[netsa-tools-discuss] rw* Etymology?

Rutland, Nathan A. (CTR) Nathan.Rutland.ctr at us-cert.gov
Fri Jan 7 10:14:37 EST 2022


I’m adding this to my repertoire of knowledge for SiLK.  [user/admin since 2009] Thank you and happy new year. VR, N

Nathan A. Rutland / MS-CS CISSP
Sr Systems Engineer / DHS CISA


From: netsa-tools-discuss <netsa-tools-discuss-bounces+nathan.rutland.ctr=us-cert.gov at cert.org> On Behalf Of Richard Graham
Sent: Thursday, January 6, 2022 7:46 PM
To: Mark Thomas <mthomas at cert.org>
Cc: netsa-tools-discuss at cert.org
Subject: Re: [netsa-tools-discuss] rw* Etymology?


Hi Mark,

Thanks for the background info - much appreciated.

I still like {r}ecord {w}restler.  :-)

Regards,
R

On Thu, Jan 6, 2022 at 9:44 PM Mark Thomas <mthomas at cert.org> wrote:
Richard-

The short answer is that the file prefix came first, and it meant "raw" network flow data.  We began to use the ".rw" suffix to denote flow files created by the rw-tools.

The longer answer:

When the project that would become SiLK began, the researchers experimented with storing three types of data: tcpdump (pcap) data, protocol-specific (http, dns) data referred to as gateway data, and raw NetFlow v5 data.

Tools that dealt with packed tcpdump data used a "td" prefix (tdfilter, tdcut), those for packed gateway data used a "gw" prefix (gwfilter, gwcut), and those for packed raw netflow used an "rw" prefix (rwfilter, rwcut).

The netflow approach was a success and the other approaches were abandoned.

Initially only the tools that supported the network flow records used the "rw" prefix.  For example, initial versions of the IPset manipulation tools were named "setintersect" and "setunion".  Eventually we decided to use the "rw" prefix for all tools as a way of identifying them as part of the same suite.

Cheers,

-Mark


-----Original Message-----
From: Richard Graham <rickhg12hs at gmail.com>
Date: Wed, 5 Jan 2022 19:33:39 +0100
To: netsa-tools-discuss at cert.org
Subject: [netsa-tools-discuss] rw* Etymology?

I'm wondering about the command prefix and file suffix "rw" - what it
means, where it came from, etc.

{r}ecords {w}ith ?
          {w}ithout ?
          {w}ho ?
          {w}hat ?
          {w}hen ?
          {w}here ?
          {w}restling ?  :-)
{r}ead {w}rite ?

Regards,
R