rwguess(8) SiLK Tool Suite rwguess(8)

rwguess - Determine which SNMP interfaces are active

  rwguess [{ --top=NUM | --print-all }] PDU_FILE [PDU_FILE...]

  rwguess --help

  rwguess --version

rwguess is deprecated as of SiLK 3.8.3 and it will be removed in the SiLK 4.0 release. Replace invocations of rwguess with rwpdu2silk(1) and either rwstats(1) or rwuniq(1) as shown in "EXAMPLES".

rwguess reads NetFlow v5 PDUs from file(s) specified on the command line and counts the number of flow records that are seen on each input and output SNMP interface. Once all input has been processed, rwguess sorts the SNMP interfaces by the number of records each interface saw, and prints the two sorted lists, one for the input interfaces and one for the output interfaces. By default, only the top-10 interfaces are printed; the number of rows printed may be changed with the --top switch.

When the --print-all switch is specified, the results are printed in SNMP interface order, with one column for the input record count and another for the output record count, and one row for each interface that saw traffic.

The purpose of rwguess is to help one configure the "sensor" blocks in the silk.conf(5) file used by rwflowpack(8) to categorize flow records into classes and types.

The PDU files are expected to be in the form created by NetFlow Collector: Each file's size must be an integer multiple of 1464, where each 1464 byte chunk contains a 24 byte NetFlow v5 header and space for thirty 48 byte NetFlow records. The number of valid records per chunk is specified in the PDU header.
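The chunk layout described above can be walked directly. The following is an added example, not part of SiLK or of this manual page: it tallies records per input and output SNMP interface, reading the two 16-bit interface indexes at bytes 12-15 of each NetFlow v5 record. The function names and sample bytes are constructed for illustration, and rejecting a version other than 5 or a record count above 30 is this example's own choice, not documented rwguess behaviour.

```python
import struct
from collections import Counter

CHUNK, HDR, REC, MAX_RECS = 1464, 24, 48, 30  # 24 + 30 * 48 == 1464

def count_interfaces(data):
    """Return (input_counts, output_counts) keyed by SNMP interface index."""
    if len(data) % CHUNK:
        raise ValueError("size %d is not a multiple of %d" % (len(data), CHUNK))
    in_recs, out_recs = Counter(), Counter()
    for base in range(0, len(data), CHUNK):
        # The header starts with the version and the number of valid records.
        version, count = struct.unpack_from("!HH", data, base)
        if version != 5 or count > MAX_RECS:  # assumption: this example rejects these
            raise ValueError("bad header at offset %d" % base)
        # Only the first `count` slots are valid; the rest of the chunk is
        # unused space and must not be counted.
        for i in range(count):
            off = base + HDR + i * REC + 12  # input index, then output index
            snmp_in, snmp_out = struct.unpack_from("!HH", data, off)
            in_recs[snmp_in] += 1
            out_recs[snmp_out] += 1
    return in_recs, out_recs

def top(counts, n=10):
    """Interfaces sorted by record count (descending), ties by index."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def make_chunk(pairs):
    """Constructed sample: one 1464-byte chunk holding the given (in, out) pairs."""
    hdr = struct.pack("!HH", 5, len(pairs)).ljust(HDR, b"\0")
    recs = b"".join(
        (b"\0" * 12 + struct.pack("!HH", i, o)).ljust(REC, b"\0")
        for i, o in pairs)
    return (hdr + recs).ljust(CHUNK, b"\0")

# Constructed input: two chunks with three and one valid records.
SAMPLE = make_chunk([(54, 38), (54, 54), (38, 54)]) + make_chunk([(54, 84)])

if __name__ == "__main__":
    ins, outs = count_interfaces(SAMPLE)
    for title, counts in (("Input_Recs", ins), ("Output_Recs", outs)):
        print(" Index|%12s|" % title)
        for idx, n in top(counts):
            print("%6d|%12d|" % (idx, n))
```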

To convert a PDU file to a stream of SiLK Flow records, use rwpdu2silk(1).

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

--top=NUM
    Print the top NUM interfaces for each of input and output. If not specified, the default is to print the top 10 interfaces.

--print-all
    Print all SNMP interfaces that saw records, sorted by the SNMP interface number. This switch disables top-N printing.

--help
    Print the available options and exit.

--version
    Print the version number and information about how SiLK was configured, then exit the application.

rwguess is deprecated. This section demonstrates how to get equivalent functionality by piping the output from rwpdu2silk(1) into either rwstats(1) or rwuniq(1).

In the following examples, the dollar sign ("$") represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the backslash ("\") is used to indicate a wrapped line.

By default, rwguess creates a top-10 list of SNMP interfaces.

 $ rwguess file.pdu
 Top 10 (of 36) SNMP Input Interfaces
 Index|  Input_Recs|
    54|        3466|
    38|        1374|
    84|         770|
    88|         746|
    56|         737|
    68|         513|
   106|         508|
    62|         373|
   114|         323|
     8|         321|

 Top 10 (of 37) SNMP Output Interfaces
 Index| Output_Recs|
    54|        3507|
    38|         885|
    98|         699|
    84|         673|
    88|         671|
    56|         605|
    58|         538|
   106|         501|
    92|         460|
    62|         380|

Use rwpdu2silk to convert the file to SiLK flow format, and pipe the result to rwstats. You must invoke rwstats twice, once for the input interface (--fields=in) and once for the output interface (--fields=out). The --copy-input switch allows the second rwstats command to read output from rwpdu2silk.

 $ rwpdu2silk file.pdu  \
   | rwstats --count=10 --fields=in --copy-input=- --output-path=stderr \
   | rwstats --count=10 --fields=out
 INPUT: 12056 Records for 36 Bins and 12056 Total Records
 OUTPUT: Top 10 Bins by Records
    in|   Records|  %Records|   cumul_%|
    54|      3466| 28.750663| 28.750663|
    38|      1374| 11.398869| 40.149532|
    84|       770|  6.388336| 46.537868|
    88|       746|  6.193106| 52.730975|
    56|       737|  6.117718| 58.848693|
    68|       513|  4.261379| 63.110072|
   106|       508|  4.216760| 67.326831|
    62|       373|  3.094729| 70.421560|
   114|       323|  2.681877| 73.103437|
     8|       321|  2.666285| 75.769722|
 INPUT: 12056 Records for 37 Bins and 12056 Total Records
 OUTPUT: Top 10 Bins by Records
   out|   Records|  %Records|   cumul_%|
    54|      3507| 29.089205| 29.089205|
    38|       885|  7.347980| 36.437185|
    98|       699|  5.801735| 42.238920|
    84|       673|  5.588923| 47.827843|
    88|       671|  5.572502| 53.400345|
    56|       605|  5.022807| 58.423152|
    58|       538|  4.462497| 62.885649|
   106|       501|  4.155802| 67.041451|
    92|       460|  3.821822| 70.863273|
    62|       380|  3.157428| 74.020701|

The --print-all switch shows all interfaces.

 $ rwguess --print-all file2.pdu
 Index|  Input_Recs| Output_Recs|
    10|       17099|       17115|
   172|        7893|        7893|
   192|       25008|       24992|

Use rwuniq to generate similar output, though you must run rwuniq twice (as with rwstats in the previous example).

 $ rwpdu2silk file2.pdu   \
   | rwuniq --sort --fields=in --copy-input=- --output-path=stderr  \
   | rwuniq --sort --fields=out
    in|   Records|
    10|     17099|
   172|      7893|
   192|     25008|
   out|   Records|
    10|     17115|
   172|      7893|
   192|     24992|

rwpdu2silk(1), rwstats(1), rwuniq(1), rwflowpack(8), silk.conf(5), silk(7)
2022-04-12 SiLK 3.19.1
