rwsilk2ipfix(1) SiLK Tool Suite rwsilk2ipfix(1)NAMErwsilk2ipfix - Convert SiLK Flow records to IPFIX records
SYNOPSISrwsilk2ipfix [--ipfix-output=FILE] [--print-statistics]
[--site-config-file=FILENAME]
{[--xargs] | [--xargs=FILENAME] | [FILE [FILE ...]]}
rwsilk2ipfix--help
rwsilk2ipfix--version
DESCRIPTIONrwsilk2ipfix reads SiLK Flow records, converts the records to an IPFIX
(Internet Protocol Flow Information eXport) format, and writes the
IPFIX records to the path specified by --ipfix-output or to the
standard output when stdout is not the terminal and --ipfix-output is
not provided.
rwsilk2ipfix reads SiLK Flow records from the files named on the
command line or from the standard input when no file names are
specified and --xargs is not present. To read the standard input in
addition to the named files, use "-" or "stdin" as a file name. If an
input file name ends in ".gz", the file will be uncompressed as it is
read. When the --xargs switch is provided, rwsilk2ipfix will read the
names of the files to process from the named text file, or from the
standard input if no file name argument is provided to the switch. The
input to --xargs must contain one file name per line.
The IPFIX records generated by rwsilk2ipfix will contain six
information elements that are in the Private Enterprise space for CERT
(the IPFIX Private Enterprise Number of CERT is 6871). These six
information elements fall into two groups:
· Elements 30 and 31 contain the packing information that was
determined by rwflowpack(8), specifically the flowtype and the
sensor. These values correspond to numbers specified in the
silk.conf(5) file.
· Elements 14, 15, 32, and 33 contain information elements generated
by the yaf(1) flow meter (<http://tools.netsa.cert.org/yaf/>). The
information elements will be present even if yaf was not used to
generate the flow records, but their value will be empty or 0.
For each of the six information elements that rwsilk2ipfix will
produce, the following table lists its numeric ID, its length in
octets, its name, the field name it corresponds to on rwcut(1), and a
brief description.
30 1 silkFlowType class & type How rwflowpack categorized
the flow record
31 2 silkFlowSensor sensor Sensor where the flow was
collected
14 1 initialTCPFlags initialFlags TCP flags on first packet in
the flow record
15 1 unionTCPFlags sessionFlags TCP flags on all packets in
the flow except the first
32 1 silkTCPState attributes Flow continuation attributes
set by generator
33 2 silkAppLabel application Guess by flow generator as
to the content of traffic
The IPFIX template that rwsilk2ipfix writes contains the following
information elements:
OCTETS INFORMATION ELEMENT (PEN, ID) SILK FIELD
======= ============================= =============
0- 7 flowStartMilliseconds (152) sTime
8- 15 flowEndMilliseconds (153) sTime + duration
16- 31 sourceIPv6Address (27) sIP
32- 47 destinationIPv6Address (28) dIP
48- 51 sourceIPv4Address (8) sIP
52- 55 destinationIPv4Address (12) dIP
56- 57 sourceTransportPort (7) sPort
58- 59 destinationTransportPort (11) dPort
60- 63 ipNextHopIPv4Address (15) nhIP
64- 79 ipNextHopIPv6Address (62) nhIP
80- 83 ingressInterface (10) in
84- 87 egressInterface (14) out
88- 95 packetDeltaCount (2) packets
96-103 octetDeltaCount (1) bytes
104 protocolIdentifier (4) protocol
105 silkFlowType (6871, 30) class & type
106-107 silkFlowSensor (6871, 31) sensor
108 tcpControlBits (6) flags
109 initialTCPFlags (6871, 14) initialFlags
110 unionTCPFlags (6871, 15) sessionFlags
111 silkTCPState (6871, 32) attributes
112-113 silkAppLabel (6871, 33) application
114-119 paddingOctets (210) -
Note that the template contains both IPv4 and IPv6 addresses. One set
of those addresses contains the IP addresses and the other set contains
only zeros.
OPTIONS
Option names may be abbreviated if the abbreviation is unique or is an
exact match for an option. A parameter to an option may be specified
as --arg=param or --arg param, though the first form is required for
options that take optional parameters.
--ipfix-output=FILE
Write the IPFIX records to FILE, which must not exist. If the
switch is not provided or if FILE has the value "stdout", the IPFIX
flows are written to the standard output.
--print-statistics
Print, to the standard error, the number of records that were
written to the IPFIX output file.
--site-config-file=FILENAME
Read the SiLK site configuration from the named file FILENAME.
When this switch is not provided, rwsilk2ipfix searches for the
site configuration file in the locations specified in the "FILES"
section.
--xargs
--xargs=FILENAME
Causes rwsilk2ipfix to read file names from FILENAME or from the
standard input if FILENAME is not provided. The input should have
one file name per line. rwsilk2ipfix will open each file in turn
and read records from it, as if the files had been listed on the
command line.
--help
Print the available options and exit.
--version
Print the version number and information about how SiLK was
configured, then exit the application.
EXAMPLES
In the following examples, the dollar sign ("$") represents the shell
prompt. The text after the dollar sign represents the command line.
To convert the SiLK file silk.rw into an IPFIX format and store the
results in ipfix.dat:
$ rwsilk2ipfix --ipfix-output=ipfix.dat silk.rw
To view the contents of ipfix.dat using the yafscii(1) tool (see
<http://tools.netsa.cert.org/yaf/>):
$ yafscii --in=ipfix.dat --out=-
Use the rwipfix2silk(1) tool to convert the IPFIX file back into SiLK
Flow format:
$ rwipfix2silk --silk-output=silk2.rw ipfix.dat
ENVIRONMENT
SILK_CLOBBER
The SiLK tools normally refuse to overwrite existing files.
Setting SILK_CLOBBER to a non-empty value removes this restriction.
SILK_CONFIG_FILE
This environment variable is used as the value for the
--site-config-file when that switch is not provided.
SILK_DATA_ROOTDIR
This environment variable specifies the root directory of data
repository. As described in the "FILES" section, rwsilk2ipfix may
use this environment variable when searching for the SiLK site
configuration file.
SILK_PATH
This environment variable gives the root of the install tree. When
searching for configuration files, rwsilk2ipfix may use this
environment variable. See the "FILES" section for details.
FILES
${SILK_CONFIG_FILE}
${SILK_DATA_ROOTDIR}/silk.conf
/data/silk.conf
${SILK_PATH}/share/silk/silk.conf
${SILK_PATH}/share/silk.conf
/usr/local/share/silk/silk.conf
/usr/local/share/silk.conf
Possible locations for the SiLK site configuration file which are
checked when the --site-config-file switch is not provided.
SEE ALSOrwipfix2silk(1), rwcut(1), rwflowpack(8), silk.conf(5), sensor.conf(5),
silk(7), yaf(1), yafscii(1)SiLK 3.11.0.1 2016-02-19 rwsilk2ipfix(1)
