flow-import.html

来自「netflow,抓包」· HTML 代码 · 共 381 行

<HTML
><HEAD
><TITLE
>flow-import</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>flow-import</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>flow-import</SPAN
>&nbsp;--&nbsp;Import flows into flow-tools from other NetFlow packages.</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>flow-import</B
>  [-h] [-b<TT
CLASS="REPLACEABLE"
><I
> big|little</I
></TT
>] [-d<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
>] [-f<TT
CLASS="REPLACEABLE"
><I
> format</I
></TT
>] [-m<TT
CLASS="REPLACEABLE"
><I
> mask_fields</I
></TT
>] [-V<TT
CLASS="REPLACEABLE"
><I
> pdu_version</I
></TT
>] [-z<TT
CLASS="REPLACEABLE"
><I
> z_level</I
></TT
>]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN26"
></A
><H2
>DESCRIPTION</H2
><P
>The <B
CLASS="COMMAND"
>flow-import</B
> utility will convert data from
cflowd and ASCII CSV files into flow-tools format.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN30"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-b<TT
CLASS="REPLACEABLE"
><I
> big</I
></TT
>|<TT
CLASS="REPLACEABLE"
><I
>little</I
></TT
></DT
><DD
><P
>Byte order of output.</P
></DD
><DT
>-d<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
></DT
><DD
><P
>Enable debugging.</P
></DD
><DT
>-f<TT
CLASS="REPLACEABLE"
><I
> format</I
></TT
></DT
><DD
><P
>Export format.  Supported formats are:
<P
CLASS="LITERALLAYOUT"
>&nbsp;&nbsp;0&nbsp;cflowd<br>
&nbsp;&nbsp;2&nbsp;ASCII&nbsp;CSV<br>
&nbsp;&nbsp;3&nbsp;Cisco&nbsp;NFCollector</P
></P
></DD
><DT
>-h</DT
><DD
><P
>Display help.</P
></DD
><DT
>-m<TT
CLASS="REPLACEABLE"
><I
> mask_fields</I
></TT
></DT
><DD
><P
>Select fields for cflowd and ASCII formats.  The
<TT
CLASS="REPLACEABLE"
><I
>mask_fields</I
></TT
>
is built from a bitwise OR of the following:</P
><P
><PRE
CLASS="SCREEN"
>    UNIX_SECS       0x0000000000000001LL
    UNIX_NSECS      0x0000000000000002LL
    SYSUPTIME       0x0000000000000004LL
    EXADDR          0x0000000000000008LL
    
    DFLOWS          0x0000000000000010LL
    DPKTS           0x0000000000000020LL
    DOCTETS         0x0000000000000040LL
    FIRST           0x0000000000000080LL
    
    LAST            0x0000000000000100LL
    ENGINE_TYPE     0x0000000000000200LL
    ENGINE_ID       0x0000000000000400LL
    
    SRCADDR         0x0000000000001000LL
    DSTADDR         0x0000000000002000LL
    SRC_PREFIX      0x0000000000004000LL
    DST_PREFIX      0x0000000000008000LL
    NEXTHOP         0x0000000000010000LL
    INPUT           0x0000000000020000LL
    OUTPUT          0x0000000000040000LL
    SRCPORT         0x0000000000080000LL
    
    DSTPORT         0x0000000000100000LL
    PROT            0x0000000000200000LL
    TOS             0x0000000000400000LL
    TCP_FLAGS       0x0000000000800000LL
    
    SRC_MASK        0x0000000001000000LL
    DST_MASK        0x0000000002000000LL
    SRC_AS          0x0000000004000000LL
    DST_AS          0x0000000008000000LL
    
    IN_ENCAPS       0x0000000010000000LL
    OUT_ENCAPS      0x0000000020000000LL
    PEER_NEXTHOP    0x0000000040000000LL
    ROUTER_SC       0x0000000080000000LL
    EXTRA_PKTS      0x0000000100000000LL
    MARKED_TOS      0x0000000200000000LL</PRE
></P
><P
>The default value is all fields applicable to the <TT
CLASS="REPLACEABLE"
><I
>pdu_version</I
></TT
>.</P
></DD
><DT
>-V<TT
CLASS="REPLACEABLE"
><I
> pdu_version</I
></TT
></DT
><DD
><P
>Use <TT
CLASS="REPLACEABLE"
><I
>pdu_version</I
></TT
> format output.
<P
CLASS="LITERALLAYOUT"
>&nbsp;&nbsp;&nbsp;&nbsp;1&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;1&nbsp;(No&nbsp;sequence&nbsp;numbers,&nbsp;AS,&nbsp;or&nbsp;mask)<br>
&nbsp;&nbsp;&nbsp;&nbsp;5&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;5<br>
&nbsp;&nbsp;&nbsp;&nbsp;6&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;6&nbsp;(5+&nbsp;Encapsulation&nbsp;size)<br>
&nbsp;&nbsp;&nbsp;&nbsp;7&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;7&nbsp;(Catalyst&nbsp;switches)<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.1&nbsp;&nbsp;NetFlow&nbsp;AS&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.2&nbsp;&nbsp;NetFlow&nbsp;Proto&nbsp;Port&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.3&nbsp;&nbsp;NetFlow&nbsp;Source&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.4&nbsp;&nbsp;NetFlow&nbsp;Destination&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.5&nbsp;&nbsp;NetFlow&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.6&nbsp;&nbsp;NetFlow&nbsp;Destination&nbsp;(Catalyst&nbsp;switches)<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.7&nbsp;&nbsp;NetFlow&nbsp;Source&nbsp;Destination&nbsp;(Catalyst&nbsp;switches)<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.8&nbsp;&nbsp;NetFlow&nbsp;Full&nbsp;Flow&nbsp;(Catalyst&nbsp;switches)<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.9&nbsp;&nbsp;NetFlow&nbsp;ToS&nbsp;AS&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.10&nbsp;NetFlow&nbsp;ToS&nbsp;Proto&nbsp;Port&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.11&nbsp;NetFlow&nbsp;ToS&nbsp;Source&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.12&nbsp;NetFlow&nbsp;ToS&nbsp;Destination&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.13&nbsp;NetFlow&nbsp;ToS&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.14&nbsp;NetFlow&nbsp;ToS&nbsp;Prefix&nbsp;Port&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;1005&nbsp;Flow-Tools&nbsp;tagged&nbsp;version&nbsp;5</P
></P
></DD
><DT
>-z<TT
CLASS="REPLACEABLE"
><I
> z_level</I
></TT
></DT
><DD
><P
>Configure compression level to <TT
CLASS="REPLACEABLE"
><I
> z_level</I
></TT
>.  0 is
disabled (no compression), 9 is highest compression.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN77"
></A
><H2
>EXAMPLES</H2
><DIV
CLASS="INFORMALEXAMPLE"
><A
NAME="AEN79"
></A
><P
></P
><P
>Convert the cflowd file <TT
CLASS="FILENAME"
>flows.cflowd</TT
> to the flow-tools
file <TT
CLASS="FILENAME"
>flows</TT
>.  Store as Version 5 with compression level 5.</P
><P
>  <B
CLASS="COMMAND"
>flow-import -V5 -z5 -f0 &lt; flows.cflowd &#62; flows</B
></P
><P
></P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN85"
></A
><H2
>EXAMPLES</H2
><DIV
CLASS="INFORMALEXAMPLE"
><A
NAME="AEN87"
></A
><P
></P
><P
>Convert the ASCII CSV data in flows.ascii to flow-tools format.  The
ASCII data must include all fields represented by 0xFF31EF in the order
listed above.  Store as Version 5 with no compression.  </P
><P
>  <B
CLASS="COMMAND"
>flow-import -z0 -f2 -m0xFF31EF &lt; flows.ascii &#62; flows</B
></P
><P
></P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN91"
></A
><H2
>BUGS</H2
><P
>The pcap format is a hack.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN94"
></A
><H2
>AUTHOR</H2
><P
>Mark Fullmer
<TT
CLASS="EMAIL"
>&#60;<A
HREF="mailto:maf@splintered.net"
>maf@splintered.net</A
>&#62;</TT
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN101"
></A
><H2
>SEE ALSO</H2
><P
><SPAN
CLASS="APPLICATION"
>flow-tools</SPAN
>(1)</P
></DIV
></BODY
></HTML
>