
addrtype(3)                     SiLK Tool Suite                    addrtype(3)

NAME

addrtype - Labeling IPv4 addresses as internal or external

SYNOPSIS

    rwfilter [--stype=ID] [--dtype=ID] ...

    rwcut --fields=sType,dType ...

    rwgroup --id-fields=sType,dType ...

    rwsort --fields=sType,dType ...

    rwstats --fields=sType,dType ...

    rwuniq --fields=sType,dType ...

DESCRIPTION

The address type mapping file provides a way to map an IPv4 address to an integer denoting the IP as internal, external, or non-routable. With this mapping file, SiLK flow records can be partitioned (rwfilter(1)), displayed (rwcut(1)), grouped (rwgroup(1)), sorted (rwsort(1)), and counted (rwstats(1) and rwuniq(1)) by the characteristic of the address.

The address type is a specialized form of the Prefix Map, pmapfilter(3), where the following labels are assumed to exist and to have the indicated values:

    0   denotes a (non-routable) IP address

    1   denotes an IP address internal to the monitored network

    2   denotes an IP address external to the monitored network

The SiLK tools look for the address type mapping file in a standard location as detailed in the "FILES" section below. To provide an alternate location, specify that location in the SILK_ADDRESS_TYPES environment variable.

Creating the prefix map file that maps IPs to one of these labels is described in the "MAPPING FILE" section below.

OPTIONS

The address type utility provides the following options to the indicated applications.

rwfilter Switches

    --stype=ID
        When ID is 0, pass the record if its source address is non-routable. When ID is 1, pass the record if its source address is internal. When ID is 2, pass the record if its source address is external (i.e., routable and not internal). When ID is 3, pass the record if its source address is not internal (non-routable or external).

    --dtype=ID
        As --stype for the destination IP address.

rwcut, rwgroup, rwsort, rwstats, and rwuniq Switches

    --fields=FIELDS
        FIELDS refers to a list of fields to use for the operation. The address type utility makes two additional fields, "sType" (alias 16) and "dType" (17) available for display, grouping, sorting, and counting using the rwcut(1), rwgroup(1), rwsort(1), rwstats(1), and rwuniq(1) tools:

        sType,16
            For the source IP address, prints 0 if the address is non-routable, 1 if it is internal, or 2 if it is routable and external.

        dType,17
            as sType, except for the destination address

MAPPING FILE

To denote an address as "non-routable", "internal", or "external" at your site, you will need to create the address_types.pmap file and either install it in the appropriate location (see the "FILES" section below) or set the SILK_ADDRESS_TYPES environment variable to the file's location.

The rwpmapbuild(1) tool creates a prefix map file from a text file. A template for the text file is available in $SILK_PATH/share/silk/addrtype-templ.txt. The text file used to create address_types.pmap must include the following section to ensure that IPs are mapped to the integer values that the addrtype.so expects:

    # Numerical mappings of labels
    label 0 non-routable
    label 1 internal
    label 2 external
    # Default to "external" for all un-defined ranges.
    default external

The remainder of the file can list CIDR blocks and a label for each block:

    # RFC1918 space
    10.0.0.0/8       non-routable
    172.16.0.0/12    non-routable
    192.168.0.0/16   non-routable
    # My IP space (CMU)
    128.2.0.0/16     internal

Once the text file is saved to disk, use rwpmapbuild to create address_types.pmap:

    rwpmapbuild --input addresses.txt --output address_types.pmap
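The label numbering and the --stype/--dtype ID semantics above can be checked on the text file before it is compiled. The following Python sketch is an added example, not part of SiLK or of this manual page: the names parse, addr_type and type_pass are hypothetical, the sample text is constructed from the template lines above, and it assumes the CIDR blocks do not overlap (rwpmapbuild's own overlap handling is not modelled).

```python
import ipaddress

# Label numbering that the MAPPING FILE section says the text file must use.
REQUIRED = {0: "non-routable", 1: "internal", 2: "external"}

# Constructed sample input, built from the template lines on this page.
SAMPLE = """\
label 0 non-routable
label 1 internal
label 2 external
default external
# RFC1918 space
10.0.0.0/8       non-routable
172.16.0.0/12    non-routable
192.168.0.0/16   non-routable
128.2.0.0/16     internal
"""

def parse(text):
    """Return (blocks, default_id); raise ValueError on a bad label section."""
    labels, blocks, default = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "label":
            labels[int(parts[1])] = parts[2]
        elif parts[0] == "default":
            default = parts[1]
        else:
            blocks.append((ipaddress.ip_network(parts[0]), parts[1]))
    if labels != REQUIRED:
        raise ValueError(f"label section must be {REQUIRED}, got {labels}")
    ids = {name: num for num, name in labels.items()}
    try:
        return [(net, ids[name]) for net, name in blocks], ids[default]
    except KeyError as exc:                   # unknown label or no default
        raise ValueError(f"undefined label {exc}") from None

def addr_type(ip, blocks, default_id):
    addr = ipaddress.ip_address(ip)
    # Sample blocks do not overlap, so the first match is the only match.
    return next((t for net, t in blocks if addr in net), default_id)

def type_pass(type_id, wanted):
    """Mirror --stype/--dtype=ID: ID 3 means 'not internal' (type 0 or 2)."""
    return type_id != 1 if wanted == 3 else type_id == wanted
```

A file whose label lines swap "internal" and "external" is rejected by parse, which is the mistake that would otherwise silently invert every sType/dType result.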

ENVIRONMENT

SILK_ADDRESS_TYPES
    This environment variable allows the user to specify the address type mapping file to use. The value may be a complete path or a file relative to SILK_PATH. If the variable is not specified, the code looks for a file named address_types.pmap as specified in the "FILES" section below.

SILK_PATH
    This environment variable gives the root of the install tree. The SiLK applications check the directories $SILK_PATH/share/silk and $SILK_PATH/share for the address type mapping file, address_types.pmap.

FILES

The tools will look for the data file that maps IPs to labels in the following locations. ($SILK_ADDRESS_TYPES is the value of the SILK_ADDRESS_TYPES environment variable, if it is set. $SILK_PATH is the value of the SILK_PATH environment variable, if it is set. The use of /usr/local/ assumes the application is installed in the /usr/local/bin/ directory.)

    $SILK_ADDRESS_TYPES
    $SILK_PATH/share/silk/address_types.pmap
    $SILK_PATH/share/address_types.pmap
    /usr/local/share/silk/address_types.pmap
    /usr/local/share/address_types.pmap

SEE ALSO

rwcut(1), rwfilter(1), rwgroup(1), rwpmapbuild(1), rwpmapcat(1), rwsort(1), rwstats(1), rwuniq(1), pmapfilter(3), silk(7)

SiLK 3.11.0.1                      2016-02-19                      addrtype(3)
