mkw-ana analyze

Analyze the dump files for special information and print it as a machine-readable list, one line per record. Parameter MODELIST is a comma-separated list of keywords. Each keyword enables one kind of analysis:

* PARAM-NAMES: Print names of STRING-PARAM records, one line for each LIST.

* NICKS: Collect data about users and their nicks and friend lists.

* QUERY: Collect data about SQL queries.

* NATNEG: Collect data about NATNEG records.

* ALL: All of above.

1.   Syntax

mkw-ana ANALYZE MODELIST [source]...

2.   Options

Option Param Description
-q --quiet Suppress log messages about opened dump files.
--adjust time Adjust time stamps of the network dump by adding 'time' seconds. This may help to synchronize different dumps. The argument is scanned for SI factors, time units, plus and minus terms.
--skip time Skip first 'time' seconds of each read network dump. The argument is scanned for SI factors, time units, plus and minus terms. Negative values are relative to the end (or ignored for pipes).
--term time Terminate each dump at 'time' seconds. The argument is scanned for SI factors, time units, plus and minus terms. Negative values are relative to the end (or ignored for pipes).
--combine Logically combine the network dumps into one single dump before executing options --skip and --term.
--checksum Normally, UDP packets with wrong checksums are dropped. If --checksum is set, the checksums are calculated, but no packet is dropped. Some dumps will print a status info. If set twice, checksums are never calculated and assumed to be correct. --csum is a short cut.
-f --follow Don't close the last input dump on reaching end of file. Instead wait for appended data. This works like the unix tool 'tail -f'.
--ip addr[:port] Define an address (IP or DNS name) and optionally a port for filtering. Only packets from or to this host are accepted, all others are ignored.
--home addr Define an address (IP or DNS name) as home client.

Without this option, the tool tries to determine the home client by analysing sender and receiver of the first non-filtered packet. A local network (10/8, 172.16/12, 192.168/16, 169.254/16) has priority over a non-local network. If sender and receiver have the same priority, the IP of the sender is used.

--wii addr[:port] Define an address (IP or DNS name) and optionally a port as home client and for filtering. This option is a shortcut for »--home addr --ip addr:port«.
--real-time-factor factor If set (>0.0), the time difference between packet time stamps is compared with the real time difference. If a packet would be served too early, the tool sleeps for a while.

Value 1.0 forces a real time dump. Values >1.0 force a time-lapse effect and values <1.0 a slow-motion effect. --rtf is a short cut.

The intention of this option is to simulate a regular input stream in real time from data that has already been dumped and stored. Never use this option for live incoming data, because packets may be lost.

--real-time-wait seconds If set (>0.0) and the real time option --real-time-factor is enabled, it defines the maximum real time between 2 packets. The default is 3 seconds. --rtw is a short cut.
--write file Write filtered network packets as PCAP v2.4 to 'file' with local endian and microseconds format.
--wflush Flush the output after each packet written by --write.
-x --hex In some hexdumps well known data is replaced by its name to create more unique records. But if --hex is set, all values are printed as hex values.
-p --no-proxy Don't dump proxy packets (packets that contain a PROXY record).
--and If one or more filters are enabled by --receive, --send, --receive-mac, --send-mac, --receive-ip or --send-ip, then a packet or record is only dumped if it matches at least one of the enabled filters.

But if --and is set, a packet must match *all* enabled filters.

-r --receive Dump only network packets received by the home client (option --home). For combinations with other packet filters see option --and.
-s --send Dump only network packets sent by the home client (option --home). For combinations with other packet filters see option --and.
--receive-mac addr Dump only network packets received by the entered MAC address. --rmac is a short cut for --receive-mac. For combinations with other packet filters see option --and.
--send-mac addr Dump only network packets sent by the entered MAC address. --smac is a short cut for --send-mac. For combinations with other packet filters see option --and.
--transfer-mac addr Dump only network packets received or sent by the entered MAC address. --tmac is a short cut for --transfer-mac and both are short cuts for »--rmac addr --smac addr«.
--receive-ip addr Dump only network packets received by the entered address (IP or DNS name). --rip is a short cut for --receive-ip. For combinations with other packet filters see option --and.
--send-ip addr Dump only network packets sent by the entered address (IP or DNS name). --sip is a short cut for --send-ip. For combinations with other packet filters see option --and.
--transfer-ip addr Dump only network packets received or sent by the entered address. --tip is a short cut for --transfer-ip and both are short cuts for »--rip addr --sip addr«.
-o --only-servers Dump only network packets from and to known servers.
-L --length ranges Dump only UDP packets with the specified UDP data length. The 8-byte UDP header does not count.

The parameter is a comma-separated list of INDEX, INDEX1:, INDEX1:INDEX2 and INDEX#LENGTH elements.

-S --stage list Dump UDP packets only if one of the entered stages is active.

The parameter is a comma-separated list of stage names, optionally preceded by '+' (enable) or '.' (disable). Type »mkw-ana test« for a list of stages or use the dumps to identify stage names.

--xevent Support the XEVENT record type. It is an overlay over the ITEM and EVENT records. --xeve is a shortcut. The option is automatically set, if --type or --TYPE call the XEVENT record.
-t --type list Dump UDP packets only if at least one record of the packet matches the entered record list.

The parameter is a comma-separated list of record names, optionally preceded by '+' (enable) or '.' (disable). Type »mkw-ana test« for a list of records or use the dumps to identify record names.

-T --TYPE list Same as --type except for command DUMP3.
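
The home-client rule described under --home and the filter combination described under --and, modelled in Python as an added example (not mkw-ana's own code). Packets are reduced to constructed (sender, receiver) IPv4 pairs; the function names are hypothetical, and DNS names, ports and MAC filters are left out.

```python
import ipaddress

# The four ranges the page treats as "local network". An explicit list is used
# because ipaddress' is_private flag covers more ranges than these four.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def guess_home(packets, ip_filter=None):
    """Pick the home client from the first packet that passes the --ip filter."""
    for src, dst in packets:
        if ip_filter and ip_filter not in (src, dst):
            continue                      # filtered out, does not count
        # Local beats non-local; on equal priority the sender is used.
        if is_local(dst) and not is_local(src):
            return dst
        return src
    return None                           # no usable packet at all

def select(packets, home, receive=False, send=False,
           rip=None, sip=None, use_and=False):
    """Keep packets matching any enabled filter, or all of them with --and."""
    kept = []
    for src, dst in packets:
        checks = []
        if receive:
            checks.append(dst == home)    # -r: received by the home client
        if send:
            checks.append(src == home)    # -s: sent by the home client
        if rip:
            checks.append(dst == rip)     # --receive-ip
        if sip:
            checks.append(src == sip)     # --send-ip
        if not checks or (all(checks) if use_and else any(checks)):
            kept.append((src, dst))
    return kept

# Constructed sample traffic (documentation address ranges as remote hosts).
SAMPLE = [("203.0.113.5", "192.168.1.20"), ("192.168.1.20", "203.0.113.5"),
          ("192.168.1.20", "198.51.100.7"), ("198.51.100.7", "192.168.1.20")]
```

When several capture files are compared, passing --home explicitly avoids a different home client being guessed per file just because each capture starts with a different first packet.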
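
The three checksum behaviours described under --checksum, as an added Python example (not mkw-ana's own code) that verifies the IPv4 UDP checksum over the pseudo-header. The `level` parameter stands for how often --checksum was given; treating a stored checksum of 0 as "not set by the sender" follows RFC 768 and is an assumption, since the page does not say how the tool handles it.

```python
import socket
import struct

def ones_sum(data):
    """16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip, dst_ip, udp):
    """Checksum over IPv4 pseudo-header plus datagram, checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(udp)))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = ~ones_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF                 # 0 is reserved for "no checksum"

def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed UDP datagram with a correct checksum."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:6] + struct.pack("!H", csum) + payload

def accept(src_ip, dst_ip, udp, level=0):
    """level 0: drop bad checksums; 1: verify but keep; 2: never calculate.
    Returns (keep, verdict)."""
    if level >= 2:
        return True, "unchecked"
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return True, "absent"             # assumption, see lead-in
    good = stored == udp_checksum(src_ip, dst_ip, udp)
    return (good or level == 1), ("ok" if good else "bad")
```

Captures taken on the sending host often show wrong checksums because the network card fills them in after the capture point, so the keep-but-report level is the one that shows whether a dump is affected before packets are silently dropped.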