=pod

=head1 NAME

B<rwpackchecker> - Find unusual patterns that may indicate a corrupt file

=head1 SYNOPSIS

  rwpackchecker [--value=TEST=VALUE] [--allowable-count=TEST=ALLOWED]
        [--print-all] {[--xargs] | [FILE [FILE...]]}

=head1 DESCRIPTION

B<rwpackchecker> reads SiLK Flow records from the specified input
files or from the standard input when no files are specified and looks
for C<unusual> patterns that may indicate that the file has been
corrupted.

=head1 OPTIONS

Option names may be abbreviated if the abbreviation is unique or is an
exact match for an option.  A parameter to an option may be specified
as B<--arg>=I<param> or B<--arg> I<param>, though the first form is
required for options that take optional parameters.

=over 4

=item B<--value>=I<TEST>=I<VALUE>

Set the value of I<TEST> to the specified I<VALUE>; separate the test
name from value by C<=>.  The available I<TEST>s are given below; the
test name can be shortened to the shortest unique prefix.  The form of
I<VALUE> depends on the type of I<TEST>:

=over 4

=item *

If I<TEST> expects a minumum or maximum, I<VALUE> should be a number.

=item *

If I<TEST> expects a list of IPs, I<VALUE> should the name of a file
containing an IPset (see B<rwsetbuild(1)>).

=item *

If I<TEST> expects a list of numbers (for example, ports or
protocols), I<VALUE> should contain a comma separated list of integers
and integer-ranges where a range is two integers separated by a hyphen
(C<->).

=back

Repeat this switch for each value that you wish to set.

=item B<--allowable-count>=I<TEST>=I<ALLOWED>

Allow the named I<TEST> to be violated I<ALLOWED> of times before
treating it as C<unusual>.  I<ALLOWED> is an integer value. Separate
the test name from the allowed count by C<=>.  Repeat this switch for
each allowable count you wish to set.

=item B<--print-all>

Print the result of all tests for all input files.  Normally only
tests that are deemed C<unusual> are printed.

=item B<--xargs>

Causes B<rwpackchecker> to read file names from the standard input;
the input should have one file name per line.  B<rwpackchecker> will
open each file in turn and read records from it, as if the files had
been listed on the command line.

=back

The following tests are always run:

=over 4

=item B<min-bpp-ratio>=I<NUMBER>

Byte-per-packet ratio is less than I<NUMBER>.  Default value: 1.
Allowed count: 0.

=item B<max-bpp-ratio>=I<NUMBER>

Byte-per-packet ratio is greater than I<NUMBER>.  Default value:
16384.  Allowed count: 0.

=item B<min-bps-ratio>=I<NUMBER>

Byte-per-second ratio is less than I<NUMBER>.  Default value: 0.
Allowed count: 0.

=item B<max-bps-ratio>=I<NUMBER>

Byte-per-second ratio is greater than I<NUMBER>.  Default value:
4294967295.  Allowed count: 0.

=item B<min-packets>=I<NUMBER>

Packet count is less than I<NUMBER>.  Default value: 1.  Allowed
count: 0.

=item B<max-packets>=I<NUMBER>

Packet count is greater than I<NUMBER>.  Default value: 67108864.
Allowed count: 0.

=item B<min-bytes>=I<NUMBER>

Byte count is less than I<NUMBER>.  Default value: 1.  Allowed count:
0.

=item B<max-bytes>=I<NUMBER>

Byte count is greater than I<NUMBER>.  Default value: 4294967295.
Allowed count: 0.

=item B<min-tcp-bpp-ratio>=I<NUMBER>

TCP byte-per-packet ratio is less than I<NUMBER>.  Default value: 1.
Allowed count: 0.

=item B<max-tcp-bpp-ratio>=I<NUMBER>

TCP byte-per-packet ratio is greater than I<NUMBER>.  Default value:
16384.  Allowed count: 0.

=item B<min-udp-bpp-ratio>=I<NUMBER>

UDP byte-per-packet ratio is less than I<NUMBER>.  Default value: 1.
Allowed count: 0.

=item B<max-udp-bpp-ratio>=I<NUMBER>

UDP byte-per-packet ratio is greater than I<NUMBER>.  Default value:
16384.  Allowed count: 0.

=item B<min-icmp-bpp-ratio>=I<NUMBER>

ICMP byte-per-packet ratio is less than I<NUMBER>.  Default value: 1.
Allowed count: 0.

=item B<max-icmp-bpp-ratio>=I<NUMBER>

ICMP byte-per-packet ratio is greater than I<NUMBER>.  Default value:
16384.  Allowed count: 0.

=back

The following tests are only run when the B<--value> switch is used to
specify a value for the test.

=over 4

=item B<match-protocol>=I<LIST>

Protocol is present in I<LIST>.  No default.  Allowed count: 0.

=item B<nomatch-protocol>=I<LIST>

Protocol is not present in I<LIST>.  No default.  Allowed count: 0.

=item B<match-flags>=I<LIST>

TCP Flag Combination is present in I<LIST>.  No default.  Allowed
count: 0.

=item B<nomatch-flags>=I<LIST>

TCP Flag Combination is not present in I<LIST>.  No default.  Allowed
count: 0.

=item B<match-sip>=I<IPSET_FILE>

Source IP is present in I<IPSET_FILE>.  No default.  Allowed count: 0.

=item B<nomatch-sip>=I<IPSET_FILE>

Source IP is not present in I<IPSET_FILE>.  No default.  Allowed
count: 0.

=item B<match-dip>=I<IPSET_FILE>

Destination IP is present in I<IPSET_FILE>.  No default.  Allowed
count: 0.

=item B<nomatch-dip>=I<IPSET_FILE>

Destination IP is not present in I<IPSET_FILE>.  No default.  Allowed
count: 0.

=item B<match-sport>=I<LIST>

Source Port is present in I<LIST>.  No default.  Allowed count: 0.

=item B<nomatch-sport>=I<LIST>

Source Port is not present in I<LIST>.  No default.  Allowed count: 0.

=item B<match-dport>=I<LIST>

Destination Port is present in I<LIST>.  No default.  Allowed count:
0.

=item B<nomatch-dport>=I<LIST>

Destination Port is not present in I<LIST>.  No default.  Allowed
count: 0.

=item B<match-nhip>=I<IPSET_FILE>

Next Hop IP is present in I<IPSET_FILE>.  No default.  Allowed count:
0.

=item B<nomatch-nhip>=I<IPSET_FILE>

Next Hop IP is not present in I<IPSET_FILE>.  No default.  Allowed
count: 0.

=item B<match-input>=I<LIST>

SNMP Input is present in I<LIST>.  No default.  Allowed count: 0.

=item B<nomatch-input>=I<LIST>

SNMP Input is not present in I<LIST>.  No default.  Allowed count: 0.

=item B<match-output>=I<LIST>

SNMP Output is present in I<LIST>.  No default.  Allowed count: 0.

=item B<nomatch-output>=I<LIST>

SNMP Output is not present in I<LIST>.  No default.  Allowed count: 0.

=back


=head1 SEE ALSO

B<rwflowpack(8)>, B<rwfilter(1)>

=cut

$SiLK: rwpackchecker.pod 6904 2007-04-14 13:00:08Z mthomas $

Local Variables:
mode:text
indent-tabs-mode:nil
End: