flow-stat.1

netflow,抓包

...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\"	transcript compatibility for postscript use.
...\"
...\"	synopsis:  .P! <file.ps>
...\"
.de P!
\\&.
.fl			\" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl			\" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u	\" move below the image
..
.de pF
.ie     \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie     !\\*(f4 \{\
.	ft \\*(f4
.	ds f4\"
'	br \}
.el .ie !\\*(f3 \{\
.	ft \\*(f3
.	ds f3\"
'	br \}
.el .ie !\\*(f2 \{\
.	ft \\*(f2
.	ds f2\"
'	br \}
.el .ie !\\*(f1 \{\
.	ft \\*(f1
.	ds f1\"
'	br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n 
.TH "\fBflow-stat\fP" "1"
.SH "NAME"
\fBflow-stat\fP \(em Generate reports with flow data\&.
.SH "SYNOPSIS"
.PP
\fBflow-stat\fP [-hnpPw]  [-d\fI debug_level\fP]  [-f\fI format\fP]  [-S\fI sort_field\fP]  [-s\fI sort_field\fP]  [-t\fI tally_lines\fP]  [-T\fI title\fP] 
.SH "DESCRIPTION"
.PP
The \fBflow-stat\fP utility generates usage reports for flow
data sets by IP address, IP address pairs, ports, packets, bytes,
interfaces, next hops, autonomous systems, ToS bits, exporters, and tags\&.
.SH "OPTIONS"
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-f\fI format\fP" 10
.PP
.nf
Report format\&.  Choose from the following:

    0  Overall Summary
    1  Average packet size distribution
    2  Packets per flow distribution
    3  Octets per flow distribution
    4  Bandwidth per flow distribution
    5  UDP/TCP destination port
    6  UDP/TCP source port
    7  UDP/TCP port
    8  Destination IP
    9  Source IP
    10 Source/Destination IP
    11 Source or Destination IP
    12 IP protocol
    13 octets for flow duration plot data
    14 packets for flow duration plot data
    15 short summary
    16 IP Next Hop
    17 Input interface
    18 Output interface
    19 Source AS
    20 Destination AS
    21 Source/Destination AS
    22 IP ToS
    23 Input/Output Interface
    24 Source Prefix
    25 Destination Prefix
    26 Source/Destination Prefix
    27 Exporter IP
    28 Engine Id
    29 Engine Type
    30 Source Tag
    31 Destination Tag
    32 Source/Destination Tag
.fi
.IP "-h" 10
Display help\&.
.IP "-n" 10
Use symbolic names where appropriate\&.
.IP "-p" 10
Display header information\&.
.IP "-P" 10
Report as percent total\&.
.IP "-s\fI sort_field\fP" 10
Sort ascending on field \fIsort_field\fP\&.
.IP "-S\fI sort_field\fP" 10
Sort descending on field \fIsort_field\fP\&.
.IP "-t\fI tally_lines\fP" 10
Tally totals every \fItally_lines\fPlines\&.
.IP "-T\fI title\fP" 10
Set report title to \fItitle\fP\&.
.IP "-w" 10
Wide output\&.
.SH "EXAMPLES"
.PP
Provide a report on top source/destination IP pairs sorted by octets, report
in percent total form for the flows in \fB/flows/krc4\fP\&.
Use the preload option to flow-cat to preserve meta information and 
display it with flow-stat\&.
.PP
  \fBflow-cat -p /flows/krc4 | flow-stat -f10 -P -p -S4\fP
.SH "EXAMPLES"
.PP
Many times a campus network will have a single border router which has
one interface pointing to the internal side and many interfaces pointing
to other providers\&.  These interfaces each have a unique numerical id
known in SNMP terms as an ifIndex\&.  The ifIndex to interface name mappings
can be determined by using a tool such as \fBsnmpwalk\fP or using show commands in recent versions of IOS with the
\&'show snmp mib ifmib ifindex\&' or JunOS \&'show interfaces\&'\&.  Once the ifIndex
for each interface is known flow-filter can be combined with flow-stat to
provide reports such as inbound vs outbound top src/destination IP
addresses\&.

Provide a top source IP address report by outbound traffic, ie the top
senders of traffic on the campus network\&.  Assume the ifIndex of the
campus interface is 5\&.
.PP
  flow-cat -p /flows/krc4 | flow-filter -i5 | flow-stat -f9 -P -p -S3 
.SH "EXAMPLES"
.PP
Provide a top destination IP address report by outbound traffic, ie the top
sinks of traffic on the campus network\&.  Assume the ifIndex of the
campus interface is 5\&.
.PP
  flow-cat -p /flows/krc4 | flow-filter -I5 | flow-stat -f8 -P -p -S3 
.SH "EXAMPLES"
.PP
Provide a top source/destination AS report\&.  Use symbolic names\&.
.PP
  flow-cat -p /flows/krc4 | flow-stat -f20 -n -P -p -S4 
.SH "BUGS"
.PP
None known\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Sat 08 Jun 2002, 23:41