flow-stat(1) [debian man page]

flow-stat(1)						      General Commands Manual						      flow-stat(1)

NAME
       flow-stat -- Generate reports with flow data.

SYNOPSIS
       flow-stat [-hnpPw] [-d debug_level] [-f format] [-S sort_field]
       [-s sort_field] [-t tally_lines] [-T title]

DESCRIPTION
       The flow-stat utility generates usage reports for flow data sets by
       IP address, IP address pairs, ports, packets, bytes, interfaces, next
       hops, autonomous systems, ToS bits, exporters, and tags.

OPTIONS
       -d debug_level
              Enable debugging.

       -f format
              Report format. Choose from the following:

              0    Overall Summary
              1    Average packet size distribution
              2    Packets per flow distribution
              3    Octets per flow distribution
              4    Bandwidth per flow distribution
              5    UDP/TCP destination port
              6    UDP/TCP source port
              7    UDP/TCP port
              8    Destination IP
              9    Source IP
              10   Source/Destination IP
              11   Source or Destination IP
              12   IP protocol
              13   octets for flow duration plot data
              14   packets for flow duration plot data
              15   short summary
              16   IP Next Hop
              17   Input interface
              18   Output interface
              19   Source AS
              20   Destination AS
              21   Source/Destination AS
              22   IP ToS
              23   Input/Output Interface
              24   Source Prefix
              25   Destination Prefix
              26   Source/Destination Prefix
              27   Exporter IP
              28   Engine Id
              29   Engine Type
              30   Source Tag
              31   Destination Tag
              32   Source/Destination Tag

       -h     Display help.

       -n     Use symbolic names where appropriate.

       -p     Display header information.

       -P     Report as percent total.

       -s sort_field
              Sort ascending on field sort_field.

       -S sort_field
              Sort descending on field sort_field.

       -t tally_lines
              Tally totals every tally_lines lines.

       -T title
              Set report title to title.

       -w     Wide output.

EXAMPLES
       Provide a report on top source/destination IP pairs sorted by octets,
       report in percent total form for the flows in /flows/krc4. Use the
       preload option to flow-cat to preserve meta information and display it
       with flow-stat.

         flow-cat -p /flows/krc4 | flow-stat -f10 -P -p -S4

EXAMPLES
       Many times a campus network will have a single border router which has
       one interface pointing to the internal side and many interfaces
       pointing to other providers. These interfaces each have a unique
       numerical id known in SNMP terms as an ifIndex. The ifIndex to
       interface name mappings can be determined by using a tool such as
       snmpwalk or using show commands in recent versions of IOS with the
       'show snmp mib ifmib ifindex' or JunOS 'show interfaces'. Once the
       ifIndex for each interface is known flow-filter can be combined with
       flow-stat to provide reports such as inbound vs outbound top
       src/destination IP addresses.

       Provide a top source IP address report by outbound traffic, i.e. the
       top senders of traffic on the campus network. Assume the ifIndex of
       the campus interface is 5.

         flow-cat -p /flows/krc4 | flow-filter -i5 | flow-stat -f9 -P -p -S3

EXAMPLES
       Provide a top destination IP address report by outbound traffic, i.e.
       the top sinks of traffic on the campus network. Assume the ifIndex of
       the campus interface is 5.

         flow-cat -p /flows/krc4 | flow-filter -I5 | flow-stat -f8 -P -p -S3

EXAMPLES
       Provide a top source/destination AS report. Use symbolic names.

         flow-cat -p /flows/krc4 | flow-stat -f20 -n -P -p -S4

BUGS
       None known.

AUTHOR
       Mark Fullmer maf@splintered.net

SEE ALSO
       flow-tools(1)

flow-stat(1)

flow-filter(1)						      General Commands Manual						    flow-filter(1)

NAME
       flow-filter -- Filter flows.

SYNOPSIS
       flow-filter [-hko] [-a src_as_filter] [-A dst_as_filter]
       [-b big|little] [-C comment] [-D dstaddr_filter_name]
       [-d debug_level] [-e exaddr_filter] [-f acl_fname] [-i input_filter]
       [-I output_filter] [-p srcport_filter] [-P dstport_filter]
       [-r ipprot_filter] [-S srcaddr_filter_name] [-t tos_filter]
       [-T tcp_flags_filter] [-x nexthop_filter_name] [-z z_level]

DESCRIPTION
       The flow-filter utility will filter flows based on user selectable
       criteria. The IP address filters are defined in flow.acl or by the
       filename specified by -f. Other filters such as input interface and
       ports are defined on the command line. These filters accept range and
       negation operators, i.e. -i1-15 for input interfaces 1 through 15 or
       -i1,15 for input interfaces 1 and 15, or !1,15 for not input
       interfaces 1 and 15. The syntax is kludgy and needs to be reworked but
       works for most applications.

OPTIONS
       -a src_as_filter
              Source AS filter, i.e. -a159 to permit Autonomous System 159.

       -A dst_as_filter
              Destination AS filter, i.e. -A159,3112 to permit Autonomous
              Systems 159 and 3112.

       -b big|little
              Byte order of output.

       -C comment
              Add a comment.

       -d debug_level
              Enable debugging.

       -D dstaddr_filter_name
              Destination IP address filter. This is the name or number of a
              standard access list defined in flow.acl or the file specified
              by -f.

       -e exaddr_filter
              Exporter IP address filter. One exporter address can be
              filtered.

       -f acl_fname
              Access list filename. Defaults to flow.acl.

       -h     Display help.

       -i input_filter
              Input interface filter, i.e. -i0 to permit traffic from
              interface 0.

       -k     Keep time from input.

       -I output_filter
              Output interface filter, i.e. -I0 to permit traffic to
              interface 0.

       -o     Logical OR instead of AND filters.

       -p srcport_filter
              Source port filter, i.e. -p80 to only permit source port 80.

       -P dstport_filter
              Destination port filter, i.e. -P80,8080 to permit destination
              ports 80 and 8080.

       -r ipprot_filter
              IP Protocol filter, i.e. -r6 to only permit TCP traffic.

       -S srcaddr_filter_name
              Source IP address filter. This is the name or number of a
              standard access list defined in flow.acl or the file specified
              by -f.

       -t tos_filter
              ToS bits filter. An optional mask is available which is applied
              to the tos field before comparing to the filter list. For
              example, to match a tos bit pattern of 101xxxxx use 0xA0/0xE0.

       -T tcp_flags_filter
              TCP bits filter. An optional mask is available which is applied
              to the TCP flags field before comparing to the filter list. For
              example, to match flows with the SYN bit set use 0x2/0x2.

       -x nexthop_filter_name
              NextHop IP address filter. This is the name or number of a
              standard access list defined in flow.acl or the file specified
              by -f.

       -z z_level
              Configure compression level to z_level. 0 is disabled (no
              compression), 9 is highest compression.

EXAMPLES
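       The list and mask syntax described above (ranges such as -i1-15,
       negation such as !1,15, and value/mask pairs such as 0xA0/0xE0),
       modelled in Python as an added example for checking which flows a
       filter expression would select. This is not flow-tools code: the
       function names, the reading of a leading ! as negating the whole
       list, and the sample flow records are assumptions made here.

```python
# Added example: a reference model of the flow-filter list syntax.
# Not flow-tools code; names and exact parsing rules are assumptions.

def parse_list(spec, limit=65535):
    """Parse '1-15', '1,15' or '!1,15' into (negate, set of listed values)."""
    negate = spec.startswith("!")
    values = set()
    for part in spec.lstrip("!").split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo, 0)                      # base 0 accepts 80 and 0xA0
        hi = int(hi, 0) if hi else lo
        if not 0 <= lo <= hi <= limit:
            raise ValueError(f"bad range {part!r} in {spec!r}")
        values.update(range(lo, hi + 1))
    return negate, values

def match_list(spec, value, limit=65535):
    """True if value is permitted by a list such as '80,8080' or '!1,15'."""
    negate, values = parse_list(spec, limit)
    return (value in values) != negate

def match_masked(spec, value):
    """'0xA0/0xE0': apply the mask to the field, then compare to the list."""
    listed, _, mask = spec.partition("/")
    mask = int(mask, 0) if mask else 0xFF
    return match_list(listed, value & mask, limit=0xFF)

def select(flows, filters, use_or=False):
    """filters: (field, spec, matcher) tuples; ANDed unless use_or (like -o)."""
    combine = any if use_or else all
    return [f for f in flows
            if combine(m(spec, f[field]) for field, spec, m in filters)]

# Constructed sample flow records (not real data).
FLOWS = [
    {"input": 5,  "dstport": 80,   "tcp_flags": 0x02, "tos": 0x00},  # SYN
    {"input": 2,  "dstport": 443,  "tcp_flags": 0x10, "tos": 0xB8},  # ACK
    {"input": 16, "dstport": 8080, "tcp_flags": 0x12, "tos": 0xA0},  # SYN+ACK
]

if __name__ == "__main__":
    syn_in = [("input", "1-15", match_list), ("tcp_flags", "0x2/0x2", match_masked)]
    print(select(FLOWS, syn_in))               # -i1-15 -T0x2/0x2
    print(select(FLOWS, syn_in, use_or=True))  # same filters with -o
    print(select(FLOWS, [("tos", "0xA0/0xE0", match_masked)]))
```
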
       Print all traffic with a destination port of 80.

         flow-cat /flows/krc4 | flow-filter -P80 | flow-print

       Print all traffic with source IP 10.0.0.1. Populate flow.acl with

         ip access-list standard badguy permit host 10.0.0.1

         flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-print

       Report all destinations that IP 10.0.0.1 has sent traffic to. Sort by
       octets. Populate flow.acl with

         ip access-list standard badguy permit host 10.0.0.1

         flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-stat -f8 -S2

BUGS
       Extended access lists are not fully implemented. The command line
       filter syntax is a kludge.

NOTES
       Use flow-nfilter.

AUTHOR
       Mark Fullmer maf@splintered.net

SEE ALSO
       flow-tools(1)

flow-filter(1)