Provided by: flow-tools_0.68-12.3build2_amd64 bug

flow-filter(1)                       General Commands Manual                       flow-filter(1)

NAME

       flow-filter — Filter flows.

SYNOPSIS

       flow-filter  [-hko]  [-a src_as_filter]  [-A dst_as_filter]  [-b big|little]  [-C comment]
       [-D dstaddr_filter_name]   [-d  debug_level]   [-e  exaddr_filter]   [-f  acl_fname]   [-i
       input_filter]    [-I   output_filter]    [-p  srcport_filter]   [-P  dstport_filter]   [-r
       ipprot_filter]  [-S srcaddr_filter_name]   [-t  tos_filter]   [-T  tcp_flags_filter]   [-x
       nexthop_filter_name]  [-z z_level]

DESCRIPTION

       The  flow-filter  utility  will  filter  flows  based on user selectable criteria.  The IP
       address filters are defined in flow.acl or by the filename specified by -f.

       Other filters such as input interface and ports are defined on the  command  line.   These
       filters  accept  range and negation operators, ie -i1-15 for input interfaces 1 through 15
       or -i1,15 for input interfaces 1 and 15, or !1,15 for not input interfaces 1 and 15.

       The syntax is kludgy and needs reworked but works for most applications.

OPTIONS

       -a src_as_filter
                 Source AS filter, ie -a159 to permit Autonomous System 159.

       -A dst_as_filter
                 Destination AS filter, ie -A159,3112 to permit Autonomous Systems 159 and 3112.

       -b big|little
                 Byte order of output.

       -C Comment
                 Add a comment.

       -d debug_level
                 Enable debugging.

       -D dstaddr_filter_name
                 Destination IP address filter.  This is the name or number of a standard  access
                 list defined in flow.acl or the file specified by -f.

       -e exaddr_filter
                 Exporter IP address filter.  One exporter address can be filtered.

       -f acl_fname
                 Access list filename.  Defaults to flow.acl.

       -h        Display help.

       -i input_filter
                 Input interface filter, ie -i0 to permit traffic from interface 0.

       -k        Keep time from input.

       -I output_filter
                 Output interface filter, ie -I0 to permit traffic to interface 0.

       -o        Logical OR instead of AND filters.

       -p srcport_filter
                 Source port filter, ie -p80 to only permit source port 80.

       -P dstport_filter
                 Destination port filter, ie -P80,8080 to permit destination ports 80 and 8080.

       -r ipprot_filter
                 IP Protocol filter, ie -r6 to only permit TCP traffic.

       -S srcaddr_filter_name
                 Source  IP address filter.  This is the name or number of a standard access list
                 defined in flow.acl or the file specified by -f.

       -t tos_filter
                 ToS bits filter.  An optional mask is available which  is  applied  to  the  tos
                 field  before  comparing  to  the  filter  list.  For example to match a tos bit
                 pattern of 101xxxxx use 0xA0/0xE0.

       -T tcp_flags_filter
                 TCP bits filter.  An optional mask is available which  is  applied  to  the  TCP
                 flags  field  before comparing to the filter list.  For example to match a flows
                 with the SYN bit set use 0x2/0x2.

       -x nexthop_filter_name
                 NextHop IP address filter.  This is the name or number of a standard access list
                 defined in flow.acl or the file specified by -f.

       -z z_level
                 Configure  compression  level to  z_level.  0 is disabled (no compression), 9 is
                 highest compression.

EXAMPLES

       Print all traffic with a destination port of 80.

         flow-cat /flows/krc4 | flow-filter -P80 | flow-print

       Print all traffic with with source IP 10.0.0.1.  Populate flow.acl with
         ip access-list standard badguy permit host 10.0.0.1

         flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-print

       Report all destinations that IP 10.0.0.1 has sent traffic to.  Sort by  octets.   Populate
       flow.acl with
         ip access-list standard badguy permit host 10.0.0.1

         flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-stat -f8 -S2

BUGS

       Extended  access  lists  are  not  fully implemented.  The command line filter syntax is a
       kludge.

NOTES

       Use flow-nfilter.

AUTHOR

       Mark Fullmer maf@splintered.net

SEE ALSO

       flow-tools(1)

                                                                                   flow-filter(1)