cutmatch(3)			SiLK Tool Suite			   cutmatch(3)

NAME
       cutmatch - Display value in next-hop field written by rwmatch

SYNOPSIS
	 rwcut --plugin=cutmatch.so --fields=...,match,...  ...

DESCRIPTION
       The cutmatch plug-in creates a field in rwcut(1) that provides a more
       user-friendly representation of the match parameter value that
       rwmatch(1) writes into a SiLK Flow record's next hop IP field.

       The cutmatch plug-in defines a "match" field that displays the
       direction of the flow ("->" represents a query and "<-" a response) and
       the numeric match ID.

OPTIONS
       The cutmatch plug-in modifies the following switch of rwcut(1):

       --fields=FIELDS
           FIELDS refers to a list of fields to print.  The cutmatch plug-in
           adds the following field:

           match
               Print the direction of the flow ("->" represents a query and
               "<-" a response) and the numeric match ID.

EXAMPLES
       In the following examples, the dollar sign ("$") represents the shell
       prompt.  The text after the dollar sign represents the command line.
       Lines have been wrapped for improved readability, and the back slash
       ("\") is used to indicate a wrapped line.

       Given two files containing unidirectional flow records, use rwsort(1)
       and rwmatch(1) to create the file matched.rw where a query and its
       response have been labeled with a unique value in the next-hop IP
       field.  See the rwmatch manual page for more information.

        $ rwsort --fields=1,4,2,3,5,stime incoming.rw > incoming-query.rw
        $ rwsort --fields=2,3,1,4,5,stime outgoing.rw > outgoing-response.rw
        $ rwmatch --relate=1,2 --relate=4,3 --relate=2,1 --relate=3,4 \
               --relate=5,5 incoming-query.rw outgoing-response.rw matched.rw

       To use the plug-in, you must explicitly load it into rwcut(1) by
       specifying the --plugin switch.  You can then include "match" in the
       list of --fields to print:

        $ rwcut --plugin=cutmatch.so --num-rec=8  \
               --fields=sIP,sPort,match,dIP,dPort,type matched.rw
                    sIP|sPort| <->Match#|            dIP|dPort|   type|
            10.4.52.235|29631|->       1|192.168.233.171|   80|  inweb|
        192.168.233.171|   80|<-       1|    10.4.52.235|29631| outweb|
            10.9.77.117|29906|->       2| 192.168.184.65|   80|  inweb|
         192.168.184.65|   80|<-       2|    10.9.77.117|29906| outweb|
          10.14.110.214|29989|->       3| 192.168.249.96|   80|  inweb|
         192.168.249.96|   80|<-       3|  10.14.110.214|29989| outweb|
            10.18.66.79|29660|->       4| 192.168.254.69|   80|  inweb|
         192.168.254.69|   80|<-       4|    10.18.66.79|29660| outweb|

       This shows external hosts querying the web server (the Match column
       contains "->") and the web server's responses ("<-").
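
       Because every record carries a direction and a match ID, the rwcut
       text can be checked for match IDs that show only one side of an
       exchange.  The following is an added example, not part of the SiLK
       manual page; the function names and the sample lines are constructed,
       and it assumes the output has titles and includes sIP, dIP and match.

```shell
# Constructed sample: rwcut output with the cutmatch "match" column; the
# response for match 3 is missing, as happens when --num-rec cuts a pair.
sample_rwcut_output() {
cat <<'EOF'
            sIP|sPort| <->Match#|            dIP|dPort|   type|
    10.4.52.235|29631|->       1|192.168.233.171|   80|  inweb|
192.168.233.171|   80|<-       1|    10.4.52.235|29631| outweb|
    10.9.77.117|29906|->       2| 192.168.184.65|   80|  inweb|
 192.168.184.65|   80|<-       2|    10.9.77.117|29906| outweb|
  10.14.110.214|29989|->       3| 192.168.249.96|   80|  inweb|
EOF
}

# Read rwcut text on stdin and print one line per match ID:
#   id|querier|responder|query-records|response-records|status
summarize_matches() {
    awk -F'|' '
    function trim(x) { gsub(/^[ \t]+|[ \t]+$/, "", x); return x }
    NR == 1 {                              # locate columns by title
        for (i = 1; i <= NF; i++) {
            t = trim($i)
            if (t == "<->Match#") m = i
            else if (t == "sIP")  s = i
            else if (t == "dIP")  d = i
        }
        next
    }
    m && s && d {
        f = trim($m); dir = substr(f, 1, 2)   # "->" query, "<-" response
        id = f; sub(/^(->|<-)[ \t]*/, "", id) # numeric match ID
        if ((dir != "->" && dir != "<-") || id !~ /^[0-9]+$/) next
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        if (dir == "->") { q[id]++; cli[id] = trim($s); srv[id] = trim($d) }
        else { r[id]++; if (!(id in cli)) { cli[id] = trim($d); srv[id] = trim($s) } }
    }
    END {
        for (k = 1; k <= n; k++) {
            id = order[k]
            st = (q[id] && r[id]) ? "paired" : (q[id] ? "no-response" : "no-query")
            printf "%s|%s|%s|%d|%d|%s\n", id, cli[id], srv[id], q[id], r[id], st
        }
    }'
}
```

       With real data, pipe the rwcut command shown above into
       summarize_matches in place of the constructed sample.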

       Using the "sIP" and "dIP" fields may be confusing when the file you are
       examining contains both incoming and outgoing flow records.  To make
       the output from rwmatch clearer, consider using the
       int-ext-fields(3) plug-in as well.  That plug-in allows you to display
       the external IPs in one column and the internal IPs in another
       column.  See its manual page for additional information.

        $ export INCOMING_FLOWTYPES=all/in,all/inweb
        $ export OUTGOING_FLOWTYPES=all/out,all/outweb
        $ rwcut --plugin=cutmatch.so --plugin=int-ext-fields.so --num-rec=8 \
             --fields=ext-ip,ext-port,match,int-ip,int-port,type matched.rw
                ext-ip|ext-p| <->Match#|         int-ip|int-p|   type|
           10.4.52.235|29631|->       1|192.168.233.171|   80|  inweb|
           10.4.52.235|29631|<-       1|192.168.233.171|   80| outweb|
           10.9.77.117|29906|->       2| 192.168.184.65|   80|  inweb|
           10.9.77.117|29906|<-       2| 192.168.184.65|   80| outweb|
         10.14.110.214|29989|->       3| 192.168.249.96|   80|  inweb|
         10.14.110.214|29989|<-       3| 192.168.249.96|   80| outweb|
           10.18.66.79|29660|->       4| 192.168.254.69|   80|  inweb|
           10.18.66.79|29660|<-       4| 192.168.254.69|   80| outweb|

ENVIRONMENT
       SILK_PATH
           This environment variable gives the root of the install tree.  When
           searching for plug-ins, a SiLK application may use this environment
           variable.  See the "FILES" section for details.

       SILK_PLUGIN_DEBUG
           When set to 1, the SiLK applications print status messages to the
           standard error as they attempt to find and open the cutmatch.so
           plug-in.  A typical invocation using this variable is:

            env SILK_PLUGIN_DEBUG=1 rwcut --plugin=cutmatch.so --version

FILES
       ${SILK_PATH}/lib64/silk/cutmatch.so
       ${SILK_PATH}/lib64/cutmatch.so
       ${SILK_PATH}/lib/silk/cutmatch.so
       ${SILK_PATH}/lib/cutmatch.so
       /usr/local/lib64/silk/cutmatch.so
       /usr/local/lib64/cutmatch.so
       /usr/local/lib/silk/cutmatch.so
       /usr/local/lib/cutmatch.so
	   Possible locations for the plug-in.

SEE ALSO
       rwcut(1), rwmatch(1), rwsort(1), int-ext-fields(3), silk(7)

SiLK 3.22.2			  2025-11-01			   cutmatch(3)
