flow-xlate.html

来自「netflow,抓包」· HTML 代码 · 共 426 行

<HTML
><HEAD
><TITLE
>flow-xlate</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.71
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>flow-xlate</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>flow-xlate</SPAN
>&nbsp;--&nbsp;Apply translations to selected fields of a flow.</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>flow-xlate</B
>  [-fhl] [-0<TT
CLASS="REPLACEABLE"
><I
> AS0_substitution</I
></TT
>] [-b<TT
CLASS="REPLACEABLE"
><I
> big</I
></TT
>|<TT
CLASS="REPLACEABLE"
><I
>little</I
></TT
>] [-C<TT
CLASS="REPLACEABLE"
><I
> comment</I
></TT
>] [-d<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
>] [-m<TT
CLASS="REPLACEABLE"
><I
> privacy_mask</I
></TT
>] [-s<TT
CLASS="REPLACEABLE"
><I
> scale</I
></TT
>] [-t<TT
CLASS="REPLACEABLE"
><I
> src_tag_mask</I
></TT
>] [-T<TT
CLASS="REPLACEABLE"
><I
> dst_tag_mask</I
></TT
>] [-V<TT
CLASS="REPLACEABLE"
><I
> pdu_version</I
></TT
>] [-z<TT
CLASS="REPLACEABLE"
><I
> z_level</I
></TT
>]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN35"
></A
><H2
>DESCRIPTION</H2
><P
>The <B
CLASS="COMMAND"
>flow-xlate</B
> utility can translate between the
non aggregated flow export versions (1,5,6,7) and modify some fields
of a flow.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN39"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-0<TT
CLASS="REPLACEABLE"
><I
> AS0_substitution</I
></TT
></DT
><DD
><P
>Cisco's NetFlow exports represent the local autonomous system as 0 instead of
the real value.  This option can be used to replace the 0 in the export with
the a configured value.  Unfortunately under certain configurations AS 0 can
also represent a cache miss or non forwarded traffic so use with caution.</P
></DD
><DT
>-b<TT
CLASS="REPLACEABLE"
><I
> big</I
></TT
>|<TT
CLASS="REPLACEABLE"
><I
>little</I
></TT
></DT
><DD
><P
>Byte order of output.</P
></DD
><DT
>-C<TT
CLASS="REPLACEABLE"
><I
> Comment</I
></TT
></DT
><DD
><P
>Add a comment.</P
></DD
><DT
>-d<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
></DT
><DD
><P
>Enable debugging.</P
></DD
><DT
>-f</DT
><DD
><P
>Convert the source and destination IP addresses to network addresses
using the mask bits in the flow.  For example 128.146.1.7/16 would become
128.146/16</P
></DD
><DT
>-h</DT
><DD
><P
>Display help.</P
></DD
><DT
>-l</DT
><DD
><P
>Convert the source and destination IP addresses to legacy classful
network addresses.  For example 128.146.1.7 would become 128.146.0.0.</P
></DD
><DT
>-m<TT
CLASS="REPLACEABLE"
><I
> privacy_mask</I
></TT
></DT
><DD
><P
>Apply <TT
CLASS="REPLACEABLE"
><I
>privacy_mask</I
></TT
> to the source and destination IP
address of flows.  For example a privacy_mask of 255.255.255.0 would convert
flows with source/destination IP addresses 10.1.1.1 and 10.2.2.2 to 10.1.1.0
and 10.2.2.0 respectively.</P
></DD
><DT
>-n<TT
CLASS="REPLACEABLE"
><I
> version</I
></TT
></DT
><DD
><P
>Generate version type exports.  Supported versions are:
<P
CLASS="LITERALLAYOUT"
>&nbsp;&nbsp;&nbsp;&nbsp;1&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;1&nbsp;(No&nbsp;sequence&nbsp;numbers,&nbsp;AS,&nbsp;or&nbsp;mask)<br>
&nbsp;&nbsp;&nbsp;&nbsp;5&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;5<br>
&nbsp;&nbsp;&nbsp;&nbsp;6&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;6&nbsp;(5+&nbsp;Encapsulation&nbsp;size)<br>
&nbsp;&nbsp;&nbsp;&nbsp;7&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;7&nbsp;(Catalyst&nbsp;switches)<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.1&nbsp;&nbsp;NetFlow&nbsp;AS&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.2&nbsp;&nbsp;NetFlow&nbsp;Proto&nbsp;Port&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.3&nbsp;&nbsp;NetFlow&nbsp;Source&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.4&nbsp;&nbsp;NetFlow&nbsp;Destination&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.5&nbsp;&nbsp;NetFlow&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.6&nbsp;&nbsp;NetFlow&nbsp;Destination&nbsp;(Catalyst&nbsp;switches)<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.7&nbsp;&nbsp;NetFlow&nbsp;Source&nbsp;Destination&nbsp;(Catalyst&nbsp;switches)<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.8&nbsp;&nbsp;NetFlow&nbsp;Full&nbsp;Flow&nbsp;(Catalyst&nbsp;switches)<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.9&nbsp;&nbsp;NetFlow&nbsp;ToS&nbsp;AS&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.10&nbsp;NetFlow&nbsp;ToS&nbsp;Proto&nbsp;Port&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.11&nbsp;NetFlow&nbsp;ToS&nbsp;Source&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.12&nbsp;NetFlow&nbsp;ToS&nbsp;Destination&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.13&nbsp;NetFlow&nbsp;ToS&nbsp;Prefix&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;8.14&nbsp;NetFlow&nbsp;ToS&nbsp;Prefix&nbsp;Port&nbsp;Aggregation<br>
&nbsp;&nbsp;&nbsp;&nbsp;1005&nbsp;Flow-Tools&nbsp;tagged&nbsp;version&nbsp;5</P
></P
></DD
><DT
>-s<TT
CLASS="REPLACEABLE"
><I
> scale</I
></TT
></DT
><DD
><P
>Scale the flows and octets and packets fields by <TT
CLASS="REPLACEABLE"
><I
>scale</I
></TT
>.</P
></DD
><DT
>-t<TT
CLASS="REPLACEABLE"
><I
> src_tag_mask</I
></TT
></DT
><DD
><P
>AND <TT
CLASS="REPLACEABLE"
><I
>src_tag_mask</I
></TT
> with src_tag in flow.</P
></DD
><DT
>-T<TT
CLASS="REPLACEABLE"
><I
> dst_tag_mask</I
></TT
></DT
><DD
><P
>AND <TT
CLASS="REPLACEABLE"
><I
>dst_tag_mask</I
></TT
> with dst_tag in flow.</P
></DD
><DT
>-z<TT
CLASS="REPLACEABLE"
><I
> z_level</I
></TT
></DT
><DD
><P
>Configure compression level to <TT
CLASS="REPLACEABLE"
><I
> z_level</I
></TT
>.  0 is
disabled (no compression), 9 is highest compression.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN111"
></A
><H2
>EXAMPLES</H2
><DIV
CLASS="INFORMALEXAMPLE"
><A
NAME="AEN113"
></A
><P
></P
><P
>Convert the version 7 flows in <TT
CLASS="FILENAME"
>flows.v7</TT
> to version 5,
storing the result in <TT
CLASS="FILENAME"
>flows.v5</TT
>.</P
><P
>  <B
CLASS="COMMAND"
>flow-xlate -V5 &lt; flows.v7 &gt; flows.v5</B
></P
><P
></P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN119"
></A
><H2
>EXAMPLES</H2
><DIV
CLASS="INFORMALEXAMPLE"
><A
NAME="AEN121"
></A
><P
></P
><P
>Summarize IP addresses to IP network numbers and generate a source prefix
list report sorted by octets.</P
><P
>  <B
CLASS="COMMAND"
>flow-xlate -f &lt; flows | flow-stat -f9 -w -S2</B
></P
><P
></P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN125"
></A
><H2
>BUGS</H2
><P
>The scale option can overflow the 32 bit flow counters.  This could be
solved by detecting this condition and splitting the flow in two.</P
><P
>Translation between aggregated and non aggregated formats is not supported.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN129"
></A
><H2
>AUTHOR</H2
><P
>Mark Fullmer
<TT
CLASS="EMAIL"
>&#60;<A
HREF="mailto:maf@splintered.net"
>maf@splintered.net</A
>&#62;</TT
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN136"
></A
><H2
>SEE ALSO</H2
><P
><SPAN
CLASS="APPLICATION"
>flow-tools</SPAN
>(1)</P
></DIV
></BODY
></HTML
>