Provided by: stenographer_0.0~git20161206.0.66a8e7e-7_amd64 
NAME
stenotype - dump raw packets to disk
SYNOPSIS
stenotype [-qv?] [--aiops=NUM] [--blocks=NUM] [--count=NUM]
[--dir=STRING] [--fanout_id=NUM] [--fanout_type=NUM]
[--fileage_sec=NUM] [--filesize_mb=NUM] [--filter=STRING]
[--gid=NUM] [--iface=STRING] [--index_nicelevel=NUM] [--no_index]
[--no_watchdogs] [--preallocate_file_mb=NUM] [--seccomp=STRING]
[--threads=NUM] [--uid=NUM] [--help] [--usage]
DESCRIPTION
Stenotype is a mechanism for quickly dumping raw packets to disk. It aims to have a simple
interface (no file rotation: that's left as an exercise for the reader) while being very
powerful.
stenotype uses a NIC->disk pipeline specifically designed to provide as fast an output to
disk as possible while just using the kernel's built-in mechanisms.
1. NIC -> RAM: stenotype uses MMAP'd AF_PACKET with 1MB blocks and a high timeout to
offload writing packets and deciding their layout to the kernel. The kernel packs all
the packets it can into 1MB, then lets the userspace process know there's a block
available in the MMAP'd ring buffer. Nicely, it guarantees no overruns (packets
crossing the 1MB boundary) and good alignment to memory pages.
2. RAM -> Disk: Since the kernel already gave us a single 1MB block of packets that's
nicely aligned, we can O_DIRECT write it straight to disk. This avoids any additional
copying or kernel buffering. To keep sequential reads going strong, we do all disk IO
asynchronously via io_submit (which works specifically for O_DIRECT files... joy!).
Since the data is being written to disk asynchronously, we use the time it's writing
to disk to do our own in-memory processing and indexing.
There are N (flag-specified) async IO operations available... once we've used up all N, we
block on a used one finishing, then reuse it. The whole pipeline consists of:
• kernel gives userspace a 1MB block of packets
• userspace iterates over packets in block, updates any indexes
• userspace starts async IO operation to write block to disk
• after N async IO operations are submitted, we synchronously wait for the least
recent one to finish.
• when an async IO operation finishes, we release the 1MB block back to the kernel
to write more packets.
OPTIONS
--aiops=NUM
Max number of async IO operations
--blocks=NUM
Total number of blocks to use, each is 1MB
--count=NUM
Total number of packets to read, -1 to read forever
--dir=STRING
Directory to store packet files in
--fanout_id=NUM
If fanning out across processes, set this
--fanout_type=NUM
TPACKET_V3 fanout type to fanout packets
--fileage_sec=NUM
Files older than this many secs are rotated
--filesize_mb=NUM
Max file size in MB before file is rotated
--filter=STRING
BPF compiled filter used to filter which packets will be captured. This has to be a
compiled BPF in hexadecimal, which can be obtained from a human readable filter
expression using the provided compile_bpf.sh script.
--gid=NUM
Drop privileges to this group
--iface=STRING
Interface to read packets from
--index_nicelevel=NUM
Nice level of indexing threads
--no_index
Do not compute or write indexes
--no_watchdogs
Don't start any watchdogs
--preallocate_file_mb=NUM
When creating new files, preallocate to this many MB
-q Quiet logging. Each -q counteracts one -v
--seccomp=STRING
Seccomp style, one of 'none', 'trace', 'kill'.
--threads=NUM
Number of parallel threads to read packets with
--uid=NUM
Drop privileges to this user
-v Verbose logging, may be given multiple times
-?, --help
Give this help list
--usage
Give a short usage message