OPTIONS

-A interval

specifies the accounting interval. Every interval seconds an accounting request will be made to server and the results will be emitted to stdout. When specifying this mode, you also need to specify -d at the command line.

-a anomaly [parameters]

specifies RAD anomaly detection module and its parameters. There must be at least one -a in RAD mode.

-C count

stops radtunnel after count SIE messages and raw IP packets.

-d

enable debugging reports or increase them after the first -d.

-E ciphers

specifies a list ciphers for TLS connections.

-h

display options summary.

-i interval

enables timestamp indexing every interval nmsgs. This mode writes to a pre-existing (or creates an) lmdb-backed key-value store of nmsg timestamp/file offset pairs. The keys are the epoch portion of the nmsg timestamp for which the offsets refer back to. It is intended to be used as a hints file to speed subsequent cherry-picking of nmsgs from the nmsg data file it backs. It is most useful when the corresponding nmsg data file is anticipated to grow large.

This mode may only be used with nmsg file-based outputs and, because radtunnel needs to know when filesystem writes have occurred, it must be run in unbuffered mode ( -u ). If you specify the append option ( -p ), it is assumed you are continuing a previous session so you must also specify a previously created nmsg file which must also have a corresponding previously created timestamp index mdb file.

It will always write an index for the first nmsg and every interval nmsgs thereafter.

-m sampling-rate

specifies the sampling rate. Sets the percentage (between 0.1 and 100.0) that the RAD server will send.

-n config-file

specify location for AXA client configuration file.

-O

enable a spinning bar output indicator on stdout.

-p

append output to specified file (only valid for nmsg file-based outputs).

-o out-addr

specifies the destination of the SIE data. It can be forwarded as NMSG messages to a UDP or TCP port or as raw IP packets to a file, FIFO, or network interface.

nmsg:[tcp:|udp:]host,port

sends NMSG messages to the UDP or optional TCP host name and port number host,port. UDP is the default. IP packets are converted to NMSG messages.

nmsg:file:path

sends NMSG messages to the file named path. IP packets are converted to NMSG messages.

nmsg:file_json:path

sends NMSG json blobs to the file named path.

pcap[-fifo]:path

sends IP packets to a file or FIFO named path for examination with tcpdump(1) or another packet tracing tool. An ordinary file is the default. Only IP packets but not NMSG messages are sent.

pcap-if:[dst/]ifname

transmits IP packets on the network interface named ifname for examination with tcpdump(1) or another packet tracing tool. dst optionally specifies a destination 48-bit Ethernet address other than all 0:0:0:0:0:0 default. This output usually requires that radtunnel be run by root. Only IP packets but not NMSG messages are sent.

-P pidfile

will result in the current PID being written to pidfile. The file will be deleted upon program exit.

-r rate-limit

tells the server to send at most rate-limit SIE messages and raw IP packets per second.

-S certs

overrides the default directory containing SSL certificates and keys. Its default is /usr/local/etc/axa/certs.

-s server

specifies the server that is the source of the SIE data. The server can be specified with any of the following:

Sm off alias Sm on

Connect to a server using an alias shortcut mnemonic (see FILES section for more information).

Sm off apikey: <users_apikey>@ host,port Sm on

Identify and authenticate the user via a Farsight Security provided apikey. The connection will be encrypted using the same TLS semantics as the tls transport below.

Sm off ssh: [user@] host Sm on

The server will be contacted using the ssh protocol. These connections usually use default ssh ssh_config(1) files to specify the required public keys and optionally the fully qualified host name and user names associated with the public key. Use -dddd to diagnose ssh connection problems.

Sm off tcp: user@ host,port Sm on

The connection will be made with the host name or IP address and port number using clear text over TCP/IP.

Sm off unix: user@ /ud/socket Sm on

This connection uses a UNIX domain socket connected to a local server.

tls:cert,key@host,port

Use the TLS protocol with the certificate in the cert file and the private key in the key file. If not absolute, the files are in the -S certs directory.

-t

enable tracing reports on the server or increase them after the first -t.

-V

displays the version of radtunnel and its preferred version of the AXA protocol.

-w watch

There must be at least one -w with a RAD watch to specify the interesting SIE messages or dark channel IP packets. The optional [(shared)] suffix marks IP addresses or domains that are not exclusively used by the RAD client.

 

ip=IP[/n]

The IPv4 or IPv6 address IP specifies a host address unless a prefix length is specified.

 

dns=[*.]dom

watches for the domain anywhere in the IP packets or SIE messages on the channels selected with -c. A wild card watches for occurrences of the domain and all sub-domains.

In addition, (shared) can be appended to IP and file ... dns watches to indicate addresses or domains that are not used exclusively.

-z

enable NMSG zlib container compression.