NAME

SYNOPSIS

  rwcut --plugin=cutmatch.so --fields=...,match,...  ...

DESCRIPTION

The cutmatch plug-in defines a "match" field that displays the direction of the flow ("->" represents a query and "<-" a response) and the numeric match ID.

OPTIONS

--fields=FIELDS

FIELDS refers to a list of fields to print. The cutmatch plug-in adds the following field:

EXAMPLES

Given two files containing unidirectional flow records, use rwsort(1) and rwmatch(1) to create the file matched.rw where a query and its response have been labeled with a unique value in the next-hop IP field. See the rwmatch manual page for more information.

 $ rwsort --fields=1,4,2,3,5,stime incoming.rw > incoming-query.rw
 $ rwsort --fields=2,3,1,4,5,stime outgoing.rw > outgoing-response.rw
 $ rwmatch --relate=1,2 --relate=4,3 --relate=2,1 --relate=3,4 \
        --relate=5,5 incoming-query.rw outgoing-response.rw matched.rw

To use the plug-in, you must explicitly load it into rwcut(1) by specifying the --plugin switch. You can then include "match" in the list of --fields to print:

 $ rwcut --plugin=cutmatch.so --num-rec=8  \
        --fields=sIP,sPort,match,dIP,dPort,type matched.rw
             sIP|sPort| <->Match#|            dIP|dPort|   type|
     10.4.52.235|29631|->       1|192.168.233.171|   80|  inweb|
 192.168.233.171|   80|<-       1|    10.4.52.235|29631| outweb|
     10.9.77.117|29906|->       2| 192.168.184.65|   80|  inweb|
  192.168.184.65|   80|<-       2|    10.9.77.117|29906| outweb|
   10.14.110.214|29989|->       3| 192.168.249.96|   80|  inweb|
  192.168.249.96|   80|<-       3|  10.14.110.214|29989| outweb|
     10.18.66.79|29660|->       4| 192.168.254.69|   80|  inweb|
  192.168.254.69|   80|<-       4|    10.18.66.79|29660| outweb|

This shows external hosts querying the web server (the Match column contains "->") and the web server's responses ("<-").

Using the "sIP" and "dIP" fields may be confusing when the file you are examining contains both incoming and outgoing flow records. To make the output from rwmatch more clear, consider using the int-ext-fields(3) plug-in as well. That plug-in allows you to display the external IPs in one column and the internal IPs in a another column. See its manual page for additional information.

 $ export INCOMING_FLOWTYPES=all/in,all/inweb
 $ export OUTGOING_FLOWTYPES=all/out,all/outweb
 $ rwcut --plugin=cutmatch.so --plugin=int-ext-fields.so --num-rec=8 \
      --fields=ext-ip,ext-port,match,int-ip,int-port,proto matched.rw
         ext-ip|ext-p| <->Match#|         int-ip|int-p|   type|
    10.4.52.235|29631|->       1|192.168.233.171|   80|  inweb|
    10.4.52.235|29631|<-       1|192.168.233.171|   80| outweb|
    10.9.77.117|29906|->       2| 192.168.184.65|   80|  inweb|
    10.9.77.117|29906|<-       2| 192.168.184.65|   80| outweb|
  10.14.110.214|29989|->       3| 192.168.249.96|   80|  inweb|
  10.14.110.214|29989|<-       3| 192.168.249.96|   80| outweb|
    10.18.66.79|29660|->       4| 192.168.254.69|   80|  inweb|
    10.18.66.79|29660|<-       4| 192.168.254.69|   80| outweb|

ENVIRONMENT

SILK_PATH

This environment variable gives the root of the install tree. When searching for plug-ins, a SiLK application may use this environment variable. See the "FILES" section for details.

SILK_PLUGIN_DEBUG

When set to 1, the SiLK applications print status messages to the standard error as they attempt to find and open the cutmatch.so plug-in. A typical invocation using this variable is:

 env SILK_PLUGIN_DEBUG=1 rwcut --plugin=cutmatch.so --version
    

FILES

${SILK_PATH}/lib64/silk/cutmatch.so

${SILK_PATH}/lib64/cutmatch.so

${SILK_PATH}/lib/silk/cutmatch.so

${SILK_PATH}/lib/cutmatch.so

/usr/local/lib64/silk/cutmatch.so

/usr/local/lib64/cutmatch.so

/usr/local/lib/silk/cutmatch.so

/usr/local/lib/cutmatch.so

Possible locations for the plug-in.

SEE ALSO