1nfdump(1) nfdump(1)
2
6 nfdump - netflow display and analyze program
7
9 nfdump [options] [filter]
10
12 nfdump is the netflow display and analyzing program of the nfdump tool
13 set. It reads the netflow data from files stored by nfcapd and pro‐
14 cesses the flows according the options given. The filter syntax is com‐
15 parable to tcpdump and extended for netflow data. Nfdump can also dis‐
16 play many different top N flow and flow element statistics.
17
20 -r inputfile
21 Read input data from inputfile. Default is read from stdin.
22 -R expr
24 Read input from a sequence of files in the same directory. expr may
25 be one of:
26 /any/dir Read recursively all files in directory dir.
27 /dir/file Read all files beginning with file.
28 /dir/file1:file2 Read all files from file1 to file2.
29 When using in combination with a sub hierarchy:
31 /dir/sub1/sub2/file1:sub3/sub4/file2
32 Read all files from sub1/sub2/file1 sub3/sub4/file2 iterating over
33 all required hierarchy levels.
34 Note: files are read in alphabetical sequence.
36 -M expr
38 Read input from multiple directories. expr looks like:
39 /any/path/to/dir1:dir2:dir3 etc. and will be expanded to the direc‐
40 tories: /any/path/to/dir1, /any/path/to/dir2 and /any/path/to/dir3
41 Any number of colon separated directories may be given. The files to
42 read are specified by -r or -R and are expected to exist in all the
43 given directories. The options -r and -R must not contain any
44 directory part when used in conjunction with -M.
45 -m deprecated option. Use -O tstart instead.
47 -O order
49 Set sort order to print flows or aggregated flows. order can be:
50 flows Sort according the number of flows
51 packets Sort according to (in)packets
52 ipkg Same as packets
53 opkg Sort according to output packets
54 bytes Sort according to (in)bytes
55 ibyte Same as bytes
56 obyte Sort according to output bytes
57 pps Sort according to (in)packets per second
58 ipps Same as ipps
59 opps Sort according to out packets per second
60 bps Sort according to (in)bytes per second
61 ibps Same as bps
62 obps Sort according to output bytes per second
63 bpp Sort according to (in)bytes per packet
64 ibpp Same as bpp
65 obpp Sort according to output packets
66 tstart Sort according to start time of flow - former -m
67 tend Sort according to end time of flows
68 -w outputfile
70 If specified writes binary netflow records to outputfile ready to be
71 processed again with nfdump. The default output is ASCII on stdout.
72 In combination with options -m, -a, -b, and -B write aggregated
73 and/or sorted flow cache in binary format to disk.
74 -f filterfile
76 Reads the filter syntax from filterfile. Note: Any filter specified
77 directly on the command line takes precedence over -f.
78 -t timewin
80 Process only flows, which fall in the time window timewin, where
81 timewin is YYYY/MM/dd.hh:mm:ss[-YYYY/MM/dd.hh:mm:ss]. Any parts of
82 the time spec may be omitted e.g YYYY/MM/dd expands to
83 YYYY/MM/dd.00:00:00-infinity and processes all flow from a given day
84 onwards. The time window may also be specified as +/- n. In this
85 case it is relativ to the beginning or end of all flows. +10 means
86 the first 10 seconds of all flows, -10 means the last 10 seconds of
87 all flows.
88 -c num
90 Limit the number of records to read and process from file(es) to the
91 first num flows.
92 -a Aggregate netflow data. Aggregation is done at connection level by
94 taking the 5-tuple protocol, srcip, dstip, srcport and dstport.
95 -A aggregation
97 Similar to Flexible Netflow (FNF), netflow records can be aggregated
98 by any number of given v9 fields. aggregation is a ',' separated
99 list of recognised tags of the following list:
100 proto IP protocol
101 srcip Source IP address
102 dstip Destination IP address
103 srcip4/net IPv4 source IP address with applied netmask
104 srcip6/net IPv6 source IP address with applied netmask
105 dstip4/net IPv4 destination IP address with applied netmask
106 dstip6/net IPv6 destination IP address with applied netmask
107 srcnet Apply netmask srcmask in netflow record for source IP
108 dstnet Apply netmask dstmask in netflow record for dest IP
109 srcport Source port
110 dstport Destination port
111 srcmask Source mask
112 dstmask Destination mask
113 srcvlan Source vlan label
114 dstvlan Destination vlan label
115 srcas Source AS number
116 dstas Destination AS number
117 nextas BGP Next AS
118 prevas BGP Previous AS
119 inif SNMP input interface number
120 outif SNMP output interface number
121 next IP next hop
122 bgpnext BGP next hop
123 insrcmac In source MAC address
124 outdstmac out destination MAC address
125 indstmac In destintation MAC address
126 outsrcmac Out source MAC address
127 tos Source type of service
128 srctos Source type of Service
129 dsttos Destination type of Service
130 mpls1 MPLS label 1
131 mpls2 MPLS label 2
132 mpls3 MPLS label 3
133 mpls4 MPLS label 4
134 mpls5 MPLS label 5
135 mpls6 MPLS label 6
136 mpls7 MPLS label 7
137 mpls8 MPLS label 8
138 mpls9 MPLS label 9
139 mpls10 MPLS label 10
140 router Exporting router IP
141 xsrcip X-late source IP address, if compiled with NSEL support
142 xdstip X-late destination IP address, if compiled with NSEL
143 support
144 xsrcport X-late source port, if compiled with NSEL support
145 xdstport X-late destination port, if compiled with NSEL support
146 nfdump automatically compiles an appropriate output format for the
148 selected aggregation unless an explicit output format is given. The
149 automatic output format is identical to -o 'fmt:%ts %td <fields>
150 %pkt %byt %bps %bpp %fl' where <fields> represents the selected
151 aggregation tags.
152 Example:
154 -A proto,srcip,dstport
155 -A srcas,dstas
157 -b Aggregate netflow records as bidirectional flows. Automatically
159 implies -a. Aggregation is done on connection level by taking the
160 5-tuple protocol, srcip, dstip, srcport and dstport, or the reverse
161 order for the corresponding connection flow. Input and output pack‐
162 ets/bytes are counted and reported separate. Both flows are merged
163 into a single record. An appropriate output format is selected auto‐
164 matically, which may be overwritten by any -o format option.
165 -B Like -b but automagically swaps flows if src port is < dst port for
167 TCP and UDP flows and src port < 1024 and dst port > 1024. as some
168 exporters do not care sending the flows in proper order. Other flows
169 are not affected. It's considered to be a convenient option.
170 -I Print flow statistics from file specified by -r, or timeslot speci‐
172 fied by -R/-M.
173 -D dns
175 Set dns as nameserver to lookup hostnames.
176 -s statistic[:p][/orderby]
178 Generate the Top N flow or flow element statistic. statistic can be:
179 record Statistic about arregated netflow records.
180 srcip Statistic about source IP addresses
181 dstip Statistic about destination IP addresses
182 ip Statistic about any (source or destination) IP addresses
183 nhip Statistic about next hop IP addresses
184 nhbip Statistic about BGP next hop IP addresses
185 router Statistic about exporting router IP address
186 srcport Statistic about source ports
187 dstport Statistic about destination ports
188 port Statistic about any (source or destination) ports
189 tos Statistic about type of service - default src
190 srctos Statistic about src type of service
191 dsttos Statistic about dst type of service
192 dir Statistic about flow directions ingress/egress
193 srcas Statistic about source AS numbers
194 dstas Statistic about destination AS numbers
195 as Statistic about any (source or destination) AS numbers
196 inif Statistic about input interface
197 outif Statistic about output interface
198 if Statistic about any interface
199 srcmask Statistic about src mask
200 dstmask Statistic about dst mask
201 srcvlan Statistic about src vlan label
202 dstvlan Statistic about dst vlan label
203 vlan Statistic about any vlan label
204 insrcmac Statistic about input src MAC address
205 outdstmac Statistic about output dst MAC address
206 indstmac Statistic about input dst MAC address
207 outsrcmac Statistic about output src MAC address
208 srcmac Statistic about any src MAC address
209 dstmac Statistic about any dst MAC address
210 inmac Statistic about any input MAC address
211 outmac Statistic about any output MAC address
212 mask Statistic about any mask
213 proto Statistic about IP protocols
214 mpls1 Statistic about MPLS label 1
215 mpls2 Statistic about MPLS label 2
216 mpls3 Statistic about MPLS label 3
217 mpls4 Statistic about MPLS label 4
218 mpls5 Statistic about MPLS label 5
219 mpls6 Statistic about MPLS label 6
220 mpls7 Statistic about MPLS label 7
221 mpls8 Statistic about MPLS label 8
222 mpls9 Statistic about MPLS label 9
223 mpls10 Statistic about MPLS label 10
224 sysid Internal SysID of exporter
225 NSEL/ASA stats
227 event NSEL/ASA event
228 xevent NSEL/ASA extended event
229 xsrcip NSEL/ASA translated src IP address
230 xsrcport NSEL/ASA translated src port
231 xdstip NSEL/ASA translated dst IP address
232 xdstport NSEL/ASA translated dst port
233 iacl NSEL/ASA ingress ACL
234 iace NSEL/ASA ingress ACE
235 ixace NSEL/ASA ingress xACE
236 eacl NSEL/ASA egress ACL
237 eace NSEL/ASA egress ACE
238 exace NSEL/ASA egress xACE
239 NAT stats
241 nevent NAT event
242 vrf/ivrf NAT ingress vrf
243 evrf NAT egress vrf
244 nsrcip NAT src IP address
245 nsrcport NAT src port
246 ndstip NAT dst IP address
247 ndstport NAT dst port
248 By adding :p to the statistic name, the resulting statistic is split
250 up into transport layer protocols. Default is transport protocol
251 independent statistics.
252 orderby is optional and specifies the order by which the statistics
254 is ordered and can be flows, packets, bytes, pps, bps or bpp. You
255 may specify more than one orderby which results in the same statis‐
256 tic but ordered differently. If no orderby is given, statistics are
257 ordered by flows. You can specify as many -s flow element statis‐
258 tics on the command line for the same run.
259 Example:
261 -s srcip -s ip/flows -s dstport/pps/packets/bytes -s record/bytes
262 -l [+/-]packet_num
264 Limit statistics output to those records above or below the
265 packet_num limit. packet_num accepts positive or negative numbers
266 followed by 'K' , 'M' or 'G' 10E3, 10E6 or 10E9 flows respectively.
267 See also note at -L
268 -L [+/-]byte_num
270 Limit statistics output to those records above or below the byte_num
271 limit. byte_num accepts positive or negative numbers followed by 'K'
272 , 'M' or 'G' 10E3, 10E6 or 10E9 bytes respectively. Note: These lim‐
273 its only apply to the statistics and aggregated outputs generated
274 with -a -s. To filter netflow records by packets and bytes, use the
275 filter syntax 'packets' and 'bytes' described below.
276 -n num
278 For record statistics (-s .. ): Define the number for the Top N.
279 Defaults to 10. Use -n 0 to list all records.
280 For record sorting and aggregation (-a .. -O ..): Limit the records
281 to the first top num sorted records. if not specified or -n 0 is
282 given, all records are listed.
283 -o format
285 Selects the output format to print flows or flow record statistics
286 (-s record). The following formats are available:
287 raw Print full flow record on multiple lines.
288 line Print each flow on one line. Default format.
289 long Print each flow on one line with more details
290 biline Same as line, but for bidir flows
291 bilong Same as long, but for bidir flows
292 extended Print each flow on one line with even more details.
293 nsel Print each NSEL event on one line. Default if NSEL/NAT
294 nel Print each NAT event on one line.
295 csv Comma separated output for machine readable processing.
296 json Print full record as separate json object
297 pipe Legacy machine readable format: fields '|' separated.
298 fmt:format User defined output format.
299 For each defined output format except -o fmt:<format> an IPv6 long
300 output format exists. line6, long6 and extended6. See output for‐
301 mats below for more information.
302 -q Suppress the header line and the statistics at the bottom.
304 -N Print plain numbers in output. Easier for post-parsing.
306 -i ident
308 Change ident label in file, specified by -r to ident
309 -v file
311 Verify file. Print data file version, number of blocks and compres‐
312 sion status.
313 -E file
315 Print exporter/sampler list found in file. In case of a nfcapd col‐
316 lector file, an additional statistics per exporter is printed with
317 number of flows, packets and sequence errors.
318 -x file
320 Scan and print extension maps located in file file
321 -j Compress flows. Use bz2 compression in output file. Space efficient
323 method
324 -y Compress flows. Use LZ4 compression in output file. Time efficient
326 method
327 -z Compress flows. Use fast LZO1X-1 compression in output file. Time
329 efficient method
330 -J num
332 Change compression for file(s) given by -r <file> or -R <dir> num: 0
333 uncompress, 1: LZO1X-1, 2: bz2, 3: LZ4 compression
334 -Z Check filter syntax and exit. Sets the return value accordingly.
336 -X Compiles the filer syntax and dumps the filter engine table to std‐
338 out. This is for debugging purpose only.
339 -V Print nfdump version and exit.
341 -h Print help text on stdout with all options and exit.
343
345 Returns
346 0 No error.
347 255 Initialization failed.
348 254 Error in filter syntax.
349 250 Internal error.
350
352 The output format raw prints each flow record on multiple lines,
353 including all information available in the record. This is the most
354 detailed view on a flow.
355 Other output formats print each flow on a single line. Predefined out‐
357 put formats are line, long and extended The output format line is the
358 default output format when no format is specified. It limits the
359 imformation to the connection details as well as number of packets,
360 bytes and flows.
361 The output format long is identical to the format line, and includes
363 additional information such as TCP flags and Type of Service.
364 The output format extended is identical to the format long, and
366 includes additional computed information such as pps, bps and bpp.
367 Fields:
369 Date flow start: Start time flow first seen. ISO 8601 format includ‐
371 ing milliseconds.
372 Duration: Duration of the flow in seconds and milliseconds. If
374 flows are aggregated, duration is the time span over the entire
375 periode of time from first seen to last seen.
376 Proto: Protocol used in the connection.
378 Src IP Addr:Port: Source IP address and source port.
380 Dst IP Addr:Port: Destination IP address and destination port. In
382 case of ICMP, port is decodes as type.code.
383 Flags: TCP flags ORed of the connection.
385 Tos: Type of service.
387 Packets: The number of packets in this flow. If flows are aggre‐
389 gated, the packets are summed up.
390 Bytes: The number of bytes in this flow. If flows are aggregated,
392 the bytes are summed up.
393 pps: The calculated packets per second: number of packets / dura‐
395 tion. If flows are aggregated this results in the average pps dur‐
396 ing this periode of time.
397 bps: The calculated bits per second: 8 * number of bytes / duration.
399 If flows are aggregated this results in the average bps during this
400 periode of time.
401 Bpp: The calculated bytes per packet: number of bytes / number of
403 packets. If flows are aggregated this results in the average bpp
404 during this periode of time.
405 Flows: Number of flows. If flows are listed only, this number is
407 always 1. If flows are aggregated, this shows the number of aggre‐
408 gated flows to one record.
409 Numbers larger than 1'000'000 (1000*1000), are scaled to 4 digits and
411 one decimal digit including the scaling factor M, G or T for cleaner
412 output, e.g. 923.4 M
413 To make the output more readable, IPv6 addresses are shrinked down to
415 16 characters. The seven most and seven least digits connected with two
416 dots '..' are displayed in any normal output formats. To display the
417 full IPv6 address, use the appropriate long format, which is the format
418 name followed by a 6.
419 Example: -o line displays an IPv6 address as 2001:23..80:d01e where as
421 the format -o line6 displays the IPv6 address in full length
422 2001:234:aabb::211:24ff:fe80:d01e. The combination of -o line -6 is
423 equivalent to -o line6.
424 The output format fmt:<format> allows you to define your own output
426 format. A format description format consists of a single line contain‐
427 ing arbitrary strings and format specifier as described below
428 %<format> Inserts the predefined format at this position. e.g. %line
430 %ff flow record flags in hex.
431 %ts Start Time - first seen
432 %tsr Start Time, but in fractional seconds since the epoch
433 (1970-01-01)
434 %te End Time - last seen
435 %ter End Time, in fractional seconds
436 %tr Time the flow was received by the collector
437 %trr Time the flow was received, in fractional seconds
438 %td Duration
439 %pr Protocol
440 %exp Exporter ID
441 %eng Engine Type/ID
442 %lbl Flowlabel
443 %sa Source Address
444 %da Destination Address
445 %sap Source Address:Port
446 %dap Destination Address:Port
447 %sp Source Port
448 %dp Destination Port
449 %sn Source Network, mask applied
450 %dn Destination Network, mask applied
451 %nh Next-hop IP Address
452 %nhb BGP Next-hop IP Address
453 %ra Router IP Address
454 %sas Source AS
455 %das Destination AS
456 %nas Next AS
457 %pas Previous AS
458 %in Input Interface num
459 %out Output Interface num
460 %pkt Packets - default input
461 %ipkt Input Packets
462 %opkt Output Packets
463 %byt Bytes - default input
464 %ibyt Input Bytes
465 %obyt Output Bytes
466 %fl Flows
467 %flg TCP Flags
468 %tos Tos - default src
469 %stos Src Tos
470 %dtos Dst Tos
471 %dir Direction: ingress, egress
472 %smk Src mask
473 %dmk Dst mask
474 %fwd Forwarding Status
475 %svln Src vlan label
476 %dvln Dst vlan label
477 %ismc Input Src Mac Addr
478 %odmc Output Dst Mac Addr
479 %idmc Input Dst Mac Addr
480 %osmc Output Src Mac Addr
481 %mpls1 MPLS label 1
482 %mpls2 MPLS label 2
483 %mpls3 MPLS label 3
484 %mpls4 MPLS label 4
485 %mpls5 MPLS label 5
486 %mpls6 MPLS label 6
487 %mpls7 MPLS label 7
488 %mpls8 MPLS label 8
489 %mpls9 MPLS label 9
490 %mpls10 MPLS label 10
491 %mpls MPLS labels 1-10
492 %bps bps - bits per second
493 %pps pps - packets per second
494 %bpp bps - Bytes per package
495 NSEL specific formats
497 %nfc NSEL connection ID
498 %evt NSEL event
499 %xevt NSEL extended event
500 %sgt NSEL Source security group tag
501 %msec NSEL event time in msec
502 %iacl NSEL ingress ACL
503 %eacl NSEL egress ACL
504 %xsa NSEL XLATE src IP address
505 %xda NSEL XLATE dst IP address
506 %xsp NSEL XLATE src port
507 %xdp NSEL SLATE dst port
508 %xsap Xlate Source Address:Port
509 %xdap Xlate Destination Address:Port
510 %uname NSEL user name
511 NEL/NAT specific formats
513 %nevt NAT event - same as %evt
514 %ivrf NAT ingress VRF ID
515 %evrf NAT egress VRF ID
516 %nsa NAT src IP address
517 %nda NAT dst IP address
518 %nsp NAT src port
519 %ndp NAT dst port
520 %pbstart NAT pool block start
521 %pbend NAT pool block end
522 %pbstep NAT pool block step
523 %pbsize NAT pool block size
524 Nprobe formats
526 %cl Client latency
527 %sl Server latency
528 %al Application latency
529 The "flow flags" format (%ff) prints the internal record flags as a
532 single hexadecimal number, consisting of any of these flag values or-ed
533 together:
534 1 Record contains IPv6 addresses
536 2 Packet counters are 64-bit
537 4 Byte counters are 64-bit
538 8 IP next hop is an IPv6 address
539 16 BGP next hop is an IPv6 address
540 32 Exporting router is an IPv6 address
541 64 Record is an EVENT record
542 128 Record is sampled
543 Example: the standard output format long can be created as
545 -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl"
546 You may also define your own output format and have it compiled into
548 nfdump. See nfdump.c section Output Formats for more details.
549 The csv output format is intended to be read by another program for
551 further processing. As an example, see the parse_csv.pl Perl program.
552 The cvs output format consists of one or more output blocks and one
553 summary block. Each output block starts with a cvs index line followed
554 by the cvs record lines. The index lines describes the order, how each
555 following record is composed.
556 Example:
558 Index line: ts,te,td,sa,da,sp,dp,pr,...
559 Record line: 2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,...
560 All records are in ASCII readable form. Numbers are not scaled, so each
562 line can easily be parsed.
563 Indices used in nfdump 1.6:
565 ts,te,td time records: t-start, t-end, duration
567 sa,da src dst address sp,dp src, dst port
568 pr protocol PF_INET or PF_INET6
569 flg TCP Flags:
570 000001 FIN.
571 000010 SYN
572 000100 RESET
573 001000 PUSH
574 010000 ACK
575 100000 URGENT
576 e.g. 6 => SYN + RESET
577 fwd forwarding status
578 stos src tos
579 ipkt,ibyt input packets/bytes
580 opkt,obyt output packets, bytes
581 in,out input/output interface SNMP number
582 sas,das src, dst AS
583 smk,dmk src, dst mask
584 dtos dst tos
585 dir direction
586 nh,nhb nethop IP address, bgp next hop IP
587 svln,dvln src, dst vlan id
588 ismc,odmc input src, output dst MAC
589 idmc,osmc input dst, output src MAC
590 mpls1,mpls2 MPLS label 1-10
591 mpls3,mpls4
592 mpls5,mpls6
593 mpls7,mpls8
594 mpls9,mpls10
595 ra router IP
596 eng router engine type/id
597 See parse_csv.pl for more details.
599
601 The filter syntax is similar to the well known pcap library used by
602 tcpdump. The filter can be either specified on the command line after
603 all options or in a separate file. It can span several lines. Anything
604 after a '#' is treated as a comment and ignored to the end of the line.
605 There is virtually no limit in the length of the filter expression. All
606 keywords are case independent.
607 Any filter consists of one or more expressions expr. Any number of expr
609 can be linked together:
610 expr and expr, expr or expr, not expr and ( expr ).
612 Expr can be one of the following filter primitives:
614 include
616 @include <file>
617 include the content of <file> into filter.
618 ip version
620 inet or ipv4 for IPv4
621 inet6 or ipv6 for IPv6
622 protocol
624 proto <protocol>
625 proto <number>
626 where <protocol> is known protocol such as tcp, udp, icmp, icmp6,
627 gre, esp, ah, etc. or a valid protocol number: 6, 17 etc.
628 IP address
630 [src|dst] ip <ipaddr>
631 [src|dst] host <ipaddr>
632 with <ipaddr> as any valid IPv4, IPv6 address, or a full qualified
633 hostname. In case of a hostname, the IP address is looked up in
634 DNS. If more than a single IP address is found, all IP addresses
635 are chained together. (ip1 or ip2 or ip3 ... )
636 To check if an IP address is in a known IP list, use
638 [src|dst] ip in [ <iplist> ]
639 [src|dst] host in [ <iplist> ]
640 <iplist> is a space or comma separated list of individual <ipaddr>
641 or full qualified hostnames, which are looked up in DNS. If more
642 than a single IP address is found, all IP addresses are put into
643 the list.
644 [src|dst]
646 IP addresses, networks, ports, AS number etc. can be specifically
647 selected by using a direction qualifier, such as src or dst. They
648 can also be used in combination with and and or. such as src and
649 dst ip ...
650 network
652 [src|dst] net a.b.c.d m.n.r.s
653 Select the IPv4 network a.b.c.d with netmask m.n.r.s.
654 [src|dst] net <net>/<num>
656 with <net> as a valid IPv4 or IPv6 network and <num> as maskbits.
657 The number of mask bits must match the appropriate address familiy
658 in IPv4 or IPv6. Networks may be abbreviated such as 172.16/16 if
659 they are unambiguous.
660 Port
662 [src|dst] port [comp] <num>
663 with <num> as any valid port number. If comp is omitted,
664 '=' is assumed. comp is explained more detailed below.
665 [src|dst] port in [ <portlist> ]
666 A port can be compared against a know list, where <portlist> is a
667 space separated list of individual port numbers.
668 ICMP
670 icmp-type <num>
671 icmp-code <num>
672 with <num> as a valid icmp type/code. This automatically implies
673 proto icmp.
674 Router ID
676 engine-type <num>
677 engine-id <num>
678 sysid <num>
679 with <num> as a valid router engine type/id or exporter ID(0..255).
680 Interface
682 [in|out] if <num>
683 Select input or output or either interface ID, with num as the SNMP
684 interface number.
685 Example: in if 3
686 AS numbers
688 [src|dst|prev|next] as [comp] <num>
689 Selects source, dstination, previous, next or any AS number with
690 <num> as any valid as number. 32bit AS numbers are supported. If
691 comp is omitted, '=' is assumed. comp is explained more detailed
692 below.
693 [src|dst|prev|next] as in [ <ASlist> ]
695 An AS number can be compared against a know list, where <ASlist> is
696 a space or comma separated list of individual AS numbers.
697 Prefix mask bits
699 [src|dst] mask <bits>
700 with <bits> as any valid prefix mask bit value.
701 Vlan labels
703 [src|dst] vlan <num>
704 with <num> as any valid vlan label.
705 Flags
707 flags <tcpflags>
708 with <tcpflags> as a combination of:
709 A ACK.
710 S SYN.
711 F FIN.
712 R Reset.
713 P Push.
714 U Urgent.
715 X All flags on.
716 The ordering of the flags is not relevant. Flags not mentioned are
717 treated as don't care. In order to get those flows with only the SYN
718 flag set, use the syntax 'flags S and not flags AFRPU'.
719 Next hop IP
721 next ip <ipaddr>
722 with <ipaddr> as IPv4/IPv6 IP address of next hop router.
723 Next-hop router's IP in the BGP domain
725 bgpnext ip <ipaddr>
726 with <ipaddr> as IPv4/IPv6 next-hop router's IP in the BGP domain.
727 ( v9 #18 )
728 Router IP
730 router ip <ipaddr>
731 Filter the flows according the IP address of the exporting router.
732 MAC addresses
734 [InOutSrcDst] mac <addr>
735 With <addr> any valid MAC address. mac can be more specific speci‐
736 fied by using any combination of a direction specifier as defined
737 by CISCO v9. in src, in dst, out src, out dst.
738 MPLS labels
740 mpls label<n> [comp] <num>
741 With <n> as any mpls label number 1..10. Filters exactly specified
742 label<n>.
743 mpls eos [comp] <num>
744 Filters End of Stack label for a given value <num>.
745 mpls exp<n> [comp] <bits>
746 Filters experimental bits of label <n> with <bits> 0..7.
747 Packets
749 packets [comp] <num> [scale]
750 To filter for netflow records with a specific packet count.
751 Example: packets > 1k
752 Bytes
754 bytes [comp] <num> [scale]
755 To filter for netflow records with a specific byte count.
756 Example: bytes 46 filters all empty IPv4 packets
757 Aggregated flows
759 flows [comp] <num> [scale]
760 To filter for netflow records with a specific number of aggregated
761 flows.
762 Type of Service (TOS)
764 [SourceDestination] tos <num>
765 With <num> 0..255. For compatibility with nfdump 1.5.x: tos <num>
766 is equivalent with src tos <num>
767 Packets per second: Calculated value.
769 pps [comp] num [scale]
770 To filter for flows with specific packets per second.
771 Duration: Calculated value
773 duration [comp] num
774 To filter for flows with specific duration in milliseconds.
775 Bits per second: Calculated value.
777 bps [comp] num [scale]
778 To filter for flows with specific bytes per second.
779 Bytes per packet: Calculated value.
781 bpp [comp] num [scale]
782 To filter for flows with specific bytes per packet.
783 scale scaling factor. Maybe k m g. Factor is 1000
785 comp The following comparators are supported:
787 =, ==, >, <, EQ, LT, GT . If comp is omitted, '=' is assumed.
788 NSEL/ASA specific filters:
790 NSEL/ASA Event
792 asa event <ignore|create|term|delete|deny>
793 asa event [comp] <number>
794 select NSEL/ASA event by name or number. If given as number it can
795 be compared with a number
796 NSEL/ASA denied reason
798 asa event denied <ingress|egress|interface|nosyn>
799 Select a NSEL/ASA denied event by type
800 NSEL/ASA extended events
802 asa xevent [comp] <num>
803 Select an extended NSELL ASA event by number, or optionally com‐
804 pared by a number.
805 X-late IP addresses and ports
807 [src|dst] xip <ip>
808 Select the translated IP address
809 [src|dst] xnet <net>/<num>
811 with <net> as a valid translated IPv4 or IPv6 network and <num> as
812 maskbits. The number of mask bits must match the appropriate
813 address familiy in IPv4 or IPv6. Networks may be abbreviated such
814 as 172.16/16 if they are unambiguous.
815 [src|dst] xport <port>
817 Select the translated port
818 NSEL/ASA ingress/egress
820 ingress <ACL|ACE|XACE> [comp] number
821 Select/compare an ingress ACL
822 egress ACL [comp] <number>
824 Select/compare an egress ACL
825 NEL specific NAT filters:
827 NAT Event
829 nat event <add|delete>
830 nat event [comp] <number>
831 select NEL NAT event by name or number. If given as number it can
832 be compared with a number
833 NEL NAT ip addresses and ports
835 [src|dst] nip <ip>
836 Select the NAT IP address
837 [src|dst] nport <port>
839 Select the NAT port
840 NEL NAT vrf
842 ingress vrf <num>
843 Select the vrf
844
847 One or more specific filter expressions can be assigned a flowlabel in
848 order to identify the flow in the output according to the label. A
849 flowlabel has the form %LabelName and is appended or prepended to a
850 filter expression in braces. It may have up to 16 characters. Example:
851 (ip 8.8.8.8) %GoogleDNS. If a filter matches, with a labeled expres‐
852 sions, and that expression is in the matching filter patch, the label
853 can be printed in the output, using the %%lbl format token. See OUTPUT
854 FORMATS. Example: Add flowlabel to end of 'line' format:
855 ./nfdump -r <file> -o 'fmt:%line %lbl" ..
856 Note: A filter may have multiple matching paths - for example proto tcp
857 or ip 8.8.8.8 The shortest path which evaluates successfully, wins.
858 Other paths are skipped, which means that flowlabels are not printed in
859 not evaluated filter paths. A filter may contain multiple flowlabels.
860 The flowlabel of the last matching expression in the winning path is
861 printed. Flowlabels are most useful in large and complex filters
862 stored in one or multiple files, to better read the flow output list.
863 Example: (ip in [172.16.1.0/24]) %ISP_1 or (ip in [172.16.16.0/24])
864 %IPS_2 or %GoogleDNS((proto udp or proto tcp) and ip 8.8.8.8)
865
867 nfdump -r /and/dir/nfcapd.201107110845 -c 100 'proto tcp and ( src ip
868 172.16.17.18 or dst ip 172.16.17.19 )' Dumps the first 100 netflow
869 records which match the given filter:
870 nfdump -r /and/dir/nfcapd.201107110845 -B Map matching flows as bin-
872 directional single flow.
873 nfdump -R /and/dir/nfcapd.201107110845:nfcapd.200407110945 'host
875 192.168.1.2' Dumps all netflow records of host 192.168.1.2 from July 11
876 08:45 - 09:45
877 nfdump -M /to/and/dir1:dir2 -R nfcapd.200407110845:nfcapd.200407110945
879 -s record -n 20 Generates the Top 20 statistics from 08:45 to 09:45
880 from 3 sources
881 nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 -o extended Gen‐
883 erates the Top 20 statistics, extended output format
884 nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 'in if 5 and bps
886 > 10k' Generates the Top 20 statistics from flows coming from interface
887 5
888 nfdump -r /and/dir/nfcapd.201107110845 'inet6 and proto tcp and ( src
890 port > 1024 and dst port 80 ) Dumps all port 80 IPv6 connections to any
891 web server.
892
894 Generating the statistics for data files of a few hundred MB is no
895 problem. However be careful if you want to create statistics of several
896 GB of data. This may consume a lot of memory and can take a while. Flow
897 anonymization has moved into nfanon.
898
900 nfcapd(1), nfanon(1), nfprofile(1), nfreplay(1)
901
903 There is still the famous last bug. Please report them - all the last
904 bugs - back to me.
905 2009-09-09 nfdump(1)