nfdump(1)                                                            nfdump(1)




NAME

       nfdump - netflow display and analysis program


SYNOPSIS

       nfdump [options] [filter]


DESCRIPTION

       nfdump is the netflow display and analysis program of the nfdump tool
       set. It reads the netflow data from files stored by nfcapd and
       processes the flows according to the options given. The filter syntax
       is comparable to tcpdump and extended for netflow data. nfdump can
       also display many different top N flow and flow element statistics.



OPTIONS

       -r inputfile
          Read input data from inputfile. Default is read from stdin.

       -R expr
          Read input from a sequence of files in the same directory. expr may
          be one of:
           /any/dir          Read recursively all files in directory dir.
           /dir/file         Read all files beginning with file.
           /dir/file1:file2  Read all files from file1 to file2.

           When used in combination with a sub hierarchy:
           /dir/sub1/sub2/file1:sub3/sub4/file2
           Read all files from sub1/sub2/file1 to sub3/sub4/file2, iterating
           over all required hierarchy levels.

           Note: files are read in alphabetical sequence.

       -M expr
          Read input from multiple directories. expr looks like
          /any/path/to/dir1:dir2:dir3 etc. and will be expanded to the
          directories /any/path/to/dir1, /any/path/to/dir2 and
          /any/path/to/dir3. Any number of colon separated directories may be
          given. The files to read are specified by -r or -R and are expected
          to exist in all the given directories. The options -r and -R must
          not contain any directory part when used in conjunction with -M.

       -m Deprecated option. Use -O tstart instead.

       -O order
          Set sort order to print flows or aggregated flows. order can be:
            flows    Sort according to the number of flows
            packets  Sort according to (in)packets
            ipkg     Same as packets
            opkg     Sort according to output packets
            bytes    Sort according to (in)bytes
            ibyte    Same as bytes
            obyte    Sort according to output bytes
            pps      Sort according to (in)packets per second
            ipps     Same as pps
            opps     Sort according to output packets per second
            bps      Sort according to (in)bytes per second
            ibps     Same as bps
            obps     Sort according to output bytes per second
            bpp      Sort according to (in)bytes per packet
            ibpp     Same as bpp
            obpp     Sort according to output bytes per packet
            tstart   Sort according to start time of flow - former -m
            tend     Sort according to end time of flow

       -w outputfile
          If specified, writes binary netflow records to outputfile ready to
          be processed again with nfdump. The default output is ASCII on
          stdout. In combination with the options -O (formerly -m), -a, -b
          and -B, the aggregated and/or sorted flow cache is written to disk
          in binary format.

       -f filterfile
          Reads the filter syntax from filterfile. Note: Any filter specified
          directly on the command line takes precedence over -f.

       -t timewin
          Process only flows which fall in the time window timewin, where
          timewin is YYYY/MM/dd.hh:mm:ss[-YYYY/MM/dd.hh:mm:ss]. Any parts of
          the time spec may be omitted, e.g. YYYY/MM/dd expands to
          YYYY/MM/dd.00:00:00-infinity and processes all flows from the given
          day onwards. The time window may also be specified as +/- n. In
          this case it is relative to the beginning or end of all flows: +10
          means the first 10 seconds of all flows, -10 means the last 10
          seconds of all flows.

       -c num
          Limit the number of records to read and process from the file(s) to
          the first num flows.

       -a Aggregate netflow data. Aggregation is done at connection level by
          taking the 5-tuple protocol, srcip, dstip, srcport and dstport.

       -A aggregation
          Similar to Flexible Netflow (FNF), netflow records can be aggregated
          by any number of given v9 fields. aggregation is a ',' separated
          list of recognised tags from the following list:
            proto      IP protocol
            srcip      Source IP address
            dstip      Destination IP address
            srcip4/net IPv4 source IP address with applied netmask
            srcip6/net IPv6 source IP address with applied netmask
            dstip4/net IPv4 destination IP address with applied netmask
            dstip6/net IPv6 destination IP address with applied netmask
            srcnet     Apply netmask srcmask in netflow record for source IP
            dstnet     Apply netmask dstmask in netflow record for dest IP
            srcport    Source port
            dstport    Destination port
            srcmask    Source mask
            dstmask    Destination mask
            srcvlan    Source vlan label
            dstvlan    Destination vlan label
            srcas      Source AS number
            dstas      Destination AS number
            nextas     BGP Next AS
            prevas     BGP Previous AS
            inif       SNMP input interface number
            outif      SNMP output interface number
            next       IP next hop
            bgpnext    BGP next hop
            insrcmac   In source MAC address
            outdstmac  Out destination MAC address
            indstmac   In destination MAC address
            outsrcmac  Out source MAC address
            tos        Source type of service
            srctos     Source type of service
            dsttos     Destination type of service
            mpls1      MPLS label 1
            mpls2      MPLS label 2
            mpls3      MPLS label 3
            mpls4      MPLS label 4
            mpls5      MPLS label 5
            mpls6      MPLS label 6
            mpls7      MPLS label 7
            mpls8      MPLS label 8
            mpls9      MPLS label 9
            mpls10     MPLS label 10
            router     Exporting router IP
            xsrcip     X-late source IP address, if compiled with NSEL support
            xdstip     X-late destination IP address, if compiled with NSEL
                       support
            xsrcport   X-late source port, if compiled with NSEL support
            xdstport   X-late destination port, if compiled with NSEL support

          nfdump automatically compiles an appropriate output format for the
          selected aggregation unless an explicit output format is given. The
          automatic output format is identical to -o 'fmt:%ts %td <fields>
          %pkt %byt %bps %bpp %fl' where <fields> represents the selected
          aggregation tags.

          Example:
              -A proto,srcip,dstport

              -A srcas,dstas

       -b Aggregate netflow records as bidirectional flows. Automatically
          implies -a. Aggregation is done on connection level by taking the
          5-tuple protocol, srcip, dstip, srcport and dstport, or the reverse
          order for the corresponding connection flow. Input and output
          packets/bytes are counted and reported separately. Both flows are
          merged into a single record. An appropriate output format is
          selected automatically, which may be overridden by any -o format
          option.

       -B Like -b but automatically swaps flows if the src port is < dst
          port, as some exporters do not care about sending the flows in the
          proper order. It is considered a convenience option. Please note:
          for some peer-to-peer flows this may lead to erroneous swapping.

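          The merge that -b performs and the port-order heuristic that -B adds,
          as an added Python example. This is not nfdump's code: the flow table
          and the swap rule are this example's own model of the behaviour
          described above. The records are constructed, with field names
          borrowed from nfdump's csv columns (pr, sa, sp, da, dp, ipkt, ibyt).
          The TCP pair is emitted reply-first, as an exporter that does not
          care about order would send it; the UDP pair is a peer-to-peer style
          exchange with both endpoints on high ports, which is where the
          lower-port rule reorients the record and the initiating host ends up
          as the destination.

```python
"""nfdump -b / -B style bidirectional flow aggregation (added example, not nfdump code)."""
from collections import OrderedDict

# Constructed unidirectional records; keys mirror nfdump's csv column names.
# The TCP reply (443 -> 51000) is listed before the request, as an exporter
# that "does not care" about order would emit it. The UDP pair is a
# peer-to-peer style exchange with both endpoints on high ports.
FLOWS = [
    {"pr": "TCP", "sa": "93.184.216.34", "sp": 443,   "da": "10.0.0.5",      "dp": 51000, "ipkt": 10, "ibyt": 9000},
    {"pr": "TCP", "sa": "10.0.0.5",      "sp": 51000, "da": "93.184.216.34", "dp": 443,   "ipkt": 12, "ibyt": 1800},
    {"pr": "UDP", "sa": "10.0.0.9",      "sp": 6881,  "da": "198.51.100.7",  "dp": 40000, "ipkt": 3,  "ibyt": 300},
    {"pr": "UDP", "sa": "198.51.100.7",  "sp": 40000, "da": "10.0.0.9",      "dp": 6881,  "ipkt": 2,  "ibyt": 200},
]


def biflows(flows, swap_by_port=False):
    """Merge each 5-tuple with its reverse into one record.

    swap_by_port=False models -b: the first record seen fixes the direction,
    the reverse 5-tuple is added as output packets/bytes.
    swap_by_port=True models -B: a record whose src port is lower than its
    dst port is first reoriented so the (assumed) client is the source and
    its counters become the output direction, then merged as with -b.
    """
    table = OrderedDict()
    for f in flows:
        sa, sp, da, dp = f["sa"], f["sp"], f["da"], f["dp"]
        ipkt, ibyt, opkt, obyt = f["ipkt"], f["ibyt"], 0, 0
        if swap_by_port and sp < dp:
            sa, sp, da, dp = da, dp, sa, sp
            ipkt, ibyt, opkt, obyt = 0, 0, ipkt, ibyt
        key = (f["pr"], sa, sp, da, dp)
        rev = (f["pr"], da, dp, sa, sp)
        if key in table:
            rec = table[key]
        elif rev in table:
            rec = table[rev]
            # opposite direction of the stored record: in/out change sides
            ipkt, ibyt, opkt, obyt = opkt, obyt, ipkt, ibyt
        else:
            rec = table[key] = {"pr": f["pr"], "sa": sa, "sp": sp, "da": da, "dp": dp,
                                "ipkt": 0, "ibyt": 0, "opkt": 0, "obyt": 0, "fl": 0}
        rec["ipkt"] += ipkt
        rec["ibyt"] += ibyt
        rec["opkt"] += opkt
        rec["obyt"] += obyt
        rec["fl"] += 1
    return list(table.values())


def fmt_biline(rec):
    """Roughly what -o biline shows: src -> dst with in/out counters."""
    return "%s %s:%d -> %s:%d in %d/%d out %d/%d flows %d" % (
        rec["pr"], rec["sa"], rec["sp"], rec["da"], rec["dp"],
        rec["ipkt"], rec["ibyt"], rec["opkt"], rec["obyt"], rec["fl"])


if __name__ == "__main__":
    for label, swap in (("-b", False), ("-B", True)):
        print(label)
        for rec in biflows(FLOWS, swap_by_port=swap):
            print("  " + fmt_biline(rec))
```

          Under -b the TCP biflow is reported with the server as source simply
          because its record arrived first; -B corrects that. For the UDP pair
          the same rule misfires, because 6881 < 40000 says nothing about who
          initiated the exchange. That is the erroneous swapping the option
          text warns about, and the reason to prefer -b whenever the exporter
          is known to emit flows in order.
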
       -I Print flow statistics from the file specified by -r, or the time
          slot specified by -R/-M.

       -D dns
          Set dns as the nameserver to look up hostnames.

       -s statistic[:p][/orderby]
          Generate the Top N flow or flow element statistic. statistic can be:
            record    Statistic about aggregated netflow records.
            srcip     Statistic about source IP addresses
            dstip     Statistic about destination IP addresses
            ip        Statistic about any (source or destination) IP addresses
            nhip      Statistic about next hop IP addresses
            nhbip     Statistic about BGP next hop IP addresses
            router    Statistic about exporting router IP address
            srcport   Statistic about source ports
            dstport   Statistic about destination ports
            port      Statistic about any (source or destination) ports
            tos       Statistic about type of service - default src
            srctos    Statistic about src type of service
            dsttos    Statistic about dst type of service
            dir       Statistic about flow directions ingress/egress
            srcas     Statistic about source AS numbers
            dstas     Statistic about destination AS numbers
            as        Statistic about any (source or destination) AS numbers
            inif      Statistic about input interface
            outif     Statistic about output interface
            if        Statistic about any interface
            srcmask   Statistic about src mask
            dstmask   Statistic about dst mask
            srcvlan   Statistic about src vlan label
            dstvlan   Statistic about dst vlan label
            vlan      Statistic about any vlan label
            insrcmac  Statistic about input src MAC address
            outdstmac Statistic about output dst MAC address
            indstmac  Statistic about input dst MAC address
            outsrcmac Statistic about output src MAC address
            srcmac    Statistic about any src MAC address
            dstmac    Statistic about any dst MAC address
            inmac     Statistic about any input MAC address
            outmac    Statistic about any output MAC address
            mask      Statistic about any mask
            proto     Statistic about IP protocols
            mpls1     Statistic about MPLS label 1
            mpls2     Statistic about MPLS label 2
            mpls3     Statistic about MPLS label 3
            mpls4     Statistic about MPLS label 4
            mpls5     Statistic about MPLS label 5
            mpls6     Statistic about MPLS label 6
            mpls7     Statistic about MPLS label 7
            mpls8     Statistic about MPLS label 8
            mpls9     Statistic about MPLS label 9
            mpls10    Statistic about MPLS label 10
            sysid     Internal SysID of exporter

            NSEL/ASA stats
            event     NSEL/ASA event
            xevent    NSEL/ASA extended event
            xsrcip    NSEL/ASA translated src IP address
            xsrcport  NSEL/ASA translated src port
            xdstip    NSEL/ASA translated dst IP address
            xdstport  NSEL/ASA translated dst port
            iacl      NSEL/ASA ingress ACL
            iace      NSEL/ASA ingress ACE
            ixace     NSEL/ASA ingress xACE
            eacl      NSEL/ASA egress ACL
            eace      NSEL/ASA egress ACE
            exace     NSEL/ASA egress xACE

            NAT stats
            nevent    NAT event
            vrf/ivrf  NAT ingress vrf
            evrf      NAT egress vrf
            nsrcip    NAT src IP address
            nsrcport  NAT src port
            ndstip    NAT dst IP address
            ndstport  NAT dst port

          By adding :p to the statistic name, the resulting statistic is split
          up into transport layer protocols. The default is transport protocol
          independent statistics.

          orderby is optional and specifies the order in which the statistic
          is sorted and can be flows, packets, bytes, pps, bps or bpp. You
          may specify more than one orderby, which results in the same
          statistic but ordered differently. If no orderby is given,
          statistics are ordered by flows. Any number of -s flow element
          statistics may be specified on the command line for the same run.

          Example:
             -s srcip -s ip/flows -s dstport/pps/packets/bytes -s record/bytes

       -l [+/-]packet_num
          Limit statistics output to those records above or below the
          packet_num limit. packet_num accepts positive or negative numbers
          followed by 'K', 'M' or 'G' for 10E3, 10E6 or 10E9 packets
          respectively. See also the note at -L.

       -L [+/-]byte_num
          Limit statistics output to those records above or below the
          byte_num limit. byte_num accepts positive or negative numbers
          followed by 'K', 'M' or 'G' for 10E3, 10E6 or 10E9 bytes
          respectively. Note: These limits only apply to the statistics and
          aggregated outputs generated with -a -s. To filter netflow records
          by packets and bytes, use the filter syntax 'packets' and 'bytes'
          described below.

       -n num
          For record statistics (-s ..): Define the number for the Top N.
          Defaults to 10. Use -n 0 to list all records.
          For record sorting and aggregation (-a .. -O ..): Limit the records
          to the first top num sorted records. If not specified or -n 0 is
          given, all records are listed.

       -o format
          Selects the output format to print flows or flow record statistics
          (-s record). The following formats are available:
            raw      Print full flow record on multiple lines.
            line     Print each flow on one line. Default format.
            long     Print each flow on one line with more details.
            biline   Same as line, but for bidir flows.
            bilong   Same as long, but for bidir flows.
            extended Print each flow on one line with even more details.
            nsel     Print each NSEL event on one line. Default for NSEL/NAT
                     data.
            nel      Print each NAT event on one line.
            csv      Comma separated output for machine readable processing.
            json     Print the full record as a separate json object.
            pipe     Legacy machine readable format: fields '|' separated.
            fmt:format User defined output format.
          For each predefined output format except -o fmt:<format> an IPv6
          long output format exists: line6, long6 and extended6. See output
          formats below for more information.

       -q Suppress the header line and the statistics at the bottom.

       -N Print plain numbers in output. Easier for post-parsing.

       -i ident
          Change the ident label in the file specified by -r to ident.

       -v file
          Verify file. Print data file version, number of blocks and
          compression status.

       -E file
          Print the exporter/sampler list found in file. In the case of an
          nfcapd collector file, additional statistics per exporter are
          printed with the number of flows, packets and sequence errors.

       -x file
          Scan and print the extension maps located in file.

       -j Compress flows. Use bz2 compression in the output file. Space
          efficient method.

       -y Compress flows. Use LZ4 compression in the output file. Time
          efficient method.

       -z Compress flows. Use fast LZO1X-1 compression in the output file.
          Time efficient method.

       -J num
          Change the compression of the file(s) given by -r <file> or -R
          <dir>. num: 0: uncompressed, 1: LZO1X-1, 2: bz2, 3: LZ4
          compression.

       -Z Check filter syntax and exit. Sets the return value accordingly.

       -X Compiles the filter syntax and dumps the filter engine table to
          stdout. This is for debugging purposes only.

       -V Print nfdump version and exit.

       -h Print help text on stdout with all options and exit.


RETURN VALUE

       Returns
           0   No error.
           255 Initialization failed.
           254 Error in filter syntax.
           250 Internal error.


OUTPUT FORMATS

       The output format raw prints each flow record on multiple lines,
       including all information available in the record. This is the most
       detailed view on a flow.

       Other output formats print each flow on a single line. Predefined
       output formats are line, long and extended. The output format line is
       the default output format when no format is specified. It limits the
       information to the connection details as well as the number of
       packets, bytes and flows.

       The output format long is identical to the format line, and includes
       additional information such as TCP flags and Type of Service.

       The output format extended is identical to the format long, and
       includes additional computed information such as pps, bps and bpp.

       Fields:

          Date flow start: Start time flow first seen. ISO 8601 format
          including milliseconds.

          Duration: Duration of the flow in seconds and milliseconds. If
          flows are aggregated, the duration is the time span over the entire
          period of time from first seen to last seen.

          Proto: Protocol used in the connection.

          Src IP Addr:Port: Source IP address and source port.

          Dst IP Addr:Port: Destination IP address and destination port. In
          the case of ICMP, the port is decoded as type.code.

          Flags: TCP flags of the connection, ORed together.

          Tos: Type of service.

          Packets: The number of packets in this flow. If flows are
          aggregated, the packets are summed up.

          Bytes: The number of bytes in this flow. If flows are aggregated,
          the bytes are summed up.

          pps: The calculated packets per second: number of packets /
          duration. If flows are aggregated this results in the average pps
          during this period of time.

          bps: The calculated bits per second: 8 * number of bytes / duration.
          If flows are aggregated this results in the average bps during this
          period of time.

          Bpp: The calculated bytes per packet: number of bytes / number of
          packets. If flows are aggregated this results in the average bpp
          during this period of time.

          Flows: Number of flows. If flows are listed only, this number is
          always 1. If flows are aggregated, this shows the number of flows
          aggregated into one record.

       Numbers larger than 1'000'000 (1000*1000) are scaled to 4 digits and
       one decimal digit including the scaling factor M, G or T for cleaner
       output, e.g. 923.4 M

       To make the output more readable, IPv6 addresses are shrunk down to
       16 characters. The seven leading and seven trailing digits, connected
       with two dots '..', are displayed in any normal output format. To
       display the full IPv6 address, use the appropriate long format, which
       is the format name followed by a 6.

       Example: -o line displays an IPv6 address as 2001:23..80:d01e whereas
       the format -o line6 displays the IPv6 address in full length
       2001:234:aabb::211:24ff:fe80:d01e. The combination of -o line -6 is
       equivalent to -o line6.

       The output format fmt:<format> allows you to define your own output
       format. A format description consists of a single line containing
       arbitrary strings and format specifiers as described below.

          %<format> Inserts the predefined format at this position. e.g. %line
          %ff       flow record flags in hex.
          %ts       Start Time - first seen
          %tsr      Start Time, but in fractional seconds since the epoch
                    (1970-01-01)
          %te       End Time - last seen
          %ter      End Time, in fractional seconds
          %tr       Time the flow was received by the collector
          %trr      Time the flow was received, in fractional seconds
          %td       Duration
          %pr       Protocol
          %exp      Exporter ID
          %eng      Engine Type/ID
          %lbl      Flowlabel
          %sa       Source Address
          %da       Destination Address
          %sap      Source Address:Port
          %dap      Destination Address:Port
          %sp       Source Port
          %dp       Destination Port
          %sn       Source Network, mask applied
          %dn       Destination Network, mask applied
          %nh       Next-hop IP Address
          %nhb      BGP Next-hop IP Address
          %ra       Router IP Address
          %sas      Source AS
          %das      Destination AS
          %nas      Next AS
          %pas      Previous AS
          %in       Input Interface num
          %out      Output Interface num
          %pkt      Packets - default input
          %ipkt     Input Packets
          %opkt     Output Packets
          %byt      Bytes - default input
          %ibyt     Input Bytes
          %obyt     Output Bytes
          %fl       Flows
          %flg      TCP Flags
          %tos      Tos - default src
          %stos     Src Tos
          %dtos     Dst Tos
          %dir      Direction: ingress, egress
          %smk      Src mask
          %dmk      Dst mask
          %fwd      Forwarding Status
          %svln     Src vlan label
          %dvln     Dst vlan label
          %ismc     Input Src Mac Addr
          %odmc     Output Dst Mac Addr
          %idmc     Input Dst Mac Addr
          %osmc     Output Src Mac Addr
          %mpls1    MPLS label 1
          %mpls2    MPLS label 2
          %mpls3    MPLS label 3
          %mpls4    MPLS label 4
          %mpls5    MPLS label 5
          %mpls6    MPLS label 6
          %mpls7    MPLS label 7
          %mpls8    MPLS label 8
          %mpls9    MPLS label 9
          %mpls10   MPLS label 10
          %mpls     MPLS labels 1-10
          %bps      bps - bits per second
          %pps      pps - packets per second
          %bpp      bpp - bytes per packet

          NSEL specific formats
          %nfc      NSEL connection ID
          %evt      NSEL event
          %xevt     NSEL extended event
          %msec     NSEL event time in msec
          %iacl     NSEL ingress ACL
          %eacl     NSEL egress ACL
          %xsa      NSEL XLATE src IP address
          %xda      NSEL XLATE dst IP address
          %xsp      NSEL XLATE src port
          %xdp      NSEL XLATE dst port
          %xsap     Xlate Source Address:Port
          %xdap     Xlate Destination Address:Port
          %uname    NSEL user name

          NEL/NAT specific formats
          %nevt     NAT event - same as %evt
          %ivrf     NAT ingress VRF ID
          %evrf     NAT egress VRF ID
          %nsa      NAT src IP address
          %nda      NAT dst IP address
          %nsp      NAT src port
          %ndp      NAT dst port
          %pbstart  NAT pool block start
          %pbend    NAT pool block end
          %pbstep   NAT pool block step
          %pbsize   NAT pool block size

          Nprobe formats
          %cl       Client latency
          %sl       Server latency
          %al       Application latency


       The "flow flags" format (%ff) prints the internal record flags as a
       single hexadecimal number, consisting of any of these flag values or-ed
       together:

          1    Record contains IPv6 addresses
          2    Packet counters are 64-bit
          4    Byte counters are 64-bit
          8    IP next hop is an IPv6 address
          16   BGP next hop is an IPv6 address
          32   Exporting router is an IPv6 address
          64   Record is an EVENT record
          128  Record is sampled

       Example: the standard output format long can be created as
          -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl"

       You may also define your own output format and have it compiled into
       nfdump. See nfdump.c section Output Formats for more details.

       The csv output format is intended to be read by another program for
       further processing. As an example, see the parse_csv.pl Perl program.
       The csv output format consists of one or more output blocks and one
       summary block. Each output block starts with a csv index line followed
       by the csv record lines. The index line describes the order in which
       the fields of each following record line are composed.

       Example:
          Index line:   ts,te,td,sa,da,sp,dp,pr,...
          Record line:  2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,...

       All records are in ASCII readable form. Numbers are not scaled, so each
       line can easily be parsed.

       Indices used in nfdump 1.6:

          ts,te,td    time records: t-start, t-end, duration
          sa,da       src, dst address
          sp,dp       src, dst port
          pr          protocol PF_INET or PF_INET6
          flg         TCP Flags:
                         000001 FIN
                         000010 SYN
                         000100 RESET
                         001000 PUSH
                         010000 ACK
                         100000 URGENT
                         e.g. 6 => SYN + RESET
          fwd         forwarding status
          stos        src tos
          ipkt,ibyt   input packets/bytes
          opkt,obyt   output packets, bytes
          in,out      input/output interface SNMP number
          sas,das     src, dst AS
          smk,dmk     src, dst mask
          dtos        dst tos
          dir         direction
          nh,nhb      next hop IP address, BGP next hop IP
          svln,dvln   src, dst vlan id
          ismc,odmc   input src, output dst MAC
          idmc,osmc   input dst, output src MAC
          mpls1,mpls2 MPLS label 1-10
          mpls3,mpls4
          mpls5,mpls6
          mpls7,mpls8
          mpls9,mpls10
          ra          router IP
          eng         router engine type/id

       See parse_csv.pl for more details.

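       The csv block structure described above, parsed as an added Python
       example. This is not nfdump's parse_csv.pl or any other nfdump code.
       The sample output is constructed: the index line is trimmed to a
       subset of the documented columns, and the 'Summary' label plus the
       column names of the summary block are assumptions about the layout,
       not taken from nfdump. The top_n function then reproduces a
       -s dstport/bytes style ranking from the parsed records, which is the
       usual first step when the csv is consumed by a detection script
       rather than read by eye.

```python
"""Parse nfdump -o csv output and derive a Top N statistic (added example)."""
import csv
import io
import re

# Constructed sample in the layout the man page describes: an index line,
# record lines, then a summary block. The index is trimmed to a subset of
# the documented columns; the 'Summary' label and the summary block's own
# column names are an assumption about the layout, not taken from nfdump.
SAMPLE = """\
ts,te,td,sa,da,sp,dp,pr,flg,ipkt,ibyt,opkt,obyt,in,out
2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,10.0.0.5,93.184.216.34,51000,443,TCP,27,12,1800,0,0,3,4
2004-07-11 10:30:02,2004-07-11 10:30:40,38.000,10.0.0.5,93.184.216.34,51002,443,TCP,27,20,4000,0,0,3,4
2004-07-11 10:30:05,2004-07-11 10:30:05,0.000,10.0.0.9,198.51.100.7,40001,53,UDP,0,1,80,0,0,3,4
2004-07-11 10:30:07,2004-07-11 10:31:09,62.000,10.0.0.9,203.0.113.4,40002,22,TCP,27,30,5200,0,0,3,4
Summary
flows,bytes,packets
4,11080,63
"""

_IDENT = re.compile(r"[a-z][a-z0-9]*")


def _convert(value):
    """Numbers are not scaled in csv output, so plain int/float parsing is safe."""
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    if re.fullmatch(r"-?\d+\.\d+", value):
        return float(value)
    return value


def parse_csv(text):
    """Return a list of blocks: {'index': [...], 'records': [dict, ...], 'summary': bool}.

    A block starts with an index line (every field a lowercase identifier)
    and runs until the next index line. The block after a 'Summary' label is
    flagged as the summary block.
    """
    blocks, current, summary_next = [], None, False
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row == ["Summary"]:
            summary_next = True
            continue
        if all(_IDENT.fullmatch(field) for field in row):
            current = {"index": row, "records": [], "summary": summary_next}
            blocks.append(current)
            summary_next = False
            continue
        if current is None or len(row) != len(current["index"]):
            raise ValueError("record does not match the current index line: %r" % (row,))
        current["records"].append(dict(zip(current["index"], map(_convert, row))))
    return blocks


def flow_records(blocks):
    """All records from the output blocks, excluding the summary block."""
    return [r for b in blocks if not b["summary"] for r in b["records"]]


def top_n(records, element="dp", orderby="ibyt", n=10):
    """Per-element totals ranked by orderby, like 'nfdump -s dstport/bytes'.

    orderby is one of flows, ipkt, ibyt (the in-counters that -s uses by default).
    Returns [(element value, orderby total, flow count), ...].
    """
    totals = {}
    for r in records:
        t = totals.setdefault(r[element], {"flows": 0, "ipkt": 0, "ibyt": 0})
        t["flows"] += 1
        t["ipkt"] += r["ipkt"]
        t["ibyt"] += r["ibyt"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1][orderby], reverse=True)
    return [(value, t[orderby], t["flows"]) for value, t in ranked[:n]]


if __name__ == "__main__":
    recs = flow_records(parse_csv(SAMPLE))
    for dp, nbytes, flows in top_n(recs, "dp", "ibyt", 3):
        print("dst port %5d: %8d bytes in %d flow(s)" % (dp, nbytes, flows))
```

       Index lines are recognised by their content rather than by position,
       so the parser copes with several output blocks in one run (one per -s
       statistic) and with a summary block whose columns differ from the
       flow records. Because the values are unscaled, the bytes total of
       the constructed summary (11080) is simply the sum of the ibyt column.
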

FILTER

       The filter syntax is similar to the well known pcap library used by
       tcpdump. The filter can be either specified on the command line after
       all options or in a separate file. It can span several lines. Anything
       after a '#' is treated as a comment and ignored to the end of the line.
       There is virtually no limit on the length of the filter expression. All
       keywords are case insensitive.

       Any filter consists of one or more expressions expr. Any number of expr
       can be linked together:

       expr and expr, expr or expr, not expr and ( expr ).

       expr can be one of the following filter primitives:

       include
           @include <file>
           Include the content of <file> into the filter.

       ip version
           inet  or ipv4 for IPv4
           inet6 or ipv6 for IPv6

       protocol
           proto <protocol>
           proto <number>
           where <protocol> is a known protocol such as tcp, udp, icmp, icmp6,
           gre, esp, ah, etc. or a valid protocol number: 6, 17 etc.

       IP address
           [src|dst] ip <ipaddr>
           [src|dst] host <ipaddr>
           with <ipaddr> as any valid IPv4 or IPv6 address, or a fully
           qualified hostname. In the case of a hostname, the IP address is
           looked up in DNS. If more than a single IP address is found, all
           IP addresses are chained together (ip1 or ip2 or ip3 ...).

           To check if an IP address is in a known IP list, use
           [src|dst] ip in [ <iplist> ]
           [src|dst] host in [ <iplist> ]
           <iplist> is a space or comma separated list of individual <ipaddr>
           or fully qualified hostnames, which are looked up in DNS. If more
           than a single IP address is found, all IP addresses are put into
           the list.

       [src|dst]
           IP addresses, networks, ports, AS numbers etc. can be specifically
           selected by using a direction qualifier, such as src or dst. They
           can also be used in combination with and and or, such as src and
           dst ip ...

       network
           [src|dst] net a.b.c.d m.n.r.s
           Select the IPv4 network a.b.c.d with netmask m.n.r.s.

           [src|dst] net <net>/<num>
           with <net> as a valid IPv4 or IPv6 network and <num> as mask bits.
           The number of mask bits must match the appropriate address family,
           IPv4 or IPv6. Networks may be abbreviated such as 172.16/16 if
           they are unambiguous.

       Port
           [src|dst] port [comp] <num>
           with <num> as any valid port number. If comp is omitted, '=' is
           assumed. comp is explained in more detail below.
           [src|dst] port in [ <portlist> ]
           A port can be compared against a known list, where <portlist> is a
           space separated list of individual port numbers.

       ICMP
           icmp-type <num>
           icmp-code <num>
           with <num> as a valid icmp type/code. This automatically implies
           proto icmp.

       Router ID
           engine-type <num>
           engine-id <num>
           sysid <num>
           with <num> as a valid router engine type/id or exporter ID (0..255).

       Interface
           [in|out] if <num>
           Select the input, output or either interface ID, with <num> as the
           SNMP interface number.
           Example: in if 3

       AS numbers
           [src|dst|prev|next] as [comp] <num>
           Selects the source, destination, previous, next or any AS number,
           with <num> as any valid AS number. 32bit AS numbers are supported.
           If comp is omitted, '=' is assumed. comp is explained in more
           detail below.

           [src|dst|prev|next] as in [ <ASlist> ]
           An AS number can be compared against a known list, where <ASlist>
           is a space or comma separated list of individual AS numbers.

       Prefix mask bits
           [src|dst] mask <bits>
           with <bits> as any valid prefix mask bit value.

       Vlan labels
           [src|dst] vlan <num>
           with <num> as any valid vlan label.

705       Flags
706           flags <tcpflags>
707           with <tcpflags> as a combination of:
708              A    ACK.
709              S    SYN.
710              F    FIN.
711              R    Reset.
712              P    Push.
713              U    Urgent.
714              X    All flags on.
715       The  ordering  of  the  flags  is not relevant. Flags not mentioned are
716       treated as don't care.  In order to get those flows with only  the  SYN
717       flag set, use the syntax 'flags S and not flags AFRPU'.
718
       Next hop IP
           next ip <ipaddr>
           with <ipaddr> as the IPv4/IPv6 IP address of the next hop router.

       Next-hop router's IP in the BGP domain
           bgpnext ip <ipaddr>
           with <ipaddr> as the IPv4/IPv6 next-hop router's IP in the BGP
           domain. ( v9 #18 )

       Router IP
           router ip <ipaddr>
           Filter the flows according to the IP address of the exporting
           router.

       MAC addresses
           [InOutSrcDst] mac <addr>
           With <addr> as any valid MAC address. mac can be narrowed down by
           using any combination of the direction specifiers as defined by
           CISCO v9: in src, in dst, out src, out dst.

       MPLS labels
           mpls label<n> [comp] <num>
           With <n> as any MPLS label number 1..10. Filters exactly the
           specified label<n>.
           mpls eos [comp] <num>
           Filters the End of Stack label for a given value <num>.
           mpls exp<n> [comp] <bits>
           Filters the experimental bits of label <n> with <bits> 0..7.

       Packets
           packets [comp] <num> [scale]
           To filter for netflow records with a specific packet count.
           Example: packets > 1k

       Bytes
           bytes [comp] <num> [scale]
           To filter for netflow records with a specific byte count.
           Example: bytes 46 filters all empty IPv4 packets

       Aggregated flows
           flows [comp] <num> [scale]
           To filter for netflow records with a specific number of aggregated
           flows.

       Type of Service (TOS)
           [SourceDestination] tos <num>
           With <num> 0..255. For compatibility with nfdump 1.5.x: tos <num>
           is equivalent to src tos <num>

       Packets per second: Calculated value.
           pps [comp] num [scale]
           To filter for flows with specific packets per second.

       Duration: Calculated value
           duration [comp] num
           To filter for flows with a specific duration in milliseconds.

       Bits per second: Calculated value.
           bps [comp] num [scale]
           To filter for flows with specific bits per second.

       Bytes per packet: Calculated value.
           bpp [comp] num [scale]
           To filter for flows with specific bytes per packet.

       scale Scaling factor. May be k, m or g. Factor is 1000.

       comp The following comparators are supported:
           =, ==, >, <, EQ, LT, GT . If comp is omitted, '=' is assumed.
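Added example (Python, not nfdump's own code) modelling the numeric filter expressions described above: the comparators, the k/m/g scale factors and the calculated values pps, bps and bpp, evaluated over constructed flow records. The formulas for the calculated values and the treatment of zero-duration flows are assumptions, not taken from nfdump.

```python
import re

# Scale factor is 1000, as the man page states (k, m, g).
SCALE = {"": 1, "k": 1000, "m": 1000 ** 2, "g": 1000 ** 3}
# All comparators the page lists; a missing comp means '='.
COMP = {"=": "eq", "==": "eq", "EQ": "eq",
        ">": "gt", "GT": "gt", "<": "lt", "LT": "lt"}
EXPR_RE = re.compile(
    r"^(packets|bytes|flows|pps|bps|bpp|duration)\s*"
    r"(==|=|>|<|EQ|GT|LT)?\s*(\d+)\s*([kmg])?$")

def calculated(flow: dict) -> dict:
    """Derive pps/bps/bpp from a record. Assumed formulas: duration is in
    milliseconds; a zero-duration flow yields 0 for the rate values."""
    secs = flow["duration"] / 1000.0
    return {
        "pps": flow["packets"] / secs if secs else 0.0,
        "bps": flow["bytes"] * 8 / secs if secs else 0.0,
        "bpp": flow["bytes"] / flow["packets"] if flow["packets"] else 0.0,
    }

def parse(expr: str):
    """Split '<field> [comp] <num> [scale]' into (field, comparison, value)."""
    m = EXPR_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    field, comp, num, scale = m.groups()
    return field, COMP[comp or "="], int(num) * SCALE[scale or ""]

def matches(flow: dict, expr: str) -> bool:
    """Evaluate one numeric filter expression against one flow record."""
    field, comp, value = parse(expr)
    actual = flow[field] if field in flow else calculated(flow)[field]
    return {"eq": actual == value, "gt": actual > value, "lt": actual < value}[comp]

# Constructed sample records (not captured data): duration is in milliseconds.
FLOWS = [
    {"id": "A", "packets": 1500, "bytes": 150000, "duration": 2000, "flows": 1},
    {"id": "B", "packets": 1, "bytes": 46, "duration": 0, "flows": 1},
    {"id": "C", "packets": 12000, "bytes": 18000000, "duration": 3000, "flows": 4},
]

def select(expr: str) -> list:
    """Return the ids of the sample flows that match expr."""
    return [f["id"] for f in FLOWS if matches(f, expr)]
```

For instance, the page's own 'packets > 1k' selects records A and C, and 'bytes 46' selects only the single-packet record B.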

       NSEL/ASA specific filters:

       NSEL/ASA Event
           asa event <ignore|create|term|delete|deny>
           asa event [comp] <number>
           Select an NSEL/ASA event by name or number. If given as a number,
           it can be compared with a number.

       NSEL/ASA denied reason
           asa event denied <ingress|egress|interface|nosyn>
           Select an NSEL/ASA denied event by type.

       NSEL/ASA extended events
           asa xevent [comp] <num>
           Select an extended NSEL/ASA event by number, or optionally compare
           it against a number.

       X-late IP addresses and ports
           [src|dst] xip <ip>
           Select the translated IP address.

           [src|dst] xnet <net>/<num>
           with <net> as a valid translated IPv4 or IPv6 network and <num> as
           mask bits. The number of mask bits must match the appropriate
           address family, IPv4 or IPv6. Networks may be abbreviated, such as
           172.16/16, if they are unambiguous.

           [src|dst] xport <port>
           Select the translated port.

       NSEL/ASA ingress/egress
           ingress <ACL|ACE|XACE> [comp] number
           Select/compare an ingress ACL.

           egress ACL [comp] <number>
           Select/compare an egress ACL.

       NEL specific NAT filters:

       NAT Event
           nat event <add|delete>
           nat event [comp] <number>
           Select an NEL NAT event by name or number. If given as a number, it
           can be compared with a number.

       NEL NAT IP addresses and ports
           [src|dst] nip <ip>
           Select the NAT IP address.

           [src|dst] nport <port>
           Select the NAT port.

       NEL NAT vrf
           ingress vrf <num>
           Select the VRF.


Flowlabel

       One or more specific filter expressions can be assigned a flowlabel in
       order to identify the flow in the output according to the label. A
       flowlabel has the form %LabelName and is appended or prepended to a
       filter expression in parentheses. It may have up to 16 characters.
       Example: (ip 8.8.8.8) %GoogleDNS. If a filter matches with a labeled
       expression, and that expression is in the matching filter path, the
       label can be printed in the output using the %lbl format token. See
       OUTPUT FORMATS. Example: add the flowlabel to the end of the 'line'
       format:
       ./nfdump -r <file> -o 'fmt:%line %lbl' ...
       Note: A filter may have multiple matching paths, for example proto tcp
       or ip 8.8.8.8. The shortest path which evaluates successfully wins.
       Other paths are skipped, which means that flowlabels are not printed
       for filter paths that were not evaluated. A filter may contain multiple
       flowlabels. The flowlabel of the last matching expression in the
       winning path is printed. Flowlabels are most useful in large and
       complex filters stored in one or multiple files, to make the flow
       output list easier to read.
       Example: (ip in [172.16.1.0/24]) %ISP_1 or (ip in [172.16.16.0/24])
       %IPS_2 or %GoogleDNS((proto udp or proto tcp) and ip 8.8.8.8)


EXAMPLES

       nfdump -r /and/dir/nfcapd.201107110845 -c 100 'proto tcp and ( src ip
       172.16.17.18 or dst ip 172.16.17.19 )'
       Dumps the first 100 netflow records which match the given filter.

       nfdump -r /and/dir/nfcapd.201107110845 -B
       Maps matching flows as a bi-directional single flow.

       nfdump -R /and/dir/nfcapd.201107110845:nfcapd.200407110945 'host
       192.168.1.2'
       Dumps all netflow records of host 192.168.1.2 from July 11 08:45 -
       09:45.

       nfdump -M /to/and/dir1:dir2 -R nfcapd.200407110845:nfcapd.200407110945
       -s record -n 20
       Generates the Top 20 statistics from 08:45 to 09:45 from 3 sources.

       nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 -o extended
       Generates the Top 20 statistics in the extended output format.

       nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 'in if 5 and bps
       > 10k'
       Generates the Top 20 statistics from flows coming from interface 5.

       nfdump -r /and/dir/nfcapd.201107110845 'inet6 and proto tcp and ( src
       port > 1024 and dst port 80 )'
       Dumps all port 80 IPv6 connections to any web server.


NOTES

       Generating the statistics for data files of a few hundred MB is no
       problem. However, be careful if you want to create statistics over
       several GB of data. This may consume a lot of memory and can take a
       while. Flow anonymization has moved into nfanon.


SEE ALSO

       nfcapd(1), nfanon(1), nfprofile(1), nfreplay(1)


BUGS

       There is still the famous last bug. Please report them - all the last
       bugs - back to me.


                                  2009-09-09                         nfdump(1)