Manual Reference Pages  - AC (1)


ac - the shoki anomaly counter




ac [-a score] [-b dbname] [-c max_count] [-C conf_file] [-D chrdir] [-E stop] [-f] [-h] [-l linktype] [-L logfname] [-r dumpfile] [-s snaplen] [-S start] [-q count_queue] [-Q] [-U luser] [-v verbosity] [bpf_filter]


ac is a tool for reading through pcap dumpfiles and logging information about the regularity with which certain features occur within the packets.

If the -a flag is given, then anomaly scores will be reported and no data will be added to the anomaly database. If the -a flag is not given, no anomaly scores will be reported and anomaly counting information will be logged to the specified database. In other words, the -a flag determines if ac will operate in input mode (flag not given) or output mode (flag given).


-a score If specified, the -a flag specifies that anomaly scores be reported on the packets in the input dumpfile. The score must be given if the -a flag is used, and is the minimum anomaly score which will be logged (so a score of 0.0 will cause anomaly scores for all matching packets to be logged).
-b dbname Specifies the name of the postgres database containing anomaly information.

For more information, consult the README.database file in the doc directory of the shoki distribution.

-c max_count
  Only read max_count packets.
-C conf_file
  Read an alternate config file. By default, /usr/local/shoki/etc/ac.conf will be used.
-D chrdir If specified, does a chroot(2) to chrdir.
-E stop Only look at packets with timestamps on or before stop. A value of seconds after the start of the epoch is assumed.

See also -S .

-f Attempt fragment reassembly.

Consult the README and/or the source for more information about how frag reassembly works.

-h Display a usage message and exit.
-l linktype
  The (numeric) linktype to use when compiling BPF filters. Defaults to 1 (DLT_EN10MB).
-L logfile
  For filter methods that support logging to a file, output will be sent to logfile. Use `-' (without the quotes) for stdout.
-r dumpfile
  Read packets from dumpfile. The specified file must be a libpcap-style dumpfile. It may be gzip'd.
-s snaplen
  Sets the default snaplen. If not specified, 65535 is assumed.

Individual filter rules can specify a different snaplen for packets matching that filter.

-S start Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed.

See also -E.

-q count_queue
  If specified, sets the number of unique anomaly values to collect before connecting to the database for logging. If the -a flag is also given, this has no effect.

In general terms, setting the value of count_queue to a larger value will help performance at the cost of memory usage, and a smaller value will reduce memory usage at the cost of performance.

The default value is 65535.

-Q If specified, quick anomaly scoring is conducted. By default, all source and destination ports are considered in computing anomaly scores. If the -Q flag is given, source and destination ports greater than 1024 are ignored if the other port in the source/destination pair is less than or equal to 1024. In other words, this flag will cause high-numbered ports to be ignored if one of the ports in a packet is a low-numbered port.
-U luser If specified, setuid/setgid to specified luser.
-v verbosity
  Set the verbosity level to verbosity. Exactly what this entails tends to vary from release to release. In general, you won't want to specify a verbosity level unless you're doing debugging.

See also -f.
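
The input and output modes described above, together with the epoch-second values that -S and -E expect, written as a small wrapper script. This is an added example, not part of the shoki distribution: the helper names (to_epoch, ac_train, ac_score), the database name, the capture file names and the dates are constructed, and to_epoch assumes GNU date.

```shell
#!/bin/sh
# Added example: wrappers for ac's input and output modes.
# Not shoki's own code. Database and file names below are constructed.

AC=${AC:-ac}   # set AC=echo for a dry run that prints the command line

# -S and -E take seconds since the epoch; convert a UTC timestamp.
# Assumes GNU date (-d).
to_epoch() {
    date -u -d "$1" +%s
}

# Input mode (no -a): count features from a baseline capture into the
# database, limited to the window START..STOP.
# usage: ac_train DB DUMPFILE START STOP [options...] [bpf_filter]
ac_train() {
    db=$1; dump=$2
    start=$(to_epoch "$3") || return 1
    stop=$(to_epoch "$4") || return 1
    if [ "$start" -gt "$stop" ]; then
        echo "ac_train: start is after stop" >&2
        return 1
    fi
    shift 4
    "$AC" -b "$db" -r "$dump" -S "$start" -E "$stop" "$@"
}

# Output mode (-a given): report packets scoring at least MIN_SCORE.
# Nothing is added to the database in this mode.
# usage: ac_score DB DUMPFILE MIN_SCORE [options...] [bpf_filter]
ac_score() {
    db=$1; dump=$2; min=$3
    shift 3
    "$AC" -a "$min" -b "$db" -r "$dump" "$@"
}

# Example session (constructed names):
#   ac_train anomalies baseline.pcap.gz '2003-11-01 00:00:00' '2003-11-05 23:59:59' tcp
#   ac_score anomalies suspect.pcap 0.0 -Q tcp
```
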


/usr/local/shoki/etc/ac.conf ac config file.


Stephen P. Berry

More information can be found at the shoki homepage:


Check the README at the top of the source tree.

November 6, 2003 AC (1) shoki