2 releases
0.1.1 (Jul 2, 2024)
0.1.0 (Dec 19, 2022)
RTLola Interpreter CLI
RTLola is a runtime monitoring framework. It consists of a parser, analyzer, and interpreter for the RTLola specification language. This crate contains a CLI interface to the interpreter capable of reading csv and pcap files.
For detailed usage instructions try:
rtlola-cli help
For more information on the RTLola framework make sure to visit our Website: rtlola.org
Installation Notes
If you want to use the network interface, make sure to compile with the pcap_interface feature enabled. In that case the PCAP library is required. If it is not already installed on your system, you can install it as follows:
Windows
You can download and install the library from here: NPcap
Linux
Use the package manager of your choice to install the libpcap-dev package. For example, using apt:
apt install libpcap-dev
Mac OS
The PCAP library is already included in Mac OS X.
Command Line Usage
Specification Analysis
rtlola-cli analyze [SPEC]
checks whether the given specification is valid
Monitoring
rtlola-cli monitor [SPEC] --offline relative --csv-in [TRACE] --verbosity trigger
For example, given the specification
input a: Int64
input b: Int64
output x := a + b
trigger x > 2
in file example.spec
and the CSV
a,b,time
0,1,0.1
2,3,0.2
4,5,0.3
in file example.csv
we get
rtlola-interpreter monitor example.spec --offline relative --csv-in example.csv
Trigger: x > 2
Trigger: x > 2
See all available options with rtlola-cli help monitor
Time Representations
The RTLola interpreter supports multiple representations of time in its input and output. If run in offline mode, meaning the time for an event is parsed from the input source, the format in which the time is present in the input has to be set. The following options are supported:
Relative Timestamps
Time is considered as timestamps relative to a fixed point in time. Call this point in time x; then in the example above the first event gets the timestamp x + 0.1, the second one x + 0.2, and so forth.
Absolute Timestamps
Time is parsed as absolute wall clock timestamps.
Note: The evaluation of periodic streams depends on the time passed between events. Depending on the representation, determining the time that passed before the first event is not obvious. While the relative and offset representations do not strictly need a point of reference to determine the time passed, the absolute representation requires such a point of reference. This point in time can either be supplied directly via the command line arguments --start-time-unix and --start-time-rfc3339, or inferred as the time of the first event. The latter consequently assumes that no time has passed before the first event in the input.
Offset
Time is considered as an offset to the preceding event. This induces the following timestamps for the above example:
a,b,time
0,1,x + 0.1
2,3,x + 0.3
4,5,x + 0.6
Copyright
Copyright (C) CISPA - Helmholtz Center for Information Security 2024. Authors: Jan Baumeister, Florian Kohn, Stefan Oswald, Frederik Scheerer, Maximilian Schwenger. Based on original work at Universität des Saarlandes (C) 2020. Authors: Jan Baumeister, Florian Kohn, Malte Schledjewski, Maximilian Schwenger, Marvin Stenger, and Leander Tentrup.