Manual Reference Pages - RT (1)

NAME

rt - the shoki randomness tester

Synopsis
Description
Options
Files
Authors
Bugs

SYNOPSIS

rt [-b] [-c max_count] [-C conf_file] [-D chrdir] [-E stop] [-f] [-F filterfile] [-h] [-L logfname] [-r dumpfile] [-s snaplen] [-S start] [-t] [-T test_field] [-u] [-U luser] [-v verbosity] [-X] [bpf_filter]

DESCRIPTION

rt reads through one or more pcap dumpfiles and estimates the randomness of various features of the captured traffic.
Note that this is not a tool which is intended to give simple or are not familiar with the significance testing, the output of rt is unlikely to edify you.
You should also keep in mind that you need to understand the expected behaviour of the data you are testing before you test them. Some packet variables should be random, and others should not.
All that rt will do for you is estimate the similarity between the distribution of the specified fields in the input data and a random distribution.
Note also that a meaningful conclusion can only be drawn if there is a good match. The null hypothesis is that the distribution is random (or rather that it is isomorphic to a random distribution). A good match supports this hypothesis. A poor match does not contradict this hypothesis, nor does it support the contrapositive hypothesis. If this distinction isn’t clear to you, consult a statistics text.

OPTIONS

-b Run the birthday spacings test. This test is based on a test in Marsaglia's DIEHARD. It is also described in Knuth's v. 2.

-c max_count
Only read max_count packets.

-C conf_file
Read an alternate config file. By default, /usr/local/shoki/etc/rt.conf will be used.

-D chrdir If specified, will do a chroot(2) to chrdir

-E start Only look at packets with timestamps on or before start. A value of seconds after the start of the epoch is assumed.
See also -S.

-f Attempt fragment reassembly.
Consult the README and/or the source for more information about how frag reassembly works.

-F filterfile
Read filter expressions from filterfile. Consult the shoki.filters(5) manpage for details of the filter format.

-h Display a usage message and exit.

-L logfile
For filter methods that support logging to a file, output will be sent to logfile. Use ‘-’ (without the quotes) for stdout.

-r dumpfile
Read packets from dumpfile. The specified file must be a libpcap-style dumpfile. It may be gzip’d.

-s snaplen
Sets the default snaplen. If not specified, 65535 is assumed.
Individual filter rules can specify a different snaplenfor packets matching that filter.

-S start Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed.
See also -E.

-t Run the serial spacings test.

-T test_field
Specifies the field to be tested for randomness. Currently, valid values include: ip_id, ip_src, ip_dst, sport, dport, and th_seq.

-u Run the coupon collector’s test.

-U luser If specified, setuid/setgid to specified luser.

-v verbosity
Set the verbosity level to verbose. If this is nonzero, then source IP addresses whose traffic matched no fingerprints will also be printed.

-X Run the Chi-square goodness of fit test.

FILES

/usr/local/shoki/etc/rt.conf rt config file.

AUTHORS

.An Stephen P. Berry <spb@meshuggeneh.net>
More information can be found at the shoki homepage:

BUGS

Check the README at the top of the source tree.

November 27, 2003

RT (1)

shoki

Generated by manServer 1.07 from rt.1 using doc macros.

-b	Run the birthday spacings test. This test is based on a test in Marsaglia's DIEHARD. It is also described in Knuth's v. 2.
-c max_count
	Only read max_count packets.
-C conf_file
	Read an alternate config file. By default, /usr/local/shoki/etc/rt.conf will be used.
-D chrdir	If specified, will do a chroot(2) to chrdir
-E start	Only look at packets with timestamps on or before start. A value of seconds after the start of the epoch is assumed. See also -S.
-f	Attempt fragment reassembly. Consult the README and/or the source for more information about how frag reassembly works.
-F filterfile
	Read filter expressions from filterfile. Consult the shoki.filters(5) manpage for details of the filter format.
-h	Display a usage message and exit.
-L logfile
	For filter methods that support logging to a file, output will be sent to logfile. Use ‘-’ (without the quotes) for stdout.
-r dumpfile
	Read packets from dumpfile. The specified file must be a libpcap-style dumpfile. It may be gzip’d.
-s snaplen
	Sets the default snaplen. If not specified, 65535 is assumed. Individual filter rules can specify a different snaplenfor packets matching that filter.
-S start	Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed. See also -E.
-t	Run the serial spacings test.
-T test_field
	Specifies the field to be tested for randomness. Currently, valid values include: ip_id, ip_src, ip_dst, sport, dport, and th_seq.
-u	Run the coupon collector’s test.
-U luser	If specified, setuid/setgid to specified luser.
-v verbosity
	Set the verbosity level to verbose. If this is nonzero, then source IP addresses whose traffic matched no fingerprints will also be printed.
-X	Run the Chi-square goodness of fit test.

Manual Reference Pages - RT (1)

NAME

CONTENTS

SYNOPSIS

DESCRIPTION

OPTIONS

FILES

AUTHORS

BUGS