flow-nfilter.1.in

...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\"	transcript compatibility for postscript use.
...\"
...\"	synopsis:  .P! <file.ps>
...\"
.de P!
\\&.
.fl			\" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl			\" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u	\" move below the image
..
.de pF
.ie     \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie     !\\*(f4 \{\
.	ft \\*(f4
.	ds f4\"
'	br \}
.el .ie !\\*(f3 \{\
.	ft \\*(f3
.	ds f3\"
'	br \}
.el .ie !\\*(f2 \{\
.	ft \\*(f2
.	ds f2\"
'	br \}
.el .ie !\\*(f1 \{\
.	ft \\*(f1
.	ds f1\"
'	br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n 
.TH "\fBflow-nfilter\fP" "1"
.SH "NAME"
\fBflow-nfilter\fP \(em Filter flows\&.
.SH "SYNOPSIS"
.PP
\fBflow-nfilter\fP [-hk]  [-b\fI big\fP|\fIlittle\fP]  [-C\fI comment\fP]  [-d\fI debug_level\fP]  [-f\fI filter_fname\fP]  [-F\fI filter_definition\fP]  [-z\fI z_level\fP] 
.SH "DESCRIPTION"
.PP
The \fBflow-nfilter\fP utility will filter flows based on
user selectable criteria\&.  Filters are composed of primitives and a definition\&.  Definitions contain match lines grouped to form
logical AND and OR operations on the flow using the selected primitives\&.
A definition may contain the invert command which will invert the
result of the evaluation\&.
.PP
Filter primitives begin with the filter-primitive keyword followed by
a symbolic name\&.  Each primitive has a type defined below\&.
A list of permit and/or deny keywords followed
by an argument are later evaluated to determine if the flow is permitted or
denied\&.  The default action for a primitive is to deny, which may be changed with the default keyword\&.
Symbolic substitutions are done where
appropriate\&.
.PP
.PP
The match keyword in a definition selects the criteria to match a primitive\&.
A match type may allow more than one type of primitive, for example the
src-ip-addr match type will accept any of {ip-address, ip-address-mask,
ip-address-prefix} primitive types\&.
.PP
.PP
.nf
 Primitive type          Type       Description/Example
-------------------------------------------------------------------
as                      Bucket     Autonomous System Number\&.
                                   600,159,3112

ip-address-prefix-len   Numeric    Integer from 0 to 32\&.
                                   16-31

ip-protocol             Bucket     Integer from 0 to 255\&.
                                   6,17,1

ip-tos                  Bucket     Integer from 0 to 255 with mask\&.
                                   0xA0/0xE0

ip-tcp-flags            Bucket     Integer from 0 to 255 with mask\&.
                                   0x2/0x2

ifindex                 Bucket     Integer from 0 to 65535\&.
                                   0,5,10

engine                  Bucket     Integer from 0 to 255\&.
                                   0

ip-port                 Bucket     Integer from 0 to 255\&.
                                   80,8080,23,22

ip-address              Hash       List of IP Addresses\&.
                                   10\&.0\&.0\&.1

ip-address-mask         List       List of IP address/mask pairs\&.
                                   10\&.1\&.0\&.0 255\&.255\&.0\&.0

ip-address-prefix       Trie       List of IP address/mask pairs\&.
                                   10\&.1/16

tag                     Hash       List of tags\&.
                                   0xFF00

tag-mask                List       List of tags\&.
                                   0xF000/0xFF00

counter                 List       List of Integers with qualifier\&.
                                   lt 32

time                    List       List of relative time specifiers\&.
                                   gt 5:00

time-date               List       List of absolute time specifiers\&.
                                   gt December 12, 2002 5:13:21

double                  List       List of doubles with qualifier\&.
                                   lt 32\&.0

rate                    Element    Rate is calculated as 1/rate\&.
                                   permit 100


Match type              Description             Primitives accepted
-------------------------------------------------------------------
source-as               Source AS               as
destination-as          Destination AS          as
ip-source-address       Source IP Address       ip-address,
                                                ip-address-mask,
                                                ip-address-prefix
ip-destination-address  Destination IP Address  ip-address,
                                                ip-address-mask,
                                                ip-address-prefix
ip-exporter-address     Exporter IP Address     ip-address,
                                                ip-address-mask,
                                                ip-address-prefix
ip-nexthop-address      NextHop IP Address      ip-address,
                                                ip-address-mask,
                                                ip-address-prefix
ip-shortcut-address     Shortcut IP Address     ip-address,
                                                ip-address-mask,
                                                ip-address-prefix
ip-protocol             IP Protocol             ip-protocol
ip-source-address-prefix-len
                        Source IP address       ip-address-prefix-len
                        prefix length
ip-destination-address-prefix-len
                        Destination IP address  ip-address-prefix-len
                        prefix length
ip-tos                  IP Type Of Service      ip-tos
ip-marked-tos           IP Type Of Service      ip-tos
ip-tcp-flags            IP/TCP Flags            ip-tcp-flags
ip-source-port          Source IP Port          ip-port
                        eg TCP/UDP
ip-destination-port     Destination IP Port     ip-port
                        eg TCP/UDP
input-interface         Source ifIndex          ifindex
                        eg Input Interface
output-interface        Destination ifIndex     ifindex
                        eg Output Interface
start-time              Start Time of flow      time, time-date
end-time                End Time of Flow        time, time-date
flows                   Number of flows         counter
octets                  Number of octets        counter
packets                 Number of packets       counter
duration                Duration of flow in ms  counter
engine-id               Engine ID               engine
engine-type             Engine Type             engine
source-tag              Source Tag              tag, tag-mask
destination-tag         Destination Tag         tag, tag-mask
pps                     Packets Per Second      double
bps                     Bits Per Second         double
random-sample           Random Sample           rate
.fi
.SH "OPTIONS"
.IP "-b\fI big\fP|\fIlittle\fP" 10
Byte order of output\&.
.IP "-C\fI Comment\fP" 10
Add a comment\&.
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-f\fI filter_fname\fP" 10
Filter list filename\&.  Defaults to \fB@localstatedir@/cfg/filter\fP\&.
.IP "-F\fI filter_definition\fP" 10
Select the active definition\&.  Defaults to default\&.
.IP "-h" 10
Display help\&.
.IP "-k" 10
Keep time from input\&.
.IP "-z\fI z_level\fP" 10
Configure compression level to \fI z_level\fP\&.  0 is
disabled (no compression), 9 is highest compression\&.
.SH "EXAMPLES"
.PP
An example filter configuration file\&.
.PP
.nf
 filter-primitive srate
  type rate
  permit 100

filter-primitive test-as
  type as
  permit 600,159

filter-primitive test-prefix-len
  type ip-address-prefix-len
  permit 32

filter-primitive test-protocol
  type ip-protocol
  permit tcp

filter-primitive test-tos
  type ip-tos
  mask 0xA0
  permit 0xE0

filter-primitive test-tcp-flags
  type ip-tcp-flags
  mask 0x2
  permit 0x2

filter-primitive test-ifindex
  type ifindex
  permit 0,5,10

filter-primitive test-engine
  type engine
  permit 0

filter-primitive test-port
  type ip-port
  permit https
  permit 80
  default deny

filter-primitive test-address
  type ip-address
  permit 0\&.0\&.0\&.1
  permit 0\&.0\&.0\&.2
  default deny

filter-primitive test-address-mask
  type ip-address-mask
  permit 128\&.146\&.197\&.1 255\&.255\&.255\&.255
  permit 128\&.146\&.197\&.2 255\&.255\&.255\&.255

filter-primitive test-prefix
  type ip-address-prefix
  permit 128\&.146\&.0\&.0/16
  default deny

filter-primitive test-tag
  type tag
  permit 0x00
  permit 0x01
  permit 0xFF

filter-primitive test-tag-mask
  type tag-mask
  permit OSU 0xFF
  permit 0xFF 0xFF
  default deny

filter-primitive test-counter
  type counter
  permit lt 5
  permit gt 10
  default deny

filter-primitive test-time-date
  type time-date
  permit gt December 12, 2002 5:13:21

filter-primitive test-time
  type time-date
  permit gt 12:15:00

filter-definition sample-1-in-100
  match random-sample srate

filter-definition t1
  match engine-type test-engine
  or
  match destination-tag test-tag-mask
.fi
.PP
Display all flows with a destination port of 80 or source port of 25 (smtp)
starting after Dec 12, 2001\&.  The file \fBtest\fP is
populated with the following:
.PP
.nf
filter-primitive port80
  type ip-port
  permit 80

filter-primitive port25
  type ip-port
  permit smtp

filter-primitive dec12
  type time-date
  permit gt Dec 12, 2001

filter-definition foo
  match ip-source-port port80
  match start-time dec12
  or
  match ip-destination-port port25
  match start-time dec12
.fi
 \fBflow-cat \fBflows\fP | flow-nfilter -ftest -Ffoo | flow-print\fP
.SH "BUGS"
.PP
None known\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Wed 02 Apr 2003, 12:53
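The primitive/definition syntax and the AND, OR and invert evaluation described in this man page, as an added Python illustration (not flow-tools code): it parses a constructed filter file and evaluates constructed flow records, which are plain dicts keyed by match-type name. Only the ip-port and ip-address-prefix primitive types are modelled; symbolic names such as https and overlapping entries are not, and first-hit ordering within a primitive is this example's own assumption.

```python
import ipaddress
# Constructed sample filter file in the syntax shown above (not from flow-tools).
CONFIG = """\
filter-primitive web-ports
  type ip-port
  permit 80,443
filter-primitive campus
  type ip-address-prefix
  permit 128.146.0.0/16
filter-definition web-from-campus
  match ip-source-address campus
  match ip-destination-port web-ports
  or
  match ip-source-port web-ports
"""

def parse(text):
    """Parse filter-primitive / filter-definition blocks into dicts."""
    prims, defs, cur = {}, {}, None
    for w in filter(None, (line.split() for line in text.splitlines())):
        if w[0] == "filter-primitive":
            cur = prims[w[1]] = {"type": None, "rules": [], "default": "deny"}
        elif w[0] == "filter-definition":
            cur = defs[w[1]] = {"groups": [[]], "invert": False}
        elif w[0] in ("type", "default"):
            cur[w[0]] = w[1]
        elif w[0] in ("permit", "deny"):  # (action, argument), kept in file order
            cur["rules"].append((w[0], " ".join(w[1:])))
        elif w[0] == "match":  # (match type, primitive name); ANDed within a group
            cur["groups"][-1].append((w[1], w[2]))
        elif w[0] == "or":  # opens a new group; groups are ORed
            cur["groups"].append([])
        elif w[0] == "invert":
            cur["invert"] = True
    return prims, defs

def hits(ptype, arg, value):  # does one permit/deny argument cover value?
    if ptype == "ip-port":  # comma-separated numeric ports only
        return value in {int(p) for p in arg.split(",")}
    if ptype == "ip-address-prefix":
        return ipaddress.ip_address(value) in ipaddress.ip_network(arg, strict=False)
    raise ValueError("unsupported primitive type: " + ptype)
def permitted(prim, value):  # first covering line decides (assumed); else default
    for action, arg in prim["rules"]:
        if hits(prim["type"], arg, value):
            return action == "permit"
    return prim["default"] == "permit"
def passes(prims, defn, flow):  # flow: dict keyed by match type; AND, OR, invert
    ok = any(all(permitted(prims[p], flow[m]) for m, p in g) for g in defn["groups"])
    return not ok if defn["invert"] else ok
```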
