:db8::1" as 3221225985 and 42540766411282592856903984951653826561, respectively.
hexadecimal: Print IP addresses as integers in hexadecimal format. For example, print 192.0.2.1 and "2001:db8::1" as "c00000201" and "20010db8000000000000000000000001", respectively.
zero-padded: Make all IP address strings contain the same number of characters by padding numbers with leading zeros. For example, print 192.0.2.1 and "2001:db8::1" as 192.000.002.001 and "2001:0db8:0000:0000:0000:0000:0000:0001", respectively. For IPv6 addresses, this setting implies "no-mixed", so that "::ffff:192.0.2.1" is printed as "0000:0000:0000:0000:0000:ffff:c000:0201". As of SiLK 3.17.0, may be combined with any of the above, including "decimal" and "hexadecimal".

The following arguments modify certain IP addresses prior to printing. These arguments may be combined with the above formats.

map-v4: Change an IPv4 column to IPv4-mapped IPv6 addresses (addresses in the ::ffff:0:0/96 netblock) prior to formatting. Since SiLK 3.17.0.
unmap-v6: For an IPv6 column, change any IPv4-mapped IPv6 addresses (addresses in the ::ffff:0:0/96 netblock) to IPv4 addresses prior to formatting. Since SiLK 3.17.0.

The following argument is also available:

force-ipv6: Set FORMAT to "map-v4","no-mixed".

--integer-sensors: Print the integer ID of the sensor rather than its name.
--integer-tcp-flags: Print the TCP flag fields (flags, initialFlags, sessionFlags) as an integer value. Typically, the characters "F,S,R,P,A,U,E,C" are used to represent the TCP flags.
--no-titles: Turn off column titles. By default, titles are printed.
--no-columns: Disable fixed-width columnar output.
--column-separator=C: Use specified character between columns and after the final column. When this switch is not specified, the default of '|' is used.
--no-final-delimiter: Do not print the column separator after the final column. Normally a delimiter is printed.
--delimited
--delimited=C: Run as if --no-columns --no-final-delimiter --column-sep=C had been specified. That is, disable fixed-width columnar output; if character C is provided, it is used as the delimiter between columns instead of the default '|'.
--output-path=PATH: Write the textual output to PATH, where PATH is a filename, a named pipe, the keyword "stderr" to write the output to the standard error, or the keyword "stdout" or "-" to write the output to the standard output (and bypass the paging program). If PATH names an existing file, rwaggbagcat exits with an error unless the SILK_CLOBBER environment variable is set, in which case PATH is overwritten. If this option is not given, the output is either sent to the pager or written to the standard output.
--pager=PAGER_PROG: When output is to a terminal, invoke the program PAGER_PROG to view the output one screen full at a time. This switch overrides the SILK_PAGER environment variable, which in turn overrides the PAGER variable. If the --output-path switch is given or if the value of the pager is determined to be the empty string, no paging is performed and all output is written to the terminal.
--site-config-file=FILENAME: Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, rwaggbagcat searches for the site configuration file in the locations specified in the "FILES" section.
--help: Print the available options and exit.
--help-fields: Print the names and descriptions of the keys and counters that may be used in the --fields and --missing-field switches and exit. Since SiLK 3.22.0.
--version: Print the version number and information about how SiLK was configured, then exit the application.

EXAMPLES

In the following examples, the dollar sign ("$") represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the back slash ("\") is used to indicate a wrapped line.

The formatting switches on rwaggbagcat are similar to those on the other SiLK tools.

Creating and printing an Aggregate Bag file

First, use rwaggbag(1) to create an Aggregate Bag file from the SiLK Flow file data.rw:

 $ rwaggbag --key=sport,dport --counter=sum-pack,sum-byte \
        --output-path=ab.aggbag data.rw

To print the contents of the Aggregate Bag file:

 $ rwaggbagcat ab.aggbag | head -4
 sPort|dPort|    sum-packets|           sum-bytes|
     0|    0|          73452|             6169968|
     0|  769|          15052|              842912|
     0|  771|          14176|              793856|

Reordering the columns

Use the --fields switch (added in SiLK 3.22.0) to control the order of the columns in the output or to select only some columns:

 $ rwaggbagcat --fields=dPort,sPort,sum-bytes ab.aggbag | head -4
 dPort|sPort|           sum-bytes|
     0|    0|             6169968|
   769|    0|              842912|
   771|    0|              793856|

The --fields switch only changes the positions of the columns. The "sPort" field is still the primary key in the output shown above.

The --fields switch may also include fields that are not in the input. By default, rwaggbagcat prints an empty value for those fields, but the --missing-field switch may be used to display any string instead. The argument to --missing-field is FIELD=STRING where FIELD is one of the fields in --fields.

 $ rwaggbagcat --fields=sipv4,proto,dport,sum-bytes \
        --missing=sipv4=n/a ab.aggbag | head -4
          sIPv4|pro|dPort|           sum-bytes|
            n/a|   |    0|             6169968|
            n/a|   |  769|              842912|
            n/a|   |  771|              793856|

Using --fields with IP addresses

When creating an Aggregate Bag file with the source IP address and protocol as keys, rwaggbagcat prints the columns in a different order depending on whether the address is treated as IPv4 or IPv6.

When the key is the source IPv4 address and the protocol, the Aggregate Bag is built with the source address as the primary key:

 $ rwaggbag --key=sipv4,proto --counter=records data.rw         \
   | rwaggbagcat
          sIPv4|pro|   records|
    10.4.52.235|  6|         1|
   10.5.231.251|  6|         1|
    10.9.77.117|  6|         1|

Reading the same file but treating the data as IPv6 results in the protocol being the primary key:

 $ rwaggbag --key=sipv6,proto --counter=records data.rw         \
   | rwaggbagcat
 pro|                                  sIPv6|   records|
   1|                   ::ffff:10.40.151.242|         1|
   1|                   ::ffff:10.44.140.138|         1|
   1|                    ::ffff:10.53.204.62|         1|

In the latter case, the --fields may be used to display the source IPv6 address first, but the switch only changes the positions of the columns, it does not reorder the entries (rows):

 $ rwaggbag --key=sipv6,proto --counter=records data.rw         \
   | rwaggbagcat --fields=sipv6,proto,records
                                  sIPv6|pro|   records|
                   ::ffff:10.40.151.242|  1|         1|
                   ::ffff:10.44.140.138|  1|         1|
                    ::ffff:10.53.204.62|  1|         1|

Removing the columns or the title from the output

To produce comma separated data:

 rwaggbagcat --delimited=, /tmp/ab.aggbag | head -4
 sPort,dPort,sum-packets,sum-bytes
 0,0,73452,6169968
 0,769,15052,842912
 0,771,14176,793856

To remove the title:

 $ rwaggbagcat --no-title ab.aggbag | head -4
     0|    0|          73452|             6169968|
     0|  769|          15052|              842912|
     0|  771|          14176|              793856|
     0| 2048|          14356|             1205904|

Customizing the IP and timestamp format

To change the format of IP addresses:

 $ rwaggbag --key=sipv4,dipv4 --counter=sum-pack,sum-byte data.rw   \
   | rwaggbagcat --ip-format=decimal | head -4
      sIPv4|     dIPv4|    sum-packets|           sum-bytes|
  168047851|3232295339|            255|               18260|
  168159227|3232293505|            331|              536169|
  168381813|3232282689|            563|               55386|

To change the format of timestamps:

 $ rwaggbag --key=stime,etime --counter=sum-pack,sum-byte data.rw   \
   | rwaggbagcat --timestamp-format=epoch | head -4
      sTime|     eTime|    sum-packets|           sum-bytes|
 1234396802|1234396802|              2|                 259|
 1234396802|1234398594|            526|               38736|
 1234396803|1234396803|              9|                 504|

ENVIRONMENT

SILK_IP_FORMAT: This environment variable is used as the value for --ip-format when that switch is not provided.
SILK_TIMESTAMP_FORMAT: This environment variable is used as the value for --timestamp-format when that switch is not provided.
SILK_CLOBBER: The SiLK tools normally refuse to overwrite existing files. Setting SILK_CLOBBER to a non-empty value removes this restriction.
SILK_PAGER: When set to a non-empty string, rwaggbagcat automatically invokes this program to display its output a screen at a time. If set to an empty string, rwaggbagcat does not automatically page its output.
PAGER: When set and SILK_PAGER is not set, rwaggbagcat automatically invokes this program to display its output a screen at a time.
SILK_CONFIG_FILE: This environment variable is used as the value for the --site-config-file when that switch is not provided.
SILK_DATA_ROOTDIR: This environment variable specifies the root directory of data repository. As described in the "FILES" section, rwaggbagcat may use this environment variable when searching for the SiLK site configuration file.
SILK_PATH: This environment variable gives the root of the install tree. When searching for configuration files and plug-ins, rwaggbagcat may use this environment variable. See the "FILES" section for details.
TZ: When the argument to the --timestamp-format switch includes "local" or when a SiLK installation is built to use the local timezone, the value of the TZ environment variable determines the timezone in which rwaggbagcat displays timestamps. (If both of those are false, the TZ environment variable is ignored.) If the TZ environment variable is not set, the machine's default timezone is used. Setting TZ to the empty string or 0 causes timestamps to be displayed in UTC. For system information on the TZ variable, see tzset(3) or environ(7). (To determine if SiLK was built with support for the local timezone, check the "Timezone support" value in the output of rwaggbagcat --version.)

FILES

${SILK_CONFIG_FILE}
${SILK_DATA_ROOTDIR}/silk.conf
/data/silk.conf
${SILK_PATH}/share/silk/silk.conf
${SILK_PATH}/share/silk.conf
/usr/local/share/silk/silk.conf
/usr/local/share/silk.conf: Possible locations for the SiLK site configuration file which are checked when the --site-config-file switch is not provided.

NOTES

The --fields, --missing-field, and --help-fields switches were added in SiLK 3.22.0.

rwaggbagcat and the other Aggregate Bag tools were introduced in SiLK 3.15.0.