trace-summary.1
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
.TH TRACE-SUMMARY "1" "November 2014" "trace-summary" "User Commands"
.SH NAME
trace-summary \- generate network traffic summaries
.SH SYNOPSIS
.B trace-summary
[\fI\,options\/\fR] [\fI\,input-file\/\fR]
.SH DESCRIPTION
.\" TeX users may be more comfortable with the \fB<whatever>\fP and
.\" \fI<whatever>\fP escape sequences to invoke bold face and italics,
.\" respectively.
\fBtrace-summary\fP generates breakdowns of
network traffic, including lists of the top hosts, protocols, ports,
etc. Optionally, it can generate output separately for incoming
vs. outgoing traffic, per subnet, and per time interval.
By default, it assumes the
.IR input-file
to be a libpcap trace file. If it is a Zeek connection log instead,
use \fB\-c\fR. If
.IR input-file
is not given, the script reads from stdin. It writes its output to stdout.
.SH OPTIONS
.TP
\fB\-\-version\fR
show program's version number and exit
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-b\fR, \fB\-\-bytes\fR
count fractions in terms of bytes rather than
packets/connections
.TP
\fB\-c\fR, \fB\-\-conn\-summaries\fR
input file contains Zeek connection summaries
.TP
\fB\-\-conn\-version\fR=\fI\,CONN_VERSION\/\fR
when used with \fB\-c\fR, specify '1' for use with Bro
version 1.x connection logs, or '2' for use with Bro
2.x format. '0' tries to guess the format
.TP
\fB\-C\fR, \fB\-\-chema\fR
for packets: include only TCP, ignore when seq==0
.TP
\fB\-e\fR, \fB\-\-external\fR
ignore strictly internal traffic
.TP
\fB\-E\fR \fIEXCLUDENETS\fR, \fB\-\-exclude\-nets\fR=\fI\,EXCLUDENETS\/\fR
excludes CIDRs in file from analysis
.TP
\fB\-i\fR \fIILEN\fR, \fB\-\-intervals\fR=\fI\,ILEN\/\fR
create summaries for time intervals of given length (seconds, or use suffix
of 'h' for hours, or 'm' for minutes)
.TP
\fB\-l\fR \fILOCALNETS\fR, \fB\-\-local\-nets\fR=\fI\,LOCALNETS\/\fR
differentiate in/out based on CIDRs in file
.TP
\fB\-n\fR \fITOPX\fR, \fB\-\-topn\fR=\fI\,TOPX\/\fR
show top <n>
.TP
\fB\-p\fR \fIPORTS\fR, \fB\-\-ports\fR=\fI\,PORTS\/\fR
include only ports listed in file
.TP
\fB\-P\fR \fISTOREPORTS\fR, \fB\-\-write\-ports\fR=\fI\,STOREPORTS\/\fR
write top total/incoming/outgoing ports into file
.TP
\fB\-r\fR, \fB\-\-resolve\-host\-names\fR
resolve host names
.TP
\fB\-R\fR \fItag\fR, \fB\-\-R\fR=\fI\,tag\/\fR
write output suitable for R into files <tag.*>
.TP
\fB\-s\fR \fIFACTOR\fR, \fB\-\-sample\-factor\fR=\fI\,FACTOR\/\fR
sample factor of input
.TP
\fB\-S\fR \fISAMPLE\fR, \fB\-\-do\-sample\fR=\fI\,SAMPLE\/\fR
sample input with probability (0.0 < prob < 1.0)
.TP
\fB\-m\fR, \fB\-\-save\-mem\fR
do not make memory\-expensive statistics
.TP
\fB\-t\fR, \fB\-\-tcp\fR
include only TCP
.TP
\fB\-u\fR, \fB\-\-udp\fR
include only UDP
.TP
\fB\-U\fR \fIMINTIME\fR, \fB\-\-min\-time\fR=\fI\,MINTIME\/\fR
minimum time in ISO format (e.g. 2005\-12\-31\-23\-59\-00)
.TP
\fB\-v\fR, \fB\-\-verbose\fR
show top\-n for every interval
.TP
\fB\-V\fR \fIMAXTIME\fR, \fB\-\-max\-time\fR=\fI\,MAXTIME\/\fR
maximum time in ISO format
.SH AUTHOR
.B trace-summary
was written by The Zeek Project <[email protected]>.
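The in/out split that \fB\-l\fR, the byte weighting that \fB\-b\fR and the internal-traffic filter that \fB\-e\fR describe above, worked through on a Zeek connection log as an added example; this is illustrative code, not trace-summary's own implementation, and the local-nets file, the conn.log excerpt and the choice to attribute each connection to its originator host are constructed assumptions.

```python
import ipaddress
from collections import Counter
# Constructed sample of a -l/--local-nets file: one CIDR per line.
LOCAL_NETS = "10.0.0.0/8\n192.168.1.0/24\n"
# Constructed Zeek conn.log excerpt (TSV; only the fields this example reads).
CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\n"
    "1415000000.0\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\t1200\t48000\n"
    "1415000001.0\t10.0.0.5\t51235\t93.184.216.34\t443\ttcp\t800\t32000\n"
    "1415000002.0\t198.51.100.7\t40000\t192.168.1.10\t22\ttcp\t500\t-\n"
    "1415000003.0\t10.0.0.9\t5353\t10.0.0.1\t53\tudp\t60\t120\n"
)

def parse_nets(text):
    # CIDRs from a local-nets style file, skipping blank and '#' lines
    return [ipaddress.ip_network(ln.strip()) for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]

def parse_conn_log(text):
    # Yield one dict per record, keyed by the names in the #fields header
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def conn_bytes(rec):
    # orig_bytes + resp_bytes, with Zeek's '-' (unset) counted as 0
    return sum(int(rec[k]) for k in ("orig_bytes", "resp_bytes") if rec.get(k, "-") != "-")

def summarize(conn_text, nets_text, by_bytes=False, topn=10, external=False):
    # Top-N originator hosts per direction, weighted by connections or, as with
    # -b, by bytes; external=True drops strictly internal traffic like -e does.
    nets = parse_nets(nets_text)
    local = lambda a: any(ipaddress.ip_address(a) in n for n in nets)
    buckets = {"incoming": Counter(), "outgoing": Counter(), "internal": Counter()}
    for rec in parse_conn_log(conn_text):
        orig_local, resp_local = local(rec["id.orig_h"]), local(rec["id.resp_h"])
        if orig_local and resp_local:
            if external:
                continue
            direction = "internal"
        elif orig_local:
            direction = "outgoing"
        elif resp_local:
            direction = "incoming"
        else:
            continue  # neither endpoint is local: no direction to attribute
        buckets[direction][rec["id.orig_h"]] += conn_bytes(rec) if by_bytes else 1
    return {d: c.most_common(topn) for d, c in buckets.items()}
```

A connection whose originator is local counts as outgoing and one whose responder is local as incoming, so a host that only ever initiates never appears in the incoming list even when it receives most of the bytes.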