FLOW-XLATE(1)                                                    FLOW-XLATE(1)

NAME

       flow-xlate - Apply translations to selected fields of a flow.

SYNOPSIS

       flow-xlate [ -hkn ] [ -b big|little ] [ -C comment ] [ -d debug_level ]
       [ -v variable binding ] [ -V flow_version ] [ -x xlate_fname ]
       [ -X xlate_definition ] [ -z z_level ]

DESCRIPTION

       The flow-xlate utility is used to apply translations to flows.
       Translations are defined in a configuration file and are composed of
       actions and a definition to invoke action(s). The definitions are in
       the form of terms; each term can have a filter and multiple actions.

       Words in the configuration file of the form @VAR or @{VAR:default} are
       expanded at run time using variables set with the -v option.

       Translation actions begin with the xlate-action keyword followed by a
       symbolic name. Each action has a type, listed below.

       Translation definitions begin with the xlate-definition keyword
       followed by a symbolic name. Each definition is composed of terms which
       are evaluated in the order of the configuration file. A term may invoke
       a filter to conditionally invoke an action.
       Action type/sub-commands                Description/Example
       ------------------------------------------------------------------------
       ip-source-address-to-network            Zero host bits based on mask.
       ip-destination-address-to-network       Zero host bits based on mask.

         (no sub-commands)

       ip-source-address-to-class-network      Zero source host bits to
                                               match class.
       ip-destination-address-to-class-network Zero dst host bits to
                                               match class.

         (no sub-commands)

       ip-source-address-anonymize             Anonymize source address.
       ip-destination-address-anonymize        Anonymize destination address.
       ip-address-anonymize                    Anonymize src/dst address.

           algorithm                           Algorithm.  cryptopan-aes128 is
                                               currently supported.
                                                algorithm cryptopan-aes128

           key                                 Key.  Key is 128 bits in hex.
                                                key 0123456789ABCDEFG

           key-file                            File to load key from.  Key is
                                               128 bits in hex.
                                                key-file /mfstmp/secret-key

           key-file-refresh                    How often to check the key file.
                                               Interval is in minutes, the
                                               optional second argument is
                                               hour:min:sec to specify the
                                               first refresh.  This example
                                               will load a new key every day
                                               at 12:00:00.
                                                14400 12:00:00

       ip-address-privacy-mask                 Apply a mask to the source and
                                               destination address to remove
                                               bits.

       ip-port-privacy-mask                    Apply a mask to the source and
                                               destination port to remove
                                               bits.

       tag-mask                                Apply mask to the source and
                                               destination tag.

           mask                                Source and Destination mask
                                               to apply.
                                                mask 0xFFFF 0xFFFF

       scale                                   Scale packets and bytes.

         scale                                 Scale to apply.
                                                scale 100

       replace-source-as0                      Replace source AS 0
       replace-destination-as0                 Replace destination AS 0

         as                                    AS replacement value.
                                                as 3112

OPTIONS

       -b big|little
              Byte order of output.

       -C Comment
              Add a comment.

       -d debug_level
              Enable debugging.

       -h     Display help.

       -k     Keep time from input.

       -n     Don't load configuration file. Useful only with -V.

       -v variable binding
              Set a variable FOO=bar.

       -V pdu_version
              Use pdu_version format output.

                  1    NetFlow version 1 (No sequence numbers, AS, or mask)
                  5    NetFlow version 5
                  6    NetFlow version 6 (5+ Encapsulation size)
                  7    NetFlow version 7 (Catalyst switches)
                  8.1  NetFlow AS Aggregation
                  8.2  NetFlow Proto Port Aggregation
                  8.3  NetFlow Source Prefix Aggregation
                  8.4  NetFlow Destination Prefix Aggregation
                  8.5  NetFlow Prefix Aggregation
                  8.6  NetFlow Destination (Catalyst switches)
                  8.7  NetFlow Source Destination (Catalyst switches)
                  8.8  NetFlow Full Flow (Catalyst switches)
                  8.9  NetFlow ToS AS Aggregation
                  8.10 NetFlow ToS Proto Port Aggregation
                  8.11 NetFlow ToS Source Prefix Aggregation
                  8.12 NetFlow ToS Destination Prefix Aggregation
                  8.13 NetFlow ToS Prefix Aggregation
                  8.14 NetFlow ToS Prefix Port Aggregation
                  1005 Flow-Tools tagged version 5

       -x xlate_fname
              Translation config file name. Defaults to
              /etc/flow-tools/cfg/xlate.cfg

       -X xlate_definition
              Translation definition. Defaults to default.

       -z z_level
              Configure compression level to z_level. 0 is disabled (no
              compression), 9 is highest compression.

EXAMPLES

       Convert the version 7 flows in flows.v7 to version 5, storing the
       result in flows.v5.

       flow-xlate -V5 < flows.v7 > flows.v5

       Set the low 11 bits in the IP addresses to zero unless the address is
       multicast or it belongs to the 192.88.99/24 network.

       # xlate.cfg
       include-filter filter.cfg

       xlate-action MULTICAST-PRIVACY
         type ip-address-privacy-mask
         mask 0xFFFFFFFF 0xFFFFFFFF

       xlate-action UNICAST-PRIVACY
         type ip-address-privacy-mask
         mask 0xFFFFFF00 0xFFFFF800

       xlate-definition abilene_privacy
         term
           filter mcast
           action MULTICAST-PRIVACY
           stop
         term
           filter ucast
           action UNICAST-PRIVACY


       # filter.cfg
       filter-primitive MCAST
         type ip-address-mask
         permit 224.0.0.0 240.0.0.0

       filter-primitive UCAST
         type ip-address-mask
         deny 224.0.0.0 240.0.0.0
         default permit

       filter-primitive SKIP
         type ip-address-mask
         deny 192.88.99.0 255.255.255.0
         default permit

       filter-definition mcast
         match ip-destination-address MCAST

       filter-definition ucast
         match ip-destination-address UCAST
         match ip-destination-address SKIP
         match ip-source-address SKIP

       flow-cat flows | flow-xlate -xxlate.cfg -Xabilene_privacy | flow-print
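
       The following Python model is an added example, not part of flow-tools
       or of the original manual page. It walks constructed sample flows
       through the abilene_privacy terms above and shows which address bits
       are cleared (8 from the source and 11 from the destination with the
       masks as written). It assumes the match lines of a filter-definition
       are ANDed and that the first mask value applies to the source and the
       second to the destination; all function names are hypothetical.

```python
import ipaddress

# Values copied from the xlate.cfg / filter.cfg example above.
SRC_MASK, DST_MASK = 0xFFFFFF00, 0xFFFFF800    # UNICAST-PRIVACY mask
MCAST = ipaddress.ip_network("224.0.0.0/4")    # 224.0.0.0 240.0.0.0
SKIP = ipaddress.ip_network("192.88.99.0/24")  # 192.88.99.0 255.255.255.0


def is_mcast(flow):
    """filter-definition mcast: destination is permitted by MCAST."""
    return ipaddress.ip_address(flow["dst"]) in MCAST


def is_ucast(flow):
    """filter-definition ucast: all three match lines permit (assumed AND)."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    return dst not in MCAST and dst not in SKIP and src not in SKIP


def apply_mask(addr, mask):
    """AND a dotted-quad IPv4 address with a 32-bit mask."""
    return str(ipaddress.ip_address(int(ipaddress.ip_address(addr)) & mask))


def abilene_privacy(flow):
    """Model of xlate-definition abilene_privacy; terms run in file order."""
    out = dict(flow)
    if is_mcast(flow):
        # MULTICAST-PRIVACY masks with 0xFFFFFFFF, so nothing is cleared,
        # and 'stop' ends evaluation before the second term.
        return out
    if is_ucast(flow):
        out["src"] = apply_mask(flow["src"], SRC_MASK)
        out["dst"] = apply_mask(flow["dst"], DST_MASK)
    return out


# Constructed sample flows (not real traffic).
SAMPLES = [
    {"src": "10.1.2.77", "dst": "172.16.45.200"},    # plain unicast
    {"src": "10.1.2.77", "dst": "224.0.1.5"},        # multicast destination
    {"src": "192.88.99.1", "dst": "172.16.45.200"},  # source in SKIP
    {"src": "10.1.2.77", "dst": "192.88.99.1"},      # destination in SKIP
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f, "->", abilene_privacy(f))
```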

FILES

       Configuration files: Symbols - /etc/flow-tools/sym/*. Filter -
       /etc/flow-tools/cfg/filter.cfg. Xlate - /etc/flow-tools/cfg/xlate.cfg.

BUGS

       The scale option can overflow the 32 bit flow counters. This could be
       solved by detecting this condition and splitting the flow in two.
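
       The overflow and the proposed fix, sketched in Python as an added
       example (not flow-tools code). It assumes an unchecked 32-bit multiply
       wraps around, and it generalizes the "split in two" idea to as many
       records as are needed; the function names are hypothetical.

```python
U32_MAX = 0xFFFFFFFF  # flow packet and byte counters are 32 bits wide


def scale_wrapping(count, factor):
    """Result of an unchecked 32-bit multiply (assumed to wrap around)."""
    return (count * factor) & U32_MAX


def scale_split(packets, octets, factor):
    """Scale both counters and split the flow if either exceeds 32 bits.

    Returns a list of (packets, octets) pairs that each fit in 32 bits and
    whose sums equal the exact scaled totals.
    """
    sp, so = packets * factor, octets * factor
    # Number of output records needed so every part fits (ceiling division).
    parts = max(1, -(-sp // U32_MAX), -(-so // U32_MAX))
    out = []
    for i in range(parts):
        # Spread the remainder over the first records so the sums stay exact.
        p = sp // parts + (1 if i < sp % parts else 0)
        o = so // parts + (1 if i < so % parts else 0)
        out.append((p, o))
    return out


if __name__ == "__main__":
    # Constructed flow: 1,000,000 packets, 60,000,000 bytes, "scale 100".
    print("wrapped bytes:", scale_wrapping(60_000_000, 100))
    print("split records:", scale_split(1_000_000, 60_000_000, 100))
```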
       Translation between aggregated and non aggregated formats is not
       supported.

AUTHOR

       Mark Fullmer <maf@splintered.net>

SEE ALSO

       flow-tools(1)



                                26 August 2010                   FLOW-XLATE(1)