
tm-query - Robin Sommer <robin@icir.org>
========================================

tm-query is a command line client to query the Time Machine (TM). 

It needs the Python Broccoli bindings which you can get here:

   http://www.icir.org/robin/bro/pybroccoli.html


The general usage is

    > tm-query [Options] <tm-host> <target>
    
"<tm-host>" is the host name of the system where the TM is running.
If the TM is running on a port other than 47757, you can append
":<port>" to "<tmhost>". "<target>" is the name of the destination
file into which query matches will be written; the files will be
created in the TM's query directory as configured in "tm.conf". 

Currently, tm-query supports the following query types to extract
traffic

  - Query for all traffic of a given IP address. Example:

    > tm-query --ip 192.168.1.1 localhost host.pcap
  
  - Query for a particular connection. Example for a TCP connection:

    > tm-query --connection "192.168.1.1:12345-192.168.2.1:80" --tcp \
               localhost conn.pcap
  
    For UDP, replace "--tcp" with "--udp"
  
Additional options for these queries:

  - "--mem" restricts search to in-memory data
  
  - "--time" restricts search's time interval, e.g., "--time 5m" for
  the last 5 minutes, and "--time 7h" for the last 7 hours. 

Furthermore, tm-query allows you to assign storage classes to IP
addresses. For this kind of query, the "<target>" becomes the
affected address. Example:

  > tm-query --storage-class my-storage-class localhost 192.1.168.1
  


