|
NAMErwguess - Determine which SNMP interfaces are activeSYNOPSISrwguess [{ --top=NUM | --print-all }] PDU_FILE [PDU_FILE...] rwguess --help rwguess --version DESCRIPTIONrwguess is deprecated as of SiLK 3.8.3 and it will be removed in the SiLK 4.0 release. Replace invocations of rwguess with rwpdu2silk (1) and either rwstats(1) or rwuniq(1) as shown in "EXAMPLES".rwguess reads NetFlow v5 PDUs from file(s) specified on the command line and counts the number of flow records that are seen on each input and output SNMP interface. Once all input has been processed, rwguess sorts the SNMP interfaces by the number of records each interface saw, and prints the two sorted lists, one for the input interfaces and one for the output interfaces. By default, only the top-10 interfaces are printed; the number of rows printed may be changed with the --top switch. When the --print-all switch is specified, the results are printed in SNMP interface order, with one column for the input record count and another for the output record count, and one row for each interface that saw traffic. The purpose of rwguess is to help one configure the "sensor" blocks in the silk.conf (5) file used by rwflowpack(8) to categorize flow records into classes and types. The PDU files are expected to be in the form created by NetFlow Collector: Each file's size must be an integer multiple of 1464, where each 1464 byte chunk contains a 24 byte NetFlow v5 header and space for thirty 48 byte NetFlow records. The number of valid records per chunk is specified in the PDU header. To convert a PDU file to a stream of SiLK Flow records, use rwpdu2silk(1). OPTIONSOption names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
EXAMPLESrwguess is deprecated. This section demonstrates how to get equivalent functionality by piping the output from rwpdu2silk(1) into either rwstats(1) or rwuniq(1).In the following examples, the dollar sign ("$") represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the back slash ("\") is used to indicate a wrapped line. Top-N ListBy default, rwguess creates a top-10 list of SNMP interfaces.$ rwguess file.pdu Top 10 (of 36) SNMP Input Interfaces Index| Input_Recs| 54| 3466| 38| 1374| 84| 770| 88| 746| 56| 737| 68| 513| 106| 508| 62| 373| 114| 323| 8| 321| Top 10 (of 37) SNMP Output Interfaces Index| Output_Recs| 54| 3507| 38| 885| 98| 699| 84| 673| 88| 671| 56| 605| 58| 538| 106| 501| 92| 460| 62| 380| Use rwpdu2silk to convert the file to SiLK flow format, and pipe the result to rwstats. You must invoke rwstats twice, once the input interface (--field=in) and once for the output interface (--field=out). The --copy-input switch allows the second rwstats command to read output from rwpdu2silk. $ rwpdu2silk file.pdu \ | rwstats --count=10 --fields=in --copy-input=- --output-path=stderr \ | rwstats --count=10 --fields=out INPUT: 12056 Records for 36 Bins and 12056 Total Records OUTPUT: Top 10 Bins by Records in| Records| %Records| cumul_%| 54| 3466| 28.750663| 28.750663| 38| 1374| 11.398869| 40.149532| 84| 770| 6.388336| 46.537868| 88| 746| 6.193106| 52.730975| 56| 737| 6.117718| 58.848693| 68| 513| 4.261379| 63.110072| 106| 508| 4.216760| 67.326831| 62| 373| 3.094729| 70.421560| 114| 323| 2.681877| 73.103437| 8| 321| 2.666285| 75.769722| INPUT: 12056 Records for 37 Bins and 12056 Total Records OUTPUT: Top 10 Bins by Records out| Records| %Records| cumul_%| 54| 3507| 29.089205| 29.089205| 38| 885| 7.347980| 36.437185| 98| 699| 5.801735| 42.238920| 84| 673| 5.588923| 47.827843| 88| 671| 5.572502| 53.400345| 56| 605| 5.022807| 58.423152| 58| 538| 4.462497| 62.885649| 106| 501| 4.155802| 67.041451| 92| 460| 3.821822| 70.863273| 62| 380| 3.157428| 74.020701| Seeing all interfacesThe --print-all switch shows all interfaces.$ rwguess --print-all file2.pdu Index| Input_Recs| Output_Recs| 10| 17099| 17115| 172| 7893| 7893| 192| 25008| 24992| Use rwuniq to generate similar output, though you must run rwuniq twice (as with rwstats in the previous example). $ rwpdu2silk file2.pdu \ | rwuniq --sort --fields=in --copy-input=- --output-path=stderr \ | rwuniq --sort --fields=out in| Records| 10| 17099| 172| 7893| 192| 25008| out| Records| 10| 17115| 172| 7893| 192| 24992| SEE ALSOrwpdu2silk(1), rwstats(1), rwuniq(1), rwflowpack(8), silk.conf(5), silk(7)
Visit the GSP FreeBSD Man Page Interface. |