[netsa-tools-discuss] rw* Etymology?

Mark Thomas mthomas at cert.org
Thu Jan 6 15:44:15 EST 2022


Richard-

The short answer is that the file prefix came first, and it meant "raw" network flow data.  We began to use the ".rw" suffix to denote flow files created by the rw-tools.

The longer answer:

When the project that would become SiLK began, the researchers experimented with storing three types of data: tcpdump (pcap) data, protocol-specific (http, dns) data referred to as gateway data, and raw NetFlow v5 data.

Tools that dealt with packed tcpdump data used a "td" prefix (tdfilter, tdcut), those for packed gateway data used a "gw" prefix (gwfilter, gwcut), and those for packed raw netflow used an "rw" prefix (rwfilter, rwcut).

The netflow approach was a success and the other approaches were abandoned.

Initially only the tools that supported the network flow records used the "rw" prefix.  For example, initial versions of the IPset manipulation tools were named "setintersect" and "setunion".  Eventually we decided to use the "rw" prefix for all tools as a way of identifying them as part of the same suite.

Cheers,

-Mark


-----Original Message-----
From: Richard Graham <rickhg12hs at gmail.com>
Date: Wed, 5 Jan 2022 19:33:39 +0100
To: netsa-tools-discuss at cert.org
Subject: [netsa-tools-discuss] rw* Etymology?

I'm wondering about the command prefix and file suffix "rw" - what it
means, where it came from, etc.

{r}ecords {w}ith ?
          {w}ithout ?
          {w}ho ?
          {w}hat ?
          {w}hen ?
          {w}here ?
          {w}restling ?  :-)
{r}ead {w}rite ?

Regards,
R

