lunar (1) ipfixDump.1.gz

Provided by: libfixbuf-tools_2.4.1+ds-2_amd64

NAME

       ipfixDump - Print contents of an IPFIX file as human-readable text

SYNOPSIS

        ipfixDump [--in FILE_NAME] [--out FILE_NAME]
                  [--rfc5610] [--element-file FILE_NAME] [--yaf]
                  [--templates] [--data] [--stats]
                  [--hexdump[=LEN]]

        ipfixDump [--version]

        ipfixDump [--help]

DESCRIPTION

       ipfixDump is a tool to read an IPFIX file and print its contents as human-readable ASCII
       to assist the user in analyzing the file.  ipfixDump prints all message headers,
       templates, data records, options templates, and options records to the output, plus a one
       line summary of the file's content.

       ipfixDump supports IPFIX structured data in the form of basicLists, subTemplateLists, and
       subTemplateMultiLists.

       By default, ipfixDump reads the IPFIX file from the standard input and writes the text to
       the standard output.  To specify the input or output file's location, use the --in or
       --out option, respectively.

       ipfixDump requires the input file to contain the IPFIX templates that describe the data
       records within the file, and the template must appear before the records that use it.  Any
       records that do not have a corresponding template are ignored.
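       The following is an added example, not part of this manual page or of libfixbuf: a minimal
       Python reader for the IPFIX file layout that ipfixDump consumes (RFC 7011 message headers,
       template sets, data sets), producing the counts that --stats reports.  It applies the rule
       above literally: a data set whose template has not yet been seen is skipped.  The sample
       message is constructed inline; the enterprise number 99999 and element 1000 in it are
       hypothetical, and the integer rendering of fixed-width values of eight bytes or fewer
       mirrors the display rule described under --hexdump.

```python
# Minimal IPFIX (RFC 7011) reader producing the counts ipfixDump --stats reports.
import struct
from collections import Counter

IPFIX_VERSION = 10          # message header version for IPFIX
SET_TEMPLATE = 2            # set ID of a template set
SET_OPTIONS_TEMPLATE = 3    # set ID of an options template set
VARLEN = 0xFFFF             # field length meaning "encoded in each record"

def parse_template_set(payload, set_id, templates):
    """Parse (options) template records in a set body into `templates`; return how many."""
    off, defined = 0, 0
    while off + 4 <= len(payload):
        tid, field_count = struct.unpack_from("!HH", payload, off)
        off += 4
        if tid == 0:                        # zero bytes are set padding
            break
        if set_id == SET_OPTIONS_TEMPLATE:  # skip the scope field count
            off += 2
        fields = []
        for _ in range(field_count):
            ie, length = struct.unpack_from("!HH", payload, off)
            off += 4
            pen = 0
            if ie & 0x8000:                 # enterprise bit set: a 4-byte PEN follows
                pen = struct.unpack_from("!I", payload, off)[0]
                off += 4
                ie &= 0x7FFF
            fields.append((pen, ie, length))
        templates[tid] = fields
        defined += 1
    return defined

def decode_data_set(payload, fields):
    """Decode every record in a data set body using its template's field specifiers."""
    min_len = sum(1 if ln == VARLEN else ln for _, _, ln in fields)  # shortest possible record
    records, off = [], 0
    while min_len and off + min_len <= len(payload):   # anything shorter is set padding
        record = {}
        for pen, ie, length in fields:
            if length == VARLEN:            # 1-byte length, or 255 followed by a 2-byte length
                length = payload[off]
                off += 1
                if length == 255:
                    length = struct.unpack_from("!H", payload, off)[0]
                    off += 2
                record[(pen, ie)] = bytes(payload[off:off + length])
            elif length <= 8:               # short fixed-width values shown as integers
                record[(pen, ie)] = int.from_bytes(payload[off:off + length], "big")
            else:
                record[(pen, ie)] = bytes(payload[off:off + length])
            off += length
        records.append(record)
    return records

def read_ipfix(data):
    """Walk all messages; return (stats, records per template ID, decoded records)."""
    templates, records, stats, per_template = {}, [], Counter(), Counter()
    off = 0
    while off + 16 <= len(data):
        version, length, _export_time, _seq, _odid = struct.unpack_from("!HHIII", data, off)
        if version != IPFIX_VERSION or length < 16 or off + length > len(data):
            raise ValueError(f"bad IPFIX message header at offset {off}")
        msg, pos = data[off:off + length], 16
        stats["messages"] += 1
        while pos + 4 <= len(msg):
            set_id, set_len = struct.unpack_from("!HH", msg, pos)
            if set_len < 4 or pos + set_len > len(msg):
                raise ValueError(f"bad set header at message offset {pos}")
            body = msg[pos + 4:pos + set_len]
            if set_id in (SET_TEMPLATE, SET_OPTIONS_TEMPLATE):
                stats["templates"] += parse_template_set(body, set_id, templates)
            elif set_id >= 256 and set_id in templates:
                recs = decode_data_set(body, templates[set_id])
                records.extend(recs)
                per_template[set_id] += len(recs)
                stats["records"] += len(recs)
            else:                           # reserved set ID, or no template seen yet: ignored
                stats["ignored_sets"] += 1
            pos += set_len
        off += length
    return stats, per_template, records

def build_sample_message():
    """Constructed message: a data set for template 256 both before and after its definition."""
    tmpl = struct.pack("!HH", 256, 4)                          # template ID 256, four fields
    tmpl += struct.pack("!HH", 8, 4)                           # sourceIPv4Address
    tmpl += struct.pack("!HH", 12, 4)                          # destinationIPv4Address
    tmpl += struct.pack("!HH", 1, 8)                           # octetDeltaCount
    tmpl += struct.pack("!HHI", 0x8000 | 1000, VARLEN, 99999)  # hypothetical PEN 99999, id 1000
    template_set = struct.pack("!HH", SET_TEMPLATE, 4 + len(tmpl)) + tmpl

    def record(src, dst, octets, blob):
        return bytes(src) + bytes(dst) + struct.pack("!Q", octets) + bytes([len(blob)]) + blob

    recs = record((10, 0, 0, 1), (10, 0, 0, 2), 1500, b"\x01\x02")
    recs += record((10, 0, 0, 2), (10, 0, 0, 1), 64, b"\xaa\xbb")
    data_set = struct.pack("!HH", 256, 4 + len(recs)) + recs
    body = data_set + template_set + data_set   # first copy precedes its template: ignored
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1700000000, 0, 1) + body

if __name__ == "__main__":
    stats, per_template, _ = read_ipfix(build_sample_message())
    print(dict(stats), dict(per_template))
```

       Running the block prints one message, one template, two records and one skipped data set,
       plus the per-template record count that --stats would list.  Feeding read_ipfix() the
       bytes of a real file (open(path, "rb").read()) applies the same logic to it.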

       The default information model used by ipfixDump includes only the standard information
       elements defined by IANA <https://www.iana.org/assignments/ipfix/ipfix.xhtml> and provided
       by libfixbuf.  There are three ways to augment the set of elements:

       1.  The --rfc5610 option instructs ipfixDump to watch the input for options records that
           define private enterprise information elements (as defined by RFC5610
           <https://tools.ietf.org/html/rfc5610.html>) and to add those elements to the
           information model.

       2.  The --element-file=FILE_NAME option tells ipfixDump to parse the contents of FILE_NAME
           and add those information elements to the information model.  The argument is an XML
           file whose schema is that used by IANA's XML Information Element Registry
           <https://www.iana.org/assignments/ipfix/ipfix.xml>, with the following additions:

           cert:enterpriseId
               A number representing the Private Enterprise Number of the element

           cert:reversible
               A boolean value ("true", "yes", or 1 for true; "false", "no", or 0 for false) that
               specifies whether the element may have a separate identity in a reverse flow.

           The --element-file option may be used multiple times to load multiple files, and the
           loaded elements replace existing elements with the same identifier.

       3.  The --yaf option loads the CERT private enterprise information elements into the
           information model.  These elements are used by the NetSA tools yaf(1), pipeline(8),
           super_mediator(1), and rwsilk2ipfix(1).  This option is implemented as a wrapper over
           the --element-file option where the file name is cert_ipfix.xml and ipfixDump checks
           several directories to attempt to find this file, stopping once it finds the first
           file.  The list of directories, in search order, is

           •   the directory ../share/libfixbuf relative to the directory containing the
               application

           •   the libfixbuf subdirectory of the "datadir" directory specified when ipfixDump was
               configured (defaults to $prefix/share)

           •   the share/libfixbuf subdirectory installation folder for the GLib-2 library

           •   the libfixbuf subdirectory of the directories specified by the $XDG_DATA_DIRS
               environment variable, or /usr/local/share and /usr/share/libfixbuf when that
               variable is empty

           ipfixDump exits with an error if it is unable to find the cert_ipfix.xml file.  See
           <https://tools.netsa.cert.org/cert-ipfix-registry/> for additional information about
           this file.
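       As an added example (not part of this manual page or of libfixbuf), the following Python
       loader shows the shape of an --element-file described in item 2 above and the replacement
       rule for repeated --element-file options: records in the IANA registry schema carrying the
       cert:enterpriseId and cert:reversible additions, applied in order so that a later element
       with the same (enterprise number, element ID) replaces an earlier one.  The two sample files
       are constructed, with a hypothetical enterprise number 99999, and the namespace URI bound to
       the cert: prefix is an assumption, not taken from this page or from cert_ipfix.xml.

```python
# Load ipfixDump-style --element-file XML into an information model.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

IANA_NS = "http://www.iana.org/assignments"   # namespace of IANA's IPFIX XML registry
CERT_NS = "http://www.cert.org/ipfix"          # ASSUMED URI for the cert: prefix (not from the page)
NS = {"iana": IANA_NS, "cert": CERT_NS}

@dataclass(frozen=True)
class InfoElement:
    name: str
    data_type: str
    element_id: int
    enterprise_id: int
    reversible: bool

def parse_bool(text):
    """cert:reversible accepts "true"/"yes"/1 and "false"/"no"/0, case-insensitively."""
    value = (text or "").strip().lower()
    if value in ("true", "yes", "1"):
        return True
    if value in ("false", "no", "0"):
        return False
    raise ValueError(f"cert:reversible must be a boolean, got {text!r}")

def parse_element_file(xml_text):
    """Return the InfoElements defined by one XML file, in document order."""
    elements = []
    for rec in ET.fromstring(xml_text).iter(f"{{{IANA_NS}}}record"):
        name = rec.findtext("iana:name", default="", namespaces=NS).strip()
        element_id = rec.findtext("iana:elementId", default="", namespaces=NS).strip()
        if not name or not element_id.isdigit():
            continue                        # registry rows that are not single elements
        elements.append(InfoElement(
            name=name,
            data_type=rec.findtext("iana:dataType", default="", namespaces=NS).strip(),
            element_id=int(element_id),
            enterprise_id=int(rec.findtext("cert:enterpriseId", default="0", namespaces=NS)),
            reversible=parse_bool(rec.findtext("cert:reversible", default="false", namespaces=NS)),
        ))
    return elements

def build_model(*xml_files):
    """Apply files in order; a later element with the same (PEN, id) replaces an earlier one."""
    model = {}
    for xml_text in xml_files:
        for ie in parse_element_file(xml_text):
            model[(ie.enterprise_id, ie.element_id)] = ie
    return model

# Constructed sample files (values made up); FILE_B redefines element 1000 of FILE_A.
FILE_A = f"""<registry xmlns="{IANA_NS}" xmlns:cert="{CERT_NS}" id="example-a">
  <registry id="ipfix-information-elements">
    <record>
      <name>exampleByteCount</name>
      <dataType>unsigned64</dataType>
      <dataTypeSemantics>totalCounter</dataTypeSemantics>
      <elementId>1000</elementId>
      <cert:enterpriseId>99999</cert:enterpriseId>
      <cert:reversible>yes</cert:reversible>
    </record>
    <record>
      <name>examplePayload</name>
      <dataType>octetArray</dataType>
      <elementId>1001</elementId>
      <cert:enterpriseId>99999</cert:enterpriseId>
      <cert:reversible>0</cert:reversible>
    </record>
  </registry>
</registry>"""

FILE_B = f"""<registry xmlns="{IANA_NS}" xmlns:cert="{CERT_NS}" id="example-b">
  <record>
    <name>exampleOctetCount</name>
    <dataType>unsigned64</dataType>
    <elementId>1000</elementId>
    <cert:enterpriseId>99999</cert:enterpriseId>
    <cert:reversible>TRUE</cert:reversible>
  </record>
</registry>"""

if __name__ == "__main__":
    for key, ie in sorted(build_model(FILE_A, FILE_B).items()):
        print(key, ie.name, ie.data_type, "reversible" if ie.reversible else "")
```

       Loading FILE_A and then FILE_B leaves two elements in the model, with (99999, 1000) carrying
       the name from FILE_B, which is the behaviour the text above describes for repeated
       --element-file options.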

OPTIONS

       The following options are available for ipfixDump:

       --in FILE_NAME
           Sets the input file name to FILE_NAME.  When the option is not specified, ipfixDump
           reads from the standard input or exits with an error when the standard input is a
           terminal.  ipfixDump reads from the standard input if FILE_NAME is "-".

       --out FILE_NAME
           Sets the output file name to FILE_NAME.  If FILE_NAME exists, it is overwritten.  The
           string "-" may be used to write to standard output (the default).

       --rfc5610
           Tells ipfixDump to scan the IPFIX input file for options records that define private
           enterprise information elements and to add those elements to the information model.

       --element-file FILE_NAME
           Loads the XML file FILE_NAME and incorporates information element information found in
           it.  The format of the file is described above.  The option may be used multiple times
           to load multiple files, and later elements replace existing elements when they have
           the same identifier.

       --yaf
           Searches for a file named cert_ipfix.xml in several locations and loads that file as
           if it were an argument to --element-file.  ipfixDump exits with an error if it is
           unable to find the cert_ipfix.xml file.

       --templates
           Suppresses the printing of records, causing the output to contain only message
           headers, templates, and a summary line.

       --data
           Suppresses the printing of templates, causing the output to contain only message
           headers, records, and a summary line.

       --stats
           Suppresses the printing of all message headers, templates, and records.  The output
           consists of the number of messages, templates, and records present in the input, and a
           two-column list showing template IDs found in the input and a count of the number of
           records that used that template.

       --hexdump
           For data record elements whose type is octetArray, prints each octet as a 2-digit
           hexadecimal value with no separator between the values.  The length of the element
           precedes the hexadecimal output.  ipfixDump uses this display for octetArray elements
           that are variable length or whose length is greater than eight.  Without this option,
           only the length of each such octetArray element is printed.  Note that fixed-width
           octetArray elements whose length is less than or equal to eight are always printed as
           a decimal number regardless of this option.

       --hexdump=LEN
           When the optional parameter LEN is provided to --hexdump, only the first LEN octets of
           the value are printed.  If LEN is zero, only the length of octetArray values is
           printed.  A LEN that is negative or larger than 65535 is treated as the maximum,
           65535.

       --version
           Prints version and copyright information to standard error and exits.

       --help
           Prints a brief usage message to the standard output and exits.

Examples

       In the following examples, the dollar sign ("$") represents the shell prompt.  The text
       after the dollar sign represents the command line.

        $ ipfixDump --in - --out -

        $ ipfixDump --in /data/ipfix.ipfix --out /data/text.txt --yaf

Known Issues

       Bug reports may be sent directly to the Network Situational Awareness team at
       <netsa-help@cert.org>.

AUTHORS

       Emily Sarneso and the CERT Network Situational Awareness Group Engineering Team,
       <http://www.cert.org/netsa>.

SEE ALSO

       yaf(1), yafscii(1), yafdpi(1), super_mediator(1), pipeline(8), rwsilk2ipfix(1),
       <https://tools.netsa.cert.org/cert-ipfix-registry/>,
       <https://www.iana.org/assignments/ipfix/ipfix.xhtml>