Man page - stenoread(1)

Packages contains this manual

Package:  stenographer-client
apt-get install stenographer-client

Manuals in package:
• stenocurl(1)
• stenoread(1)

Manual

stenoread

NAME
SYNOPSIS
DESCRIPTION
QUERY LANGUAGE
ENVIRONMENT

---

NAME

stenoread - read logs out of Stenographer

SYNOPSIS

stenoread <stenographer_query> [ tcpdump_arguments ]

DESCRIPTION

The stenoread command line script automates pulling packets from Stenographer and presenting them in a usable format to analysts. It requests raw packets from stenographer, then runs them through tcpdump to provide a more full-featured formatting/filtering experience.

The first argument to stenoread is a stenographer query (see below). All other arguments are passed to tcpdump. For example:

# Request all packets from IP 1.2.3.4 port 6543, then do extra filtering by
# TCP flag, which typical stenographer does not support.
$ stenoread ’host 1.2.3.4 and port 6543’ ’tcp[tcpflags] & tcp-push != 0’

# Request packets on port 8765, disabling IP resolution (-n) and showing
# link-level headers (-e) when printing them out.
$ stenoread ’port 8765’ -n -e

# Request packets for any IPs in the range 1.1.1.0-1.1.1.255, writing them
#out to a local PCAP file so they can be opened in Wireshark.
$ stenoread ’net 1.1.1.0/24’ -w /tmp/output_for_wireshark.pcap

QUERY LANGUAGE

A user requests packets from stenographer by specifying them with a very simple query language. This language is a simple subset of BPF, and includes the primitives:

host 8.8.8.8 # Single IP address (hostnames not allowed)
net 1.0.0.0/8 # Network with CIDR
net 1.0.0.0 mask 255.255.255.0 # Network with mask
port 80 # Port number (UDP or TCP)
ip proto 6 # IP protocol number 6
icmp # equivalent to ’ip proto 1’
tcp # equivalent to ’ip proto 6’
udp # equivalent to ’ip proto 17’

# Stenographer-specific time additions:
before 2012-11-03T11:05:00Z # Packets before a specific time (UTC)
after 2012-11-03T11:05:00-0700 # Packets after a specific time (with TZ)
before 45m ago # Packets before a relative time
before 3h ago # Packets after a relative time

Primitives can be combined with and/&& and with or/||, which have equal precedence and evaluate left-to-right. Parens can also be used to group:

(udp and port 514) or (tcp and port 8080)

ENVIRONMENT

Set the STENOGRAPHER_CONFIG environmental variable to point to your stenographer config if it’s in a nonstandard place (defaults to /etc/stenographer/config).

---