NAME
  stenoread - read logs out of Stenographer

SYNOPSIS
  stenoread <stenographer_query> [tcpdump_arguments]

DESCRIPTION
  The stenoread command line script automates pulling packets from Stenographer
  and presenting them in a usable format to analysts. It requests raw packets
  from stenographer, then runs them through tcpdump to provide a more
  full-featured formatting/filtering experience.

  The first argument to stenoread is a stenographer query (see below).
  All other arguments are passed to tcpdump. For example:

	# Request all packets from IP 1.2.3.4 port 6543, then do extra filtering by
	# TCP flag, which typical stenographer does not support.
	$ stenoread 'host 1.2.3.4 and port 6543' 'tcp[tcpflags] & tcp-push != 0'

	# Request packets on port 8765, disabling IP resolution (-n) and showing
	# link-level headers (-e) when printing them out.
	$ stenoread 'port 8765' -n -e

	# Request packets for any IPs in the range 1.1.1.0-1.1.1.255, writing them
	#out to a local PCAP file so they can be opened in Wireshark.
	$ stenoread 'net 1.1.1.0/24' -w /tmp/output_for_wireshark.pcap

QUERY LANGUAGE
  A user requests packets from stenographer by specifying them with a very
  simple query language. This language is a simple subset of BPF, and includes
  the primitives:

	host 8.8.8.8          # Single IP address (hostnames not allowed)
	net 1.0.0.0/8         # Network with CIDR
	net 1.0.0.0 mask 255.255.255.0  # Network with mask
	port 80               # Port number (UDP or TCP)
	ip proto 6            # IP protocol number 6
	icmp                  # equivalent to 'ip proto 1'
	tcp                   # equivalent to 'ip proto 6'
	udp                   # equivalent to 'ip proto 17'

	# Stenographer-specific time additions:
	before 2012-11-03T11:05:00Z      # Packets before a specific time (UTC)
	after 2012-11-03T11:05:00-0700   # Packets after a specific time (with TZ)
	before 45m ago        # Packets before a relative time
	before 3h ago         # Packets after a relative time

  Primitives can be combined with and/&& and with or/||, which have equal
  precedence and evaluate left-to-right. Parens can also be used to group:

	(udp and port 514) or (tcp and port 8080)

ENVIRONMENT
  Set the STENOGRAPHER_CONFIG environmental variable to point to your
  stenographer config if it's in a nonstandard place
  (defaults to /etc/stenographer/config).
