Manual Reference Pages - HUSTLER (1)

NAME

hustler - the shoki packet hustler

Synopsis
Description
Options
Authors
Bugs

SYNOPSIS

hustler [-c max_count] [-C conf_file] [-d density] [-D chrdir] [-E stop] [-f] [-F filterfile] [-h] [-L logfname] [-o] [-P] [-r dumpfile] [-R radix] [-s snaplen] [-S start] [-U luser] [-v verbosity] [-w outdump] [-W wconf] [-x]

DESCRIPTION

The shoki packet hustler is a tool for visualising network traffic. Some of the things it does are:

Plot any three user-specified packet header variables against each other simultaneously: as three 2d plots (x-y, x-z, and y-z) and as a 3d isometric view.
Plots using derived variables (i.e., relative times, running averages, u.s.w.)
Highlighting and selecting via shoki filter rules
Cluster analysis
Fast Fourier transformation of packet header variables
Phase space visualisation of packet header variables

File reading is handled via zlib(3), so hustler can read gzip'd dumpfiles.

OPTIONS

-c max_count
Read no more than max_count packets.

-C conf_file
Read an alternate config file. By default, /usr/local/shoki/etc/hustler.conf will be used.

-d density
Sets the clustering density threshold to density.

-D chrdir If specified, does a chroot(2) to chrdir

-E stop Only look at packets with timestamps on or before stop. A value of seconds after the start of the epoch is assumed.
See also -S.

-f Attempt fragment reassembly. Consult the README and/or the source for more information about how frag reassembly works.

-F filterfile
Read filter expressions from filterfile. Consult the shoki.filters(5) manpage for details of the filter format.

-h Display a usage message and exit.

-L logfname
For filter methods that support logging to a file, output will be sent to logfile. Use `-' (without the quotes) for stdout.

-o Turn off filter rule optimisation. Unless you have very few filter rules you almost certainly want to use optimisation.
NOTE: This is the opposite of the behaviour of the flag prior to shoki-0.3.0 .

-P Turn on passive fingerprinting. Consult the fp(1) manpage for more details.

-r dumpfile
Read packets from dumpfile. The specified file must be a libpcap-style dumpfile. It may be gzip'd.

-R radix Sets the clustering radix to radix.

-s snaplen
Sets the default snaplen. If not specified, 65535 is assumed.
Individual filter rules can specify a different snaplenfor packets matching that filter.

-S start Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed.
See also -E .

-U luser If specified, setuid/setgid to specified luser.

-v verbosity
Set the verbosity level to verbose. Exactly what this entails tends to vary from release to release. In general, you won't want to specify a verbosity level unless you're doing debugging.

-W wconf Reads a set of whitening (or sanitising) rules from wconf and applies them to the data. The format of the config file is documented in the whiten.conf(5) man page.
By default, whitening takes place after filtering. See also the -x flag below.

-x Does whitening before applying filters. By default, whitening takes place after filtering.
This option has no effect if the -W option is not also used.

AUTHORS

.An Stephen P. Berry <spb@meshuggeneh.net>
More information can be found at the shoki homepage:

BUGS

Check the README at the top of the source tree.

December 10, 2003

HUSTLER (1)

shoki

Generated by manServer 1.07 from hustler.1 using doc macros.

-c max_count
	Read no more than max_count packets.
-C conf_file
	Read an alternate config file. By default, `/usr/local/shoki/etc/hustler.conf` will be used.
-d density
	Sets the clustering density threshold to density.
-D chrdir	If specified, does a chroot(2) to chrdir
-E stop	Only look at packets with timestamps on or before stop. A value of seconds after the start of the epoch is assumed. See also -S.
-f	Attempt fragment reassembly. Consult the README and/or the source for more information about how frag reassembly works.
-F filterfile
	Read filter expressions from filterfile. Consult the shoki.filters(5) manpage for details of the filter format.
-h	Display a usage message and exit.
-L logfname
	For filter methods that support logging to a file, output will be sent to logfile. Use `-' (without the quotes) for stdout.
-o	Turn off filter rule optimisation. Unless you have very few filter rules you almost certainly want to use optimisation. NOTE: This is the opposite of the behaviour of the flag prior to shoki-0.3.0 .
-P	Turn on passive fingerprinting. Consult the fp(1) manpage for more details.
-r dumpfile
	Read packets from dumpfile. The specified file must be a libpcap-style dumpfile. It may be gzip'd.
-R radix	Sets the clustering radix to radix.
-s snaplen
	Sets the default snaplen. If not specified, 65535 is assumed. Individual filter rules can specify a different snaplenfor packets matching that filter.
-S start	Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed. See also -E .
-U luser	If specified, setuid/setgid to specified luser.
-v verbosity
	Set the verbosity level to verbose. Exactly what this entails tends to vary from release to release. In general, you won't want to specify a verbosity level unless you're doing debugging.
-W wconf	Reads a set of whitening (or sanitising) rules from wconf and applies them to the data. The format of the config file is documented in the whiten.conf(5) man page. By default, whitening takes place after filtering. See also the -x flag below.
-x	Does whitening before applying filters. By default, whitening takes place after filtering. This option has no effect if the -W option is not also used.

Manual Reference Pages - HUSTLER (1)

NAME

CONTENTS

SYNOPSIS

DESCRIPTION

OPTIONS

AUTHORS

BUGS