Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
flow-tools(1)		    General Commands Manual		 flow-tools(1)

NAME
       flow-tools -- Tool set for working with NetFlow data.

DESCRIPTION
       Flow-tools  is  library	and  a collection of programs used to collect,
       send, process, and generate reports from	NetFlow	data.  The  tools  can
       be  used	together on a single server or distributed to multiple servers
       for large deployments.  The flow-toools library provides	an API for de-
       velopment  of custom applications for NetFlow export versions 1,5,6 and
       the 14 currently	defined	version	8 subversions.	A Perl and Python  in-
       terface have been contributed and are included in the distribution.

       Flow  data  is  collected and stored by default in host byte order, yet
       the files are portable across big and little endian architectures.

       Commands	that utilize the network use a localip/remoteip/port  designa-
       tion  for communication.	 "localip" is the IP address the host will use
       as a source for sending or bind to when receiving NetFlow PDU's (ie the
       destination  address  of	 the exporter.	Configuring the	"localip" to 0
       will force the kernel to	decide what IP address to use for sending  and
       listen  on  all IP addresses for	receiving.  "remoteip" is the destina-
       tion IP address used for	sending	or the expected	address	of the	source
       when  receiving.	  If the "remoteip" is 0 then the application will ac-
       cept flows from any source address.  The	"port" is the UDP port	number
       used  for sending or receiving.	When using multicast addresses the lo-
       calip/remoteip/port is used to represent	the source,  group,  and  port
       respectively.

       Flows  are exported from	a router in a number of	different configurable
       versions.  A flow is a collection of key	fields	and  additional	 data.
       The  flow  key  is  {srcaddr, dstaddr, input, output, srcport, dstport,
       prot, ToS}.  Flow-tools supports	one export version per file.

       Export versions 1, 5, 6,	and 7 all maintain {nexthop,  dPkts,  dOctets,
       First,  Last,  flags},  ie  the next-hop	IP address, number of packets,
       number of octets	(bytes), start time, end time, and flags such  as  the
       TCP header bits.	 Version 5 adds	the additional fields {src_as, dst_as,
       src_mask, dst_mask}, ie source AS, destination AS, source network mask,
       and destination network mask.  Version 7	which is specific to the Cata-
       lyst switches adds in addition to the  version  5  fields  {router_sc},
       which  is the Router IP address which populates the flow	cache shortcut
       in the Supervisor.  Version 6 which  is	not  officially	 supported  by
       Cisco  adds in addition to the version 5	fields {in_encaps, out_encaps,
       peer_nexthop}, ie the input and output  interface  encapsulation	 size,
       and  the	IP address of the next hop within the peer.  Version 1 exports
       do not contain a	sequence number	and therefore should be	 avoided,  al-
       though  it  is  safe  to	 store the data	as version 1 if	the additional
       fields are not used.

       Version 8 IOS NetFlow is	a second level flow  cache  that  reduces  the
       data  exported from the router.	There are currently 11 formats,	all of
       which provide {dFlows, dOctets, dPkts, First, Last} for the key fields.

	 8.1 -	Source and Destination AS, Input and Output interface
	 8.2 -	Protocol and Port
	 8.3 -	Source Prefix and Input	interface
	 8.4 -	Destination Prefix and Output interface
	 8.5 -	Source/Destination Prefix and Input/Output interface
	 8.9 -	8.1 + ToS
	 8.10 -	8.2 + ToS
	 8.11 -	8.3 + ToS
	 8.12 -	8.5 + ToS
	 8.13 -	8.2 + ToS
	 8.14 -	8.3 + ports + ToS

       Version 8 CatIOS	NetFlow	appears	to be a	less fine grained first	 level
       flow cache.

	 8.6 - Destination IP, ToS, Marked ToS,
	 8.7 - Source/Destination IP, Input/Output interface, ToS, Marked ToS,
	 8.8 - Source/Destination IP, Source/Destination Port,
	       Input/Output interface, ToS, Marked ToS,

       The following programs are included in the flow-tools distribution.

       flow-capture  - Collect,	compress, store, and manage disk space for ex-
       ported flows from a router.

       flow-cat	- Concatenate flow files.  Typically flow files	will contain a
       small  window  of  5 or 15 minutes of exports.  Flow-cat	can be used to
       append files for	generating reports that	span longer time periods.

       flow-fanout - Replicate NetFlow datagrams to unicast or multicast  des-
       tinations.   Flow-fanout	 is used to facilitate multiple	collectors at-
       tached to a single router.

       flow-report - Generate reports for NetFlow data sets.  Reports  include
       source/destination  IP  pairs,  source/destination AS, and top talkers.
       Over 50 reports are currently supported.

       flow-tag	- Tag flows based on IP	address	or AS #.  Flow-tag is used  to
       group flows by customer network.	 The tags can later be used with flow-
       fanout or flow-report to	generate customer based	traffic	reports.

       flow-filter - Filter flows based	on any of the  export  fields.	 Flow-
       filter is used in-line with other programs to generate reports based on
       flows matching filter expressions.

       flow-import - Import data from ASCII or cflowd format.

       flow-export - Export data to ASCII or cflowd format.

       flow-send - Send	data over the network using the	NetFlow	protocol.

       flow-receive - Receive exports using the	NetFlow	protocol without stor-
       ing to disk like	flow-capture.

       flow-gen	- Generate test	data.

       flow-dscan  -  Simple tool for detecting	some types of network scanning
       and Denial of Service attacks.

       flow-merge - Merge flow files in	chronoligical order.

       flow-xlate - Perform translations on some flow fields.

       flow-expire -  Expire flows using the same policy of flow-capture.

       flow-header - Display meta information in flow file.

       flow-split - Split flow files into smaller files	based on  size,	 time,
       or tags.

AUTHOR
       Mark Fullmer maf@splintered.net

       flow-merge by Larry Lidz	ellidz@eridu.uchicago.edu

       Patches and other contribitions by a list too long to mention here.

       flow-tools is avalable at
	(link to URL http://www.splintered.net/sw/flow-tools) .

       A mailing list is maintained at flow-tools@splintered.net

SEE ALSO
       flow-capture(1) flow-cat(1) flow-dscan(1) flow-expire(1)	flow-export(1)
       flow-fanout(1)	flow-filter(1)	 flow-nfilter(1)   flow-gen(1)	 flow-
       header(1)  flow-import(1)  flow-merge(1)	 flow-print(1) flow-receive(1)
       flow-report(1)  flow-send(1)  flow-split(1)  flow-stat(1)   flow-tag(1)
       flow-xlate(1)

								 flow-tools(1)

NAME | DESCRIPTION | AUTHOR | SEE ALSO

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=flow-tools&sektion=1&manpath=FreeBSD+13.0-RELEASE+and+Ports>

home | help