Command-line options for Rockfish tools.
rockfish_probe [OPTIONS]
| Option | Short | Description |
|--------|-------|-------------|
| `--config <FILE>` | `-c` | Configuration file path |
| `--help` | `-h` | Show help |
| `--version` | `-V` | Show version |
| Option | Short | Description |
|--------|-------|-------------|
| `--source <SRC>` | `-i` | Input source (interface or pcap file) |
| `--live <TYPE>` | | Capture type: pcap, afpacket, netmap, fmadio |
| `--filter <EXPR>` | | BPF filter expression |
| `--snaplen <BYTES>` | | Maximum capture bytes per packet |
| `--promisc-off` | | Disable promiscuous mode |
| Option | Description |
|--------|-------------|
| `--idle-timeout <SECS>` | Idle timeout (default: 300) |
| `--active-timeout <SECS>` | Active timeout (default: 1800) |
| `--max-flows <COUNT>` | Maximum flow table size |
| `--max-payload <BYTES>` | Max payload bytes to capture |
| `--udp-uniflow <PORT>` | UDP uniflow port (0=disabled) |
| `--ndpi` | Enable nDPI (includes JA4/JA3s fingerprints) |
| Option | Description |
|--------|-------------|
| `--no-frag` | Disable fragment reassembly |
| `--max-frag-tables <N>` | Max fragment tables (default: 1024) |
| `--frag-timeout <SECS>` | Fragment timeout (default: 30) |
| Option | Description |
|--------|-------------|
| `--afp-block-size <BYTES>` | Ring buffer block size |
| `--afp-block-count <N>` | Ring buffer block count |
| `--afp-fanout-group <ID>` | Fanout group ID |
| `--afp-fanout-mode <MODE>` | Fanout mode: hash, lb, cpu, rollover, random |
| Option | Description |
|--------|-------------|
| `--parquet-dir <DIR>` | Output directory for Parquet files |
| `--parquet-batch-size <N>` | Flows per file |
| `--parquet-prefix <PREFIX>` | Filename prefix |
| `--parquet-schema <TYPE>` | Schema: simple or extended |
| `--observation <NAME>` | Observation domain name |
| `--hive-boundary-flush` | Flush at day boundaries |
| Option | Description |
|--------|-------------|
| `--s3-bucket <NAME>` | S3 bucket name |
| `--s3-prefix <PREFIX>` | S3 key prefix |
| `--s3-region <REGION>` | AWS region |
| `--s3-endpoint <URL>` | Custom S3 endpoint |
| `--s3-force-path-style` | Use path-style URLs |
| `--s3-hive-partitioning` | Enable Hive partitioning |
| `--s3-delete-after-upload` | Delete local after upload |
| `--test-s3` | Test S3 connectivity and exit |
| Option | Short | Description |
|--------|-------|-------------|
| `--verbose` | `-v` | Increase verbosity (`-vv` for debug) |
| `--quiet` | `-q` | Quiet mode |
| `--stats` | | Print statistics |
| `--log-file <PATH>` | | Log file path |
| Option | Description |
|--------|-------------|
| `--license <PATH>` | License file path |
Environment: ROCKFISH_LICENSE_PATH
# Basic PCAP processing: read an offline capture file and write the flow
# records as Parquet files under ./flows.
rockfish_probe -i capture.pcap --parquet-dir ./flows
# Live capture with AF_PACKET (4194304-byte = 4 MiB ring buffer blocks,
# fanout group 1).
# NOTE(review): run under sudo here; presumably opening the AF_PACKET socket
# needs root or CAP_NET_RAW. Confirm which, and prefer granting only the
# capture privilege over running the whole probe as root.
sudo rockfish_probe -i eth0 --live afpacket \
--afp-block-size 4194304 \
--afp-fanout-group 1 \
--parquet-dir ./flows
# With all features (nDPI includes fingerprints): live capture, nDPI, local
# Parquet output, upload to S3 with Hive partitioning, debug verbosity (-vv).
# NOTE(review): this is also a live afpacket capture but is shown without
# sudo, unlike the example above; the invoking user would need the same
# capture privilege. Confirm what the probe requires.
# NOTE(review): no S3 credentials appear on the command line and the option
# tables list no credential flag, so they presumably come from the
# environment or the config file. Confirm.
rockfish_probe -i eth0 --live afpacket \
--ndpi \
--parquet-dir ./flows \
--s3-bucket my-bucket \
--s3-region us-east-1 \
--s3-hive-partitioning \
-vv
# Test S3 connectivity: --test-s3 checks access to the given bucket and
# region and then exits, so no input source is needed.
rockfish_probe --test-s3 \
--s3-bucket my-bucket \
--s3-region us-east-1
rockfish_mcp [OPTIONS]
| Option | Description |
--config <FILE> | Configuration file path |
--help | Show help |
--version | Show version |
Environment: ROCKFISH_CONFIG
# Start with config file: the path is supplied through the ROCKFISH_CONFIG
# environment variable, set here for this one invocation only.
ROCKFISH_CONFIG=config.yaml rockfish_mcp
# Or via argument: pass the configuration file path with --config.
rockfish_mcp --config /etc/rockfish/mcp.yaml
# Glob pattern: the pattern is quoted, so the shell passes it unexpanded as a
# single -i argument; presumably rockfish_probe expands it itself. Confirm.
rockfish_probe -i "/data/captures/*.pcap" --parquet-dir ./flows
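# Multiple runs: one rockfish_probe invocation per capture file, all writing
# to the same ./flows directory.
for f in /data/captures/*.pcap; do
  # When nothing matches, the shell leaves the pattern unexpanded; skip it
  # rather than pass the literal "*.pcap" path to the probe.
  [ -e "$f" ] || continue
  rockfish_probe -i "$f" --parquet-dir ./flows
done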
# Pin to CPUs, large ring buffer, fanout: taskset -c 0-3 restricts the probe
# to CPUs 0-3; the ring is 128 blocks of 4194304 bytes (4 MiB) each, with
# hash fanout in group 1.
# NOTE(review): sudo wraps taskset, so the probe itself runs as root;
# presumably only the AF_PACKET socket needs elevated privilege. Confirm.
sudo taskset -c 0-3 rockfish_probe -i eth0 --live afpacket \
--afp-block-size 4194304 \
--afp-block-count 128 \
--afp-fanout-group 1 \
--afp-fanout-mode hash \
--parquet-dir /data/flows
# Verbose output, no S3: offline pcap with nDPI, statistics and debug
# verbosity (-vv); no --s3-* option is given, so output stays in ./test-flows.
rockfish_probe -i test.pcap \
--parquet-dir ./test-flows \
--ndpi \
--stats \
-vv
# Full featured with S3: settings are read from the config file (-c); only
# the license file path is given on the command line.
# NOTE(review): no --s3-* option appears here, so the S3 settings presumably
# live in config.yaml. Confirm against the config file reference.
rockfish_probe -c /opt/rockfish/etc/config.yaml \
--license /opt/rockfish/etc/license.json