...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $ ...\" ...\" transcript compatibility for postscript use. ...\" ...\" synopsis: .P! ...\" .de P! \\&. .fl \" force out current output buffer \\!%PB \\!/showpage{}def ...\" the following is from Ken Flowers -- it prevents dictionary overflows \\!/tempdict 200 dict def tempdict begin .fl \" prolog .sy cat \\$1\" bring in postscript file ...\" the following line matches the tempdict above \\!end % tempdict % \\!PE \\!. .sp \\$2u \" move below the image .. .de pF .ie \\*(f1 .ds f1 \\n(.f .el .ie \\*(f2 .ds f2 \\n(.f .el .ie \\*(f3 .ds f3 \\n(.f .el .ie \\*(f4 .ds f4 \\n(.f .el .tm ? font overflow .ft \\$1 .. .de fP .ie !\\*(f4 \{\ . ft \\*(f4 . ds f4\" ' br \} .el .ie !\\*(f3 \{\ . ft \\*(f3 . ds f3\" ' br \} .el .ie !\\*(f2 \{\ . ft \\*(f2 . ds f2\" ' br \} .el .ie !\\*(f1 \{\ . ft \\*(f1 . ds f1\" ' br \} .el .tm ? font underflow .. .ds f1\" .ds f2\" .ds f3\" .ds f4\" .ta 8n 16n 24n 32n 40n 48n 56n 64n 72n .TH "\fBflow-fanout\fP" "1" .SH "NAME" \fBflow-fanout\fP \(em Fanout (replicate) flow exports to many destinations\&. .SH "SYNOPSIS" .PP \fBflow-fanout\fP [-h] [-A\fI AS0_substitution\fP] [-d\fI debug_level\fP] [-f\fI filter_fname\fP] [-F\fI filter_definition\fP] [-m\fI privacy_mask\fP] [-p\fI pidfile\fP] [-s] [-S\fI stat_interval\fP] [-V\fI pdu_version\fP] [-x\fI xmit_delay\fP] \fIlocalip/remoteip/port\fP \fIlocalip/remoteip/port\fP \&... .SH "DESCRIPTION" .PP The \fBflow-fanout\fP utility will replicate flows arriving on localip/remoteip/port to destination(s) specified by localip/remoteip/port\&. .PP Flows processed by multiple exporters will be mixed into a single output stream\&. This functionality appeared to support Cisco Catalyst exports and may have other uses\&. .PP A SIGQUIT or SIGTERM signal will cause \fBflow-fanout\fP to exit\&. .SH "OPTIONS" .IP "-A\fI AS0_substitution\fP" 10 Cisco\&'s NetFlow exports represent the local autonomous system as 0 instead of the real value\&. This option can be used to replace the 0 in the export with the a configured value\&. Unfortunately under certain configurations AS 0 can also represent a cache miss or non forwarded traffic so use with caution\&. .IP "-d\fI debug_level\fP" 10 Enable debugging\&. .IP "-f\fI filter_fname\fP" 10 Filter list filename\&. Defaults to \fB/etc/flow-tools/cfg/filter\fP\&. .IP "-F\fI filter_definition\fP" 10 Select the active definition\&. Defaults to default\&. .IP "-h" 10 Display help\&. .IP "-m\fI privacy_mask\fP" 10 Apply \fIprivacy_mask\fP to the source and destination IP address of flows\&. For example a privacy_mask of 255\&.255\&.255\&.0 would convert flows with source/destination IP addresses 10\&.1\&.1\&.1 and 10\&.2\&.2\&.2 to 10\&.1\&.1\&.0 and 10\&.2\&.2\&.0 respectively\&. .IP "-p\fI pidfile\fP" 10 Configure the process ID file\&. Use - to disable pid file creation\&. .IP "-s" 10 Spoof the source IP address\&. If the IP address is 0 then it is replaced with the exporter source IP\&. .IP "-S\fI stat_interval\fP" 10 When configured \fBflow-fanout\fP will emit a timestamped message on stderr every \fIstat_interval\fP minutes indicating counters such as the number of flows received, packets processed, and lost flows\&. .IP "-V\fI pdu_version\fP" 10 Use \fIpdu_version\fP format output\&. .PP .nf 1 NetFlow version 1 (No sequence numbers, AS, or mask) 5 NetFlow version 5 6 NetFlow version 6 (5+ Encapsulation size) 7 NetFlow version 7 (Catalyst switches) 8\&.1 NetFlow AS Aggregation 8\&.2 NetFlow Proto Port Aggregation 8\&.3 NetFlow Source Prefix Aggregation 8\&.4 NetFlow Destination Prefix Aggregation 8\&.5 NetFlow Prefix Aggregation 8\&.6 NetFlow Destination (Catalyst switches) 8\&.7 NetFlow Source Destination (Catalyst switches) 8\&.8 NetFlow Full Flow (Catalyst switches) 8\&.9 NetFlow ToS AS Aggregation 8\&.10 NetFlow ToS Proto Port Aggregation 8\&.11 NetFlow ToS Source Prefix Aggregation 8\&.12 NetFlow ToS Destination Prefix Aggregation 8\&.13 NetFlow ToS Prefix Aggregation 8\&.14 NetFlow ToS Prefix Port Aggregation 1005 Flow-Tools tagged version 5 .fi .IP "-x\fI xmit_delay\fP" 10 Configure a microsecond transmit delay between packets\&. This may be necessary in some configurations to prevent a transmit buffer overrun\&. .SH "EXAMPLES" .PP Replicate flows arriving to local IP address 10\&.0\&.0\&.1 from the router exporting with IP address 10\&.1\&.1\&.1 on port 9500 to localhost port 9500 and 10\&.5\&.5\&.5 port 9200\&. The exports sent to 10\&.5\&.5\&.5 will be sent with a source IP address of 10\&.0\&.0\&.5 which must be a valid local IP address\&. .PP \fBflow-fanout 10\&.0\&.0\&.1/10\&.1\&.1\&.1/9500 0/0/9500 10\&.0\&.0\&.5/10\&.5\&.5\&.5/9200\fP .SH "BUGS" .PP NetFlow exports do not contain the exporter IP address inside the payload so the original exporter IP address (typically a router) will be lost when using \fBflow-fanout\fP\&. A work around for this protocol limitation is to use local IP aliases and the \fIlocalip\fP option\&. When the spoofing option is used multiple exporters with different IP addresses will share the same sequence number but will have the original source IP\&. Fixing this requires per source : destination sequence number mapping\&. It is much easier to just use multiple instances of flow-fanout running on different ports\&. .SH "AUTHOR" .PP Mark Fullmer maf@splintered\&.net .SH "SEE ALSO" .PP \fBflow-tools\fP(1) ...\" created by instant / docbook-to-man, Sat 29 Nov 2003, 01:41