=pod

=head1 NAME

B<rwbag> - Build a binary Bag from SiLK Flow records.

=head1 SYNOPSIS

  rwbag [--sip-flows=OUTPUTFILE] [--dip-flows=OUTPUTFILE]
        [--sport-flows=OUTPUTFILE] [--dport-flows=OUTPUTFILE]
        [--proto-flows=OUTPUTFILE]
        [--sip-packets=OUTPUTFILE] [--dip-packets=OUTPUTFILE]
        [--sport-packets=OUTPUTFILE] [--dport-packets=OUTPUTFILE]
        [--proto-packets=OUTPUTFILE]
        [--sip-bytes=OUTPUTFILE] [--dip-bytes=OUTPUTFILE]
        [--sport-bytes=OUTPUTFILE] [--dport-bytes=OUTPUTFILE]
        [--proto-bytes=OUTPUTFILE] [--compression-method=COMP_METHOD]
        [--print-filenames] [--copy-input=PATH]
        [--site-config-file=FILENAME] [--legacy-help]
        [INPUTFILE[ INPUTFILE...]]

=head1 DESCRIPTION

B<rwbag> reads SiLK Flow records and builds a Bag.  Source IP address,
destination IP address, next hop IP address, source port, destination
port, protocol, input interface index, output interface index, or
sensor ID may be used as the unique key by which to count volumes.
Flows, packets, or bytes may be used as the counter.  B<rwbag>
attempts to read raw flow records from the standard input or from any
I<INPUTFILE> arguments.  I<INPUTFILE> may also explicitly be the
keyword C<stdin>.  If the raw flow records do not contain the proper
key and counter fields, B<rwbag> prints an error to stderr and exits
abnormally.

=head1 OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an
exact match for an option.  A parameter to an option may be specified
as B<--arg>=I<param> or S<B<--arg> I<param>>, though the first form is
required for options that take optional parameters.

At least one of the following output flags must be defined.  For each,
I<OUTPUTFILE> is the name of a non-existent file, a named pipe, or the
keyword C<stdout> to write the binary Bag to the standard output.
Only one switch may use the standard output as its output stream.

=over 4

=item B<--sip-flows>=I<OUTPUTFILE>

Count number of flows by unique source IP.

=item B<--sip-packets>=I<OUTPUTFILE>

Count number of packets by unique source IP.

=item B<--sip-bytes>=I<OUTPUTFILE>

Count number of bytes by unique source IP.

=item B<--dip-flows>=I<OUTPUTFILE>

Count number of flows by unique destination IP.

=item B<--dip-packets>=I<OUTPUTFILE>

Count number of packets by unique destination IP.

=item B<--dip-bytes>=I<OUTPUTFILE>

Count number of bytes by unique destination IP.

=item B<--nhip-flows>=I<OUTPUTFILE>

Count number of flows by unique next hop IP.

=item B<--nhip-packets>=I<OUTPUTFILE>

Count number of packets by unique next hop IP.

=item B<--nhip-bytes>=I<OUTPUTFILE>

Count number of bytes by unique next hop IP.

=item B<--sport-flows>=I<OUTPUTFILE>

Count number of flows by unique source port.

=item B<--sport-packets>=I<OUTPUTFILE>

Count number of packets by unique source port.

=item B<--sport-bytes>=I<OUTPUTFILE>

Count number of bytes by unique source port.

=item B<--dport-flows>=I<OUTPUTFILE>

Count number of flows by unique destination port.

=item B<--dport-packets>=I<OUTPUTFILE>

Count number of packets by unique destination port.

=item B<--dport-bytes>=I<OUTPUTFILE>

Count number of bytes by unique destination port.

=item B<--proto-flows>=I<OUTPUTFILE>

Count number of flows by unique protocol.

=item B<--proto-packets>=I<OUTPUTFILE>

Count number of packets by unique protocol.

=item B<--proto-bytes>=I<OUTPUTFILE>

Count number of bytes by unique protocol.

=item B<--sensor-flows>=I<OUTPUTFILE>

Count number of flows by unique sensor ID.

=item B<--sensor-packets>=I<OUTPUTFILE>

Count number of packets by unique sensor ID.

=item B<--sensor-bytes>=I<OUTPUTFILE>

Count number of bytes by unique sensor ID.

=item B<--input-flows>=I<OUTPUTFILE>

Count number of flows by unique input interface index.

=item B<--input-packets>=I<OUTPUTFILE>

Count number of packets by unique input interface index.

=item B<--input-bytes>=I<OUTPUTFILE>

Count number of bytes by unique input interface index.

=item B<--output-flows>=I<OUTPUTFILE>

Count number of flows by unique output interface index.

=item B<--output-packets>=I<OUTPUTFILE>

Count number of packets by unique output interface index.

=item B<--output-bytes>=I<OUTPUTFILE>

Count number of bytes by unique output interface index.

=item B<--compression-method>=I<COMP_METHOD>

Set the compression method of the output to I<COMP_METHOD>.  Some SiLK
tools can use an external library to compress their binary output.
The list of available compression methods and the default method are
set when SiLK is compiled (the B<--help> and B<--version> switches
print the available and default compression methods) and depend on
which supported libraries are found.  SiLK can support:

=over 4

=item none

Do not compress the output using an external library

=item zlib

Use the B<zlib(3)> library for compressing the output

=item lzo1x

Use the I<lzo1x> algorithm from the LZO real time compression library
for compression

=item best

Use whichever available method gives the C<best> compression in
general, though not necessarily the C<best> for this particular
output.

=back

=item B<--print-filenames>

Prints to the standard error the names of input files as they are
opened.

=item B<--copy-input>=I<PATH>

Copy all binary input to the specified file or named pipe.  I<PATH>
can be C<stdout> to print flows to the standard output as long as the
B<--output-path> switch has been used to redirect B<rwuniq>'s ASCII
output.

=item B<--site-config-file>=I<FILENAME>

Read the SiLK site configuration from the named file I<FILENAME>.
When this switch is not provided, the location specified by the
C<$SILK_CONFIG_FILE> environment variable is used if that variable is
not empty.  The value of C<$SILK_CONFIG_FILE> should include the name
of the file.  Otherwise, the application looks for a file named
F<silk.conf> in the following directories: the directory specified in
the F<$SILK_DATA_ROOTDIR> environment variable; the data root
directory that is compliled into SiLK (use the B<--version> switch to
view this value); the directories F<$SILK_PATH/share/silk/>,
F<$SILK_PATH/share/>, or F<$SILK_PATH>; or in the F<share/silk/> and
F<share/> directories parallel to the application's directory.

=item B<--legacy-help>

Print the usage information for B<rwbag> and include the names of the
deprecated options in the output.

=back

The following options are deprecated.

=over 4

=item B<--sf-file>=I<OUTPUTFILE>

Deprecated alias for B<--sip-flows>.

=item B<--sp-file>=I<OUTPUTFILE>

Deprecated alias for B<--sip-packets>.

=item B<--sb-file>=I<OUTPUTFILE>

Deprecated alias for B<--sip-bytes>.

=item B<--df-file>=I<OUTPUTFILE>

Deprecated alias for B<--dip-flows>.

=item B<--dp-file>=I<OUTPUTFILE>

Deprecated alias for B<--dip-packets>.

=item B<--db-file>=I<OUTPUTFILE>

Deprecated alias for B<--dip-bytes>.

=item B<--port-sf-file>=I<OUTPUTFILE>

Deprecated alias for B<--sport-flows>.

=item B<--port-sp-file>=I<OUTPUTFILE>

Deprecated alias for B<--sport-packets>.

=item B<--port-sb-file>=I<OUTPUTFILE>

Deprecated alias for B<--sport-bytes>.

=item B<--port-df-file>=I<OUTPUTFILE>

Deprecated alias for B<--dport-flows>.

=item B<--port-dp-file>=I<OUTPUTFILE>

Deprecated alias for B<--dport-packets>.

=item B<--port-db-file>=I<OUTPUTFILE>

Deprecated alias for B<--dport-bytes>.

=item B<--proto-f-file>=I<OUTPUTFILE>

Deprecated alias for B<--proto-flows>.

=item B<--proto-p-file>=I<OUTPUTFILE>

Deprecated alias for B<--proto-packets>.

=item B<--proto-b-file>=I<OUTPUTFILE>

Deprecated alias for B<--proto-bytes>.

=back

=head1 EXAMPLES

To build both source IP and destination IP Bags of flows:

  rwfilter... | rwbag --sip-flow=sf.bag --dip-flow=df.bag

=head1 SEE ALSO

B<rwbagbuild(1)>, B<rwbagcat(1)>, B<rwbagtool(1)>, B<rwfilter(1)>

=cut

$SiLK: rwbag.pod 6679 2007-03-16 15:42:39Z mthomas $

Local Variables:
mode:text
indent-tabs-mode:nil
End: