Provided by: stenographer_0.0~git20180422.0.73ce5dd-1build1_amd64 bug

NAME

       stenotype - dump raw packets to disk

SYNOPSIS

       stenotype [-qv?] [--aiops=NUM] [--blocks=NUM] [--count=NUM]
                 [--dir=STRING] [--fanout_id=NUM] [--fanout_type=NUM]
                 [--fileage_sec=NUM] [--filesize_mb=NUM] [--filter=STRING]
                 [--gid=NUM] [--iface=STRING] [--index_nicelevel=NUM] [--no_index]
                 [--no_watchdogs] [--preallocate_file_mb=NUM] [--seccomp=STRING]
                 [--threads=NUM] [--uid=NUM] [--help] [--usage]

DESCRIPTION

       Stenotype is a mechanism for quickly dumping raw packets to disk. It aims to have a simple
       interface (no file rotation: that's left as an exercise for the reader) while  being  very
       powerful.

       stenotype  uses a NIC->disk pipeline specifically designed to provide as fast an output to
       disk as possible while just using the kernel's built-in mechanisms.

       1.  NIC -> RAM: stenotype uses MMAP'd AF_PACKET with 1MB blocks  and  a  high  timeout  to
           offload  writing packets and deciding their layout to the kernel. The kernel packs all
           the packets it can into 1MB, then lets the userspace  process  know  there's  a  block
           available  in  the  MMAP'd  ring  buffer.  Nicely,  it guarantees no overruns (packets
           crossing the 1MB boundary) and good alignment to memory pages.

       2.  RAM -> Disk: Since the kernel already gave us a single 1MB  block  of  packets  that's
           nicely  aligned, we can O_DIRECT write it straight to disk. This avoids any additional
           copying or kernel buffering. To keep sequential reads going strong, we do all disk  IO
           asynchronously  via  io_submit  (which works specifically for O_DIRECT files... joy!).
           Since the data is being written to disk asynchronously, we use the time  it's  writing
           to disk to do our own in-memory processing and indexing.

       There are N (flag-specified) async IO operations available... once we've used up all N, we
       block on a used one finishing, then reuse it. The whole pipeline consists of:

              ·  kernel gives userspace a 1MB block of packets

              ·  userspace iterates over packets in block, updates any indexes

              ·  userspace starts async IO operation to write block to disk

              ·  after N async IO operations are submitted, we synchronously wait for  the  least
                 recent one to finish.

              ·  when an async IO operation finishes, we release the 1MB block back to the kernel
                 to write more packets.

OPTIONS

       --aiops=NUM
              Max number of async IO operations

       --blocks=NUM
              Total number of blocks to use, each is 1MB

       --count=NUM
              Total number of packets to read, -1 to read forever

       --dir=STRING
              Directory to store packet files in

       --fanout_id=NUM
              If fanning out across processes, set this

       --fanout_type=NUM
              TPACKET_V3 fanout type to fanout packets

       --fileage_sec=NUM
              Files older than this many secs are rotated

       --filesize_mb=NUM
              Max file size in MB before file is rotated

       --filter=STRING
              BPF compiled filter used to filter which packets will be captured. This has to be a
              compiled  BPF  in  hexadecimal,  which can be obtained from a human readable filter
              expression using the provided compile_bpf.sh script.

       --gid=NUM
              Drop privileges to this group

       --iface=STRING
              Interface to read packets from

       --index_nicelevel=NUM
              Nice level of indexing threads

       --no_index
              Do not compute or write indexes

       --no_watchdogs
              Don't start any watchdogs

       --preallocate_file_mb=NUM
              When creating new files, preallocate to this many MB

       -q     Quiet logging.  Each -q counteracts one -v

       --seccomp=STRING
              Seccomp style, one of 'none', 'trace', 'kill'.

       --threads=NUM
              Number of parallel threads to read packets with

       --uid=NUM
              Drop privileges to this user

       -v     Verbose logging, may be given multiple times

       -?, --help
              Give this help list

       --usage
              Give a short usage message