flow-filter man page
flow-filter — Filter flows.
flow-filter [ -hko ] [ -a src_as_filter ] [ -A dst_as_filter ] [ -b big|little ] [ -C comment ] [ -D dstaddr_filter_name ] [ -d debug_level ] [ -e exaddr_filter ] [ -f acl_fname ] [ -i input_filter ] [ -I output_filter ] [ -p srcport_filter ] [ -P dstport_filter ] [ -r ipprot_filter ] [ -S srcaddr_filter_name ] [ -t tos_filter ] [ -T tcp_flags_filter ] [ -x nexthop_filter_name ] [ -z z_level ]
The flow-filter utility will filter flows based on user selectable criteria. The IP address filters are defined in flow.acl or by the filename specified by -f.
Other filters such as input interface and ports are defined on the command line. These filters accept range and negation operators, ie -i1-15 for input interfaces 1 through 15 or -i1,15 for input interfaces 1 and 15, or !1,15 for not input interfaces 1 and 15.
The syntax is kludgy and needs reworked but works for most applications.
- -a src_as_filter
Source AS filter, ie -a159 to permit Autonomous System 159.
- -A dst_as_filter
Destination AS filter, ie -A159,3112 to permit Autonomous Systems 159 and 3112.
- -b big|little
Byte order of output.
- -C Comment
Add a comment.
- -d debug_level
- -D dstaddr_filter_name
Destination IP address filter. This is the name or number of a standard access list defined in flow.acl or the file specified by -f.
- -e exaddr_filter
Exporter IP address filter. One exporter address can be filtered.
- -f acl_fname
Access list filename. Defaults to flow.acl.
- -i input_filter
Input interface filter, ie -i0 to permit traffic from interface 0.
Keep time from input.
- -I output_filter
Output interface filter, ie -I0 to permit traffic to interface 0.
Logical OR instead of AND filters.
- -p srcport_filter
Source port filter, ie -p80 to only permit source port 80.
- -P dstport_filter
Destination port filter, ie -P80,8080 to permit destination ports 80 and 8080.
- -r ipprot_filter
IP Protocol filter, ie -r6 to only permit TCP traffic.
- -S srcaddr_filter_name
Source IP address filter. This is the name or number of a standard access list defined in flow.acl or the file specified by -f.
- -t tos_filter
ToS bits filter. An optional mask is available which is applied to the tos field before comparing to the filter list. For example to match a tos bit pattern of 101xxxxx use 0xA0/0xE0.
- -T tcp_flags_filter
TCP bits filter. An optional mask is available which is applied to the TCP flags field before comparing to the filter list. For example to match a flows with the SYN bit set use 0x2/0x2.
- -x nexthop_filter_name
NextHop IP address filter. This is the name or number of a standard access list defined in flow.acl or the file specified by -f.
- -z z_level
Configure compression level to z_level. 0 is disabled (no compression), 9 is highest compression.
Print all traffic with a destination port of 80.
flow-cat /flows/krc4 | flow-filter -P80 | flow-print
Print all traffic with with source IP 10.0.0.1. Populate flow.acl with ip access-list standard badguy permit host 10.0.0.1
flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-print
Report all destinations that IP 10.0.0.1 has sent traffic to. Sort by octets. Populate flow.acl with ip access-list standard badguy permit host 10.0.0.1
flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-stat -f8 -S2
Extended access lists are not fully implemented. The command line filter syntax is a kludge.
Mark Fullmer <email@example.com>