Provided by: stenographer-client_0.0~git20180422.0.73ce5dd-1build1_all bug

NAME

       stenoread - read logs out of Stenographer

SYNOPSIS

       stenoread <stenographer_query> [tcpdump_arguments]

DESCRIPTION

       The  stenoread  command  line  script  automates  pulling  packets  from  Stenographer and
       presenting them in a usable format to analysts. It requests raw packets from stenographer,
       then  runs  them  through  tcpdump  to  provide  a more full-featured formatting/filtering
       experience.

       The first argument to stenoread is a stenographer query (see below).  All other  arguments
       are passed to tcpdump. For example:

               # Request all packets from IP 1.2.3.4 port 6543, then do extra filtering by
               # TCP flag, which typical stenographer does not support.
               $ stenoread 'host 1.2.3.4 and port 6543' 'tcp[tcpflags] & tcp-push != 0'

               # Request packets on port 8765, disabling IP resolution (-n) and showing
               # link-level headers (-e) when printing them out.
               $ stenoread 'port 8765' -n -e

               # Request packets for any IPs in the range 1.1.1.0-1.1.1.255, writing them
               #out to a local PCAP file so they can be opened in Wireshark.
               $ stenoread 'net 1.1.1.0/24' -w /tmp/output_for_wireshark.pcap

QUERY LANGUAGE

       A  user  requests  packets  from  stenographer by specifying them with a very simple query
       language. This language is a simple subset of BPF, and includes the primitives:

               host 8.8.8.8          # Single IP address (hostnames not allowed)
               net 1.0.0.0/8         # Network with CIDR
               net 1.0.0.0 mask 255.255.255.0  # Network with mask
               port 80               # Port number (UDP or TCP)
               ip proto 6            # IP protocol number 6
               icmp                  # equivalent to 'ip proto 1'
               tcp                   # equivalent to 'ip proto 6'
               udp                   # equivalent to 'ip proto 17'

               # Stenographer-specific time additions:
               before 2012-11-03T11:05:00Z      # Packets before a specific time (UTC)
               after 2012-11-03T11:05:00-0700   # Packets after a specific time (with TZ)
               before 45m ago        # Packets before a relative time
               before 3h ago         # Packets after a relative time

       Primitives can be combined with and/&& and with or/||, which  have  equal  precedence  and
       evaluate left-to-right. Parens can also be used to group:

               (udp and port 514) or (tcp and port 8080)

ENVIRONMENT

       Set the STENOGRAPHER_CONFIG environmental variable to point to your stenographer config if
       it's in a nonstandard place (defaults to /etc/stenographer/config).