flow-filter - Man Page

Filter flows.

Synopsis

flow-filter [ -hko ]  [ -a src_as_filter ]  [ -A dst_as_filter ]  [ -b big|little ]  [ -C comment ]  [ -D dstaddr_filter_name ]  [ -d debug_level ]  [ -e exaddr_filter ]  [ -f acl_fname ]  [ -i input_filter ]  [ -I output_filter ]  [ -p srcport_filter ]  [ -P dstport_filter ]  [ -r ipprot_filter ]  [ -S srcaddr_filter_name ]  [ -t tos_filter ]  [ -T tcp_flags_filter ]  [ -x nexthop_filter_name ]  [ -z z_level ]

Description

The flow-filter utility will filter flows based on user-selectable criteria. The IP address filters are defined in flow.acl or in the file specified by -f.

Other filters such as input interface and ports are defined on the command line. These filters accept range and negation operators, ie -i1-15 for input interfaces 1 through 15 or -i1,15 for input interfaces 1 and 15, or !1,15 to exclude input interfaces 1 and 15.

The syntax is kludgy and needs to be reworked but works for most applications.

Options

-a src_as_filter

Source AS filter, ie -a159 to permit Autonomous System 159.

-A dst_as_filter

Destination AS filter, ie -A159,3112 to permit Autonomous Systems 159 and 3112.

-b big|little

Byte order of output.

-C comment

Add a comment.

-d debug_level

Enable debugging.

-D dstaddr_filter_name

Destination IP address filter. This is the name or number of a standard access list defined in flow.acl or the file specified by -f.

-e exaddr_filter

Exporter IP address filter. One exporter address can be filtered.

-f acl_fname

Access list filename. Defaults to flow.acl.

-h

Display help.

-i input_filter

Input interface filter, ie -i0 to permit traffic from interface 0.

-k

Keep time from input.

-I output_filter

Output interface filter, ie -I0 to permit traffic to interface 0.

-o

Logical OR instead of AND filters.

-p srcport_filter

Source port filter, ie -p80 to only permit source port 80.

-P dstport_filter

Destination port filter, ie -P80,8080 to permit destination ports 80 and 8080.

-r ipprot_filter

IP Protocol filter, ie -r6 to only permit TCP traffic.

-S srcaddr_filter_name

Source IP address filter. This is the name or number of a standard access list defined in flow.acl or the file specified by -f.

-t tos_filter

ToS bits filter. An optional mask is available which is applied to the ToS field before comparing to the filter list. For example, to match a ToS bit pattern of 101xxxxx, use 0xA0/0xE0.

-T tcp_flags_filter

TCP bits filter. An optional mask is available which is applied to the TCP flags field before comparing to the filter list. For example, to match flows with the SYN bit set, use 0x2/0x2.

-x nexthop_filter_name

NextHop IP address filter. This is the name or number of a standard access list defined in flow.acl or the file specified by -f.

-z z_level

Configure compression level to z_level. 0 is disabled (no compression), 9 is highest compression.

Examples

Print all traffic with a destination port of 80.

flow-cat /flows/krc4 | flow-filter -P80 | flow-print

Print all traffic with source IP 10.0.0.1. Populate flow.acl with:

ip access-list standard badguy permit host 10.0.0.1

flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-print

Report all destinations that IP 10.0.0.1 has sent traffic to. Sort by octets. Populate flow.acl with:

ip access-list standard badguy permit host 10.0.0.1

flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-stat -f8 -S2
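The value/mask comparison described for -t and -T, modelled in Python as an added example (not flow-tools code), showing which flows 0x2/0x2 selects compared with the stricter 0x2/0x12 (SYN set, ACK clear). The function names and sample flows are constructed; it assumes a missing mask compares all 8 bits and that the TCP flags byte is the OR of the flags seen in one unidirectional flow.

```python
# Model of the value/mask test the page describes for -t and -T:
# the mask is applied to the field, then the result is compared to the value.
# Added illustration; not flow-filter source code.

def parse_spec(spec):
    """Split 'value/mask' (e.g. '0x2/0x2') into two integers."""
    value, _, mask = spec.partition("/")
    # Assumption: with no mask given, all 8 bits of the field are compared.
    value, mask = int(value, 0), (int(mask, 0) if mask else 0xFF)
    if value & ~mask:
        # Value bits outside the mask are cleared from the field before the
        # comparison, so such a spec could never match any flow.
        raise ValueError(f"{spec}: value has bits outside the mask")
    return value, mask

def matches(field, spec):
    """True if the masked field equals the value."""
    value, mask = parse_spec(spec)
    return (field & mask) == value

def select(flows, spec):
    """Labels of the flows whose field passes the spec."""
    return [label for label, field in flows if matches(field, spec)]

# Constructed samples: TCP flags byte of one unidirectional flow.
# FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10
TCP_FLOWS = [
    ("syn-only", 0x02),       # SYN sent, nothing else in this direction
    ("full-session", 0x1B),   # SYN|ACK|PSH|FIN
    ("syn-ack-reply", 0x12),  # SYN|ACK
    ("rst-reply", 0x14),      # RST|ACK
    ("mid-stream", 0x18),     # ACK|PSH
]
# Constructed samples: ToS byte values.
TOS_FLOWS = [("tos-0x00", 0x00), ("tos-0xa0", 0xA0),
             ("tos-0xb8", 0xB8), ("tos-0xc0", 0xC0)]

if __name__ == "__main__":
    for spec in ("0x2/0x2", "0x2/0x12", "0x2"):
        print(f"-T{spec:9} ->", select(TCP_FLOWS, spec))
    print("-t0xA0/0xE0 ->", select(TOS_FLOWS, "0xA0/0xE0"))
```

Under these semantics 0x2/0x2 also passes established sessions and SYN|ACK replies, so a hunt for unanswered connection attempts needs the ACK bit included in the mask.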

Bugs

Extended access lists are not fully implemented. The command line filter syntax is a kludge.

Notes

Use flow-nfilter.

Author

Mark Fullmer <maf@splintered.net>

See Also

flow-tools(1)


26 August 2010