[netsa-tools-discuss] 'rwfileinfo invocation failed' with iSilk and recent silk tools

Mark Thomas mthomas at cert.org
Wed Oct 12 13:48:35 EDT 2016


Steve-

Thank you for bringing this to my attention.

A patch file for rwfileinfo's source code is attached.  To attach
the patch, save it to a temporary location, such as
/tmp/rwfileinfo.c.patch, change directory into the top of the
silk-3.13.0 source tree, and run

  patch -p1 < /tmp/rwfileinfo.c.patch

Then re-build and re-install the SiLK tools.


Explanation:

When adding the --help-fields switch to rwfileinfo in SiLK 3.12.2, I
unintentionally changed the title of the compression field from:

  compression(id)     lzo1x(2)

to

  compression         lzo1x(2)

The missing "(id)" is causing iSiLK to reject rwfileinfo's output.

The attached patch restores the old title.  The patch applies
cleanly to both 3.12.2 and 3.13.0.

This fix will be included in the next SiLK release, but there is no
firm date for when that will occur.

Thanks again.

-Mark


-----Original Message-----
From: Steve Kersley <steve.kersley at keble.ox.ac.uk>
Date: Wed, 12 Oct 2016 15:54:08 +0000
To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] 'rwfileinfo invocation failed' with iSilk and
	recent silk tools

Hello all,
I've been using the silk tools for a while to capture netflow data and
only occasionally need to query it which we generally do with iSilk.

It had been working fine until yesterday, using iSilk 0.62 and silk
3.11.0.1.  However, since upgrading silk to both 3.12.2 and 3.13.0,
iSilk is unable to run a query.  I create a new problem set, use the
query builder but on running the query, after it finishes running
rwfilter it pops up an error: 'rwfileinfo invocation failed'
'Unexpected output', and fails to save the query.

The files it created are still present in the remote directory.  If I
look in the command log and run the commands directly on the server,
they all work with no errors, including rwfileinfo.  I've compared the
output of rwfileinfo from the 3.11.0.1 version of silk to that from
the later versions and can see no difference.  Doesn't seem to matter
what the query parameters are, they all fail.  I couldn't see anything
in the changelog after 3.11.0.1 that stood out.

Does anyone have any idea where to start looking for the problem?  Is
iSilk working for others with current releases of silk? Or do most
people simply use the processing tools natively?

Thanks,
Steve Kersley,
IT Manager,
Keble College, University of Oxford.
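
The failure described in this thread comes from a consumer matching a field title in rwfileinfo's text output exactly. The following is an added example, not part of the original messages and not iSiLK's or SiLK's own code: a parser that accepts the compression field under either title, next to a strict lookup that breaks on the changed title. The file name and the function names are assumptions; the two sample field lines are the ones quoted above.

```python
import re

# Constructed sample output: a made-up file name plus the two field lines from the thread.
OLD_OUTPUT = "/tmp/example.rw:\n  compression(id)     lzo1x(2)\n"   # title before 3.12.2
NEW_OUTPUT = "/tmp/example.rw:\n  compression         lzo1x(2)\n"   # title in 3.12.2 / 3.13.0

# Indented field line: title, optional "(id)" suffix, whitespace, value.
FIELD_RE = re.compile(
    r"^\s+(?P<title>[A-Za-z][\w-]*?)(?P<suffix>\(id\))?\s+(?P<value>\S.*)$")
# Value of the form name(number), for example lzo1x(2).
NAME_ID_RE = re.compile(r"^(?P<name>[^()\s]+)\((?P<num>\d+)\)$")


def parse_fields(text):
    """Return {title: value}, with any "(id)" suffix stripped from the title."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:  # the unindented file-name line and blank lines do not match
            fields[m.group("title")] = m.group("value").strip()
    return fields


def compression(text):
    """Return (name, id) for the compression field under either title."""
    value = parse_fields(text).get("compression")
    if value is None:
        raise ValueError("no compression field in rwfileinfo output")
    m = NAME_ID_RE.match(value)
    if m is None:
        raise ValueError("unexpected compression value: %r" % value)
    return m.group("name"), int(m.group("num"))


def strict_compression(text):
    """Hypothetical strict consumer: only the exact title "compression(id)" is accepted."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "compression(id)":
            return parts[1]
    raise ValueError("Unexpected output")


if __name__ == "__main__":
    print(compression(OLD_OUTPUT), compression(NEW_OUTPUT))
```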

