rwguess(8)			SiLK Tool Suite			    rwguess(8)

NAME
       rwguess - Determine which SNMP interfaces are active

SYNOPSIS
	 rwguess [{ --top=NUM |	--print-all }] PDU_FILE	[PDU_FILE...]

	 rwguess --help

	 rwguess --version

DESCRIPTION
       rwguess is deprecated as	of SiLK	3.8.3 and it will be removed in	the
       SiLK 4.0	release.  Replace invocations of rwguess with rwpdu2silk(1)
       and either rwstats(1) or	rwuniq(1) as shown in "EXAMPLES".

       rwguess reads NetFlow v5	PDUs from file(s) specified on the command
       line and	counts the number of flow records that are seen	on each	input
       and output SNMP interface.  Once	all input has been processed, rwguess
       sorts the SNMP interfaces by the	number of records each interface saw,
       and prints the two sorted lists,	one for	the input interfaces and one
       for the output interfaces.  By default, only the	top-10 interfaces are
       printed;	the number of rows printed may be changed with the --top
       switch.

       When the	--print-all switch is specified, the results are printed in
       SNMP interface order, with one column for the input record count	and
       another for the output record count, and	one row	for each interface
       that saw	traffic.

       The purpose of rwguess is to help one configure the "sensor" blocks in
       the silk.conf(5)	file used by rwflowpack(8) to categorize flow records
       into classes and	types.

       The PDU files are expected to be	in the form created by NetFlow
       Collector: Each file's size must	be an integer multiple of 1464,	where
       each 1464 byte chunk contains a 24 byte NetFlow v5 header and space for
       thirty 48 byte NetFlow records.	The number of valid records per	chunk
       is specified in the PDU header.
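
       The chunk layout described above can be walked with a short parser.
       This is an added example, not code from SiLK: the function names, the
       tie-break order and the choice to reject a malformed header are
       assumptions, and the sample data is constructed.

```python
import struct
from collections import Counter

CHUNK, HEADER, RECORD, MAX_RECS = 1464, 24, 48, 30   # sizes given in the text


def count_interfaces(data):
    """Return (input_counts, output_counts) keyed by SNMP interface index."""
    if len(data) % CHUNK:
        raise ValueError("size is not an integer multiple of 1464 bytes")
    ins, outs = Counter(), Counter()
    for base in range(0, len(data), CHUNK):
        # NetFlow v5 header starts with a 16-bit version and a 16-bit count.
        version, count = struct.unpack_from("!HH", data, base)
        if version != 5 or count > MAX_RECS:
            # Assumption: fail closed rather than guess at a damaged chunk.
            raise ValueError(f"bad PDU header at offset {base}")
        for i in range(count):          # slots past 'count' are never read
            rec = base + HEADER + i * RECORD
            # Input and output ifIndex are 16-bit fields at record offsets
            # 12 and 14, after the source, destination and next-hop addresses.
            snmp_in, snmp_out = struct.unpack_from("!HH", data, rec + 12)
            ins[snmp_in] += 1
            outs[snmp_out] += 1
    return ins, outs


def top(counter, n=10):
    """Top-N interfaces by record count; ties broken by index (assumption)."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def make_chunk(pairs):
    """Constructed sample: one chunk holding len(pairs) valid records."""
    body = struct.pack("!HH", 5, len(pairs)).ljust(HEADER, b"\0")
    for snmp_in, snmp_out in pairs:
        rec = b"\0" * 12 + struct.pack("!HH", snmp_in, snmp_out)
        body += rec.ljust(RECORD, b"\0")
    # Fill unused record slots with junk to show that only 'count' matters.
    return body.ljust(CHUNK, b"\xff")


# Constructed input: two chunks, four valid records in total.
SAMPLE = make_chunk([(54, 38), (54, 38), (38, 54)]) + make_chunk([(54, 84)])

if __name__ == "__main__":
    ins, outs = count_interfaces(SAMPLE)
    print("input ", top(ins))
    print("output", top(outs))
```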

       To convert a PDU	file to	a stream of SiLK Flow records, use
       rwpdu2silk(1).

OPTIONS
       Option names may	be abbreviated if the abbreviation is unique or	is an
       exact match for an option.  A parameter to an option may	be specified
       as --arg=param or --arg param, though the first form is required	for
       options that take optional parameters.

       --top=NUM
	   Print the top NUM interfaces	for each of input and output.  If not
	   specified, the default is to	print the top 10 interfaces.

       --print-all
	   Print all SNMP interfaces that saw records, sorted by the SNMP
	   interface number.  This switch disables top-N printing.

       --help
	   Print the available options and exit.

       --version
	   Print the version number and	information about how SiLK was
	   configured, then exit the application.

EXAMPLES
       rwguess is deprecated.  This section demonstrates how to	get equivalent
       functionality by	piping the output from rwpdu2silk(1) into either
       rwstats(1) or rwuniq(1).

       In the following	examples, the dollar sign ("$")	represents the shell
       prompt.	The text after the dollar sign represents the command line.
       Lines have been wrapped for improved readability, and the back slash
       ("\") is	used to	indicate a wrapped line.

   Top-N List
       By default, rwguess creates a top-10 list of SNMP interfaces.

	$ rwguess file.pdu
	Top 10 (of 36) SNMP Input Interfaces
	Index|	Input_Recs|
	   54|	      3466|
	   38|	      1374|
	   84|	       770|
	   88|	       746|
	   56|	       737|
	   68|	       513|
	  106|	       508|
	   62|	       373|
	  114|	       323|
	    8|	       321|

	Top 10 (of 37) SNMP Output Interfaces
	Index| Output_Recs|
	   54|	      3507|
	   38|	       885|
	   98|	       699|
	   84|	       673|
	   88|	       671|
	   56|	       605|
	   58|	       538|
	  106|	       501|
	   92|	       460|
	   62|	       380|

       Use rwpdu2silk to convert the file to SiLK flow format, and pipe	the
       result to rwstats.  You must invoke rwstats twice, once for the input
       interface (--fields=in) and once for the output interface (--fields=out).
       The --copy-input	switch allows the second rwstats command to read
       output from rwpdu2silk.

	$ rwpdu2silk file.pdu  \
	  | rwstats --count=10 --fields=in --copy-input=- --output-path=stderr \
	  | rwstats --count=10 --fields=out
	INPUT: 12056 Records for 36 Bins and 12056 Total Records
	OUTPUT:	Top 10 Bins by Records
	   in|	 Records|  %Records|   cumul_%|
	   54|	    3466| 28.750663| 28.750663|
	   38|	    1374| 11.398869| 40.149532|
	   84|	     770|  6.388336| 46.537868|
	   88|	     746|  6.193106| 52.730975|
	   56|	     737|  6.117718| 58.848693|
	   68|	     513|  4.261379| 63.110072|
	  106|	     508|  4.216760| 67.326831|
	   62|	     373|  3.094729| 70.421560|
	  114|	     323|  2.681877| 73.103437|
	    8|	     321|  2.666285| 75.769722|
	INPUT: 12056 Records for 37 Bins and 12056 Total Records
	OUTPUT:	Top 10 Bins by Records
	  out|	 Records|  %Records|   cumul_%|
	   54|	    3507| 29.089205| 29.089205|
	   38|	     885|  7.347980| 36.437185|
	   98|	     699|  5.801735| 42.238920|
	   84|	     673|  5.588923| 47.827843|
	   88|	     671|  5.572502| 53.400345|
	   56|	     605|  5.022807| 58.423152|
	   58|	     538|  4.462497| 62.885649|
	  106|	     501|  4.155802| 67.041451|
	   92|	     460|  3.821822| 70.863273|
	   62|	     380|  3.157428| 74.020701|

   Seeing all interfaces
       The --print-all switch shows all	interfaces.

	$ rwguess --print-all file2.pdu
	Index|	Input_Recs| Output_Recs|
	   10|	     17099|	  17115|
	  172|	      7893|	   7893|
	  192|	     25008|	  24992|

       Use rwuniq to generate similar output, though you must run rwuniq twice
       (as with	rwstats	in the previous	example).

	$ rwpdu2silk file2.pdu	 \
	  | rwuniq --sort --fields=in --copy-input=- --output-path=stderr  \
	  | rwuniq --sort --fields=out
	   in|	 Records|
	   10|	   17099|
	  172|	    7893|
	  192|	   25008|
	  out|	 Records|
	   10|	   17115|
	  172|	    7893|
	  192|	   24992|

SEE ALSO
       rwpdu2silk(1), rwstats(1), rwuniq(1), rwflowpack(8), silk.conf(5),
       silk(7)

SiLK 3.19.1			  2021-02-28			    rwguess(8)
