...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $ ...\" ...\" transcript compatibility for postscript use. ...\" ...\" synopsis: .P! ...\" .de P! \\&. .fl \" force out current output buffer \\!%PB \\!/showpage{}def ...\" the following is from Ken Flowers -- it prevents dictionary overflows \\!/tempdict 200 dict def tempdict begin .fl \" prolog .sy cat \\$1\" bring in postscript file ...\" the following line matches the tempdict above \\!end % tempdict % \\!PE \\!. .sp \\$2u \" move below the image .. .de pF .ie \\*(f1 .ds f1 \\n(.f .el .ie \\*(f2 .ds f2 \\n(.f .el .ie \\*(f3 .ds f3 \\n(.f .el .ie \\*(f4 .ds f4 \\n(.f .el .tm ? font overflow .ft \\$1 .. .de fP .ie !\\*(f4 \{\ . ft \\*(f4 . ds f4\" ' br \} .el .ie !\\*(f3 \{\ . ft \\*(f3 . ds f3\" ' br \} .el .ie !\\*(f2 \{\ . ft \\*(f2 . ds f2\" ' br \} .el .ie !\\*(f1 \{\ . ft \\*(f1 . ds f1\" ' br \} .el .tm ? font underflow .. .ds f1\" .ds f2\" .ds f3\" .ds f4\" .ta 8n 16n 24n 32n 40n 48n 56n 64n 72n .TH "\fBflow-xlate\fP" "1" .SH "NAME" \fBflow-xlate\fP \(em Apply translations to selected fields of a flow\&. .SH "SYNOPSIS" .PP \fBflow-xlate\fP [-hkn] [-b\fI big\fP|\fIlittle\fP] [-C\fI comment\fP] [-d\fI debug_level\fP] [-v\fI variable binding\fP] [-V\fI flow_version\fP] [-x\fI xlate_fname\fP] [-X\fI xlate_definition\fP] [-z\fI z_level\fP] .SH "DESCRIPTION" .PP The \fBflow-xlate\fP utility is used to apply translations to flows\&. Translations are defined in a configuration file and are composed of actions and a definition to invoke action(s)\&. The definitions are in the form of terms, each term can have a filter and multiple actions\&. .PP Words in the configuration file of the form @VAR or @{VAR:default} will be expanded at run-time by setting variable names with the -v option\&. .PP Translation actions begin with the xlate-action keyword followed by a symbolic name\&. Each action has a type defined below\&. .PP Translation definitions begin with the xlate-definition keyword followed by a symbolic name\&. Each definition is composed of terms which are evaluated in the order of the configuration file\&. A term may invoke a filter to conditionally invoke an action\&. .PP .nf Action type/sub-commands Description/Example ------------------------------------------------------------------------ ip-source-address-to-network Zero host bits based on mask\&. ip-destination-address-to-network Zero host bits based on mask\&. (no sub-commands) ip-source-address-to-class-network Zero source host bits to match class\&. ip-destination-address-to-class-network Zero dst host bits to match class\&. (no sub-commands) ip-source-address-anonymize Anonymize source address\&. ip-destination-address-anonymize Anonymize destination address\&. ip-address-anonymize Anonymize src/dst address\&. algorithm Algorithm\&. cryptopan-aes128 is currently supported\&. algorithm cryptopan-aes128 key Key\&. Key is 128 bits in hex\&. key 0123456789ABCDEFG key-file File to load key from\&. Key is 128 bits in hex\&. key-file /mfstmp/secret-key key-file-refresh How often to check the key file\&. Interval is in minutes, the optional second argument is hour:min:sec to specify the first refresh\&. This example will load a new key every day at 12:00:00\&. 14400 12:00:00 ip-address-privacy-mask Apply a mask to the source and destination address to remove bits\&. ip-port-privacy-mask Apply a mask to the source and destination port to remove bits\&. tag-mask Apply mask to the source and destination tag\&. mask Source and Destination mask to apply\&. mask 0xFFFF 0xFFFF scale Scale packets and bytes\&. scale Scale to apply\&. scale 100 replace-source-as0 Replace source AS 0 replace-destination-as0 Replace destination AS 0 as AS replacement value\&. as 3112 .fi .SH "OPTIONS" .IP "-b\fI big\fP|\fIlittle\fP" 10 Byte order of output\&. .IP "-C\fI Comment\fP" 10 Add a comment\&. .IP "-d\fI debug_level\fP" 10 Enable debugging\&. .IP "-h" 10 Display help\&. .IP "-k" 10 Keep time from input\&. .IP "-n" 10 Don\&'t load configuration file\&. Useful only with -V .IP "-v\fI variable binding\fP" 10 Set a variable FOO=bar\&. .IP "-V\fI pdu_version\fP" 10 Use \fIpdu_version\fP format output\&. .PP .nf 1 NetFlow version 1 (No sequence numbers, AS, or mask) 5 NetFlow version 5 6 NetFlow version 6 (5+ Encapsulation size) 7 NetFlow version 7 (Catalyst switches) 8\&.1 NetFlow AS Aggregation 8\&.2 NetFlow Proto Port Aggregation 8\&.3 NetFlow Source Prefix Aggregation 8\&.4 NetFlow Destination Prefix Aggregation 8\&.5 NetFlow Prefix Aggregation 8\&.6 NetFlow Destination (Catalyst switches) 8\&.7 NetFlow Source Destination (Catalyst switches) 8\&.8 NetFlow Full Flow (Catalyst switches) 8\&.9 NetFlow ToS AS Aggregation 8\&.10 NetFlow ToS Proto Port Aggregation 8\&.11 NetFlow ToS Source Prefix Aggregation 8\&.12 NetFlow ToS Destination Prefix Aggregation 8\&.13 NetFlow ToS Prefix Aggregation 8\&.14 NetFlow ToS Prefix Port Aggregation 1005 Flow-Tools tagged version 5 .fi .IP "-x\fI xlate_fname\fP" 10 Translation config file name\&. Defaults to \fB/etc/flow-tools/cfg/xlate\&.cfg\fP .IP "-X\fI xlate_definition\fP" 10 Translation definition\&. Defaults to default\&. .IP "-z\fI z_level\fP" 10 Configure compression level to \fI z_level\fP\&. 0 is disabled (no compression), 9 is highest compression\&. .SH "EXAMPLES" .PP Convert the version 7 flows in \fBflows\&.v7\fP to version 5, storing the result in \fBflows\&.v5\fP\&. .PP \fBflow-xlate -V5 < flows\&.v7 > flows\&.v5\fP .PP Set the low 11 bits in the IP addresses to zero unless the address is multicast or it belongs to the 192\&.88\&.99/24 network\&. .PP .nf # xlate\&.cfg include-filter filter\&.cfg xlate-action MULTICAST-PRIVACY type ip-address-privacy-mask mask 0xFFFFFFFF 0xFFFFFFFF xlate-action UNICAST-PRIVACY type ip-address-privacy-mask mask 0xFFFFFF00 0xFFFFF800 xlate-definition abilene_privacy term filter mcast action MULTICAST-PRIVACY stop term filter ucast action UNICAST-PRIVACY .fi .PP .nf # filter\&.cfg filter-primitive MCAST type ip-address-mask permit 224\&.0\&.0\&.0 240\&.0\&.0\&.0 filter-primitive UCAST type ip-address-mask deny 224\&.0\&.0\&.0 240\&.0\&.0\&.0 default permit filter-primitive SKIP type ip-address-mask deny 192\&.88\&.99\&.0 255\&.255\&.255\&.0 default permit filter-definition mcast match ip-destination-address MCAST filter-definition ucast match ip-destination-address UCAST match ip-destination-address SKIP match ip-source-address SKIP .fi \fBflow-cat \fBflows\fP | flow-xlate -xxlate\&.cfg -Xabilene_privacy | flow-print\fP .SH "FILES" .PP Configuration files: Symbols - \fB/etc/flow-tools/sym/*\fP\&. Filter - \fB/etc/flow-tools/cfg/filter\&.cfg\fP\&. Xlate - \fB/etc/flow-tools/cfg/xlate\&.cfg\fP\&. .SH "BUGS" .PP The scale option can overflow the 32 bit flow counters\&. This could be solved by detecting this condition and splitting the flow in two\&. .PP Translation between aggregated and non aggregated formats is not supported\&. .SH "AUTHOR" .PP Mark Fullmer maf@splintered\&.net .SH "SEE ALSO" .PP \fBflow-tools\fP(1) ...\" created by instant / docbook-to-man, Tue 10 May 2005, 11:19