Provided by: flow-tools_0.68-12.1build1_amd64
flow-filter(1) General Commands Manual flow-filter(1)
NAME
flow-filter — Filter flows.
SYNOPSIS
flow-filter [-hko] [-a src_as_filter] [-A dst_as_filter] [-b big|little] [-C comment] [-D dstaddr_filter_name] [-d debug_level] [-e exaddr_filter] [-f acl_fname] [-i input_filter] [-I output_filter] [-p srcport_filter] [-P dstport_filter] [-r ipprot_filter] [-S srcaddr_filter_name] [-t tos_filter] [-T tcp_flags_filter] [-x nexthop_filter_name] [-z z_level]
DESCRIPTION
The flow-filter utility will filter flows based on user selectable criteria. The IP address filters are defined in flow.acl or by the filename specified by -f. Other filters such as input interface and ports are defined on the command line. These filters accept range and negation operators, ie -i1-15 for input interfaces 1 through 15 or -i1,15 for input interfaces 1 and 15, or !1,15 for not input interfaces 1 and 15. The syntax is kludgy and needs reworked but works for most applications.
OPTIONS
-a src_as_filter Source AS filter, ie -a159 to permit Autonomous System 159. -A dst_as_filter Destination AS filter, ie -A159,3112 to permit Autonomous Systems 159 and 3112. -b big|little Byte order of output. -C Comment Add a comment. -d debug_level Enable debugging. -D dstaddr_filter_name Destination IP address filter. This is the name or number of a standard access list defined in flow.acl or the file specified by -f. -e exaddr_filter Exporter IP address filter. One exporter address can be filtered. -f acl_fname Access list filename. Defaults to flow.acl. -h Display help. -i input_filter Input interface filter, ie -i0 to permit traffic from interface 0. -k Keep time from input. -I output_filter Output interface filter, ie -I0 to permit traffic to interface 0. -o Logical OR instead of AND filters. -p srcport_filter Source port filter, ie -p80 to only permit source port 80. -P dstport_filter Destination port filter, ie -P80,8080 to permit destination ports 80 and 8080. -r ipprot_filter IP Protocol filter, ie -r6 to only permit TCP traffic. -S srcaddr_filter_name Source IP address filter. This is the name or number of a standard access list defined in flow.acl or the file specified by -f. -t tos_filter ToS bits filter. An optional mask is available which is applied to the tos field before comparing to the filter list. For example to match a tos bit pattern of 101xxxxx use 0xA0/0xE0. -T tcp_flags_filter TCP bits filter. An optional mask is available which is applied to the TCP flags field before comparing to the filter list. For example to match a flows with the SYN bit set use 0x2/0x2. -x nexthop_filter_name NextHop IP address filter. This is the name or number of a standard access list defined in flow.acl or the file specified by -f. -z z_level Configure compression level to z_level. 0 is disabled (no compression), 9 is highest compression.
EXAMPLES
Print all traffic with a destination port of 80. flow-cat /flows/krc4 | flow-filter -P80 | flow-print Print all traffic with with source IP 10.0.0.1. Populate flow.acl with ip access-list standard badguy permit host 10.0.0.1 flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-print Report all destinations that IP 10.0.0.1 has sent traffic to. Sort by octets. Populate flow.acl with ip access-list standard badguy permit host 10.0.0.1 flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-stat -f8 -S2
BUGS
Extended access lists are not fully implemented. The command line filter syntax is a kludge.
NOTES
Use flow-nfilter.
AUTHOR
Mark Fullmer maf@splintered.net
SEE ALSO
flow-tools(1) flow-filter(1)