flow-xlate.1

来自「netflow,抓包」· 1 代码 · 共 149 行

...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\"	transcript compatibility for postscript use.
...\"
...\"	synopsis:  .P! <file.ps>
...\"
.de P!
\\&.
.fl			\" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl			\" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u	\" move below the image
..
.de pF
.ie     \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie     !\\*(f4 \{\
.	ft \\*(f4
.	ds f4\"
'	br \}
.el .ie !\\*(f3 \{\
.	ft \\*(f3
.	ds f3\"
'	br \}
.el .ie !\\*(f2 \{\
.	ft \\*(f2
.	ds f2\"
'	br \}
.el .ie !\\*(f1 \{\
.	ft \\*(f1
.	ds f1\"
'	br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n 
.TH "\fBflow-xlate\fP" "1"
.SH "NAME"
\fBflow-xlate\fP \(em Apply translations to selected fields of a flow\&.
.SH "SYNOPSIS"
.PP
\fBflow-xlate\fP [-fhl]  [-0\fI AS0_substitution\fP]  [-b\fI big\fP|\fIlittle\fP]  [-C\fI comment\fP]  [-d\fI debug_level\fP]  [-m\fI privacy_mask\fP]  [-s\fI scale\fP]  [-t\fI src_tag_mask\fP]  [-T\fI dst_tag_mask\fP]  [-V\fI pdu_version\fP]  [-z\fI z_level\fP] 
.SH "DESCRIPTION"
.PP
The \fBflow-xlate\fP utility can translate between the
non aggregated flow export versions (1,5,6,7) and modify some fields
of a flow\&.
.SH "OPTIONS"
.IP "-0\fI AS0_substitution\fP" 10
Cisco\&'s NetFlow exports represent the local autonomous system as 0 instead of
the real value\&.  This option can be used to replace the 0 in the export with
the a configured value\&.  Unfortunately under certain configurations AS 0 can
also represent a cache miss or non forwarded traffic so use with caution\&.
.IP "-b\fI big\fP|\fIlittle\fP" 10
Byte order of output\&.
.IP "-C\fI Comment\fP" 10
Add a comment\&.
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-f" 10
Convert the source and destination IP addresses to network addresses
using the mask bits in the flow\&.  For example 128\&.146\&.1\&.7/16 would become
128\&.146/16
.IP "-h" 10
Display help\&.
.IP "-l" 10
Convert the source and destination IP addresses to legacy classful
network addresses\&.  For example 128\&.146\&.1\&.7 would become 128\&.146\&.0\&.0\&.
.IP "-m\fI privacy_mask\fP" 10
Apply \fIprivacy_mask\fP to the source and destination IP
address of flows\&.  For example a privacy_mask of 255\&.255\&.255\&.0 would convert
flows with source/destination IP addresses 10\&.1\&.1\&.1 and 10\&.2\&.2\&.2 to 10\&.1\&.1\&.0
and 10\&.2\&.2\&.0 respectively\&.
.IP "-n\fI version\fP" 10
Generate version type exports\&.  Supported versions are:
.PP
.nf
    1    NetFlow version 1 (No sequence numbers, AS, or mask)
    5    NetFlow version 5
    6    NetFlow version 6 (5+ Encapsulation size)
    7    NetFlow version 7 (Catalyst switches)
    8\&.1  NetFlow AS Aggregation
    8\&.2  NetFlow Proto Port Aggregation
    8\&.3  NetFlow Source Prefix Aggregation
    8\&.4  NetFlow Destination Prefix Aggregation
    8\&.5  NetFlow Prefix Aggregation
    8\&.6  NetFlow Destination (Catalyst switches)
    8\&.7  NetFlow Source Destination (Catalyst switches)
    8\&.8  NetFlow Full Flow (Catalyst switches)
    8\&.9  NetFlow ToS AS Aggregation
    8\&.10 NetFlow ToS Proto Port Aggregation
    8\&.11 NetFlow ToS Source Prefix Aggregation
    8\&.12 NetFlow ToS Destination Prefix Aggregation
    8\&.13 NetFlow ToS Prefix Aggregation
    8\&.14 NetFlow ToS Prefix Port Aggregation
    1005 Flow-Tools tagged version 5
.fi
.IP "-s\fI scale\fP" 10
Scale the flows and octets and packets fields by \fIscale\fP\&.
.IP "-t\fI src_tag_mask\fP" 10
AND \fIsrc_tag_mask\fP with src_tag in flow\&.
.IP "-T\fI dst_tag_mask\fP" 10
AND \fIdst_tag_mask\fP with dst_tag in flow\&.
.IP "-z\fI z_level\fP" 10
Configure compression level to \fI z_level\fP\&.  0 is
disabled (no compression), 9 is highest compression\&.
.SH "EXAMPLES"
.PP
Convert the version 7 flows in \fBflows\&.v7\fP to version 5,
storing the result in \fBflows\&.v5\fP\&.
.PP
  \fBflow-xlate -V5 < flows\&.v7 > flows\&.v5\fP
.SH "EXAMPLES"
.PP
Summarize IP addresses to IP network numbers and generate a source prefix
list report sorted by octets\&.
.PP
  \fBflow-xlate -f < flows | flow-stat -f9 -w -S2\fP
.SH "BUGS"
.PP
The scale option can overflow the 32 bit flow counters\&.  This could be
solved by detecting this condition and splitting the flow in two\&.
.PP
Translation between aggregated and non aggregated formats is not supported\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Sat 08 Jun 2002, 23:41