xenial (1) flow-filter.1.gz

Provided by: flow-tools_0.68-12.3build2_amd64

flow-filter(1)                               General Commands Manual                              flow-filter(1)

NAME

       flow-filter — Filter flows.

SYNOPSIS

       flow-filter   [-hko]   [-a  src_as_filter]   [-A  dst_as_filter]   [-b  big|little]   [-C  comment]   [-D
       dstaddr_filter_name]  [-d debug_level]   [-e  exaddr_filter]   [-f  acl_fname]   [-i  input_filter]   [-I
       output_filter]   [-p  srcport_filter]   [-P dstport_filter]  [-r ipprot_filter]  [-S srcaddr_filter_name]
       [-t tos_filter]  [-T tcp_flags_filter]  [-x nexthop_filter_name]  [-z z_level]

DESCRIPTION

       The flow-filter utility will filter flows based on user selectable criteria.  The IP address filters  are
       defined in flow.acl or by the filename specified by -f.

       Other  filters  such  as input interface and ports are defined on the command line.  These filters accept
       comma-separated lists, ranges and a leading negation operator, e.g. -i1-15 for input interfaces 1 through
       15, -i1,15 for input interfaces 1 and 15, or -i!1,15 for every input interface except 1 and 15.   Because
       ! triggers history expansion in an interactive bash shell, quote it: -i'!1,15'.

       The syntax is kludgy and needs to be reworked, but it works for most applications.

OPTIONS

       -a src_as_filter
                 Source AS filter, e.g. -a159 to permit only Autonomous System 159.

       -A dst_as_filter
                 Destination AS filter, e.g. -A159,3112 to permit Autonomous Systems 159 and 3112.

       -b big|little
                 Byte order of output.

       -C Comment
                 Add a comment to the output stream header.

       -d debug_level
                 Enable debugging.

       -D dstaddr_filter_name
                 Destination IP address filter.  This is the name or number of a standard access list defined in
                 flow.acl or the file specified by -f.

       -e exaddr_filter
                 Exporter IP address filter.  A single exporter address; this option does not take the list,
                 range or negation syntax of the other command line filters.

       -f acl_fname
                 Access list filename.  Defaults to flow.acl.

       -h        Display help.

       -i input_filter
                 Input interface filter, e.g. -i0 to permit only traffic received on interface 0.

       -I output_filter
                 Output interface filter, e.g. -I0 to permit only traffic sent out interface 0.

       -k        Keep the time stamps from the input stream header rather than setting new ones on the  output
                 stream.

       -o        Combine  the  filters  with a logical OR instead of the default AND: a flow is kept when any
                 filter matches rather than only when all of them match.

       -p srcport_filter
                 Source port filter, e.g. -p80 to permit only source port 80.

       -P dstport_filter
                 Destination port filter, e.g. -P80,8080 to permit destination ports 80 and 8080.

       -r ipprot_filter
                 IP protocol filter, e.g. -r6 to permit only TCP (protocol 6) traffic; -r17 selects UDP.

       -S srcaddr_filter_name
                 Source IP address filter.  This is the name or number of a  standard  access  list  defined  in
                 flow.acl or the file specified by -f.

       -t tos_filter
                 ToS bits filter, written as value or value/mask.  The optional mask is ANDed with the ToS field
                 before the result is compared to the filter list, so bits cleared in the mask are ignored.  For
                 example, to match a ToS bit pattern of 101xxxxx use 0xA0/0xE0.

       -T tcp_flags_filter
                 TCP flags filter, written as value or value/mask.  The optional mask is ANDed with the TCP flags
                 field before the result is compared to the filter list.  For example, to match flows  with  the
                 SYN bit set use 0x2/0x2; to match flows with SYN set and ACK clear use 0x2/0x12.

       -x nexthop_filter_name
                 NextHop IP address filter.  This is the name or number of a standard  access  list  defined  in
                 flow.acl or the file specified by -f.

       -z z_level
                 Configure  compression  level  to   z_level.   0  is  disabled  (no  compression), 9 is highest
                 compression.
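       The following is an added example and not part of flow-tools: a small Python model of the command line
       filter syntax described above (comma lists, ranges, ! negation, value/mask for -t and -T, and -o to OR
       the filters).  The flow records, option-to-field mapping and the function names are constructed for the
       example; the 0x2/0x12 case (SYN set, ACK clear) goes one step beyond the page using the standard TCP flag
       bit values.

```python
# Added example (not flow-tools code): model of flow-filter's command-line
# filter syntax applied to constructed flow records.

# Hypothetical mapping from option letter to the flow field it filters on.
FIELD_FOR_OPTION = {
    "-a": "src_as", "-A": "dst_as", "-i": "input", "-I": "output",
    "-p": "srcport", "-P": "dstport", "-r": "prot", "-t": "tos",
    "-T": "tcp_flags",
}


def parse_filter(spec):
    """Parse '1-15', '1,15', '!1,15' or '0xA0/0xE0' into (negate, values, mask).

    A '/mask' suffix (used with -t and -T) is ANDed with the field before the
    comparison; a leading '!' inverts the result.  Numbers may be decimal or
    0x-prefixed hexadecimal.
    """
    mask = None
    if "/" in spec:
        spec, mask_text = spec.split("/", 1)
        mask = int(mask_text, 0)
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    values = set()
    for part in spec.split(","):
        if "-" in part:
            low, high = (int(x, 0) for x in part.split("-", 1))
            values.update(range(low, high + 1))
        else:
            values.add(int(part, 0))
    return negate, values, mask


def matches(spec, field_value):
    """True if a single field value passes one filter specification."""
    negate, values, mask = parse_filter(spec)
    if mask is not None:
        field_value &= mask
    return (field_value in values) != negate


def flow_filter(args, flows):
    """Apply argv-style options such as ['-P80,8080', '-T0x2/0x2'] to flows.

    Filters are ANDed unless '-o' is present, in which case a flow passes when
    any filter matches.  Returns the passing flows in input order.
    """
    use_or = "-o" in args
    specs = [(FIELD_FOR_OPTION[a[:2]], a[2:]) for a in args if a != "-o"]
    combine = any if use_or else all
    return [f for f in flows if combine(matches(s, f[name]) for name, s in specs)]


# Constructed sample flows (TCP flags: SYN=0x02, PSH=0x08, ACK=0x10).
FLOWS = [
    {"id": "syn-to-web", "input": 1, "output": 2, "srcport": 40001, "dstport": 80,
     "prot": 6, "tos": 0xA0, "tcp_flags": 0x02, "src_as": 159, "dst_as": 3112},
    {"id": "synack-https", "input": 15, "output": 2, "srcport": 443, "dstport": 50222,
     "prot": 6, "tos": 0x00, "tcp_flags": 0x12, "src_as": 3112, "dst_as": 159},
    {"id": "dns", "input": 20, "output": 2, "srcport": 53, "dstport": 53,
     "prot": 17, "tos": 0xB8, "tcp_flags": 0x00, "src_as": 64512, "dst_as": 159},
    {"id": "alt-web", "input": 3, "output": 4, "srcport": 51000, "dstport": 8080,
     "prot": 6, "tos": 0x00, "tcp_flags": 0x18, "src_as": 159, "dst_as": 64512},
]


def ids(args):
    """Ids of the sample flows that pass the given command line options."""
    return [f["id"] for f in flow_filter(args, FLOWS)]


if __name__ == "__main__":
    for argv in (["-P80,8080"], ["-i!1,15"], ["-T0x2/0x12"], ["-t0xA0/0xE0"],
                 ["-o", "-P53", "-i1"]):
        print(" ".join(argv), "->", ids(argv))
```

       Note that 0xB8 (1011 1000) passes -t0xA0/0xE0 alongside 0xA0 itself, which is exactly the 101xxxxx match
       the option description promises; without the mask, only flows with ToS equal to 0xA0 would pass.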

EXAMPLES

       Print all traffic with a destination port of 80.

         flow-cat /flows/krc4 | flow-filter -P80 | flow-print

       Print all traffic with source IP 10.0.0.1.  Populate flow.acl with
         ip access-list standard badguy permit host 10.0.0.1

         flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-print

       Report all destinations that IP 10.0.0.1 has sent traffic to.  Sort by octets.  Populate flow.acl with
         ip access-list standard badguy permit host 10.0.0.1

         flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-stat -f8 -S2
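       The following is an added example and not part of flow-tools: a Python model of how the standard access
       lists in flow.acl are evaluated for -S, -D and -x, reproducing the second and third examples above over
       constructed flows.  Only the "permit host" form comes from this page; deny, any and address/wildcard-mask
       entries, first-match-wins and the implicit trailing deny are assumed from Cisco standard access-list
       semantics, the "internal" list and the flow records are constructed, and the octets-per-destination report
       is a rough stand-in for flow-stat -f8 -S2.

```python
# Added example (not flow-tools code): evaluate flow.acl standard access lists
# against constructed flows, modelling -S / -D / -x.
import ipaddress

# Constructed flow.acl: the page's badguy list plus a hypothetical internal list.
FLOW_ACL_TEXT = """\
ip access-list standard badguy permit host 10.0.0.1
ip access-list standard internal deny host 192.168.1.254
ip access-list standard internal permit 192.168.1.0 0.0.0.255
ip access-list standard internal permit 10.0.0.0 0.255.255.255
"""


def parse_flow_acl(text):
    """Return {list_name: [(action, network), ...]} preserving file order."""
    acls = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] != ["ip", "access-list", "standard"] or len(tokens) < 6:
            raise ValueError(f"flow.acl line {lineno}: only standard lists are modelled")
        name, action, target = tokens[3], tokens[4], tokens[5:]
        if action not in ("permit", "deny"):
            raise ValueError(f"flow.acl line {lineno}: unknown action {action!r}")
        if target[0] == "host":
            network = ipaddress.IPv4Network(f"{target[1]}/32")
        elif target[0] == "any":
            network = ipaddress.IPv4Network("0.0.0.0/0")
        elif len(target) == 2:
            # Cisco wildcard mask: 0 bits must match, 1 bits are ignored.  Invert
            # it into a netmask; non-contiguous wildcards are not supported here
            # and make IPv4Network raise ValueError.
            wildcard = int(ipaddress.IPv4Address(target[1]))
            netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
            network = ipaddress.IPv4Network((target[0], str(netmask)), strict=False)
        else:
            network = ipaddress.IPv4Network(f"{target[0]}/32")  # bare address = host
        acls.setdefault(name, []).append((action, network))
    return acls


def acl_permits(acls, name, address):
    """First matching entry decides; no match means the implicit trailing deny."""
    addr = ipaddress.IPv4Address(address)
    for action, network in acls[name]:
        if addr in network:
            return action == "permit"
    return False


def filter_flows(acls, flows, src_acl=None, dst_acl=None, nexthop_acl=None):
    """Model -S/-D/-x: keep flows whose fields are permitted by the named lists (ANDed)."""
    checks = [("srcaddr", src_acl), ("dstaddr", dst_acl), ("nexthop", nexthop_acl)]
    return [
        f for f in flows
        if all(acl_permits(acls, name, f[field]) for field, name in checks if name)
    ]


def octets_by_destination(flows):
    """Rough model of 'flow-stat -f8 -S2': octets per destination, largest first."""
    totals = {}
    for f in flows:
        totals[f["dstaddr"]] = totals.get(f["dstaddr"], 0) + f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample flows.
FLOWS = [
    {"id": "badguy-to-web", "srcaddr": "10.0.0.1", "dstaddr": "192.168.1.10",
     "nexthop": "192.168.1.1", "octets": 5000},
    {"id": "badguy-to-gw", "srcaddr": "10.0.0.1", "dstaddr": "192.168.1.254",
     "nexthop": "192.168.1.1", "octets": 120},
    {"id": "other-internal", "srcaddr": "10.20.30.40", "dstaddr": "192.168.1.20",
     "nexthop": "192.168.1.1", "octets": 9000},
    {"id": "external", "srcaddr": "203.0.113.7", "dstaddr": "192.168.1.10",
     "nexthop": "192.168.1.1", "octets": 700},
]
ACLS = parse_flow_acl(FLOW_ACL_TEXT)


def ids(**which):
    """Ids of the sample flows kept by filter_flows with the given list names."""
    return [f["id"] for f in filter_flows(ACLS, FLOWS, **which)]


if __name__ == "__main__":
    print("-Sbadguy          ->", ids(src_acl="badguy"))
    print("-Sbadguy -Dinternal ->", ids(src_acl="badguy", dst_acl="internal"))
    print("flow-stat -f8 -S2 ->", octets_by_destination(filter_flows(ACLS, FLOWS, src_acl="badguy")))
```

       The deny entry at the top of the constructed "internal" list is what makes the order of entries matter:
       192.168.1.254 falls inside the 192.168.1.0/24 permit that follows, but the first match wins.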

BUGS

       Extended access lists are not fully implemented.  The command line filter syntax is a kludge.

NOTES

       flow-filter is kept for existing scripts; use flow-nfilter(1) for new work.  It replaces the  kludgy
       command line syntax with named filter definitions in a configuration file.

AUTHOR

       Mark Fullmer maf@splintered.net

SEE ALSO

       flow-tools(1), flow-nfilter(1)
