netflow, packet capture

View source online: flow-nfilter.html.in

Package size: 946 K
Uploaded by: jackjinke
Keywords: netflow

Related code

flow-nfilter

NAME

flow-nfilter -- Filter flows.

SYNOPSIS

flow-nfilter [-hk] [-b big|little] [-C comment] [-d debug_level] [-f filter_fname] [-F filter_definition] [-z z_level]

DESCRIPTION

The flow-nfilter utility will filter flows based on user selectable criteria. Filters are composed of primitives and a definition. Definitions contain match lines grouped to form logical AND and OR operations on the flow using the selected primitives. A definition may contain the invert command which will invert the result of the evaluation.

Filter primitives begin with the filter-primitive keyword followed by a symbolic name. Each primitive has a type defined below. A list of permit and/or deny keywords followed by an argument are later evaluated to determine if the flow is permitted or denied. The default action for a primitive is to deny, which may be changed with the default keyword. Symbolic substitutions are done where appropriate.

The match keyword in a definition selects the criteria to match a primitive. A match type may allow more than one type of primitive; for example the src-ip-addr match type will accept any of {ip-address, ip-address-mask, ip-address-prefix} primitive types.

Primitive type          Type       Description/Example
-------------------------------------------------------------------
as                      Bucket     Autonomous System Number.
                                   600,159,3112

ip-address-prefix-len   Numeric    Integer from 0 to 32.
                                   16-31

ip-protocol             Bucket     Integer from 0 to 255.
                                   6,17,1

ip-tos                  Bucket     Integer from 0 to 255 with mask.
                                   0xA0/0xE0

ip-tcp-flags            Bucket     Integer from 0 to 255 with mask.
                                   0x2/0x2

ifindex                 Bucket     Integer from 0 to 65535
                                   0,5,10

engine                  Bucket     Integer from 0 to 255.
                                   0

ip-port                 Bucket     Integer from 0 to 255.
                                   80,8080,23,22

ip-address              Hash       List of IP Addresses.
                                   10.0.0.1

ip-address-mask         List       List of IP address/mask pairs.
                                   10.1.0.0 255.255.0.0

ip-address-prefix       Trie       List of IP address/mask pairs.
                                   10.1/16

tag                     Hash       List of tags.
                                   0xFF00

tag-mask                List       List of tags.
                                   0xF000/0xFF00

counter                 List       List of Integers with qualifier.
                                   lt 32

time                    List       List of relative time specifiers.
                                   gt 5:00

time-date               List       List of absolute time specifiers.
                                   gt December 12, 2002 5:13:21

double                  List       List of doubles with qualifier.
                                   lt 32.0

rate                    Element    Rate is calculated as 1/rate.
                                   permit 100


Match type              Description             Primitives accepted
-------------------------------------------------------------------
source-as               Source AS               as

destination-as          Destination AS          as

ip-source-address       Source IP Address       ip-address,
                                                ip-address-mask,
                                                ip-address-prefix

ip-destination-address  Destination IP Address  ip-address,
                                                ip-address-mask,
                                                ip-address-prefix

ip-exporter-address     Exporter IP Address     ip-address,
                                                ip-address-mask,
                                                ip-address-prefix

ip-nexthop-address      NextHop IP Address      ip-address,
                                                ip-address-mask,
                                                ip-address-prefix

ip-shortcut-address     Shortcut IP Address     ip-address,
                                                ip-address-mask,
                                                ip-address-prefix

ip-protocol             IP Protocol             ip-protocol

ip-source-address-prefix-len
                        Source IP address       ip-address-prefix-len
                        prefix length

ip-destination-address-prefix-len
                        Destination IP address  ip-address-prefix-len
                        prefix length

ip-tos                  IP Type Of Service      ip-tos

ip-marked-tos           IP Type Of Service      ip-tos

ip-tcp-flags            IP/TCP Flags            ip-tcp-flags

ip-source-port          Source IP Port          ip-port
                        eg TCP/UDP

ip-destination-port     Destination IP Port     ip-port
                        eg TCP/UDP

input-interface         Source ifIndex          ifindex
                        eg Input Interface

output-interface        Destination ifIndex     ifindex
                        eg Output Interface

start-time              Start Time of flow      time, time-date

end-time                End Time of Flow        time, time-date

flows                   Number of flows         counter

octets                  Number of octets        counter

packets                 Number of packets       counter

duration                Duration of flow in ms  counter

engine-id               Engine ID               engine

engine-type             Engine Type             engine

source-tag              Source Tag              tag, tag-mask

destination-tag         Destination Tag         tag, tag-mask

pps                     Packets Per Second      double

bps                     Bits Per Second         double

random-sample           Random Sample           rate

OPTIONS

-b big|little
    Byte order of output.

-C Comment
    Add a comment.

-d debug_level
    Enable debugging.

-f filter_fname
    Filter list filename. Defaults to @localstatedir@/cfg/filter.

-F filter_definition
    Select the active definition. Defaults to default.

-h
    Display help.

-k
    Keep time from input.

-z z_level
    Configure compression level to z_level. 0 is disabled (no compression), 9 is highest compression.

EXAMPLES

An example filter configuration file:

filter-primitive srate
  type rate
  permit 100

filter-primitive test-as
  type as
  permit 600,159

filter-primitive test-prefix-len
  type ip-address-prefix-len
  permit 32

filter-primitive test-protocol
  type ip-protocol
  permit tcp

filter-primitive test-tos
  type ip-tos
  mask 0xA0
  permit 0xE0

filter-primitive test-tcp-flags
  type ip-tcp-flags
  mask 0x2
  permit 0x2

filter-primitive test-ifindex
  type ifindex
  permit 0,5,10

filter-primitive test-engine
  type engine
  permit 0

filter-primitive test-port
  type ip-port
  permit https
  permit 80
  default deny

filter-primitive test-address
  type ip-address
  permit 0.0.0.1
  permit 0.0.0.2
  default deny

filter-primitive test-address-mask
  type ip-address-mask
  permit 128.146.197.1 255.255.255.255
  permit 128.146.197.2 255.255.255.255

filter-primitive test-prefix
  type ip-address-prefix
  permit 128.146.0.0/16
  default deny

filter-primitive test-tag
  type tag
  permit 0x00
  permit 0x01
  permit 0xFF

filter-primitive test-tag-mask
  type tag-mask
  permit OSU 0xFF
  permit 0xFF 0xFF
  default deny

filter-primitive test-counter
  type counter
  permit lt 5
  permit gt 10
  default deny

filter-primitive test-time-date
  type time-date
  permit gt December 12, 2002 5:13:21

filter-primitive test-time
  type time-date
  permit gt 12:15:00

filter-definition sample-1-in-100
  match random-sample srate

filter-definition t1
  match engine-type test-engine
  or
  match destination-tag test-tag-mask

Display all flows with a destination port of 80 or source port of 25 (smtp) starting after Dec 12, 2001. The file test is populated with the following:

filter-primitive port80
  type ip-port
  permit 80

filter-primitive port25
  type ip-port
  permit smtp

filter-primitive dec12
  type time-date
  permit gt Dec 12, 2001

filter-definition foo
  match ip-source-port port80
  match start-time dec12
  or
  match ip-destination-port port25
  match start-time dec12

flow-cat flows | flow-nfilter -ftest -Ffoo | flow-print

BUGS

None known.

AUTHOR

Mark Fullmer <maf@splintered.net>

SEE ALSO

flow-tools(1)
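As an added example (not flow-tools code), the following Python evaluator implements the primitive and definition semantics from DESCRIPTION (ordered permit/deny rules with a default, match lines ANDed, "or" groups ORed, "invert") for a subset of primitive types (ip-port, ip-address-prefix, counter, time-date), then runs the "test" filter file from the second example, plus a constructed definition exercising the 10.1/16 short prefix form and invert, over constructed flow records. The flow record keys (srcport, dstport, dstaddr, octets, start), the SERVICES table standing in for /etc/services, and the flows themselves are this example's assumptions; masked types (ip-tos, ip-tcp-flags), tags and rate are not implemented.

```python
# Added example, not flow-tools code: a minimal evaluator for flow-nfilter style
# filter files. Flow records are plain dicts standing in for flow-tools records.
import ipaddress
from datetime import datetime

SERVICES = {"smtp": 25, "http": 80, "https": 443}  # constructed /etc/services stand-in
MATCH_FIELDS = {"ip-source-port": "srcport", "ip-destination-port": "dstport",  # match type
                "ip-destination-address": "dstaddr", "octets": "octets", "start-time": "start"}

def parse_time(text):
    # "Dec 12, 2001" or "December 12, 2002 5:13:21": short/full month, optional clock.
    month = "%b" if len(text.split()[0]) == 3 else "%B"
    return datetime.strptime(text, month + " %d, %Y" + (" %H:%M:%S" if ":" in text else ""))

def parse_prefix(text):
    # Short form "10.1/16" (as in the man page) or full "128.146.0.0/16": pad to 4 octets.
    addr, _, plen = text.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(addr + "/" + (plen or "32"), strict=False)

def make_test(ptype, arg):
    # Predicate for one permit/deny argument of a primitive of type ptype.
    if ptype == "ip-port":
        want = int(arg) if arg.isdigit() else SERVICES[arg]  # symbolic substitution
        return lambda v: v == want
    if ptype == "ip-address-prefix":
        net = parse_prefix(arg)
        return lambda v: ipaddress.ip_address(v) in net
    if ptype in ("counter", "time-date"):
        qual, _, rest = arg.partition(" ")
        bound = int(rest) if ptype == "counter" else parse_time(rest)
        return {"lt": lambda v: v < bound, "gt": lambda v: v > bound}[qual]
    raise ValueError("unsupported primitive type %r" % ptype)

def permits(prim, value):
    # First permit/deny rule that matches decides; otherwise the default (deny unless set).
    for action, test in prim["rules"]:
        if test(value):
            return action == "permit"
    return prim["default"] == "permit"

def matches(defn, flow):
    # match lines in a group are ANDed, groups split by "or" are ORed, "invert" flips it.
    hit = any(all(permits(p, flow[f]) for f, p in grp) for grp in defn["groups"])
    return hit != defn["invert"]

def parse_filter(text):
    # Parse filter-primitive / filter-definition blocks; "#" starts a comment.
    prims, defs, cur = {}, {}, None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        kw, *args = line.split(None, 2)
        if kw == "filter-primitive":
            cur = prims[args[0]] = {"type": None, "rules": [], "default": "deny"}
        elif kw == "filter-definition":
            cur = defs[args[0]] = {"groups": [[]], "invert": False}
        elif kw in ("type", "default"):
            cur[kw] = args[0]
        elif kw in ("permit", "deny"):
            cur["rules"].append((kw, make_test(cur["type"], " ".join(args))))
        elif kw == "match":
            cur["groups"][-1].append((MATCH_FIELDS[args[0]], prims[args[1]]))
        elif kw == "or":
            cur["groups"].append([])
        elif kw == "invert":
            cur["invert"] = True
        else:
            raise ValueError("unsupported keyword %r" % kw)  # unknown keyword: fail closed
    return prims, defs

# The "test" file from EXAMPLES plus a constructed definition using 10.1/16 and invert.
FILTER_TEXT = """filter-primitive port80
  type ip-port
  permit 80
filter-primitive port25
  type ip-port
  permit smtp
filter-primitive dec12
  type time-date
  permit gt Dec 12, 2001
filter-definition foo
  match ip-source-port port80
  match start-time dec12
  or
  match ip-destination-port port25
  match start-time dec12
filter-primitive lab-net
  type ip-address-prefix
  permit 10.1/16
filter-definition not-to-lab
  match ip-destination-address lab-net
  invert"""
FLOWS = [  # constructed flow records, not real NetFlow exports
    dict(dstaddr="10.1.5.7", srcport=80, dstport=51234, start=datetime(2002, 1, 3)),
    dict(dstaddr="192.0.2.10", srcport=44000, dstport=25, start=datetime(2001, 11, 30)),
    dict(dstaddr="192.0.2.10", srcport=44001, dstport=25, start=datetime(2002, 2, 1)),
]
```

Running `parse_filter(FILTER_TEXT)` and then `matches(defs["foo"], flow)` over FLOWS gives True, False, True: the second flow has the smtp destination port but started before Dec 12, 2001, so its AND group fails. Unknown keywords and primitive types raise instead of being skipped; when a filter doubles as a selection rule for what gets stored or alerted on, a silently ignored line would widen the set of flows that pass without any visible error.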
