flow-nfilter.1.in
...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\" transcript compatibility for postscript use.
...\"
...\" synopsis: .P! <file.ps>
...\"
.de P!
\\&.
.fl \" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl \" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u \" move below the image
..
.de pF
.ie \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie !\\*(f4 \{\
. ft \\*(f4
. ds f4\"
' br \}
.el .ie !\\*(f3 \{\
. ft \\*(f3
. ds f3\"
' br \}
.el .ie !\\*(f2 \{\
. ft \\*(f2
. ds f2\"
' br \}
.el .ie !\\*(f1 \{\
. ft \\*(f1
. ds f1\"
' br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n
.TH "\fBflow-nfilter\fP" "1"
.SH "NAME"
\fBflow-nfilter\fP \(em Filter flows\&.
.SH "SYNOPSIS"
.PP
\fBflow-nfilter\fP [-hk] [-b\fI big\fP|\fIlittle\fP] [-C\fI comment\fP] [-d\fI debug_level\fP] [-f\fI filter_fname\fP] [-F\fI filter_definition\fP] [-z\fI z_level\fP]
.SH "DESCRIPTION"
.PP
The \fBflow-nfilter\fP utility will filter flows based on
user selectable criteria\&. Filters are composed of primitives and a
definition\&. Definitions contain match lines grouped to form
logical AND and OR operations on the flow using the selected primitives\&.
A definition may contain the invert command which will invert the
result of the evaluation\&.
.PP
Filter primitives begin with the filter-primitive keyword followed by
a symbolic name\&. Each primitive has a type defined below\&.
A list of permit and/or deny keywords, each followed
by an argument, is later evaluated to determine if the flow is permitted or
denied\&. The default action for a primitive is to deny, which may be changed
with the default keyword\&. Symbolic substitutions are done where
appropriate\&.
.PP
.PP
The match keyword in a definition selects the criteria to match a primitive\&.
A match type may allow more than one type of primitive, for example the
src-ip-addr match type will accept any of {ip-address, ip-address-mask,
ip-address-prefix} primitive types\&.
.PP
.PP
.nf
Primitive type          Type      Description/Example
-------------------------------------------------------------------
as                      Bucket    Autonomous System Number\&.
                                  600,159,3112
ip-address-prefix-len   Numeric   Integer from 0 to 32\&.
                                  16-31
ip-protocol             Bucket    Integer from 0 to 255\&.
                                  6,17,1
ip-tos                  Bucket    Integer from 0 to 255 with mask\&.
                                  0xA0/0xE0
ip-tcp-flags            Bucket    Integer from 0 to 255 with mask\&.
                                  0x2/0x2
ifindex                 Bucket    Integer from 0 to 65535
                                  0,5,10
engine                  Bucket    Integer from 0 to 255\&.
                                  0
ip-port                 Bucket    Integer from 0 to 255\&.
                                  80,8080,23,22
ip-address              Hash      List of IP Addresses\&.
                                  10\&.0\&.0\&.1
ip-address-mask         List      List of IP address/mask pairs\&.
                                  10\&.1\&.0\&.0 255\&.255\&.0\&.0
ip-address-prefix       Trie      List of IP address/mask pairs\&.
                                  10\&.1/16
tag                     Hash      List of tags\&.
                                  0xFF00
tag-mask                List      List of tags\&.
                                  0xF000/0xFF00
counter                 List      List of Integers with qualifier\&.
                                  lt 32
time                    List      List of relative time specifiers\&.
                                  gt 5:00
time-date               List      List of absolute time specifiers\&.
                                  gt December 12, 2002 5:13:21
double                  List      List of doubles with qualifier\&.
                                  lt 32\&.0
rate                    Element   Rate is calculated as 1/rate\&.
                                  permit 100

Match type                         Description             Primitives accepted
-------------------------------------------------------------------
source-as                          Source AS               as
destination-as                     Destination AS          as
ip-source-address                  Source IP Address       ip-address, ip-address-mask,
                                                           ip-address-prefix
ip-destination-address             Destination IP Address  ip-address, ip-address-mask,
                                                           ip-address-prefix
ip-exporter-address                Exporter IP Address     ip-address, ip-address-mask,
                                                           ip-address-prefix
ip-nexthop-address                 NextHop IP Address      ip-address, ip-address-mask,
                                                           ip-address-prefix
ip-shortcut-address                Shortcut IP Address     ip-address, ip-address-mask,
                                                           ip-address-prefix
ip-protocol                        IP Protocol             ip-protocol
ip-source-address-prefix-len       Source IP address       ip-address-prefix-len
                                   prefix length
ip-destination-address-prefix-len  Destination IP address  ip-address-prefix-len
                                   prefix length
ip-tos                             IP Type Of Service      ip-tos
ip-marked-tos                      IP Type Of Service      ip-tos
ip-tcp-flags                       IP/TCP Flags            ip-tcp-flags
ip-source-port                     Source IP Port          ip-port
                                   eg TCP/UDP
ip-destination-port                Destination IP Port     ip-port
                                   eg TCP/UDP
input-interface                    Source ifIndex          ifindex
                                   eg Input Interface
output-interface                   Destination ifIndex     ifindex
                                   eg Output Interface
start-time                         Start Time of flow      time, time-date
end-time                           End Time of Flow        time, time-date
flows                              Number of flows         counter
octets                             Number of octets        counter
packets                            Number of packets       counter
duration                           Duration of flow in ms  counter
engine-id                          Engine ID               engine
engine-type                        Engine Type             engine
source-tag                         Source Tag              tag, tag-mask
destination-tag                    Destination Tag         tag, tag-mask
pps                                Packets Per Second      double
bps                                Bits Per Second         double
random-sample                      Random Sample           rate
.fi
.SH "OPTIONS"
.IP "-b\fI big\fP|\fIlittle\fP" 10
Byte order of output\&.
.IP "-C\fI Comment\fP" 10
Add a comment\&.
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-f\fI filter_fname\fP" 10
Filter list filename\&. Defaults to \fB@localstatedir@/cfg/filter\fP\&.
.IP "-F\fI filter_definition\fP" 10
Select the active definition\&. Defaults to default\&.
.IP "-h" 10
Display help\&.
.IP "-k" 10
Keep time from input\&.
.IP "-z\fI z_level\fP" 10
Configure compression level to \fI z_level\fP\&. 0 is
disabled (no compression), 9 is highest compression\&.
.SH "EXAMPLES"
.PP
An example of a filter configuration file\&.
.PP
.nf
filter-primitive srate
  type rate
  permit 100

filter-primitive test-as
  type as
  permit 600,159

filter-primitive test-prefix-len
  type ip-address-prefix-len
  permit 32

filter-primitive test-protocol
  type ip-protocol
  permit tcp

filter-primitive test-tos
  type ip-tos
  mask 0xA0
  permit 0xE0

filter-primitive test-tcp-flags
  type ip-tcp-flags
  mask 0x2
  permit 0x2

filter-primitive test-ifindex
  type ifindex
  permit 0,5,10

filter-primitive test-engine
  type engine
  permit 0

filter-primitive test-port
  type ip-port
  permit https
  permit 80
  default deny

filter-primitive test-address
  type ip-address
  permit 0\&.0\&.0\&.1
  permit 0\&.0\&.0\&.2
  default deny

filter-primitive test-address-mask
  type ip-address-mask
  permit 128\&.146\&.197\&.1 255\&.255\&.255\&.255
  permit 128\&.146\&.197\&.2 255\&.255\&.255\&.255

filter-primitive test-prefix
  type ip-address-prefix
  permit 128\&.146\&.0\&.0/16
  default deny

filter-primitive test-tag
  type tag
  permit 0x00
  permit 0x01
  permit 0xFF

filter-primitive test-tag-mask
  type tag-mask
  permit OSU 0xFF
  permit 0xFF 0xFF
  default deny

filter-primitive test-counter
  type counter
  permit lt 5
  permit gt 10
  default deny

filter-primitive test-time-date
  type time-date
  permit gt December 12, 2002 5:13:21

filter-primitive test-time
  type time-date
  permit gt 12:15:00

filter-definition sample-1-in-100
  match random-sample srate

filter-definition t1
  match engine-type test-engine
  or
  match destination-tag test-tag-mask
.fi
.PP
Display all flows with a destination port of 80 or source port of 25 (smtp)
starting after Dec 12, 2001\&. The file \fBtest\fP is
populated with the following:
.PP
.nf
filter-primitive port80
  type ip-port
  permit 80

filter-primitive port25
  type ip-port
  permit smtp

filter-primitive dec12
  type time-date
  permit gt Dec 12, 2001

filter-definition foo
  match ip-source-port port80
  match start-time dec12
  or
  match ip-destination-port port25
  match start-time dec12
.fi
  \fBflow-cat \fBflows\fP | flow-nfilter -ftest -Ffoo | flow-print\fP
.SH "BUGS"
.PP
None known\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Wed 02 Apr 2003, 12:53
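
The following is an added example, not part of the man page or of flow-tools: a small Python model of how a definition combines match lines (AND within a group, OR between groups, optional invert) and how a primitive falls back to its default action, applied to the `foo` definition exactly as written in the `test` file. It assumes the first matching permit/deny entry decides, that `smtp` means port 25, and that `gt Dec 12, 2001` means after midnight at the start of that day; the sample flows are constructed.

```python
from datetime import datetime

def primitive(entries, default="deny"):
    """Build a primitive: the first entry whose test matches decides (assumption);
    if nothing matches, the default action applies (deny unless changed)."""
    def check(value):
        for action, test in entries:
            if test(value):
                return action == "permit"
        return default == "permit"
    return check

def evaluate(groups, flow, invert=False):
    """groups: the match lines of a definition, split at each 'or'.
    Lines inside a group are ANDed, the groups are ORed, invert flips the result."""
    hit = any(all(prim(flow[field]) for field, prim in group) for group in groups)
    return hit != invert

# Primitives from the page's 'test' file (smtp written as 25: assumption).
port80 = primitive([("permit", lambda p: p == 80)])
port25 = primitive([("permit", lambda p: p == 25)])
dec12 = primitive([("permit", lambda t: t > datetime(2001, 12, 12))])

# filter-definition foo, as written in the file.
FOO = [
    [("ip-source-port", port80), ("start-time", dec12)],
    [("ip-destination-port", port25), ("start-time", dec12)],
]

def flow(sport, dport, start):
    return {"ip-source-port": sport, "ip-destination-port": dport, "start-time": start}

# Constructed sample flows (not real captures).
FLOWS = [
    flow(80, 40000, datetime(2002, 1, 5)),    # source port 80, after the date
    flow(40001, 25, datetime(2002, 1, 5)),    # destination port 25, after the date
    flow(80, 40000, datetime(2001, 11, 30)),  # source port 80, before the date
    flow(40002, 80, datetime(2002, 1, 5)),    # port 80 only on the destination side
]

def run(invert=False):
    """Return the permit/deny decision of foo for each sample flow."""
    return [evaluate(FOO, f, invert) for f in FLOWS]

if __name__ == "__main__":
    print(run())             # decisions for definition foo
    print(run(invert=True))  # same definition with the invert command
```

The fourth flow is rejected because `foo` tests port 80 on the source side only, which is worth checking against the intent when writing a definition.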