
FreeBSD Manual Pages


rwrandomizeip(1)		SiLK Tool Suite		      rwrandomizeip(1)

NAME
       rwrandomizeip - Randomize the IP addresses in a SiLK Flow file

SYNOPSIS
         rwrandomizeip [--seed=NUMBER] [--only-change-set=CHANGE_IPSET]
	       [--consistent] [--save-table=FILE] [--load-table=FILE]
	       [--site-config-file=FILENAME] INPUT_FILE	OUTPUT_FILE

	 rwrandomizeip --help

	 rwrandomizeip --version

DESCRIPTION
       Substitute a pseudo-random IP address for the source and destination IP
       addresses of INPUT_FILE and write the result to OUTPUT_FILE.  You may
       use "stdin" for INPUT_FILE to have rwrandomizeip read from the
       standard input; the OUTPUT_FILE value of "stdout" will cause
       rwrandomizeip to write to the standard output unless it is connected to
       a terminal.  rwrandomizeip knows how to read and write compressed
       (gzipped) files.

       To only change a	subset of the IP addresses, the	optional switches
       --only-change-set or --dont-change-set can be used; each	switch takes
       an IPset	file as	its required argument.	When the
       --only-change-set=CHANGE_IPSET switch is	given, rwrandomizeip only
       modifies	the IP addresses listed	in the CHANGE_IPSET file.  To change
       all addresses except a specified	set, use rwsetbuild(1) to create an
       IPset file containing those IPs and pass	the name of the	file to	the
       --dont-change-set switch.  An address listed in both the	only-change-
       set and the dont-change-set will	not be modified.

       The --seed switch can be	used to	initialize the pseudo-random number
       generator to a known state.

       When the	--consistent, --load-table, and	--save-table switches are not
       provided, rwrandomizeip uses a pseudo-random, non-routable IP address
       for each	source and destination IP address it sees; an IP address that
       appears multiple times in the input will be mapped to a different output
       address each time, and no structural information in the input will be

       The --consistent, --load-table, or --save-table switches	enable
       consistent IP mapping, so that an input IP is consistently mapped to
       the same	output IP.  In addition, the structural	information of the
       input IPs is maintained.	 Unfortunately,	this comes at a	cost of	less
       randomness in the output.

OPTIONS
       Option names may be abbreviated if the abbreviation is unique or is an
       exact match for an option.  A parameter to an option may	be specified
       as --arg=param or --arg param, though the first form is required	for
       options that take optional parameters.

       --seed=NUMBER
           Use NUMBER to seed the pseudo-random number generator.  This can be
	   used	to put the random number generator into	a known	state, which
	   is useful for testing.

       --only-change-set=CHANGE_IPSET
           Only modify the source or destination IP address if it appears in
	   the given IPset file	CHANGE_IPSET.  The rwsetbuild command can be
	   used	to create an IPset file.  When the
	   --dont-change-set=KEEP_IPSET	switch is also given, the IPs it
	   contains will override those	in the CHANGE_IPSET file.

       --dont-change-set=KEEP_IPSET
           Do not modify the source or destination IP address if the address
	   appears in the given	IPset file KEEP_IPSET.	The rwsetbuild command
	   can be used to create an IPset file.	 The interaction of this
	   switch with the --only-change-set switch is described immediately

       --consistent
           Randomize the IP addresses consistently, so that an input IP
	   address is always mapped to the same	value.	The default behavior
	   is to use a random IP address for each IP, even if the IP has been
	   seen	before.

       --save-table=FILE
           Randomize the IP addresses consistently and save this run's
           randomization table for future use.  The table is written to the
           specified FILE, which must not exist.  This switch is
           incompatible with the --load-table switch.

       --load-table=FILE
           Randomize the IP addresses consistently using the randomization
	   table contained in FILE that	was created by a previous invocation
	   of rwrandomizeip.  This switch is incompatible with the
	   --save-table	switch.

       --site-config-file=FILENAME
           Read the SiLK site configuration from the named file FILENAME.
	   When	this switch is not provided, the location specified by the
	   SILK_CONFIG_FILE environment	variable is used if that variable is
	   not empty.  The value of SILK_CONFIG_FILE should include the	name
	   of the file.	 Otherwise, the	application looks for a	file named
	   silk.conf in	the following directories: the directory specified in
	   the SILK_DATA_ROOTDIR environment variable; the data	root directory
	   that	is compiled into SiLK (/data); the directories
	   $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/
	   and share/ directories parallel to the application's	directory.

       --help
           Print the available options and exit.

       --version
           Print the version number and information about how SiLK was
	   configured, then exit the application.

ENVIRONMENT
       SILK_CONFIG_FILE
           This environment variable is used as the value for the
	   --site-config-file when that	switch is not provided.

       SILK_DATA_ROOTDIR
           When the --site-config-file switch is not provided and the
	   SILK_CONFIG_FILE environment	variable is not	set, rwrandomizeip
	   looks for the site configuration file in

       SILK_CLOBBER
           The SiLK tools normally refuse to overwrite existing files.
	   Setting SILK_CLOBBER	to a non-empty value removes this restriction.

       SILK_PATH
           This environment variable gives the root of the install tree.  As
	   part	of its search for the SiLK site	configuration file,
	   rwrandomizeip checks	for a file named silk.conf in the directories
	   $SILK_PATH/share/silk and $SILK_PATH/share.

SEE ALSO
       rwsetbuild(1), silk(7)

BUGS
       rwrandomizeip does not support IPv6 flow records.  When an input file
       contains	IPv6 records, rwrandomizeip converts records that contain
       addresses in the	::ffff:0:0/96 prefix to	IPv4 and processes them.
       rwrandomizeip silently ignores IPv6 records containing addresses
       outside of that prefix.

       Only the	source and destination IP fields are modified; additional
       fields in the SiLK Flow records may leak	sensitive information.

       The --consistent	switch uses a method of	randomization that is fairly
       easy to decipher.  Specifically,	4 tables are created with each having
       256 entries containing the values 0-255 that have been randomly
       shuffled.  Each table is	used to	map the	values for a specific octet in
       an IP address.  For example, when modifying the IP address,
       the value at position 10	from each table	will be	substituted into the
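
       The per-octet table scheme described above, modelled in Python as an
       added example (it is not SiLK's code).  It shows that addresses which
       share a subnet or a single octet before randomization still share it
       afterward.  The function names, the stand-in random number generator,
       and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
import random

def build_tables(seed):
    """Four shuffled tables of the values 0-255, one per octet position."""
    rng = random.Random(seed)  # assumption: stand-in PRNG, not SiLK's own
    tables = []
    for _ in range(4):
        table = list(range(256))
        rng.shuffle(table)
        tables.append(table)
    return tables

def randomize(ip, tables):
    """Substitute each octet with the entry at that index in its table."""
    octets = ipaddress.IPv4Address(ip).packed
    mapped = bytes(tables[pos][val] for pos, val in enumerate(octets))
    return str(ipaddress.IPv4Address(mapped))

def shared_positions(a, b):
    """Octet positions (0-3) where two addresses hold the same value."""
    pa = ipaddress.IPv4Address(a).packed
    pb = ipaddress.IPv4Address(b).packed
    return [i for i in range(4) if pa[i] == pb[i]]

# Constructed sample addresses (documentation ranges), not real flow data.
SAMPLE = ["192.0.2.10", "192.0.2.77", "198.51.100.10", "203.0.113.10"]

def structure_report(addresses, tables):
    """Compare octet-level relationships before and after randomization."""
    out = [randomize(a, tables) for a in addresses]
    report = []
    for i in range(len(addresses)):
        for j in range(i + 1, len(addresses)):
            before = shared_positions(addresses[i], addresses[j])
            after = shared_positions(out[i], out[j])
            report.append((addresses[i], addresses[j], before, after))
    return report

if __name__ == "__main__":
    tables = build_tables(seed=1)
    for a, b, before, after in structure_report(SAMPLE, tables):
        print(f"{a:>14} vs {b:<14} shared before={before} after={after}")
```

       Every pair reports the same shared positions before and after, so
       subnet membership and repeated host octets remain visible in the
       randomized file.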

       When the	same IPset is passed to	the --only-change-set and
       --dont-change-set switches, the output is identical to the input.

SiLK 3.15.0			  2017-07-02		      rwrandomizeip(1)

