Provided by: flow-tools_0.68-12.5build6_amd64 bug

flow-tools(1)                        General Commands Manual                        flow-tools(1)

NAME

       flow-tools — Tool set for working with NetFlow data.

DESCRIPTION

       Flow-tools  is  library  and  a collection of programs used to collect, send, process, and
       generate reports from NetFlow data.  The tools can be used together on a single server  or
       distributed  to  multiple servers for large deployments.  The flow-toools library provides
       an API for development of custom applications for NetFlow export versions 1,5,6 and the 14
       currently  defined  version  8  subversions.   A  Perl  and  Python  interface  have  been
       contributed and are included in the distribution.

       Flow data is collected and stored by default  in  host  byte  order,  yet  the  files  are
       portable across big and little endian architectures.

       Commands   that   utilize   the   network  use  a  localip/remoteip/port  designation  for
       communication.  "localip" is the IP address the host will use as a source for  sending  or
       bind  to  when  receiving  NetFlow  PDU's  (ie  the  destination  address of the exporter.
       Configuring the "localip" to 0 will force the kernel to decide what IP address to use  for
       sending  and  listen  on all IP addresses for receiving.  "remoteip" is the destination IP
       address used for sending or the expected address of the source  when  receiving.   If  the
       "remoteip"  is  0  then  the  application  will accept flows from any source address.  The
       "port" is the UDP port number  used  for  sending  or  receiving.   When  using  multicast
       addresses  the  localip/remoteip/port  is  used  to  represent the source, group, and port
       respectively.

       Flows are exported from a router in a number of different configurable versions.   A  flow
       is  a  collection  of  key fields and additional data.  The flow key is {srcaddr, dstaddr,
       input, output, srcport, dstport, prot, ToS}.  Flow-tools supports one export  version  per
       file.

       Export versions 1, 5, 6, and 7 all maintain {nexthop, dPkts, dOctets, First, Last, flags},
       ie the next-hop IP address, number of packets, number of octets (bytes), start  time,  end
       time,  and  flags  such  as  the  TCP  header  bits.  Version 5 adds the additional fields
       {src_as, dst_as, src_mask, dst_mask}, ie source AS, destination AS, source  network  mask,
       and  destination  network mask.  Version 7 which is specific to the Catalyst switches adds
       in addition to the version 5 fields {router_sc}, which is  the  Router  IP  address  which
       populates  the  flow  cache shortcut in the Supervisor.  Version 6 which is not officially
       supported by Cisco adds in addition  to  the  version  5  fields  {in_encaps,  out_encaps,
       peer_nexthop}, ie the input and output interface encapsulation size, and the IP address of
       the next hop within the peer.  Version 1 exports do not  contain  a  sequence  number  and
       therefore  should  be  avoided,  although it is safe to store the data as version 1 if the
       additional fields are not used.

       Version 8 IOS NetFlow is a second level flow cache that reduces the data exported from the
       router.   There  are  currently  11 formats, all of which provide {dFlows, dOctets, dPkts,
       First, Last} for the key fields.

         8.1 -  Source and Destination AS, Input and Output interface
         8.2 -  Protocol and Port
         8.3 -  Source Prefix and Input interface
         8.4 -  Destination Prefix and Output interface
         8.5 -  Source/Destination Prefix and Input/Output interface
         8.9 -  8.1 + ToS
         8.10 - 8.2 + ToS
         8.11 - 8.3 + ToS
         8.12 - 8.5 + ToS
         8.13 - 8.2 + ToS
         8.14 - 8.3 + ports + ToS

       Version 8 CatIOS NetFlow appears to be a less fine grained first level flow cache.

         8.6 - Destination IP, ToS, Marked ToS,
         8.7 - Source/Destination IP, Input/Output interface, ToS, Marked ToS,
         8.8 - Source/Destination IP, Source/Destination Port,
               Input/Output interface, ToS, Marked ToS,

       The following programs are included in the flow-tools distribution.

       flow-capture - Collect, compress, store, and manage disk space for exported flows  from  a
       router.

       flow-cat  - Concatenate flow files.  Typically flow files will contain a small window of 5
       or 15 minutes of exports.  Flow-cat can be used to append  files  for  generating  reports
       that span longer time periods.

       flow-fanout  -  Replicate  NetFlow  datagrams to unicast or multicast destinations.  Flow-
       fanout is used to facilitate multiple collectors attached to a single router.

       flow-report - Generate reports for NetFlow data sets.  Reports include  source/destination
       IP  pairs,  source/destination  AS,  and  top  talkers.   Over  50  reports  are currently
       supported.

       flow-tag - Tag flows based on IP address or AS #.  Flow-tag is  used  to  group  flows  by
       customer  network.  The tags can later be used with flow-fanout or flow-report to generate
       customer based traffic reports.

       flow-filter - Filter flows based on any of the export fields.  Flow-filter is used in-line
       with other programs to generate reports based on flows matching filter expressions.

       flow-import - Import data from ASCII or cflowd format.

       flow-export - Export data to ASCII or cflowd format.

       flow-send - Send data over the network using the NetFlow protocol.

       flow-receive  -  Receive  exports  using the NetFlow protocol without storing to disk like
       flow-capture.

       flow-gen - Generate test data.

       flow-dscan - Simple tool for detecting some  types  of  network  scanning  and  Denial  of
       Service attacks.

       flow-merge - Merge flow files in chronoligical order.

       flow-xlate - Perform translations on some flow fields.

       flow-expire -  Expire flows using the same policy of flow-capture.

       flow-header - Display meta information in flow file.

       flow-split - Split flow files into smaller files based on size, time, or tags.

AUTHOR

       Mark Fullmer maf@splintered.net

       flow-merge by Larry Lidz ellidz@eridu.uchicago.edu

       Patches and other contribitions by a list too long to mention here.

       flow-tools is avalable at
        (link to URL http://www.splintered.net/sw/flow-tools) .

       A mailing list is maintained at flow-tools@splintered.net

SEE ALSO

       flow-capture(1)  flow-cat(1)  flow-dscan(1)  flow-expire(1)  flow-export(1) flow-fanout(1)
       flow-filter(1) flow-nfilter(1)  flow-gen(1)  flow-header(1)  flow-import(1)  flow-merge(1)
       flow-print(1) flow-receive(1) flow-report(1) flow-send(1) flow-split(1) flow-stat(1) flow-
       tag(1) flow-xlate(1)

                                                                                    flow-tools(1)