

Rwstats - Print top-N or bottom-N lists or summarize data by protocol

SYNOPSIS

rwstats -fields=KEY

Rwstats has two modes of operation: it can compute a Top-N or Bottom-N list, or it can summarize data for a list of protocols.

In either mode, rwstats reads SiLK Flow records from the files named on the command line or from the standard input when no file names are specified and -xargs is not present. To read the standard input in addition to the named files, use - or stdin as a file name. gz, the file is uncompressed as it is read. When the -xargs switch is provided, rwstats reads the names of the files to process from the named text file or from the standard input if no file name argument is provided to the switch. The input to -xargs must contain one file name per line.

Rwstats reads SiLK Flow records and groups them by a key composed of user-specified attributes of the flows. For each group (or bin), a collection of aggregate values is computed; these values are typically related to the volume of the bin, such as the sum of the bytes fields for all records that match the key. The first aggregate value is called the primary aggregate value. Once all the SiLK Flow records are read, rwstats sorts the bins by the primary aggregate value in either decreasing order (for a top-N list) or increasing order (for a bottom-N list). The ordering of bins that have the same primary aggregate value is arbitrary.

The bins are printed as text, and the number of bins to print may be specified as a fixed value (e.g., print 10 bins), as a threshold (print bins whose byte count is greater than 400), or as a percentage of the total volume across all bins (print bins that contain at least 10% of all the packets).

The user must provide the -fields switch to select the flow attribute(s) (or field(s)) that comprise the key for each bin. The available fields are similar to those supported by rwcut(1); see the description of the -fields switch in the "OPTIONS" section below for the details or run rwstats with the -help-fields switch. The list of fields may be extended by loading PySiLK files (see silkpython(3)) or plug-ins (silk-plugin(3)). The fields are printed in the order in which they occur in the -fields switch. The size of the key is limited to 256 octets. A larger key more quickly uses the available memory and results in slower performance.

The aggregate value(s) to compute for each bin are also chosen by the user. As with the key fields, the user may extend the list of aggregate fields by using PySiLK or plug-ins. The preferred way to specify the aggregate fields is to use the -values switch; the aggregate fields are printed in the order they occur in the -values switch. If the user does not select any aggregate value(s), rwstats defaults to computing the number of flow records for each bin. As with the key fields, requesting more aggregate values slows performance.

In addition to computing the primary aggregate value for the flows in each bin, rwstats computes that aggregate value across all flow records. When printing the results, the output for each bin includes the ratio of the bin's aggregate value to the total aggregate value (displayed as a percentage). In addition, a cumulative percentage column is printed. When the primary aggregate value is a distinct count, the cumulative percentage may be greater than 100. The percentage columns contain a question mark when the primary aggregate value comes from a plug-in since rwstats does not know whether summing the aggregate values is reasonable. The display of the percentage columns may be suppressed by specifying -no-percents.

Rwstats attempts to keep all key and aggregate value data in the computer's memory. If rwstats runs out of memory, the current key and aggregate value data is written to a temporary file.
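The following Python sketch is an added example, not rwstats code or output. It models the top-N computation described on this page (binning by key, a primary aggregate, decreasing sort, percentage and cumulative percentage columns, and the three ways of limiting the bins) and shows why a distinct count can push the cumulative percentage past 100. The function name top_n, the "distinct:<field>" value syntax, and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flows (not real traffic): sIP, dIP, dPort, bytes.
NAMES = ("sIP", "dIP", "dPort", "bytes")
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, 5000),
    ("10.0.0.5", "192.0.2.11", 443, 3000),
    ("10.0.0.7", "192.0.2.10", 53, 1500),
    ("10.0.0.5", "192.0.2.10", 53, 100),
    ("10.0.0.9", "192.0.2.12", 22, 400),
]

def top_n(flows, fields, value="bytes", count=None, threshold=None,
          percentage=None):
    """Model of a top-N list; top_n and its value names are hypothetical.
    value: "bytes" (sum), "records" (count) or "distinct:<field>".
    Returns rows of (key, aggregate, percent, cumulative_percent).
    """
    distinct = value.split(":", 1)[1] if value.startswith("distinct:") else None
    bins = defaultdict(set if distinct else int)
    seen_all = set()
    for flow in flows:
        rec = dict(zip(NAMES, flow))
        key = tuple(rec[f] for f in fields)
        if distinct:
            bins[key].add(rec[distinct])
            seen_all.add(rec[distinct])
        else:
            bins[key] += rec["bytes"] if value == "bytes" else 1
    agg = {k: len(v) if distinct else v for k, v in bins.items()}
    # The total is taken across all records, not by adding up the bins, so
    # overlapping distinct counts can push the cumulative column past 100.
    total = len(seen_all) if distinct else sum(agg.values())
    # Decreasing order; ties broken by key only to make this model repeatable.
    ordered = sorted(agg.items(), key=lambda kv: (-kv[1], kv[0]))
    rows, cumul = [], 0.0
    for key, val in ordered:
        pct = 100.0 * val / total
        if ((count is not None and len(rows) >= count)
                or (threshold is not None and val <= threshold)
                or (percentage is not None and pct < percentage)):
            break
        cumul += pct
        rows.append((key, val, round(pct, 2), round(cumul, 2)))
    return rows

if __name__ == "__main__":
    for row in top_n(FLOWS, ("dPort",), value="distinct:sIP"):
        print(row)
```

The threshold and percentage limits follow the page's wording (greater than the threshold, at least the percentage); source 10.0.0.5 is counted in both the port 443 and port 53 bins, which is what makes the distinct-count column sum past the overall total.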
