...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $...\"...\"	transcript compatibility for postscript use....\"...\"	synopsis:  .P! <file.ps>...\".de P!\\&..fl			\" force out current output buffer\\!%PB\\!/showpage{}def...\" the following is from Ken Flowers -- it prevents dictionary overflows\\!/tempdict 200 dict def tempdict begin.fl			\" prolog.sy cat \\$1\" bring in postscript file...\" the following line matches the tempdict above\\!end % tempdict %\\!PE\\!..sp \\$2u	\" move below the image...de pF.ie     \\*(f1 .ds f1 \\n(.f.el .ie \\*(f2 .ds f2 \\n(.f.el .ie \\*(f3 .ds f3 \\n(.f.el .ie \\*(f4 .ds f4 \\n(.f.el .tm ? font overflow.ft \\$1...de fP.ie     !\\*(f4 \{\.	ft \\*(f4.	ds f4\"'	br \}.el .ie !\\*(f3 \{\.	ft \\*(f3.	ds f3\"'	br \}.el .ie !\\*(f2 \{\.	ft \\*(f2.	ds f2\"'	br \}.el .ie !\\*(f1 \{\.	ft \\*(f1.	ds f1\"'	br \}.el .tm ? font underflow...ds f1\".ds f2\".ds f3\".ds f4\".ta 8n 16n 24n 32n 40n 48n 56n 64n 72n .TH "\fBflow-tools\fP" "1".SH "NAME"\fBflow-tools\fP \(em Tool set for working with NetFlow data\&..SH "DESCRIPTION".PPFlow-tools is library and a collection of programs used to collect,send, process, and generate reports from NetFlow data\&.  The toolscan be used together on a single server or distributed to multipleservers for large deployments\&.  The flow-toools library provides anAPI for development of custom applications for NetFlow export versions1,5,6 and the 14 currently defined version 8 subversions\&.  A Perl andPython interface have been contributed and are included in the distribution\&..PPFlow data is collected and stored by default in host byte order, yetthe files are portable across big and little endian architectures\&..PPCommands that utilize the network use a localip/remoteip/port designationfor communication\&.  "localip" is the IP address the host will use as asource for sending or bind to when receiving NetFlow PDU\&'s (ie the destinationaddress of the exporter\&.  Configuring the "localip" to 0 will force the kernelto decide what IP address to use for sending and listen on all IP addressesfor receiving\&.  "remoteip" is the destination IP address used for sending orthe expected address of the source when receiving\&.  If the "remoteip" is0 then the application will accept flows from any source address\&.  The "port"is the UDP port number used for sending or receiving\&.  When using multicastaddresses the localip/remoteip/port is used to represent the source, group,and port respectively\&..PPFlows are exported from a router in a number of different configurableversions\&.  A flow is a collection of key fields and additional data\&.The flow key is {srcaddr, dstaddr, input, output, srcport, dstport, prot,ToS}\&.  Flow-tools supports one export version per file\&..PPExport versions 1, 5, 6, and 7 all maintain {nexthop, dPkts, dOctets,First, Last, flags}, ie the next-hop IP address, number of packets, numberof octets (bytes), start time, end time, and flags such as the TCP headerbits\&.  Version 5 adds the additional fields {src_as, dst_as, src_mask,dst_mask}, ie source AS, destination AS, source network mask, anddestination network mask\&.  Version 7 which is specific to the Catalystswitches adds in addition to the version 5 fields {router_sc}, which isthe Router IP address which populates the flow cache shortcut in theSupervisor\&.  Version 6 which is not officially supported by Cisco addsin addition to the version 5 fields {in_encaps, out_encaps, peer_nexthop},ie the input and output interface encapsulation size, and the IP addressof the next hop within the peer\&.  Version 1 exports do not contain asequence number and therefore should be avoided, although it is safeto store the data as version 1 if the additional fields are not used\&..PPVersion 8 IOS NetFlow is a second level flow cache that reduces thedata exported from the router\&.  There are currently 11 formats, allof which provide {dFlows, dOctets, dPkts, First, Last} for the keyfields\&..PP.PP.nf  8\&.1 -  Source and Destination AS, Input and Output interface  8\&.2 -  Protocol and Port  8\&.3 -  Source Prefix and Input interface  8\&.4 -  Destination Prefix and Output interface  8\&.5 -  Source/Destination Prefix and Input/Output interface  8\&.9 -  8\&.1 + ToS  8\&.10 - 8\&.2 + ToS  8\&.11 - 8\&.3 + ToS  8\&.12 - 8\&.5 + ToS  8\&.13 - 8\&.2 + ToS  8\&.14 - 8\&.3 + ports + ToS.fi.PPVersion 8 CatIOS NetFlow appears to be a less fine grained first levelflow cache\&..PP.PP.nf  8\&.6 - Destination IP, ToS, Marked ToS,   8\&.7 - Source/Destination IP, Input/Output interface, ToS, Marked ToS,   8\&.8 - Source/Destination IP, Source/Destination Port,        Input/Output interface, ToS, Marked ToS, .fi.PP.PPThe following programs are included in the flow-tools distribution\&..PP\fBflow-capture\fP - Collect, compress, store, andmanage disk space for exported flows from a router\&..PP\fBflow-cat\fP - Concatenate flow files\&.  Typically flow fileswill contain a small window of 5 or 15 minutes of exports\&.  Flow-catcan be used to append files for generating reports that span longer timeperiods\&..PP\fBflow-fanout\fP - Replicate NetFlow datagrams to unicast ormulticast destinations\&.  Flow-fanout is used to facilitatemultiple collectors attached to a single router\&..PP\fBflow-report\fP - Generate reports for NetFlow data sets\&.Reports include source/destination IP pairs, source/destination AS,and top talkers\&.  Over 50 reports are currently supported\&..PP\fBflow-tag\fP - Tag flows based on IP address or AS #\&.Flow-tag is used to group flows by customer network\&.  The tagscan later be used with flow-fanout or flow-reportto generate customer based traffic reports\&..PP\fBflow-filter\fP - Filter flows based on any of the exportfields\&.  Flow-filter is used in-line with other programsto generate reports based on flows matching filter expressions\&..PP\fBflow-import\fP - Import data from ASCII or cflowd format\&..PP\fBflow-export\fP - Export data to ASCII or cflowd format\&..PP\fBflow-send\fP - Send data over the network using the NetFlowprotocol\&..PP\fBflow-receive\fP - Receive exports using the NetFlow protocolwithout storing to disk like flow-capture\&..PP\fBflow-gen\fP - Generate test data\&..PP\fBflow-dscan\fP - Simple tool for detecting some types of networkscanning and Denial of Service attacks\&..PP\fBflow-merge\fP - Merge flow files in chronoligical order\&..PP\fBflow-xlate\fP - Perform translations on some flow fields\&..PP\fBflow-expire\fP -  Expire flows using the same policy offlow-capture\&..PP\fBflow-header\fP - Display meta information in flow file\&..PP\fBflow-split\fP - Split flow files into smaller files based onsize, time, or tags\&..SH "AUTHOR".PPMark Fullmer maf@splintered\&.net.PP\fBflow-merge\fP byLarry Lidz ellidz@eridu\&.uchicago\&.edu.PPPatches and other contribitions by a list too long to mention here\&..PP\fBflow-tools\fP is avalable at\fI (link to URL http://www.splintered.net/sw/flow-tools) \fR\&..PPA mailing list is maintained at flow-tools@splintered\&.net.SH "SEE ALSO".PP\fBflow-capture\fP(1)\fBflow-cat\fP(1)\fBflow-dscan\fP(1)\fBflow-expire\fP(1)\fBflow-export\fP(1)\fBflow-fanout\fP(1)\fBflow-filter\fP(1)\fBflow-nfilter\fP(1)\fBflow-gen\fP(1)\fBflow-header\fP(1)\fBflow-import\fP(1)\fBflow-merge\fP(1)\fBflow-print\fP(1)\fBflow-receive\fP(1)\fBflow-report\fP(1)\fBflow-send\fP(1)\fBflow-split\fP(1)\fBflow-stat\fP(1)\fBflow-tag\fP(1)\fBflow-xlate\fP(1)...\" created by instant / docbook-to-man, Tue 06 Aug 2002, 22:22