NAME

SYNOPSIS

DESCRIPTION

Per default, it assumes the input-file to be a libpcap trace file. However, if it is a Zeek connection log, use -c. If input-file is not given, the script reads from stdin. It writes its output to stdout.

OPTIONS

--version

show program's version number and exit

-h, --help

show this help message and exit

-b, --bytes

count fractions in terms of bytes rather than packets/connections

-c, --conn-summaries

input file contains Zeek connection summaries

--conn-version=CONN_VERSION

when used with -c, specify '1' for use with Bro version 1.x connection logs, or '2' for use with Bro 2.x format. '0' tries to guess the format

-C, --chema

for packets: include only TCP, ignore when seq==0

-e, --external

ignore strictly internal traffic

-E EXCLUDENETS, --exclude-nets=EXCLUDENETS

excludes CIDRs in file from analysis

-i ILEN, --intervals=ILEN

create summaries for time intervals of given length (seconds, or use suffix of 'h' for hours, or 'm' for minutes)

-l LOCALNETS, --local-nets=LOCALNETS

differentiate in/out based on CIDRs in file

-n TOPX, --topn=TOPX

show top <n>

-p PORTS, --ports=PORTS

include only ports listed in file

-P STOREPORTS, --write-ports=STOREPORTS

write top total/incoming/outgoing ports into file

-r, --resolve-host-names

resolve host names

-R tag, --R=tag

write output suitable for R into files <tag.*>

-s FACTOR, --sample-factor=FACTOR

sample factor of input

-S SAMPLE, --do-sample=SAMPLE

sample input with probability (0.0 < prob < 1.0)

-m, --save-mem

do not make memory-expensive statistics

-t, --tcp

include only TCP

-u, --udp

include only UDP

-U MINTIME, --min-time=MINTIME

minimum time in ISO format (e.g. 2005-12-31-23-59-00)

-v, --verbose

show top-n for every interval

-V MAXTIME, --max-time=MAXTIME

maximum time in ISO format

AUTHOR