NAME¶
flow-receive — Receive flow data with the NetFlow protocol.
SYNOPSIS¶
flow-receive [-h] [-b
big|little] [-C
comment] [-d
debug_level] [-o
output_file] [-S
stat_interval] [-V
pdu_version] [-z
z_level]
localip/remoteip/port
DESCRIPTION¶
The
flow-receive utility is used to receive flows in NetFlow format. When
the
remoteip is configured only flows from that exporter will be
processed, this is the most secure and recommended configuration. When the
localip is configured
flow-receive will only process flows sent
to the
localip IP address. If
remoteip is 0 (not configured)
flows from any source IP address are accepted. Multiple non aggregated PDU
versions may be accepted at once to support Cisco's Catalyst 6500 NetFlow
implementation which exports from both the supervisor and MSFC with the same
IP address and same port but different export versions. In this case the
exports will be stored in the format specified by the -V flag or whichever
export type is received first.
OPTIONS¶
- -b big|little
- Byte order of output.
- -C Comment
- Add a comment.
- -d debug_level
- Enable debugging.
- -h
- Display help.
- -o file
- Write to file instead of the standard out.
- -S stat_interval
- When configured flow-receive will emit a timestamped message on
stderr every stat_interval minutes indicating counters such as the
number of flows received, packets processed, and lost flows.
- -V pdu_version
- Use pdu_version format output.
1 NetFlow version 1 (No sequence numbers, AS, or mask)
5 NetFlow version 5
6 NetFlow version 6 (5+ Encapsulation size)
7 NetFlow version 7 (Catalyst switches)
8.1 NetFlow AS Aggregation
8.2 NetFlow Proto Port Aggregation
8.3 NetFlow Source Prefix Aggregation
8.4 NetFlow Destination Prefix Aggregation
8.5 NetFlow Prefix Aggregation
8.6 NetFlow Destination (Catalyst switches)
8.7 NetFlow Source Destination (Catalyst switches)
8.8 NetFlow Full Flow (Catalyst switches)
8.9 NetFlow ToS AS Aggregation
8.10 NetFlow ToS Proto Port Aggregation
8.11 NetFlow ToS Source Prefix Aggregation
8.12 NetFlow ToS Destination Prefix Aggregation
8.13 NetFlow ToS Prefix Aggregation
8.14 NetFlow ToS Prefix Port Aggregation
1005 Flow-Tools tagged version 5
- -z z_level
- Configure compression level to z_level. 0 is disabled (no
compression), 9 is highest compression.
EXAMPLES¶
Listen on port 9800 on any local interface for exports from IP address 10.0.0.1,
store the exports in
flows
flow-receive 0/10.0.0.1/9800 >
flows
Listen on port 9800 on any local interface from any IP address, display the
received flows with flow-print.
flow-receive 0/0/9800 |
flow-print
BUGS¶
It is not currently possible to convert between the aggregated formats (8.x) and
the non aggregated formats (1,5,6,7).
AUTHOR¶
Mark Fullmer maf@splintered.net
SEE ALSO¶
flow-tools(1)