flow-nfilter.sgml
<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<refentry>
<refmeta>
<refentrytitle><application>flow-nfilter</application></refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname><application>flow-nfilter</application></refname>
<refpurpose>Filter flows.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>flow-nfilter</command>
<arg>-hk</arg>
<arg>-b<replaceable> big</replaceable>|<replaceable>little</replaceable></arg>
<arg>-C<replaceable> comment</replaceable></arg>
<arg>-d<replaceable> debug_level</replaceable></arg>
<arg>-f<replaceable> filter_fname</replaceable></arg>
<arg>-F<replaceable> filter_definition</replaceable></arg>
<arg>-z<replaceable> z_level</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>
The <command>flow-nfilter</command> utility will filter flows based on
user selectable criteria.  Filters are composed of primitives and a
definition.  Definitions contain match lines grouped to form
logical AND and OR operations on the flow using the selected primitives.
A definition may contain the invert command which will invert the
result of the evaluation.
</para>
<para>
Filter primitives begin with the filter-primitive keyword followed by
a symbolic name.  Each primitive has a type defined below.
A list of permit and or deny keywords followed
by an argument are later evaluated to determine if the flow is permitted or
denied.  The default action for a primitive is to deny, which may be
changed with the default keyword.  Symbolic substitutions are done where
appropriate.
</para>
<para>
The match keyword in a definition selects the criteria to match a primitive.
A match type may allow more than one type of primitive; for example, the
src-ip-addr match type will accept any of {ip-address, ip-address-mask,
ip-address-prefix} primitive types.
</para>
<para>
<screen>
Primitive type         Type      Description/Example
-------------------------------------------------------------------
as                     Bucket    Autonomous System Number.  600,159,3112
ip-address-prefix-len  Numeric   Integer from 0 to 32.  16-31
ip-protocol            Bucket    Integer from 0 to 255.  6,17,1
ip-tos                 Bucket    Integer from 0 to 255 with mask.  0xA0/0xE0
ip-tcp-flags           Bucket    Integer from 0 to 255 with mask.  0x2/0x2
ifindex                Bucket    Integer from 0 to 65535.  0,5,10
engine                 Bucket    Integer from 0 to 255.  0
ip-port                Bucket    Integer from 0 to 255.  80,8080,23,22
ip-address             Hash      List of IP Addresses.  10.0.0.1
ip-address-mask        List      List of IP address/mask pairs.  10.1.0.0 255.255.0.0
ip-address-prefix      Trie      List of IP address/mask pairs.  10.1/16
tag                    Hash      List of tags.  0xFF00
tag-mask               List      List of tags.  0xF000/0xFF00
counter                List      List of Integers with qualifier.  lt 32
time                   List      List of relative time specifiers.  gt 5:00
time-date              List      List of absolute time specifiers.  gt December 12, 2002 5:13:21
double                 List      List of doubles with qualifier.  lt 32.0
rate                   Element   Rate is calculated as 1/rate.  permit 100

Match type                         Description                           Primitives accepted
-------------------------------------------------------------------
source-as                          Source AS                             as
destination-as                     Destination AS                        as
ip-source-address                  Source IP Address                     ip-address, ip-address-mask, ip-address-prefix
ip-destination-address             Destination IP Address                ip-address, ip-address-mask, ip-address-prefix
ip-exporter-address                Exporter IP Address                   ip-address, ip-address-mask, ip-address-prefix
ip-nexthop-address                 NextHop IP Address                    ip-address, ip-address-mask, ip-address-prefix
ip-shortcut-address                Shortcut IP Address                   ip-address, ip-address-mask, ip-address-prefix
ip-protocol                        IP Protocol                           ip-protocol
ip-source-address-prefix-len       Source IP address prefix length       ip-address-prefix-len
ip-destination-address-prefix-len  Destination IP address prefix length  ip-address-prefix-len
ip-tos                             IP Type Of Service                    ip-tos
ip-marked-tos                      IP Type Of Service                    ip-tos
ip-tcp-flags                       IP/TCP Flags                          ip-tcp-flags
ip-source-port                     Source IP Port                        ip-port  eg TCP/UDP
ip-destination-port                Destination IP Port                   ip-port  eg TCP/UDP
input-interface                    Source ifIndex                        ifindex  eg Input Interface
output-interface                   Destination ifIndex                   ifindex  eg Output Interface
start-time                         Start Time of flow                    time, time-date
end-time                           End Time of Flow                      time, time-date
flows                              Number of flows                       counter
octets                             Number of octets                      counter
packets                            Number of packets                     counter
duration                           Duration of flow in ms                counter
engine-id                          Engine ID                             engine
engine-type                        Engine Type                           engine
source-tag                         Source Tag                            tag, tag-mask
destination-tag                    Destination Tag                       tag, tag-mask
pps                                Packets Per Second                    double
bps                                Bits Per Second                       double
random-sample                      Random Sample                         rate
</screen>
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-b<replaceable> big</replaceable>|<replaceable>little</replaceable></term>
<listitem>
<para>Byte order of output.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C<replaceable> Comment</replaceable></term>
<listitem>
<para>Add a comment.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d<replaceable> debug_level</replaceable></term>
<listitem>
<para>Enable debugging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f<replaceable> filter_fname</replaceable></term>
<listitem>
<para>Filter list filename.  Defaults to <filename>@localstatedir@/cfg/filter</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-F<replaceable> filter_definition</replaceable></term>
<listitem>
<para>Select the active definition.  Defaults to default.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>Display help.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>Keep time from input.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z<replaceable> z_level</replaceable></term>
<listitem>
<para>Configure compression level to <replaceable> z_level</replaceable>.  0 is
disabled (no compression), 9 is highest compression.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLES</title>
<informalexample>
<para>
An example of a filter configuration file.
<screen>
filter-primitive srate
  type rate
  permit 100

filter-primitive test-as
  type as
  permit 600,159

filter-primitive test-prefix-len
  type ip-address-prefix-len
  permit 32

filter-primitive test-protocol
  type ip-protocol
  permit tcp

filter-primitive test-tos
  type ip-tos
  mask 0xA0
  permit 0xE0

filter-primitive test-tcp-flags
  type ip-tcp-flags
  mask 0x2
  permit 0x2

filter-primitive test-ifindex
  type ifindex
  permit 0,5,10

filter-primitive test-engine
  type engine
  permit 0

filter-primitive test-port
  type ip-port
  permit https
  permit 80
  default deny

filter-primitive test-address
  type ip-address
  permit 0.0.0.1
  permit 0.0.0.2
  default deny

filter-primitive test-address-mask
  type ip-address-mask
  permit 128.146.197.1 255.255.255.255
  permit 128.146.197.2 255.255.255.255

filter-primitive test-prefix
  type ip-address-prefix
  permit 128.146.0.0/16
  default deny

filter-primitive test-tag
  type tag
  permit 0x00
  permit 0x01
  permit 0xFF

filter-primitive test-tag-mask
  type tag-mask
  permit OSU 0xFF
  permit 0xFF 0xFF
  default deny

filter-primitive test-counter
  type counter
  permit lt 5
  permit gt 10
  default deny

filter-primitive test-time-date
  type time-date
  permit gt December 12, 2002 5:13:21

filter-primitive test-time
  type time-date
  permit gt 12:15:00

filter-definition sample-1-in-100
  match random-sample srate

filter-definition t1
  match engine-type test-engine
  or
  match destination-tag test-tag-mask
</screen>
</para>
</informalexample>
<informalexample>
<para>
Display all flows with a destination port of 80 or source port of 25 (smtp)
starting after Dec 12, 2001.  The file <filename>test</filename> is
populated with the following:
<literallayout>
filter-primitive port80
  type ip-port
  permit 80

filter-primitive port25
  type ip-port
  permit smtp

filter-primitive dec12
  type time-date
  permit gt Dec 12, 2001

filter-definition foo
  match ip-source-port port80
  match start-time dec12
  or
  match ip-destination-port port25
  match start-time dec12
</literallayout>
<command>flow-cat <filename>flows</filename> | flow-nfilter -ftest -Ffoo | flow-print</command>
</para>
</informalexample>
</refsect1>
<refsect1>
<title>BUGS</title>
<para>None known.</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>
<author>
<firstname>Mark</firstname>
<surname>Fullmer</surname>
</author>
<email>maf@splintered.net</email>
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
<application>flow-tools</application>(1)
</para>
</refsect1>
</refentry>
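As an added example (not part of the man page and not flow-tools code), the evaluator below models the filter grammar described above: primitives with ordered permit/deny lines and a default action, definitions whose match lines are ANDed within a group and ORed across groups, and the invert command. The filter text, the flow record field names, and the first-matching-line rule for permit/deny are assumptions made for illustration.

```python
import ipaddress
# Constructed filter text (not from the man page): a deny-before-permit prefix
# primitive, a bucket primitive, an AND/OR definition and an inverted one.
FILTER_TEXT = """
filter-primitive web
  type ip-port
  permit 80,443
filter-primitive campus
  type ip-address-prefix
  deny 128.146.197.0/24
  permit 128.146.0.0/16
filter-definition campus-web
  match ip-source-address campus
  match ip-destination-port web
  or
  match ip-source-port web
filter-definition off-campus
  invert
  match ip-source-address campus
"""
FIELD = {"ip-source-address": "srcaddr", "ip-source-port": "srcport",
         "ip-destination-port": "dstport"}  # match type -> hypothetical flow key
def parse(text):
    # Stanzas become dicts; match lines AND within a group, "or" opens a new group.
    prims, defs, cur = {}, {}, None
    for w in filter(None, (line.split() for line in text.splitlines())):
        if w[0] == "filter-primitive":
            cur = prims[w[1]] = {"type": None, "rules": [], "default": False}
        elif w[0] == "filter-definition":
            cur = defs[w[1]] = {"groups": [[]], "invert": False}
        elif w[0] == "type": cur["type"] = w[1]
        elif w[0] in ("permit", "deny"): cur["rules"].append((w[0] == "permit", w[1]))
        elif w[0] == "default": cur["default"] = w[1] == "permit"
        elif w[0] == "match": cur["groups"][-1].append((w[1], w[2]))
        elif w[0] == "or": cur["groups"].append([])
        elif w[0] == "invert": cur["invert"] = True
    return prims, defs
def primitive_permits(prim, value):
    # First permit/deny line covering the value decides; otherwise the default (deny).
    for permit, arg in prim["rules"]:
        if prim["type"] == "ip-address-prefix":
            hit = ipaddress.ip_address(value) in ipaddress.ip_network(arg, strict=False)
        else:  # numeric bucket types such as ip-port take a comma-separated list
            hit = value in {int(x, 0) for x in arg.split(",")}
        if hit: return permit
    return prim["default"]
def definition_permits(prims, defn, flow):
    hit = any(all(primitive_permits(prims[p], flow[FIELD[m]]) for m, p in group)
              for group in defn["groups"])
    return hit != defn["invert"]  # invert flips the result of the evaluation
```

A flow from 128.146.197.9 is denied by the campus primitive even though it lies inside 128.146.0.0/16, because the deny line precedes the permit line, so ordering of permit/deny lines matters when a primitive carves exceptions out of a larger prefix.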