rwpdedupe - Eliminate duplicate packets collected by several sensors
rwpdedupe { --first-duplicate | --random-duplicate[=SCALAR] } [--threshold=MILLISECONDS] FILE... > OUTPUT-FILE
rwpdedupe --help
rwpdedupe --version
Detects and eliminates duplicate records from tcpdump(1)
capture files. Duplicate records are defined as having timestamps within a
user-configurable time of each other. In addition, their Ethernet (OSI layer
2) headers must match. If they are not IP packets, then their entire Ethernet
payload must match. If they are IP packets, then their source and destination
addresses, protocol, and IP payload must match.
Option names may be abbreviated if the abbreviation is unique or is an exact
match for an option. A parameter to an option may be specified as
--arg=param or --arg param, though the first form
is required for options that take optional parameters.
- --threshold=MILLISECONDS
  Set the maximum number of milliseconds which may elapse between two
  packets and still have those packets be detected as duplicates. Default 0
  (exact timestamp match). Must be a value between 0 and 1,000,000
  milliseconds.
One and only one of the following switches is required:
- --first-duplicate
  When selecting between multiple duplicate packets, always choose the
  packet with the earliest timestamp. Not compatible with
  --random-duplicate.
- --random-duplicate
- --random-duplicate=SCALAR
  Select a random packet from the list of duplicate packets. SCALAR is a
  random number seed, so that multiple runs can produce identical
  results.
- --help
  Print the available options and exit.
- --version
  Print the version number and information about how SiLK was configured,
  then exit the application.
In the following example, the dollar sign ("$") represents the shell prompt.
The text after the dollar sign represents the command line. Lines have been
wrapped for improved readability, and the backslash ("\") is used to indicate
a wrapped line.
Given tcpdump files data1.tcp and data2.tcp, detect and eliminate duplicate
packets which occur within one second of each other (when choosing which
timestamp to output, pick one randomly). Store the result file in out.tcp.
$ rwpdedupe --threshold=1000 --random-duplicate \
data1.tcp data2.tcp > out.tcp
silk(7), mergecap(1), tcpdump(1), pcap(3)
mergecap(1) can be used to merge two tcpdump capture
files without eliminating duplicate packets.