trace-summary - Man Page
generate network traffic summaries
Synopsis
trace-summary [options] [input-file]
Description
trace-summary generates breakdowns of network traffic, including lists of the top hosts, protocols, ports, etc. Optionally, it can generate output separately for incoming vs. outgoing traffic, per subnet, and per time interval.
By default, it assumes that input-file is a libpcap trace file; if it is a Zeek connection log, use -c instead. If input-file is not given, the script reads from stdin. It writes its output to stdout.
Options
- --version
show program's version number and exit
- -h, --help
show this help message and exit
- -b, --bytes
count fractions in terms of bytes rather than packets/connections
- -c, --conn-summaries
input file contains Zeek connection summaries
- --conn-version=CONN_VERSION
when used with -c, specify '1' for Bro 1.x connection logs or '2' for the Bro 2.x format; '0' tries to guess the format
- -C, --chema
for packets: include only TCP, ignore when seq==0
- -e, --external
ignore strictly internal traffic
- -E EXCLUDENETS, --exclude-nets=EXCLUDENETS
excludes CIDRs in file from analysis
- -i ILEN, --intervals=ILEN
create summaries for time intervals of given length (seconds, or use suffix of 'h' for hours, or 'm' for minutes)
- -l LOCALNETS, --local-nets=LOCALNETS
differentiate in/out based on CIDRs in file
- -n TOPX, --topn=TOPX
show top <n>
- -p PORTS, --ports=PORTS
include only ports listed in file
- -P STOREPORTS, --write-ports=STOREPORTS
write top total/incoming/outgoing ports into file
- -r, --resolve-host-names
resolve host names
- -R tag, --R=tag
write output suitable for R into files <tag.*>
- -s FACTOR, --sample-factor=FACTOR
sample factor of input
- -S SAMPLE, --do-sample=SAMPLE
sample input with probability (0.0 < prob < 1.0)
- -m, --save-mem
do not make memory-expensive statistics
- -t, --tcp
include only TCP
- -u, --udp
include only UDP
- -U MINTIME, --min-time=MINTIME
minimum time in ISO format (e.g. 2005-12-31-23-59-00)
- -v, --verbose
show top-n for every interval
- -V MAXTIME, --max-time=MAXTIME
maximum time in ISO format
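The following is an added example, not the trace-summary source and not part of this man page: a small Python sketch of the breakdowns the options above describe, run over a constructed Zeek 2.x-style conn.log excerpt. The keyword arguments mirror the flags (by_bytes for -b, topn for -n, external_only for -e, min_time/max_time for -U/-V, interval for -i, sample_factor for -s, local_nets for -l). The direction rule (a connection is outgoing when only the originator is inside the local CIDRs, incoming when only the responder is), counting both endpoints of a connection as hosts, and reading the -U/-V timestamps as UTC are this example's own assumptions; parse_conn_log, parse_interval, parse_time and summarize are hypothetical names, not trace-summary's.

```python
"""Added illustration of the summaries trace-summary produces, over constructed
Zeek conn.log lines. Not the trace-summary source; the direction rules and the
host/port weighting are this example's own choices."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import ipaddress

# Constructed Zeek 2.x-style conn.log excerpt (not real traffic). The timestamps
# straddle midnight 2006-01-01 UTC so that -U/-V and -i have something to cut on.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1136073540.0\tC1\t10.0.0.5\t51000\t203.0.113.10\t80\ttcp\thttp\t1.0\t300\t4500\tSF
1136073545.0\tC2\t10.0.0.5\t51001\t203.0.113.10\t443\ttcp\tssl\t1.0\t500\t9000\tSF
1136073550.0\tC3\t198.51.100.7\t40000\t10.0.0.9\t22\ttcp\tssh\t5.0\t2000\t1000\tSF
1136073555.0\tC4\t10.0.0.5\t53000\t10.0.0.1\t53\tudp\tdns\t0.1\t60\t120\tSF
1136077200.0\tC5\t198.51.100.7\t40001\t10.0.0.9\t22\ttcp\t-\t-\t100\t50\tREJ
1136077260.0\tC6\t10.0.0.5\t51002\t203.0.113.10\t80\ttcp\thttp\t1.0\t200\t4000\tSF
"""


def parse_conn_log(text):
    """Parse a Zeek ASCII log into dicts keyed by the names in its #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def parse_interval(spec):
    """The -i syntax: plain seconds, or an 'h' (hours) / 'm' (minutes) suffix."""
    spec = spec.strip().lower()
    if spec.endswith("h"):
        return int(spec[:-1]) * 3600
    if spec.endswith("m"):
        return int(spec[:-1]) * 60
    return int(spec)


def parse_time(spec):
    """The -U/-V format, e.g. 2005-12-31-23-59-00, as epoch seconds (UTC assumed)."""
    return datetime.strptime(spec, "%Y-%m-%d-%H-%M-%S").replace(tzinfo=timezone.utc).timestamp()


def _num(value):
    """Zeek writes '-' for unset counts; treat that as zero."""
    return 0 if value == "-" else int(value)


def direction(rec, nets):
    """Classify one connection against the -l CIDRs (this example's rule)."""
    o = any(ipaddress.ip_address(rec["id.orig_h"]) in n for n in nets)
    r = any(ipaddress.ip_address(rec["id.resp_h"]) in n for n in nets)
    return "internal" if o and r else "outgoing" if o else "incoming" if r else "external"


def _fresh():
    return {"hosts": Counter(), "ports": Counter(), "protos": Counter()}


def summarize(records, local_nets=(), by_bytes=False, topn=3, external_only=False,
              min_time=None, max_time=None, interval=None, sample_factor=1):
    """Return {bucket: {scope: {"hosts"|"ports"|"protos": top-n list}}}.

    bucket is "all", or the interval start (epoch seconds) when interval is set;
    scope is "total", plus "incoming"/"outgoing" for flows the local nets classify.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    tallies = defaultdict(lambda: defaultdict(_fresh))
    for rec in records:
        ts = float(rec["ts"])
        if (min_time is not None and ts < min_time) or (max_time is not None and ts > max_time):
            continue
        d = direction(rec, nets)
        if external_only and d == "internal":  # -e: drop strictly internal traffic
            continue
        # -b weights by bytes instead of connections; -s scales up sampled input.
        weight = (_num(rec["orig_bytes"]) + _num(rec["resp_bytes"]) if by_bytes else 1) * sample_factor
        bucket = "all" if interval is None else int(ts // interval) * interval
        for scope in ["total"] + ([d] if d in ("incoming", "outgoing") else []):
            t = tallies[bucket][scope]
            t["hosts"][rec["id.orig_h"]] += weight   # both endpoints count as hosts
            t["hosts"][rec["id.resp_h"]] += weight
            t["ports"][int(rec["id.resp_p"])] += weight
            t["protos"][rec["proto"]] += weight
    return {b: {s: {k: c.most_common(topn) for k, c in cats.items()} for s, cats in per_scope.items()}
            for b, per_scope in tallies.items()}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    report = summarize(recs, local_nets=["10.0.0.0/8"], interval=parse_interval("1h"))
    for bucket, scopes in sorted(report.items()):
        print(f"== interval starting {bucket} ==")
        for scope, cats in scopes.items():
            print(f"  {scope}: {cats}")
```

Running the sketch with by_bytes toggled shows why -b exists: counted by connections, port 80 leads the outgoing list for the sample (two HTTP connections), but counted by bytes the single TLS connection on 443 outweighs both. The Zeek 2.x conn.log parsed here carries orig_bytes/resp_bytes per record, which is what makes the byte weighting possible without the packets themselves.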
Author
trace-summary was written by The Zeek Project <info@zeek.org>.