flow-fanout.1.in

来自「netflow,抓包」· IN 代码 · 共 150 行

...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\"	transcript compatibility for postscript use.
...\"
...\"	synopsis:  .P! <file.ps>
...\"
.de P!
\\&.
.fl			\" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl			\" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u	\" move below the image
..
.de pF
.ie     \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie     !\\*(f4 \{\
.	ft \\*(f4
.	ds f4\"
'	br \}
.el .ie !\\*(f3 \{\
.	ft \\*(f3
.	ds f3\"
'	br \}
.el .ie !\\*(f2 \{\
.	ft \\*(f2
.	ds f2\"
'	br \}
.el .ie !\\*(f1 \{\
.	ft \\*(f1
.	ds f1\"
'	br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n 
.TH "\fBflow-fanout\fP" "1"
.SH "NAME"
\fBflow-fanout\fP \(em Fanout (replicate) flow exports to many destinations\&.
.SH "SYNOPSIS"
.PP
\fBflow-fanout\fP [-h]  [-A\fI AS0_substitution\fP]  [-d\fI debug_level\fP]  [-f\fI filter_fname\fP]  [-F\fI filter_definition\fP]  [-m\fI privacy_mask\fP]  [-p\fI pidfile\fP]  [-s]  [-S\fI stat_interval\fP]  [-V\fI pdu_version\fP]  [-x\fI xmit_delay\fP] \fIlocalip/remoteip/port\fP \fIlocalip/remoteip/port\fP \&... 
.SH "DESCRIPTION"
.PP
The \fBflow-fanout\fP utility will replicate flows arriving
on localip/remoteip/port to destination(s) specified by localip/remoteip/port\&.
.PP
Flows processed by multiple exporters will be mixed into a single output
stream\&.  This functionality appeared to support Cisco Catalyst exports and
may have other uses\&.
.SH "OPTIONS"
.IP "-A\fI AS0_substitution\fP" 10
Cisco\&'s NetFlow exports represent the local autonomous system as 0 instead of
the real value\&.  This option can be used to replace the 0 in the export with
the a configured value\&.  Unfortunately under certain configurations AS 0 can
also represent a cache miss or non forwarded traffic so use with caution\&.
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-f\fI filter_fname\fP" 10
Filter list filename\&.  Defaults to \fB@localstatedir@/cfg/filter\fP\&.
.IP "-F\fI filter_definition\fP" 10
Select the active definition\&.  Defaults to default\&.
.IP "-h" 10
Display help\&.
.IP "-m\fI privacy_mask\fP" 10
Apply \fIprivacy_mask\fP to the source and destination IP
address of flows\&.  For example a privacy_mask of 255\&.255\&.255\&.0 would convert
flows with source/destination IP addresses 10\&.1\&.1\&.1 and 10\&.2\&.2\&.2 to 10\&.1\&.1\&.0
and 10\&.2\&.2\&.0 respectively\&.
.IP "-p\fI pidfile\fP" 10
Configure the process ID file\&.  Use - to disable pid file creation\&.
.IP "-s" 10
Spoof the source IP address\&.  If the IP address is 0 then it is replaced
with the exporter source IP\&.
.IP "-S\fI stat_interval\fP" 10
When configured \fBflow-fanout\fP will emit a timestamped
message on stderr every \fIstat_interval\fP minutes
indicating counters such as the number of flows received, packets processed,
and lost flows\&.
.IP "-V\fI pdu_version\fP" 10
Use \fIpdu_version\fP format output\&.
.PP
.nf
    1    NetFlow version 1 (No sequence numbers, AS, or mask)
    5    NetFlow version 5
    6    NetFlow version 6 (5+ Encapsulation size)
    7    NetFlow version 7 (Catalyst switches)
    8\&.1  NetFlow AS Aggregation
    8\&.2  NetFlow Proto Port Aggregation
    8\&.3  NetFlow Source Prefix Aggregation
    8\&.4  NetFlow Destination Prefix Aggregation
    8\&.5  NetFlow Prefix Aggregation
    8\&.6  NetFlow Destination (Catalyst switches)
    8\&.7  NetFlow Source Destination (Catalyst switches)
    8\&.8  NetFlow Full Flow (Catalyst switches)
    8\&.9  NetFlow ToS AS Aggregation
    8\&.10 NetFlow ToS Proto Port Aggregation
    8\&.11 NetFlow ToS Source Prefix Aggregation
    8\&.12 NetFlow ToS Destination Prefix Aggregation
    8\&.13 NetFlow ToS Prefix Aggregation
    8\&.14 NetFlow ToS Prefix Port Aggregation
    1005 Flow-Tools tagged version 5
.fi
.IP "-x\fI xmit_delay\fP" 10
Configure a microsecond transmit delay between packets\&.  This may be necessary in some configurations to prevent a transmit buffer overrun\&.
.SH "EXAMPLES"
.PP
Replicate flows arriving to local IP address 10\&.0\&.0\&.1 from the router
exporting with IP address 10\&.1\&.1\&.1 on port 9500 to localhost port 9500
and 10\&.5\&.5\&.5 port 9200\&.  The exports sent to 10\&.5\&.5\&.5 will be sent with
a source IP address of 10\&.0\&.0\&.5 which must be a valid local IP address\&.
.PP
  \fBflow-fanout 10\&.0\&.0\&.1/10\&.1\&.1\&.1/9500 0/0/9500 10\&.0\&.0\&.5/10\&.5\&.5\&.5/9200\fP
.SH "BUGS"
.PP
NetFlow exports do not contain the exporter IP address inside the payload so
the original exporter IP address (typically a router) will be lost when using
\fBflow-fanout\fP\&.  A work around for this protocol limitation
is to use local IP aliases and the \fIlocalip\fP option\&.

When the spoofing option is used multiple exporters with different IP addresses
will share the same sequence number but will have the original source IP\&.
Fixing this requires per source : destination sequence number mapping\&.  It
is much easier to just use multiple instances of flow-fanout running on
different ports\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Sun 23 Feb 2003, 19:01