Provided by: stenographer-client_0.0~git20180422.0.73ce5dd-1build1_all
stenoread - read logs out of Stenographer
stenoread <stenographer_query> [tcpdump_arguments]
The stenoread command line script automates pulling packets from Stenographer and presenting them in a usable format to analysts. It requests raw packets from stenographer, then runs them through tcpdump to provide a more full-featured formatting/filtering experience. The first argument to stenoread is a stenographer query (see below). All other arguments are passed to tcpdump. For example: # Request all packets from IP 22.214.171.124 port 6543, then do extra filtering by # TCP flag, which typical stenographer does not support. $ stenoread 'host 126.96.36.199 and port 6543' 'tcp[tcpflags] & tcp-push != 0' # Request packets on port 8765, disabling IP resolution (-n) and showing # link-level headers (-e) when printing them out. $ stenoread 'port 8765' -n -e # Request packets for any IPs in the range 188.8.131.52-184.108.40.206, writing them #out to a local PCAP file so they can be opened in Wireshark. $ stenoread 'net 220.127.116.11/24' -w /tmp/output_for_wireshark.pcap
A user requests packets from stenographer by specifying them with a very simple query language. This language is a simple subset of BPF, and includes the primitives: host 18.104.22.168 # Single IP address (hostnames not allowed) net 22.214.171.124/8 # Network with CIDR net 126.96.36.199 mask 255.255.255.0 # Network with mask port 80 # Port number (UDP or TCP) ip proto 6 # IP protocol number 6 icmp # equivalent to 'ip proto 1' tcp # equivalent to 'ip proto 6' udp # equivalent to 'ip proto 17' # Stenographer-specific time additions: before 2012-11-03T11:05:00Z # Packets before a specific time (UTC) after 2012-11-03T11:05:00-0700 # Packets after a specific time (with TZ) before 45m ago # Packets before a relative time before 3h ago # Packets after a relative time Primitives can be combined with and/&& and with or/||, which have equal precedence and evaluate left-to-right. Parens can also be used to group: (udp and port 514) or (tcp and port 8080)
Set the STENOGRAPHER_CONFIG environmental variable to point to your stenographer config if it's in a nonstandard place (defaults to /etc/stenographer/config).