...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\"	transcript compatibility for postscript use.
...\"
...\"	synopsis:  .P!
...\"
.de P!
\\&.
.fl			\" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl			\" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u	\" move below the image
..
.de pF
.ie     \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie     !\\*(f4 \{\
.	ft \\*(f4
.	ds f4\"
'	br \}
.el .ie !\\*(f3 \{\
.	ft \\*(f3
.	ds f3\"
'	br \}
.el .ie !\\*(f2 \{\
.	ft \\*(f2
.	ds f2\"
'	br \}
.el .ie !\\*(f1 \{\
.	ft \\*(f1
.	ds f1\"
'	br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n
.TH "\fBflow-tools\fP" "1"
.SH "NAME"
\fBflow-tools\fP \(em Tool set for working with NetFlow data\&.
.SH "DESCRIPTION"
.PP
Flow-tools is a library and a collection of programs used to collect, send,
process, and generate reports from NetFlow data\&. The tools can be used
together on a single server or distributed to multiple servers for large
deployments\&. The flow-tools library provides an API for development of
custom applications for NetFlow export versions 1, 5, 6 and the 14 currently
defined version 8 subversions\&. Perl and Python interfaces have been
contributed and are included in the distribution\&.
.PP
Flow data is collected and stored by default in host byte order, yet the
files are portable across big and little endian architectures\&.
.PP
Commands that utilize the network use a localip/remoteip/port designation
for communication\&.
"localip" is the IP address the host will use as the source when sending,
or bind to when receiving, NetFlow PDUs (i\&.e\&. the destination address
configured on the exporter)\&. Configuring the "localip" to 0 will force
the kernel to decide which IP address to use for sending, and will listen
on all IP addresses for receiving\&. "remoteip" is the destination IP
address used for sending, or the expected address of the source when
receiving\&. If the "remoteip" is 0 then the application will accept flows
from any source address\&. The "port" is the UDP port number used for
sending or receiving\&. When using multicast addresses the
localip/remoteip/port is used to represent the source, group, and port
respectively\&.
.PP
Flows are exported from a router in a number of different configurable
versions\&. A flow is a collection of key fields and additional data\&.
The flow key is {srcaddr, dstaddr, input, output, srcport, dstport, prot,
ToS}\&. Flow-tools supports one export version per file\&.
.PP
Export versions 1, 5, 6, and 7 all maintain {nexthop, dPkts, dOctets,
First, Last, flags}, i\&.e\&. the next-hop IP address, number of packets,
number of octets (bytes), start time, end time, and flags such as the TCP
header bits\&. Version 5 adds the fields {src_as, dst_as, src_mask,
dst_mask}, i\&.e\&. source AS, destination AS, source network mask, and
destination network mask\&. Version 7, which is specific to the Catalyst
switches, adds to the version 5 fields {router_sc}, the IP address of the
router that populates the flow cache shortcut in the Supervisor\&.
Version 6, which is not officially supported by Cisco, adds to the
version 5 fields {in_encaps, out_encaps, peer_nexthop}, i\&.e\&. the input
and output interface encapsulation size, and the IP address of the next
hop within the peer\&. Version 1 exports do not contain a sequence number
and therefore should be avoided, although it is safe to store the data as
version 1 if the additional fields are not used\&.
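.PP
The paragraphs above name the per-flow fields of a version 5 export, the
flow-tools flow key, and the reason version 1 should be avoided (no
sequence number)\&. The following Python is an added example and is not
part of flow-tools or its contributed Python interface: it decodes the
standard NetFlow v5 wire layout (24-byte header, 48-byte records,
big-endian) into those named fields, derives the flow key, and uses the
header's flow_sequence to count PDUs a collector never received\&. The
exporter address, AS numbers and all record values are constructed for the
demonstration\&.

```python
"""Decode NetFlow v5 PDUs into the fields flow-tools works with.

Added example, not flow-tools code. Sample PDUs are constructed inline by
build_v5_pdu(); struct layouts are the standard NetFlow v5 wire format.
"""
import socket
import struct
from typing import Dict, List, Tuple

# Header: version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (24 bytes, big-endian).
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# First, Last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "First", "Last", "srcport", "dstport", "pad1",
                 "flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def parse_v5_pdu(data: bytes) -> Tuple[dict, List[dict]]:
    """Return (header, records); reject anything not a well-formed v5 PDU."""
    if len(data) < V5_HEADER.size:
        raise ValueError("PDU shorter than a v5 header")
    (version, count, sysuptime, unix_secs, _nsecs, flow_sequence,
     _etype, engine_id, _sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > 30:  # a v5 PDU never carries more than 30 records
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("PDU truncated: fewer bytes than count claims")
    header = {"count": count, "flow_sequence": flow_sequence,
              "engine_id": engine_id, "unix_secs": unix_secs,
              "sysuptime": sysuptime}
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for addr in ("srcaddr", "dstaddr", "nexthop"):
            rec[addr] = socket.inet_ntoa(rec[addr])  # dotted quad for readability
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return header, records


def flow_key(rec: dict) -> tuple:
    """The flow-tools key: {srcaddr, dstaddr, input, output, srcport, dstport, prot, ToS}."""
    return (rec["srcaddr"], rec["dstaddr"], rec["input"], rec["output"],
            rec["srcport"], rec["dstport"], rec["prot"], rec["tos"])


class SequenceTracker:
    """Detect lost PDUs per exporter/engine from flow_sequence.

    flow_sequence counts the flows exported before this PDU, so the next
    PDU from the same source should start at flow_sequence + count.
    Version 1 exports lack this field, which is why loss cannot be seen.
    """
    def __init__(self) -> None:
        self.next_expected: Dict[Tuple[str, int], int] = {}

    def observe(self, exporter_ip: str, header: dict) -> int:
        """Record one PDU; return how many flows were skipped before it."""
        key = (exporter_ip, header["engine_id"])
        seq = header["flow_sequence"]
        lost = 0
        if key in self.next_expected and seq > self.next_expected[key]:
            lost = seq - self.next_expected[key]
        self.next_expected[key] = seq + header["count"]
        return lost


def build_v5_pdu(flow_sequence: int, recs: List[dict]) -> bytes:
    """Pack constructed records into a v5 PDU (sample input for the demo)."""
    hdr = V5_HEADER.pack(5, len(recs), 600000, 1028672520, 0, flow_sequence, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(r["srcaddr"]), socket.inet_aton(r["dstaddr"]),
        socket.inet_aton(r["nexthop"]), r["input"], r["output"], r["dPkts"],
        r["dOctets"], r["First"], r["Last"], r["srcport"], r["dstport"], 0,
        r["flags"], r["prot"], r["tos"], r["src_as"], r["dst_as"],
        r["src_mask"], r["dst_mask"], 0) for r in recs)
    return hdr + body


def demo() -> Tuple[dict, int, int]:
    """Parse two constructed PDUs; the second skips 4 flows in sequence."""
    rec = dict(srcaddr="10.0.0.1", dstaddr="192.0.2.10", nexthop="10.0.0.254",
               input=1, output=2, dPkts=10, dOctets=5400, First=1000, Last=1200,
               srcport=40000, dstport=443, flags=0x1b, prot=6, tos=0,
               src_as=64512, dst_as=64513, src_mask=24, dst_mask=24)
    tracker = SequenceTracker()
    h1, r1 = parse_v5_pdu(build_v5_pdu(0, [rec]))
    lost1 = tracker.observe("10.0.0.1", h1)   # first PDU seen: nothing to compare
    h2, _ = parse_v5_pdu(build_v5_pdu(5, [rec, rec]))
    lost2 = tracker.observe("10.0.0.1", h2)   # expected 1, got 5: 4 flows lost
    return r1[0], lost1, lost2


if __name__ == "__main__":
    first, lost_a, lost_b = demo()
    print("flow key:", flow_key(first))
    print("lost before PDU 1:", lost_a, "lost before PDU 2:", lost_b)
```

The length and count checks in parse_v5_pdu matter for a collector that
listens with "remoteip" set to 0, since a datagram from any source is then
decoded; the sequence gap is the signal that flow-capture cannot obtain
from version 1 exports\&.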
.PP
Version 8 IOS NetFlow is a second level flow cache that reduces the data
exported from the router\&. There are currently 11 formats, all of which
provide {dFlows, dOctets, dPkts, First, Last} for the key fields\&.
.PP
.nf
8\&.1  - Source and Destination AS, Input and Output interface
8\&.2  - Protocol and Port
8\&.3  - Source Prefix and Input interface
8\&.4  - Destination Prefix and Output interface
8\&.5  - Source/Destination Prefix and Input/Output interface
8\&.9  - 8\&.1 + ToS
8\&.10 - 8\&.2 + ToS
8\&.11 - 8\&.3 + ToS
8\&.12 - 8\&.5 + ToS
8\&.13 - 8\&.2 + ToS
8\&.14 - 8\&.3 + ports + ToS
.fi
.PP
Version 8 CatIOS NetFlow appears to be a less fine grained first level
flow cache\&.
.PP
.nf
8\&.6 - Destination IP, ToS, Marked ToS
8\&.7 - Source/Destination IP, Input/Output interface, ToS, Marked ToS
8\&.8 - Source/Destination IP, Source/Destination Port, Input/Output interface, ToS, Marked ToS
.fi
.PP
The following programs are included in the flow-tools distribution\&.
.PP
\fBflow-capture\fP - Collect, compress, store, and manage disk space for
exported flows from a router\&.
.PP
\fBflow-cat\fP - Concatenate flow files\&. Typically flow files will
contain a small window of 5 or 15 minutes of exports\&. Flow-cat can be
used to append files for generating reports that span longer time
periods\&.
.PP
\fBflow-fanout\fP - Replicate NetFlow datagrams to unicast or multicast
destinations\&. Flow-fanout is used to facilitate multiple collectors
attached to a single router\&.
.PP
\fBflow-report\fP - Generate reports for NetFlow data sets\&. Reports
include source/destination IP pairs, source/destination AS, and top
talkers\&. Over 50 reports are currently supported\&.
.PP
\fBflow-tag\fP - Tag flows based on IP address or AS number\&. Flow-tag is
used to group flows by customer network\&. The tags can later be used with
flow-fanout or flow-report to generate customer based traffic reports\&.
.PP
\fBflow-filter\fP - Filter flows based on any of the export fields\&.
Flow-filter is used in-line with other programs to generate reports based
on flows matching filter expressions\&.
.PP
\fBflow-import\fP - Import data from ASCII or cflowd format\&.
.PP
\fBflow-export\fP - Export data to ASCII or cflowd format\&.
.PP
\fBflow-send\fP - Send data over the network using the NetFlow protocol\&.
.PP
\fBflow-receive\fP - Receive exports using the NetFlow protocol, without
storing them to disk as flow-capture does\&.
.PP
\fBflow-gen\fP - Generate test data\&.
.PP
\fBflow-dscan\fP - Simple tool for detecting some types of network scanning
and Denial of Service attacks\&.
.PP
\fBflow-merge\fP - Merge flow files in chronological order\&.
.PP
\fBflow-xlate\fP - Perform translations on some flow fields\&.
.PP
\fBflow-expire\fP - Expire flows using the same policy as flow-capture\&.
.PP
\fBflow-header\fP - Display meta information in a flow file\&.
.PP
\fBflow-split\fP - Split flow files into smaller files based on size,
time, or tags\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.PP
\fBflow-merge\fP by Larry Lidz ellidz@eridu\&.uchicago\&.edu
.PP
Patches and other contributions by a list too long to mention here\&.
.PP
\fBflow-tools\fP is available at
\fI (link to URL http://www.splintered.net/sw/flow-tools) \fR\&.
.PP
A mailing list is maintained at flow-tools@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-capture\fP(1)
\fBflow-cat\fP(1)
\fBflow-dscan\fP(1)
\fBflow-expire\fP(1)
\fBflow-export\fP(1)
\fBflow-fanout\fP(1)
\fBflow-filter\fP(1)
\fBflow-nfilter\fP(1)
\fBflow-gen\fP(1)
\fBflow-header\fP(1)
\fBflow-import\fP(1)
\fBflow-merge\fP(1)
\fBflow-print\fP(1)
\fBflow-receive\fP(1)
\fBflow-report\fP(1)
\fBflow-send\fP(1)
\fBflow-split\fP(1)
\fBflow-stat\fP(1)
\fBflow-tag\fP(1)
\fBflow-xlate\fP(1)
...\" created by instant / docbook-to-man, Tue 06 Aug 2002, 22:22