User-defined command line switches

register_switch(switch_name, handler=handler_func, [arg=needs_arg], [help=help_string])

switch_name

Provides the name of the switch you are registering, a string. Do not include the leading "--" in the name. If a switch already exists with the name switch_name, the application will exit with an error message.

handler_func

handler_func([string]). Names a function that will be called by the application while it is processing its command line if and only if the command line includes the switch --switch_name. (If the switch is not given, the handler_func function will not be called.) When the arg parameter is specified and its value is False, the handler_func function will be called with no arguments. Otherwise, the handler_func function will be called with a single argument: a string representing the value the user passed to the --switch_name switch. The return value from this function is ignored. Note that the register_switch() function requires a handler argument which must be passed by keyword.

needs_arg

Specifies a boolean value that determines whether the user must specify an argument to --switch_name, and determines whether the handler_func function should expect an argument. When arg is not specified or needs_arg is True, the user must specify an argument to --switch_name and the handler_func function will be called with a single argument. When needs_arg is False, it is an error to specify an argument to --switch_name and handler_func will be called with no arguments.

help_string

Provides the usage text to print describing this switch when the user runs the application with the --help switch. This argument is optional; when it is not provided, a simple "No help for this switch" message is printed.

rwfilter usage

register_filter(filter_func, [finalize=finalize_func], [initialize=initialize_func])

filter_func

Boolean = filter_func(silk.RWRec). Names a function that must accept a single argument, a silk.RWRec object (see pysilk(3)). When the rwfilter program is run, it finds the records that match the selection options, and hands each record to the built-in partitioning switches. A record that passes all of the built-in switches is handed to the first Python filter_func() function as an RWRec object. The return value of the function determines what happens to the record. The record fails the filter_func() function (and the record is immediately written to the --fail-destination, if specified) when the function returns one of the following: False, None, numeric zero of any type, an empty string, or an empty container (including strings, tuples, lists, dictionaries, sets, and frozensets). If the function returns any other value, the record passes the first filter_func() function, and the record is handed to the next Python filter_func() function. If all filter_func() functions pass the record, the record is written to the --pass-destination, if specified. (Note that when the --plugin switch is present, the code it specifies will be called after the PySiLK code.)

initialize_func

initialize_func(). Names a function that takes no arguments. When this function is specified, is will be called after rwfilter has completed its argument processing, and just before rwfilter opens the first input file. The return value of this function is ignored.

finalize_func

finalize_func(). Names a function that takes no arguments. When this function is specified, it will be called after all flow records have been processed. One use of the these functions is to print any statistics that the filter_func() function was computing. The return value from this function is ignored.

If register_filter() is called multiple times, the filter_func(), initialize_func() , and finalize_func() functions will be invoked in the order in which the register_filter() functions were seen.

NOTE: For backwards compatibility, when the file named by --python-file does not call register_filter(), rwfilter will search the Python file for functions named rwfilter() and finalize(). If it finds the rwfilter() function, rwfilter will act as if the file contained:

 register_filter(rwfilter, finalize=finalize)

The --python-file switch requires the user to create a file containing Python code. To allow the user to write a small filtering check in Python, rwfilter supports the --python-expr switch. The value of the switch should be a Python expression whose result determines whether a given record passes or fails, using the same criterion as the filter_func() function described above. In the expression, the variable "rec" is bound to the current silk.RWRec object. There is no support for the initialize_func() and finalize_func() functions. The user may consider --python-expr=PYTHON_EXPRESSION as being implemented by

 from silk import *
 def temp_filter(rec):
     return (PYTHON_EXPRESSION)

 register_filter(temp_filter)

The --python-file and --python-expr switches allow for much flexibility but at the cost of speed: converting a SiLK Flow record into an RWRec is expensive relative to most operations in rwfilter. The user should use rwfilter's built-in partitioning switches to whittle down the input as much as possible, and only use the Python code to do what is difficult or impossible to do otherwise.

Simple field registration functions

Once you have created a key field or aggregate value field, you must include the field's name in the argument to the --fields or --values switch to tell the application to use the field.

Integer key field

The following function is used to create a key field whose value is an unsigned integer.

register_int_field(field_name, int_function, min, max, [width])

field_name

The name of the new field, a string. If you attempt to add a key field that already exists, you will get an an error message.

int_function

int = int_function(silk.RWRec). A function that accepts a silk.RWRec object as its sole argument, and returns an unsigned integer which represents the value of this field for the given record.

min

A number representing the minimum integer value for the field. If int_function returns a value less than min, an error is raised.

max

A number representing the maximum integer value for the field. If int_function returns a value greater than max, an error is raised.

width

The column width to use when displaying the field. This parameter is optional; the default is the number of digits necessary to display the integer max.

IPv4 address key field

This function is used to create a key field whose value is an IPv4 address. (See also register_ip_field()).

register_ipv4_field(field_name, ipv4_function, [width])

field_name

The name of the new field, a string. If you attempt to add a key field that already exists, you will get an an error message.

ipv4_function

silk.IPv4Addr = ipv4_function(silk.RWRec). A function that accepts a silk.RWRec object as its sole argument, and returns a silk.IPv4Addr object. This IPv4Addr object will be the IPv4 address that represents the value of this field for the given record.

width

The column width to use when displaying the field. This parameter is optional, and it defaults to 15.

IP address key field

The next function is used to create a key field whose value is an IPv4 or IPv6 address.

register_ip_field(field_name, ip_function, [width])

field_name

The name of the new field, a string. If you attempt to add a key field that already exists, you will get an an error message.

ip_function

silk.IPAddr = ip_function(silk.RWRec). A function that accepts a silk.RWRec object as its sole argument, and returns a silk.IPAddr object which represents the value of this field for the given record.

width

The column width to use when displaying the field. This parameter is optional. The default width is 39.

This key field requires more memory internally than fields registered by the register_ipv4_field() function. If SiLK is compiled without IPv6 support, register_ip_field() works exactly like register_ipv4_field(), including the default width of 15.

Enumerated object key field

The following function is used to create a key field whose value is any Python object. The maximum number of different objects that can be represented is 4,294,967,296, or 2^32.

register_enum_field(field_name, enum_function, width, [ordering])

field_name

The name of the new field, a string. If you attempt to add a key field that already exists, you will get an an error message.

enum_function

object = enum_function(silk.RWRec). A function that accepts a silk.RWRec object as its sole argument, and returns a Python object which represents the value of this field for the given record. For typical usage, the Python objects returned by the enum_function will be strings representing some categorical value.

width

The column width to use when displaying this field. The parameter is required.

ordering

A list of objects used to determine ordering for rwsort and rwuniq. This parameter is optional. If specified, it lists the objects in the order in which they should be sorted. If the enum_function returns a object that is not in ordering, the object will be sorted after all the objects in ordering.

Integer sum aggregate value field

This function is used to create an aggregate value field that maintains a running unsigned integer sum.

register_int_sum_aggregator(agg_value_name, int_function, [max_sum], [width])

agg_value_name

The name of the new aggregate value field, a string. The agg_value_name must be unique among all aggregate values, but an aggregate value field and key field can have the same name.

int_function

int = int_function(silk.RWRec). A function that accepts a silk.RWRec object as its sole argument, and returns an unsigned integer which represents the value that should be added to the running sum for the current bin.

max_sum

The maximum possible sum. This parameter is optional; if not specified, the default is 2^64-1 (18,446,744,073,709,551,615).

width

The column width to use when displaying the aggregate value. This parameter is optional. The default is the number of digits necessary to display max_sum.

Integer maximum aggregate value field

The following function is used to create an aggregate value field that maintains the maximum unsigned integer value.

register_int_max_aggregator(agg_value_name, int_function, [max_max], [width])

agg_value_name

The name of the new aggregate value field, a string. The agg_value_name must be unique among all aggregate values, but an aggregate value field and key field can have the same name.

int_function

int = int_function(silk.RWRec). A function that accepts a silk.RWRec object as its sole argument, and returns an integer which represents the value that should be considered for the current highest value for the current bin.

max_max

The maximum possible value for the maximum. This parameter is optional; if not specified, the default is 2^64-1 (18,446,744,073,709,551,615).

width

The column width to use when displaying the aggregate value. This parameter is optional. The default is the number of digits necessary to display max_max.

Integer minimum aggregate value field

This function is used to create an aggregate value field that maintains the minimum unsigned integer value.

register_int_min_aggregator(agg_value_name, int_function, [max_min], [width])

agg_value_name

The name of the new aggregate value field, a string. The agg_value_name must be unique among all aggregate values, but an aggregate value field and key field can have the same name.

int_function

int = int_function(silk.RWRec). A function that accepts a silk.RWRec object as its sole argument, and returns an integer which represents the value that should be considered for the current lowest value for the current bin.

max_min

The maximum possible value for the minimum. When this optional parameter is not specified, the default is 2^64-1 (18,446,744,073,709,551,615).

width

The column width to use when displaying the aggregate value. This parameter is optional. The default is the number of digits necessary to display max_min.

Advanced field registration function

Many of the arguments to the register_field() function are callback functions that you must create and that the application will invoke. (The simple registration functions above have already taken care of defining these callback functions.)

Often the callback functions for handling fields will either take (as a parameter) or return a representation of a numeric value that can be processed from C. The most efficient way to handle these representations is as a string containing binary characters, including the null byte. We will use the term "byte sequence" for these representations; other possible terms include "array of bytes", "byte strings", or "binary values". For hints on creating byte sequences from Python, see the "Byte sequences" section below.

To define a new field or aggregate value, the user calls:

register_field(field_name, [add_rec_to_bin=add_rec_to_bin_func,] [bin_compare=bin_compare_func,] [bin_bytes=bin_bytes_value,] [bin_merge=bin_merge_func,] [bin_to_text=bin_to_text_func,] [column_width=column_width_value,] [description=description_string,] [initial_value=initial_value,] [initialize=initialize_func,] [rec_to_bin=rec_to_bin_func,] [rec_to_text=rec_to_text_func])

Although the keyword arguments to register_field() are all optional from Python's perspective, certain keyword arguments must be present before an application will define the key or aggregate value. The following table summarizes the keyword arguments used by each application. An "F" means the argument is required for a key field, an "A" means the argument is required for an aggregate value field, "f" and "a" mean the application will use the argument for a key field or an aggregate value if the argument is present, and a dot means the application completely ignores the argument.

                   rwcut  rwgroup  rwsort  rwstats  rwuniq
 add_rec_to_bin      .       .       .        A       A
 bin_compare         .       .       .        A       .
 bin_bytes           .       F       F       F,A     F,A
 bin_merge           .       .       .        A       A
 bin_to_text         .       .       .       F,A     F,A
 column_width        F       .       .       F,A     F,A
 description         f       f       f       f,a     f,a
 initial_value       .       .       .        a       a
 initialize          f       f       f       f,a     f,a
 rec_to_bin          .       F       F        F       F
 rec_to_text         F       .       .        .       .

The following sections describe how to use register_field() in each application.

rwcut usage

register_field(field_name, column_width=column_width_value, rec_to_text=rec_to_text_func, [description=description_string,] [initialize=initialize_func])

field_name

Names the field being defined, a string. If you attempt to add a field that already exists, you will get an an error message. To display the field, include field_name in the argument to the --fields switch.

column_width_value

Specifies the length of the longest printable representation. rwcut will use it as the width for the field_name column when columnar output is selected.

rec_to_text_func

string = rec_to_text_func(silk.RWRec). Names a callback function that takes a silk.RWRec object as its sole argument and produces a printable representation of the field being defined. The length of the returned text should not be greater than column_width_value. If the value returned from this function is not a string, the returned value is converted to a string by the Python str() function.

description_string

Provides a string giving a brief description of the field, suitable for printing in --help-fields output. This argument is optional.

initialize_func

initialize_func(). Names a callback function that will be invoked after the application has completed its argument processing, and just before it opens the first input file. This function is only called when --fields includes field_name. The function takes no arguments and its return value is ignored. This argument is optional.

If the rec_to_text argument is not present, the register_field() function will do nothing when called from rwcut. If the column_width argument is missing, rwcut will complain that the textual width of the plug-in field is 0.

rwgroup and rwsort usage

register_field(field_name, bin_bytes=bin_bytes_value, rec_to_bin=rec_to_bin_func, [description=description_string,] [initialize=initialize_func])

field_name

Names the field being defined, a string. If you attempt to add a field that already exists, you will get an an error message. To have rwgroup or rwsort use this field, include field_name in the argument to --id-fields or --fields.

bin_bytes_value

Specifies a positive integer giving the length, in bytes, of the byte sequence that the rec_to_bin_func() function produces; the byte sequence must be exactly this length.

rec_to_bin_func

byte-sequence = rec_to_bin_func(silk.RWRec). Names a callback function that takes a silk.RWRec object and returns a byte sequence that represents the field being defined. The returned value should be exactly bin_bytes_value bytes long. For proper grouping or sorting, the byte sequence should be returned in network byte order (i.e., big endian).

description_string

Provides a string giving a brief description of the field, suitable for printing in --help-fields output. This argument is optional.

initialize_func

initialize_func(). Names a callback function that will be invoked after the application has completed its argument processing, and just before it opens the first input file. This function is only called when field_name is included in the list of fields. The function takes no arguments and its return value is ignored. This argument is optional.

If the rec_to_bin argument is not present, the register_field() function will do nothing when called from rwgroup or rwsort. If the bin_bytes argument is missing, rwgroup or rwsort will complain that the binary width of the plug-in field is 0.

rwstats and rwuniq usage

Key Field

A plug-in used by rwstats or rwuniq for creating a new key field must return a value that the application can use internally to compare records, and there must be a function that converts that value to a printable representation. The following invocation of register_field() will produce a key field that can be used in the --fields switch of rwstats or rwuniq:

register_field(field_name, bin_bytes=bin_bytes_value, bin_to_text=bin_to_text_func, column_width=column_width_value, rec_to_bin=rec_to_bin_func, [description=description_string,] [initialize=initialize_func])

The arguments are:

field_name

Contains the name of the field being defined, a string. If you attempt to add a field that already exists, you will get an an error message. The field will only be active when field_name is specified as an argument to --fields.

bin_bytes_value

Contains a positive integer giving the length, in bytes, of the byte sequence that the rec_to_bin_func() function produces and that the bin_to_text_func() function accepts. The byte sequences must be exactly this length.

bin_to_text_func

string = bin_to_text_func(byte-sequence). Names a callback function that takes a byte sequence, of length bin_bytes_value, as produced by the rec_to_bin_func() function and returns a printable representation of the byte sequence. The length of the text should be no longer than the value specified by column_width. If the value returned from this function is not a string, the returned value is converted to a string by the Python str() function.

column_width_value

Contains a positive integer specifying the length of the longest textual field that the bin_to_text_func() callback function returns. This length will used as the column width when columnar output is requested.

rec_to_bin_func

byte-sequence = rec_to_bin_func(silk.RWRec). Names a callback function that takes a silk.RWRec object and returns a byte sequence that represents the field being defined. The returned value should be exactly bin_bytes_value bytes long. For proper sorting, the byte sequence should be returned in network byte order (i.e., big endian).

description_string

Provides a string giving a brief description of the field, suitable for printing in --help-fields output. This argument is optional.

initialize_func

initialize_func(). Names a callback function that is called after the command line arguments have been processed, and before opening the first file. This function is only called when --fields includes field_name. The function takes no arguments and its return value is ignored. This argument is optional.

Aggregate Value

A plug-in used by rwstats or rwuniq for creating a new aggregate value must be able to use a SiLK record to update an aggregate value, take two aggregate values and merge them to a new value, and convert that aggregate value to a printable representation. To use an aggregate value for ordering the bins in rwstats, the plug-in must also define a function to compare two aggregate values. The aggregate values are represented as byte sequences.

To define a new aggregate value in rwstats, the user calls:

register_field(agg_value_name, add_rec_to_bin=add_rec_to_bin_func, bin_bytes=bin_bytes_value, bin_merge=bin_merge_func, bin_to_text=bin_to_text_func, column_width=column_width_value, [bin_compare=bin_compare_func,] [description=description_string,] [initial_value=initial_value,] [initialize=initialize_func])

The call to define a new aggregate value in rwuniq is nearly identical:

register_field(agg_value_name, add_rec_to_bin=add_rec_to_bin_func, bin_bytes=bin_bytes_value, bin_merge=bin_merge_func, bin_to_text=bin_to_text_func, column_width=column_width_value, [description=description_string,] [initial_value=initial_value,] [initialize=initialize_func])

The arguments are:

agg_value_name

Contains the name of the aggregate value field being defined, a string. The name of value must be unique among all aggregate values, but an aggregate value field and key field can have the same name. The value will only be active when agg_value_name is specified as an argument to --values.

add_rec_to_bin_func

byte-sequence = add_rec_to_bin_func(silk.RWRec, byte-sequence). Names a callback function whose two arguments are a silk.RWRec object and an aggregate value. The function updates the aggregate value with data from the record and returns a new aggregate value. Both aggregate values are represented as byte sequences of exactly bin_bytes_value bytes.

bin_bytes_value

Contains a positive integer representing the length, in bytes, of the binary aggregate value used by the various callback functions. Every byte sequence for this field must be exactly this length, and it also governs the length of the byte sequence specified by initial_value.

bin_merge_func

byte-sequence = bin_merge_func(byte-sequence, byte-sequence). Names a callback function which returns the result of merging two binary aggregate values into a new binary aggregate value. This merge function will often be addition; however, if the aggregate value is a bitmap, the result of merge function could be the union of the bitmaps. The function should take two byte sequence arguments and return a byte sequence, where all byte sequences are exactly bin_bytes_value bytes in length. If merging the aggregate values is not possible, the function should throw an exception. This function is used when the data structure used by rwstats or rwuniq runs out memory. When that happens, the application writes its current state to a temporary file, empties its buffers, and continues reading records. Once all records have been processed, the application needs to merge the temporary files to produce the final output. The bin_merge_func() function is used when merging these binary aggregate values.

bin_to_text_func

string = bin_to_text_func(byte-sequence). Names a callback function that takes a byte sequence representing an aggregate value as an argument and returns a printable representation of that aggregate value. The byte sequence input to bin_to_text_func() will be exactly bin_bytes_value bytes long. The length of the text should be no longer than the value specified by column_width. If the value returned from this function is not a string, the returned value is converted to a string by the Python str() function.

column_width_value

Contains a positive integer specifying the length of the longest textual field that the bin_to_text_func() callback function returns. This length will used as the column width when columnar output is requested.

bin_compare_func

int = bin_compare_func(byte-sequence, byte-sequence). Names a callback function that is called with two aggregate values, each represented as a byte sequence of exactly bin_bytes_value bytes. The function returns (1) an integer less than 0 if the first argument is less than the second, (2) an integer greater than 0 if the first is greater than the second, or (3) 0 if the two values are equal. This function is used by rwstats to sort the bins into top-N order.

description_string

Provides a string giving a brief description of the aggregate value, suitable for printing in --help-fields output. This argument is optional.

initial_value

Specifies a byte sequence representing the initial state of the binary aggregate value. This byte sequence must be of length bin_bytes_value bytes. If this argument is not specified, the aggregate value is set to a byte sequence containing bin_bytes_value null bytes.

initialize_func

initialize_func(). Names a callback function that is called after the command line arguments have been processed, and before opening the first file. This function is only called when --values includes agg_value_name. The function takes no arguments and its return value is ignored. This argument is optional.

Byte sequences

When used as key fields, the values can represent uniqueness or indicate sort order. Two records with the same byte sequence for a field will be considered identical with respect to that field. When sorting, the byte sequences are compared in network byte order. That is, the most significant byte is compared first, followed by the next-most-significant byte, etc. This equates to string comparison starting with the left-hand side of the string.

When used as an aggregate field, the byte sequences are expected to behave more like numbers, with the ability to take binary record and add a value to it, or to merge (e.g., add) two byte sequences outside the context of a SiLK record.

Every byte sequence has an associated length, which is passed into the register_field() function in the bin_bytes argument. The length determines how many values the byte sequence can represent. A byte sequence with a length of 1 can represent up to 256 unique values (from 0 to 255 inclusive). A byte sequence with a length of 2 can represent up to 65536 unique values (0 to 65535). To generalize, a byte sequence with a length of n can represent up to 2^(8n) unique values (0 to 2^(8n)-1).

How byte sequences are represented in Python depends on the version of Python. Python represents a sequence of characters using either the bytes type (introduced in 2.6) or the unicode type. The bytes type can encode byte sequences while the unicode type cannot. In Python 2, the str (string) type was an alias for bytes, so that any Python 2 string is in effect a byte sequence. In Python 3, str is an alias for unicode, thus Python 3 strings are unicode objects and cannot represent byte sequences.

Python does not make conversions between integers and byte sequences particularly natural. As a result, here are some pointers on how to do these conversions:

Use the bytes() and ord() methods

If you converting a single integer value that is less than 256, the easiest way to convert it to a byte sequence is to use the bytes() function; to convert it back, use the ord() function.

 seq = bytes([num])
 num = ord(seq)

The bytes() function takes a list of integers between 0 and 255 inclusive, and returns a bytes sequence of the length of that list. To convert a single byte, use a list of a single element. The ord() function takes a byte sequence of a single byte and returns an integer between 0 and 255.

Note: In versions of Python earlier than 2.6, use the chr() function instead of the bytes() function. It takes a single number as its argument. chr() will work in Python 2.6 and 2.7 as well, but there are compatibility problems in Python 3.x.

Use the struct module

When the value you are converting to a byte sequence is 255 or greater, you have to go with another option. One of the simpler options is to use Python's built-in struct module. With this module, you can encode a number or a set of numbers into a byte sequence and convert the result back using a struct.Struct object. Encoding the numbers to a byte sequence uses the object's pack() method. To convert that byte sequence back to the number or set of numbers, use the object's unpack() method. The length of the resulting byte sequences can be found in the size attribute of the struct. Struct() object. A formatting string is used to indicate how the numbers are encoded into binary. For example:

 import struct

 # Set up the format for two 64-bit numbers
 two64 = struct.Struct("!QQ)
 # Encode two 64-bit numbers as a byte sequence
 seq = two64.pack(num1, num2)
 #Unpack a byte sequence back into two 64-bit numbers
 (num1, num2) = two64.unpack(seq)
 #Length of the encoded byte sequence
 bin_bytes = two64.size

In the above, "Q" represents a single unsigned 64-bit number (an unsigned long long or quad). The "!" at the beginning of the string forces network byte order. (For sort comparison purposes, always pack in network byte order.)

Here is another example, which encodes a signed 16-bit integer and a floating point number:

 import struct

 # Set up the format for a 16-bit signed integer and a float
 obj = struct.Struct("!hf")
 #Encode a 16-bit signed integer and a float as a byte sequence
 seq = obj.pack(intval, floatval)
 #Unpack a byte sequence back into a 16-bit signed integer and a float
 (intval, floatval) = obj.unpack(seq)
 #Length of the encoded byte sequence
 bin_bytes = obj.size

Note that unpack() returns a sequence. When unpacking a single value, assign the result of unpack to (variable_name,), as shown:

 import struct

 u32 = struct.Struct("!I")
 #Encode an unsigned 32-bit integer as a byte sequence
 seq = u32.pack(num1)
 #Unpack a byte sequence back into a unsigned 32-bit integer
 (num1,) = struct.unpack(seq)
 #Length of the encoded byte sequence
 bin_bytes = u32.size

The full list of codes can be found in the Python library documentation for the struct module, <http://docs.python.org/library/struct.html>.

Note: Python versions prior to 2.5 do not include support for the struct.Struct object. For older versions of Python, you have to use struct's functional interface. For example:

 import struct

 #Encode a 16-bit signed integer and a float as a byte sequence
 seq = struct.pack("!hf", intval, floatval)
 #Unpack a byte sequence back into a 16-bit signed integer and a float
 (intval, floatval) = struct.unpack("!hf", seq)
 #Length of the encoded byte sequence
 bin_bytes = struct.calcsize("!hf")

This method works in Python 2.5 and above as well, but is inherently slower, as it requires re-evaluation of the format string for each packing and unpacking operation. Only use this if there is a need to inter-operate with older versions of Python.

Use the array module

The Python array module provides another way to create byte sequences. Beware that the array module does not provide an automatic way to encode the values in network byte order.

rwfilter --python-expr

 $ rwfilter --daddr=10.0.0.23 --proto=1,17 --sport=1434         \
        --pass=outfile.rw  flowrec.rw

the --sport option will not match any of the ICMP traffic, and your result will not contain ICMP records. To avoid having to use two invocations of rwfilter, you can use the SiLK Python plugin to do the check in a single pass:

 $ rwfilter --daddr=10.0.0.23 --proto=1,17                      \
        --python-expr 'rec.protocol==1 or rec.sport==1434'      \
        --pass=outfile.rw  flowrec.rw

Since the Python code is slower than the C code used internally by rwfilter, we want to limit the number of records processed in Python as much as possible. We use the rwfilter switches to do the address check and protocol check, and in Python we only need to check whether the record is ICMP or if the source port is 1434 (if the record is not ICMP we know it is UDP because of the --proto switch).

rwfilter --python-file

 import sys

 def filter(rec):
     global lastproto
     if rec.protocol != lastproto:
         lastproto = rec.protocol
         return True
     return False

 def initialize():
     global lastproto
     lastproto = None

 def finalize():
     sys.stdout.write("Finished processing records.\n")

 register_filter(filter, initialize = initialize, finalize = finalize)

The preceding file, if called lastproto.py, can be used like this:

 $ rwfilter --python-file lastproto.py --pass=outfile.rw flowrec.rw

Note: Be careful when using a Python plug-in to write to the standard output, since the Python output could get intermingled with the output from --pass=stdout and corrupt the SiLK output file. In general, printing to the standard error is safer.

Command line switch

 import sys
 from silk.plugin import *

 pro_count = {}

 def proto_count(rec):
     global pro_count
     if rec.protocol in pro_count.keys():
         pro_count[rec.protocol] += 1
         return True
     return False

 def print_counts():
     for p,c in pro_count.iteritems():
         sys.stderr.write("%3d|%10d|\n" % (p, c))

 def parse_protocols(protocols):
     global pro_count
     for p in protocols.split(","):
         pro_count[int(p)] = 0
     register_filter(proto_count, finalize = print_counts)

 register_switch("count-protocols", handler=parse_protocols,
                 help="Like --proto, but prints count of flow records")

When this code is saved to the file count-proto.py, it can be used with rwfilter as shown to get a count of TCP and UDP flow records:

 $ rwfilter --start-date=2008/08/08 --type=out                  \
        --python-file=count-proto.py --count-proto=6,17         \
        --print-statistics=/dev/null

rwfilter does not know that the plug-in will be generating output, and rwfilter will complain unless an output switch is given, such as --pass or --print-statistics. Since our plug-in is printing the data we want, we send the output to /dev/null.

Create integer key field with simple API

 def port_sum(rec):
     return rec.sport + rec.dport

 register_int_field("port-sum", port_sum)

If the above code is saved in a file named portsum.py, it can be used to sort traffic prior to printing it (low-port to low-port will appear first):

 $ rwfilter --start-date=2008/08/08 --type=out,outweb       \
        --proto=6,17 --pass=stdout                          \
   | rwsort --python-file=portsum.py --fields=port-sum      \
   | rwcut

To see high-port to high-port traffic first, reverse the sort:

 $ rwfilter --start-date=2008/08/08 --type=out,outweb       \
        --proto=6,17 --pass=stdout                          \
   | rwsort --python-file=portsum.py --fields=port-sum      \
        --reverse                                           \
   | rwcut

Create IP key field with simple API

The following Python plug-in file defines two new fields: "internal-ip" will display the destination IP for an incoming flow, and the source IP for an outgoing flow, and "external-ip" field shows the reverse.

 import silk

 # for convenience, create lists of the types
 in_types = ['in', 'inweb', 'innull', 'inicmp']
 out_types = ['out', 'outweb', 'outnull', 'outicmp']

 def internal(rec):
     "Returns the IP Address of the internal side of the connection"
     if rec.typename in out_types:
         return rec.sip
     else:
         return rec.dip

 def external(rec):
     "Returns the IP Address of the external side of the connection"
     if rec.typename in in_types:
         return rec.sip
     else:
         return rec.dip

 register_ip_field("internal-ip", internal)
 register_ip_field("external-ip", external)

If the above code is saved in a file named direction.py, it can be used to show the internal and external IP addresses and flow direction for all traffic on 1434/udp from Aug 8, 2008.

 $ rwfilter --start-date=2008/08/08 --type=all              \
        --proto=17 --aport=1434 --pass=stdout               \
   | rwcut --python-file direction.py                       \
        --fields internal-ip,external-ip,3-12

Create enumerated key field with simple API

Here we take the previous example, add a command line switch to specify the path to a prefix map file, and have the internal and external functions return the label.

 import silk

 # for convenience, create lists of the types
 in_types = ['in', 'inweb', 'innull', 'inicmp']
 out_types = ['out', 'outweb', 'outnull', 'outicmp']

 # handler for the --int-ext-pmap command line switch
 def set_pmap(arg):
     global pmap
     pmap = silk.PrefixMap(arg)
     labels = pmap.values()
     width = max(len(x) for x in labels)
     register_enum_field("internal-label", internal, width, labels)
     register_enum_field("external-label", external, width, labels)

 def internal(rec):
     "Returns the label for the internal side of the connection"
     global pmap
     if rec.typename in out_types:
         return pmap[rec.sip]
     else:
         return pmap[rec.dip]

 def external(rec):
     "Returns the label for the external side of the connection"
     global pmap
     if rec.typename in in_types:
         return pmap[rec.sip]
     else:
         return pmap[rec.dip]

 register_switch("int-ext-pmap", handler=set_pmap,
                 help="Prefix map file for internal-label, external-label")

Assuming the above is saved in the file int-ext-pmap.py, the following will group the flows by the internal and external labels contained in the file ip-map.pmap.

 $ rwfilter --start-date=2008/08/08 --type=all              \
        --proto=17 --aport=1434 --pass=stdout               \
   | rwuniq --python-file int-ext-pmap.py                   \
        --int-ext-pmap ip-map.pmap                          \
        --fields internal-label,external-label

Create minimum/maximum integer value field with simple API

 register_int_min_aggregator("min-bytes", lambda rec: rec.bytes,
                             (1 << 32) - 1)
 register_int_max_aggregator("max-bytes", lambda rec: rec.bytes,
                             (1 << 32) - 1)

The lambda expression allows one to create an anonymous function. In this code, we need to return the number of bytes for the given record, and we can easily do that with the anonymous function. Since the SiLK bytes field is 32 bits, the maximum 32-bit number is passed the registration functions.

Assuming the code is stored in a file bytes.py, it can be used with rwuniq to see the minimum and maximum byte counts for each source IP address:

 $ rwuniq --python-file=bytes.py --fields=sip               \
        --values=records,bytes,min-bytes,max-bytes

Create IP key for rwcut with advanced API

 import silk, os

 # for convenience, create lists of the types
 in_types = ['in', 'inweb', 'innull', 'inicmp']
 out_types = ['out', 'outweb', 'outnull', 'outicmp']
 internal_only = ['int2int']
 external_only = ['ext2ext']

 # determine the width of the IP field depending on whether SiLK
 # was compiled with IPv6 support, and allow the IP_WIDTH environment
 # variable to override that width.
 ip_len = 15
 if silk.ipv6_enabled():
     ip_len = 39
 ip_len = int(os.getenv("IP_WIDTH", ip_len))

 def cut_internal(rec):
     "Returns the IP Address of the internal side of the connection"
     if rec.typename in in_types:
         return rec.dip
     if rec.typename in out_types:
         return rec.sip
     if rec.typename in internal_only:
         return "both"
     if rec.typename in external_only:
         return "neither"
     return "unknown"

 def cut_external(rec):
     "Returns the IP Address of the external side of the connection"
     if rec.typename in in_types:
         return rec.sip
     if rec.typename in out_types:
         return rec.dip
     if rec.typename in internal_only:
         return "neither"
     if rec.typename in external_only:
         return "both"
     return "unknown"

 def internal_external_direction(rec):
     """Generates a string pointing from the sip to the dip, assuming
     internal is on the left, and external is on the right."""
     if rec.typename in in_types:
         return "<---"
     if rec.typename in out_types:
         return "--->"
     if rec.typename in internal_only:
         return "-><-"
     if rec.typename in external_only:
         return "<-->"
     return "????"

 register_field("internal-ip", column_width = ip_len,
                rec_to_text = cut_internal)
 register_field("external-ip", column_width = ip_len,
                rec_to_text = cut_external)
 register_field("int_to_ext", column_width = 4,
                rec_to_text = internal_external_direction)

The cut_internal() and cut_external() functions may return an IPAddr object instead of a string. For those cases, the Python str() function is invoked automatically to convert the IPAddr to a string.

If the above code is saved in a file named direction.py, it can be used to show the internal and external IP addresses and flow direction for all traffic on 1434/udp from Aug 8, 2008.

 $ rwfilter --start-date=2008/08/08 --type=all              \
        --proto=17 --aport=1434 --pass=stdout               \
   | rwcut --python-file direction.py                       \
        --fields internal-ip,int_to_ext,external-ip,3-12

Create integer key field for rwsort with the advanced API

 import struct

 portpair = struct.Struct("!HH")

 def lowest_port(rec):
     if rec.sport < rec.dport:
         return portpair.pack(rec.sport, rec.dport)
     else:
         return portpair.pack(rec.dport, rec.sport)

 register_field("lowest_port", bin_bytes = portpair.size,
                rec_to_bin = lowest_port)

To use this example to sort the records in flowrec.rw, one saves the code to the file sort.py and uses it as shown:

 $ rwsort --python-file=sort.py --fields=lowest_port        \
        flowrec.rw > outfile.rw

Create integer key for rwstats and rwuniq with advanced API

 import os, struct
 from silk import *

 default_prefix = 16

 u32 = struct.Struct("!L")

 def set_mask(prefix):
     global mask
     mask = 0xFFFFFFFF
     # the value we are handed is a string
     prefix = int(prefix)
     if 0 < prefix < 32:
         mask = mask ^ (mask >> prefix)

 # Convert from an IPv4Addr to a byte sequence
 def cidr_to_bin(ip):
     if ip.is_ipv6():
         raise ValueError, "Does not support IPv6"
     return u32.pack(int(ip) & mask)

 # Convert from a byte sequence to an IPv4Addr
 def cidr_bin_to_text(string):
     (num,) = u32.unpack(string)
     return IPv4Addr(num)

 register_field("prefixed-sip", column_width = 15,
                rec_to_bin = lambda rec: cidr_to_bin(rec.sip),
                bin_to_text = cidr_bin_to_text,
                bin_bytes = u32.size)

 register_field("prefixed-dip", column_width = 15,
                rec_to_bin = lambda rec: cidr_to_bin(rec.dip),
                bin_to_text = cidr_bin_to_text,
                bin_bytes = u32.size)

 register_switch("prefix", handler=set_mask,
                 help="Set prefix for prefixed-sip/prefixed-dip fields")

 set_mask(default_prefix)

The lambda expression allows one to create an anonymous function. In this code, the lambda function is used to pass the appropriate IP address into the cidr_to_bin() function. To write the code without the lambda would require separate functions for the source and destination IP addresses:

 def sip_cidr_to_bin(rec):
     return cidr_to_bin(rec.sip)

 def dip_cidr_to_bin(rec):
     return cidr_to_bin(rec.dip)

The lambda expression helps to simplify the code.

If the code is saved in the file mask.py, it can be used as follows to count the number of flow records seen in the /8 of each source IP address. The flow records are read from flowrec.rw. The --ipv6-policy=ignore switch is used to restrict processing to IPv4 addresses.

 $ rwuniq --ipv6-policy=ignore --python-file mask.py        \
        --prefix 8 --fields prefixed-sip flowrec.rw

Create new average bytes value field for rwstats and rwuniq

 import struct

 fmt = struct.Struct("QQ")
 initial = fmt.pack(0, 0)
 textsize = 15
 textformat = "%%%d.2f" % textsize

 # add byte and flow count from 'rec' to 'current'
 def avg_bytes(rec, current):
     (total, count) = fmt.unpack(current)
     return fmt.pack(total + rec.bytes, count + 1)

 # return printable representation
 def avg_to_text(bin):
     (total, count) = fmt.unpack(bin)
     return textformat % (float(total) / count)

 # merge two encoded values.
 def avg_merge(rec1, rec2):
     (total1, count1) = fmt.unpack(rec1)
     (total2, count2) = fmt.unpack(rec2)
     return fmt.pack(total1 + total2, count1 + count2)

 # compare two encoded values
 def avg_compare(rec1, rec2):
     (total1, count1) = fmt.unpack(rec1)
     (total2, count2) = fmt.unpack(rec2)
     # Python 2:
     #return cmp((float(total1) / count1), (float(total2) / count2))
     # Python 3:
     avg1 = float(total1) / count1
     avg2 = float(total2) / count2
     if avg1 < avg2:
         return -1
     return avg1 > avg2

 register_field("avg-bytes",
                column_width    = textsize,
                bin_bytes       = fmt.size,
                add_rec_to_bin  = avg_bytes,
                bin_to_text     = avg_to_text,
                bin_merge       = avg_merge,
                bin_compare     = avg_compare,
                initial_value   = initial)

To use this code, save it as avg-bytes.py, specify the name of the Python file in the --python-file switch, and list the field in the --values switch:

 $ rwuniq --python-file=avg-bytes.py --fields=sip           \
        --values=avg-bytes infile.rw

This particular example will compute the average number of bytes per flow for each distinct source IP address in the file infile.rw.

Create integer key field for all tools that use fields

 import os,socket,struct

 u16 = struct.Struct("!H")

 # utility function to convert number to a service name,
 # or to a string if no service is defined
 def num_to_service(num):
     try:
         serv = socket.getservbyport(num)
     except socket.error:
         serv = "%d" % num
     return serv

 # convert the encoded port to a service name
 def bin_to_service(bin):
     (port,) = u16.unpack(bin)
     return num_to_service(port)

 # width of service columns can be specified with the
 # SERVICE_WIDTH environment variable; default is 12
 col_width = int(os.getenv("SERVICE_WIDTH", 12))

 register_field("sport-service", bin_bytes = u16.size,
                column_width = col_width,
                rec_to_text = lambda rec: num_to_service(rec.sport),
                rec_to_bin = lambda rec: u16.pack(rec.sport),
                bin_to_text = bin_to_service)

 register_field("dport-service", bin_bytes = u16.size,
                column_width = col_width,
                rec_to_text = lambda rec: num_to_service(rec.dport),
                rec_to_bin = lambda rec: u16.pack(rec.dport),
                bin_to_text = bin_to_service)

If this file is named service.py, it can be used by rwcut to print the source port and its service:

 $ rwcut --python-file service.py                           \
        --fields sport,sport-service flowrec.rw

Although the plug-in can be used with rwsort, the records will be sorted in the same order as the numerical source port or destination port.

 $ rwsort --python-file service.py                          \
        --fields sport-service flowrec.rw > outfile.rw

When used with rwuniq, it can count flows, bytes, and packets indexed by the service of the destination port:

 $ rwuniq --python-file service.py --fields dport-service   \
        --values=flows,bytes,packets flowrec.rw

Create human-readable fields for all tools that use fields

When used as a key, the "hu-bytes" field presents the value 1234567 as 1205.6Ki or as 1234.6k when the HUMAN_USE_BINARY environment variable is set to "False".

When used as a key, the "hu-packets" field adds a comma (or the character specified by the HUMAN_THOUSANDS_SEP environment variable) to the display of the packets field. The value 1234567 becomes 1,234,567.

The "hu-bytes" and "hu-packets" fields can also be used as aggregate value fields, in which case they compute the sum of the bytes and packets, respectively, and display it as for the key field.

The code for the plug-in is shown here, and an example of using the plug-in follows the code.

 import silk, silk.plugin
 import os, struct
 from netsa.data.format import num_prefix, num_fixed

 # Whether the use Base-2 (True) or Base-10 (False) values for
 # Kibi/Mebi/Gibi/Tebi/... vs Kilo/Mega/Giga/Tera/...
 use_binary = True
 if (os.getenv("HUMAN_USE_BINARY")):
     if (os.getenv("HUMAN_USE_BINARY").lower() == "false"
         or os.getenv("HUMAN_USE_BINARY") == "0"):
         use_binary = False
     else:
         use_binary = True

 # Character to use for Thousands separator
 thousands_sep = ','
 if (os.getenv("HUMAN_THOUSANDS_SEP")):
     thousands_sep = os.getenv("HUMAN_THOUSANDS_SEP")

 # Number of significant digits
 sig_fig=5

 # Use a 64-bit number for packing the bytes or packets data
 fmt = struct.Struct("Q")
 initial = fmt.pack(0)

 ### Bytes functions
 # add_rec_to_bin
 def hu_ar2b_bytes(rec, current):
     global fmt
     (cur,) = fmt.unpack(current)
     return fmt.pack(cur + rec.bytes)

 # rec_to_binary
 def hu_r2b_bytes(rec):
     global fmt
     return fmt.pack(rec.bytes)

 # bin_to_text
 def hu_b2t_bytes(current):
     global use_binary, sig_fig, fmt
     (cur,) = fmt.unpack(current)
     return num_prefix(cur, use_binary=use_binary, sig_fig=sig_fig)

 # rec_to_text
 def hu_r2t_bytes(rec):
     global use_binary, sig_fig
     return num_prefix(rec.bytes, use_binary=use_binary, sig_fig=sig_fig)

 ### Packets functions
 # add_rec_to_bin
 def hu_ar2b_packets(rec, current):
     global fmt
     (cur,) = fmt.unpack(current)
     return fmt.pack(cur + rec.packets)

 # rec_to_binary
 def hu_r2b_packets(rec):
     global fmt
     return fmt.pack(rec.packets)

 # bin_to_text
 def hu_b2t_packets(current):
     global thousands_sep, fmt
     (cur,) = fmt.unpack(current)
     return num_fixed(cur, dec_fig=0, thousands_sep=thousands_sep)

 # rec_to_text
 def hu_r2t_packets(rec):
     global thousands_sep
     return num_fixed(rec.packets, dec_fig=0, thousands_sep=thousands_sep)

 ### Non-specific functions
 # bin_compare
 def hu_bin_compare(cur1, cur2):
     if (cur1 < cur2):
         return -1
     return (cur1 > cur2)

 # bin_merge
 def hu_bin_merge(current1, current2):
     global fmt
     (cur1,) = fmt.unpack(current1)
     (cur2,) = fmt.unpack(current2)
     return fmt.pack(cur1 + cur2)

 ### Register the fields
 register_field("hu-bytes", column_width=10, bin_bytes=fmt.size,
                rec_to_text=hu_r2t_bytes, rec_to_bin=hu_r2b_bytes,
                bin_to_text=hu_b2t_bytes, add_rec_to_bin=hu_ar2b_bytes,
                bin_merge=hu_bin_merge, bin_compare=hu_bin_compare,
                initial_value=initial)

 register_field("hu-packets", column_width=10, bin_bytes=fmt.size,
                rec_to_text=hu_r2t_packets, rec_to_bin=hu_r2b_packets,
                bin_to_text=hu_b2t_packets, add_rec_to_bin=hu_ar2b_packets,
                bin_merge=hu_bin_merge, bin_compare=hu_bin_compare,
                initial_value=initial)

This shows an example of the plug-in's invocation and output when the code below is stored in the file human.py.

 $ rwstats --count=5 --no-percent --python-file=human.py    \
        --fields=proto,hu-bytes,hu-packets                  \
        --values=records,hu-bytes,hu-packets data.rw
 INPUT: 501876 Records for 305417 Bins and 501876 Total Records
 OUTPUT: Top 5 Bins by Records
 pro|  hu-bytes|hu-packets|   Records|  hu-bytes|hu-packets|
  17|       328|         1|     15922|    4.98Mi|    15,922|
  17|      76.0|         1|     15482|    1.12Mi|    15,482|
   1|       840|        10|      5895|    4.72Mi|    58,950|
  17|      68.0|         1|      4249|     282Ki|     4,249|
  17|      67.0|         1|      4203|     275Ki|     4,203|

Identifying SMTP Servers

We run the rwfilter command as follows:

 $ rwfilter --start-date=2008/4/21 --end-date=2008/4/21       \
        --type=out,outweb --sipset=possible_SMTP_servers.set  \
        --python-file=SMTP.py --print-statistics

This command first collects all records of type "out" and "outweb" that have a start date on April 21, 2008. Since there are no additional command line options to filter records, all records are passed to the "rwfilter(rec)" function in SMTP.py. "rec" is an instance of the object "RWRec", which represent the record being passed.

The function "rwfilter(rec)" in SMTP.py begins by importing the global variable "counts" and "smtpports". "counts" is a dictionary indexed by source IP address and contains an array of size two, where the first element is the total number of bytes that the IP address has transferred and the second element is the number of bytes that the source address has transferred that are likely to be related to mail delivery.

Using the source IP address from the record, the function retrieves the current byte counts from the "counts" dictionary. If this is the first occurrence of the IP address, a new entry is added. The function then adds the byte count of this record to the total byte count and determines if the record is a mail delivery message. If it is a mail message, the function adds the bytes to the total of bytes transferred as mail and returns True. Otherwise, a value of False is returned.

After rwfilter processes all records it calls the "finalize()" function, which evaluates the collection of IP addresses. If the percentage of bytes that the host transferred in mail operations is greater than 85% of the total bytes transferred, the IP address is added to a final set of SMTP servers. The final set of SMTP servers is then saved to the SMTP.set file, and rwfilter exits.

 from silk import *

 # Collection of ports commonly used by SMTP servers
 smtpports = set([25, 109, 110, 143, 220, 273, 993, 995, 113])

 # Minimum percentage of mail traffic before being considered a mail server
 threshold = 0.85

 # Collection of byte counts
 counts = dict()

 # This function is run over all records.
 # Input:  An instance of the RWRec class representing the
 #         current record being processesed
 # Output: True or false value indicating if the record passes
 #         or fails the filter
 def rwfilter(rec):
     # Import the global variables needed for processing the record
     global smtpports, counts

     # Pull data from the record
     sip = rec.sip
     bytes = rec.bytes

     # Get a reference to the current data on the IP address in question
     data = counts.setdefault(sip, [0, 0])

     # Update the total byte count for the IP address
     data[0] += bytes

     # Is the flow mail related?  If so add the byte count to the mail bytes
     if (rec.protocol == 6 and rec.sport in smtpports and
         rec.packets > 3 and rec.bytes > 120):
         data[1] += bytes
         return True

     # If not mail related, fail the record
     return False

 # This is run after all records have been processed
 def finalize():
     # Import the global vriables needed to evaluate the results
     global counts, threshold

     # The IP set of SMTP servers
     smtp = IPSet()

     # Iterate through all of the IP addresses.
     for ip, data in counts.iteritems():
         if (float(data[1]) / data[0]) > threshold:
             smtp.add(ip)

     # Generate the IPset of all smtp servers.
     smtp.save('smtp.set')

 # Register these functions with rwfilter
 register_filter(rwfilter, finalize=finalize)