hustler - the shoki packet hustler
hustler [-c max_count] [-C conf_file] [-d density] [-D chrdir] [-E stop] [-f] [-F filterfile] [-h] [-L logfname] [-o] [-P] [-r dumpfile] [-R radix] [-s snaplen] [-S start] [-U luser] [-v verbosity] [-w outdump] [-W wconf] [-x]
The shoki packet hustler is a tool for visualising network traffic. Some of the things it does are:
- Plot any three user-specified packet header variables against each other simultaneously: as three 2d plots (x-y, x-z, and y-z) and as a 3d isometric view.
- Plots using derived variables (relative times, running averages, and so on)
- Highlighting and selecting via shoki filter rules
- Cluster analysis
- Fast Fourier transformation of packet header variables
- Phase space visualisation of packet header variables
File reading is handled via zlib(3), so hustler can read gzip'd dumpfiles.
-c max_count
    Read no more than max_count packets.
-C conf_file
    Read an alternate config file. By default, /usr/local/shoki/etc/hustler.conf will be used.
-d density
    Sets the clustering density threshold to density.
-D chrdir
    If specified, does a chroot(2) to chrdir.
-E stop
    Only look at packets with timestamps on or before stop. A value of seconds after the start of the epoch is assumed. See also -S.
-f
    Attempt fragment reassembly. Consult the README and/or the source for more information about how frag reassembly works.
-F filterfile
    Read filter expressions from filterfile. Consult the shoki.filters(5) manpage for details of the filter format.
-h
    Display a usage message and exit.
-L logfname
    For filter methods that support logging to a file, output will be sent to logfname. Use `-' (without the quotes) for stdout.
-o
    Turn off filter rule optimisation. Unless you have very few filter rules you almost certainly want to use optimisation.
    NOTE: This is the opposite of the behaviour of the flag prior to shoki-0.3.0.
-P
    Turn on passive fingerprinting. Consult the fp(1) manpage for more details.
-r dumpfile
    Read packets from dumpfile. The specified file must be a libpcap-style dumpfile. It may be gzip'd.
-R radix
    Sets the clustering radix to radix.
-s snaplen
    Sets the default snaplen. If not specified, 65535 is assumed. Individual filter rules can specify a different snaplen for packets matching that filter.
-S start
    Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed. See also -E.
-U luser
    If specified, setuid/setgid to the specified luser.
-v verbosity
    Set the verbosity level to verbosity. Exactly what this entails tends to vary from release to release. In general, you won't want to specify a verbosity level unless you're doing debugging.
-W wconf
    Reads a set of whitening (or sanitising) rules from wconf and applies them to the data. The format of the config file is documented in the whiten.conf(5) man page. By default, whitening takes place after filtering. See also the -x flag below.
-x
    Does whitening before applying filters. By default, whitening takes place after filtering. This option has no effect if the -W option is not also used.
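The -S and -E flags take seconds since the epoch, which is awkward to type by hand. The script below is an added example, not part of shoki: it converts a UTC timestamp to epoch seconds with a calendar calculation in awk (portable across date(1) variants) and assembles a hustler argument list for an inclusive time window that also drops privileges with -U. The dump and filter file names and the luser "nobody" are constructed placeholders.

```shell
#!/bin/sh
# utc_to_epoch "YYYY-MM-DD HH:MM:SS" -> seconds since 1970-01-01 00:00:00 UTC.
# Uses the days-from-civil algorithm in awk so it does not depend on
# GNU date -d or BSD date -j. Input is assumed to be UTC.
utc_to_epoch() {
    echo "$1" | awk -F'[- :]' '{
        y = $1 + 0; m = $2 + 0; d = $3 + 0
        if (m <= 2) y -= 1                 # Jan/Feb belong to previous "year"
        era = int(y / 400)
        yoe = y - era * 400                # year of era [0, 399]
        mp  = (m > 2) ? m - 3 : m + 9      # March-based month [0, 11]
        doy = int((153 * mp + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468 # 719468 = days 0000-03-01 .. 1970-01-01
        printf "%d\n", days * 86400 + $4 * 3600 + $5 * 60 + $6
    }'
}

# hustler_window DUMPFILE FILTERFILE START_UTC STOP_UTC
# Prints the hustler arguments for reading DUMPFILE (may be gzip'd) with the
# filter rules in FILTERFILE, restricted to packets timestamped between
# START_UTC and STOP_UTC inclusive, running as the unprivileged user "nobody".
# It only builds the argument list; run it as: hustler $(hustler_window ...)
hustler_window() {
    dump=$1
    filters=$2
    start=$(utc_to_epoch "$3")
    stop=$(utc_to_epoch "$4")
    if [ "$start" -gt "$stop" ]; then
        echo "hustler_window: start ($3) is after stop ($4)" >&2
        return 1
    fi
    echo "-r $dump -F $filters -S $start -E $stop -U nobody"
}
```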
Author: Stephen P. Berry <email@example.com>
More information can be found at the shoki homepage:
Check the README at the top of the source tree.
December 10, 2003    HUSTLER (1)    shoki