1nfdump(1) nfdump(1)
2
6 nfdump - netflow display and analyze program
7
9 nfdump [options] [filter]
10
12 nfdump is the netflow display and analyzing program of the nfdump tool
13 set. It reads the netflow data from files stored by nfcapd and pro‐
14 cesses the flows according to the options given. The filter syntax is
15 comparable to tcpdump and extended for netflow data. Nfdump can also
16 display many different top N flow and flow element statistics.
17
20 -r inputfile
21 Read input data from inputfile. Default is to read from stdin.
22 -R expr
24 Read input from a sequence of files in the same directory. expr may
25 be one of:
26 /any/dir Read recursively all files in directory dir.
27 /dir/file Read all files beginning with file.
28 /dir/file1:file2 Read all files from file1 to file2.
29 When using in combination with a sub hierarchy:
31 /dir/sub1/sub2/file1:sub3/sub4/file2
32 Read all files from sub1/sub2/file1 sub3/sub4/file2 iterating over
33 all required hierarchy levels.
34 Note: files are read in alphabetical order.
36 -M expr
38 Read input from multiple directories. expr looks like:
39 /any/path/to/dir1:dir2:dir3 etc. and will be expanded to the direc‐
40 tories: /any/path/to/dir1, /any/path/to/dir2 and /any/path/to/dir3
41 Any number of colon separated directories may be given. The files to
42 read are specified by -r or -R and are expected to exist in all the
43 given directories. The options -r and -R must not contain any
44 directory part when used in conjunction with -M.
45 -m deprecated option. Use -O tstart instead.
47 -O order[:direction]
49 Set sort order to print raw or aggregated flows. Optionally add an
50 order direction 'a' for ascending or 'd' for descending. order can
51 be:
52 by default descending:
53 flows Sort according to the number of flows
54 packets Sort according to (in)packets
55 ipkg Same as packets
56 opkg Sort according to output packets
57 bytes Sort according to (in)bytes
58 ibyte Same as bytes
59 obyte Sort according to output bytes
60 pps Sort according to (in)packets per second
61 ipps Same as ipps
62 opps Sort according to out packets per second
63 bps Sort according to (in)bytes per second
64 ibps Same as bps
65 obps Sort according to output bytes per second
66 bpp Sort according to (in)bytes per packet
67 ibpp Same as bpp
68 obpp Sort according to output packets
69 by default ascending:
70 tstart Sort according to start time of flow - former -m
71 tend Sort according to end time of flows
72 -w outputfile
74 If specified writes binary netflow records to outputfile ready to be
75 processed again with nfdump. The default output is ASCII on stdout.
76 In combination with options -m, -a, -b, and -B write aggregated
77 and/or sorted flow cache in binary format to disk.
78 -f filterfile
80 Reads the filter syntax from filterfile. Note: Any filter specified
81 directly on the command line takes precedence over -f.
82 -t timewin
84 Process only flows which fall in the time window timewin, where
85 timewin is YYYY/MM/dd.hh:mm:ss[-YYYY/MM/dd.hh:mm:ss]. Any parts of
86 the time spec may be omitted e.g YYYY/MM/dd expands to
87 YYYY/MM/dd.00:00:00-infinity and processes all flow from a given day
88 onwards. The time window may also be specified as +/- n. In this
89 case it is relativ to the beginning or end of all flows. +10 means
90 the first 10 seconds of all flows, -10 means the last 10 seconds of
91 all flows.
92 -c num
94 Limit the number of records to read and process from file(s) to the
95 first num flows.
96 -a Aggregate netflow data. Aggregation is done at connection level by
98 taking the 5-tuple protocol, srcip, dstip, srcport and dstport.
99 -A aggregation
101 Similar to Flexible Netflow (FNF), netflow records can be aggregated
102 by any number of given v9 fields. aggregation is a ',' separated
103 list of recognised tags from the following list:
104 proto IP protocol
105 srcip Source IP address
106 dstip Destination IP address
107 srcip4/net IPv4 source IP address with applied netmask
108 srcip6/net IPv6 source IP address with applied netmask
109 dstip4/net IPv4 destination IP address with applied netmask
110 dstip6/net IPv6 destination IP address with applied netmask
111 srcnet Apply netmask srcmask in netflow record for source IP
112 dstnet Apply netmask dstmask in netflow record for dest IP
113 srcport Source port
114 dstport Destination port
115 srcmask Source mask
116 dstmask Destination mask
117 srcvlan Source vlan label
118 dstvlan Destination vlan label
119 srcas Source AS number
120 dstas Destination AS number
121 nextas BGP Next AS
122 prevas BGP Previous AS
123 inif SNMP input interface number
124 outif SNMP output interface number
125 next IP next hop
126 bgpnext BGP next hop
127 insrcmac In source MAC address
128 outdstmac out destination MAC address
129 indstmac In destintation MAC address
130 outsrcmac Out source MAC address
131 tos Source type of service
132 srctos Source type of Service
133 dsttos Destination type of Service
134 mpls1 MPLS label 1
135 mpls2 MPLS label 2
136 mpls3 MPLS label 3
137 mpls4 MPLS label 4
138 mpls5 MPLS label 5
139 mpls6 MPLS label 6
140 mpls7 MPLS label 7
141 mpls8 MPLS label 8
142 mpls9 MPLS label 9
143 mpls10 MPLS label 10
144 router Exporting router's IP
145 xsrcip X-late source IP address, if compiled with NSEL support
146 xdstip X-late destination IP address, if compiled with NSEL
147 support
148 xsrcport X-late source port, if compiled with NSEL support
149 xdstport X-late destination port, if compiled with NSEL support
150 nfdump automatically compiles an appropriate output format for the
152 selected aggregation unless an explicit output format is given. The
153 automatic output format is identical to -o 'fmt:%ts %td <fields>
154 %pkt %byt %bps %bpp %fl' where <fields> represents the selected
155 aggregation tags.
156 Example:
158 -A proto,srcip,dstport
159 -A srcas,dstas
161 -b Aggregate netflow records as bidirectional flows. Automatically
163 implies -a. Aggregation is done on connection level by taking the
164 5-tuple protocol, srcip, dstip, srcport and dstport, or the reverse
165 order for the corresponding connection flow. Input and output pack‐
166 ets/bytes are counted and reported separately. Both flows are merged
167 into a single record. An appropriate output format is selected auto‐
168 matically, which may be overwritten by any -o format option.
169 -B Like -b but automagically swaps flows if src port is < dst port for
171 TCP and UDP flows and src port < 1024 and dst port > 1024. as some
172 exporters do not care sending the flows in proper order. Other flows
173 are not affected. It's considered to be a conveniency option.
174 -I Print flow statistics from file specified by -r, or timeslot speci‐
176 fied by -R/-M.
177 -D dns
179 Set dns as nameserver to look up hostnames.
180 -s statistic[:p][/orderby[:direction]]
182 Generate the Top N flow or flow element statistic. statistic can be:
183 record Statistic about aggregated netflow records.
184 srcip Statistic about source IP addresses
185 dstip Statistic about destination IP addresses
186 ip Statistic about any (source or destination) IP addresses
187 nhip Statistic about next hop IP addresses
188 nhbip Statistic about BGP next hop IP addresses
189 router Statistic about exporting router IP address
190 srcport Statistic about source ports
191 dstport Statistic about destination ports
192 port Statistic about any (source or destination) ports
193 tos Statistic about type of service - default src
194 srctos Statistic about src type of service
195 dsttos Statistic about dst type of service
196 dir Statistic about flow directions ingress/egress
197 srcas Statistic about source AS numbers
198 dstas Statistic about destination AS numbers
199 as Statistic about any (source or destination) AS numbers
200 inif Statistic about input interface
201 outif Statistic about output interface
202 if Statistic about any interface
203 srcmask Statistic about src mask
204 dstmask Statistic about dst mask
205 srcvlan Statistic about src vlan label
206 dstvlan Statistic about dst vlan label
207 vlan Statistic about any vlan label
208 insrcmac Statistic about input src MAC address
209 outdstmac Statistic about output dst MAC address
210 indstmac Statistic about input dst MAC address
211 outsrcmac Statistic about output src MAC address
212 srcmac Statistic about any src MAC address
213 dstmac Statistic about any dst MAC address
214 inmac Statistic about any input MAC address
215 outmac Statistic about any output MAC address
216 mask Statistic about any mask
217 proto Statistic about IP protocols
218 mpls1 Statistic about MPLS label 1
219 mpls2 Statistic about MPLS label 2
220 mpls3 Statistic about MPLS label 3
221 mpls4 Statistic about MPLS label 4
222 mpls5 Statistic about MPLS label 5
223 mpls6 Statistic about MPLS label 6
224 mpls7 Statistic about MPLS label 7
225 mpls8 Statistic about MPLS label 8
226 mpls9 Statistic about MPLS label 9
227 mpls10 Statistic about MPLS label 10
228 sysid Internal SysID of exporter
229 NSEL/ASA statistics
231 event NSEL/ASA event
232 xevent NSEL/ASA extended event
233 xsrcip NSEL/ASA translated src IP address
234 xsrcport NSEL/ASA translated src port
235 xdstip NSEL/ASA translated dst IP address
236 xdstport NSEL/ASA translated dst port
237 iacl NSEL/ASA ingress ACL
238 iace NSEL/ASA ingress ACE
239 ixace NSEL/ASA ingress xACE
240 eacl NSEL/ASA egress ACL
241 eace NSEL/ASA egress ACE
242 exace NSEL/ASA egress xACE
243 NAT statistics
245 nevent NAT event
246 vrf/ivrf NAT ingress vrf
247 evrf NAT egress vrf
248 nsrcip NAT src IP address
249 nsrcport NAT src port
250 ndstip NAT dst IP address
251 ndstport NAT dst port
252 By adding :p to the statistic name, the resulting statistic is split
254 up into transport layer protocols. Default is transport protocol
255 independent statistics.
256 orderby is optional and specifies the order by which the statistics
258 are ordered and can be flows, packets, bytes, pps, bps or bpp. You
259 may specify more than one orderby which results in the same statis‐
260 tic but ordered differently. If no orderby is given, statistics are
261 ordered by flows. Optionally to the order you add a :direction ':a'
262 for ascending or ':d' for descending. By default all -s statitics
263 are printed in descending order. You can specify as many -s flow
264 element statistics as needed on the command line for the same run.
265 Example:
267 -s srcip -s ip/flows -s dstport/pps/packets/bytes -s record/bytes
268 -l [+/-]packet_num
270 Limit statistics output to those records above or below the
271 packet_num limit. packet_num accepts positive or negative numbers
272 followed by 'K' , 'M' or 'G' 10E3, 10E6 or 10E9 flows respectively.
273 See also note at -L
274 -L [+/-]byte_num
276 Limit statistics output to those records above or below the byte_num
277 limit. byte_num accepts positive or negative numbers followed by 'K'
278 , 'M' or 'G' 10E3, 10E6 or 10E9 bytes respectively. Note: These lim‐
279 its only apply to the statistics and aggregated outputs generated
280 with -a -s. To filter netflow records by packets and bytes, use the
281 filter syntax 'packets' and 'bytes' described below.
282 -n num
284 For record statistics (-s .. ): Define the number for the Top N.
285 Defaults to 10. Use -n 0 to list all records.
286 For record sorting and aggregation (-a .. -O ..): Limit the records
287 to the first top num sorted records. if not specified or -n 0 is
288 given, all records are listed.
289 -o format
291 Selects the output format to print flows or flow record statistics
292 (-s record). The following formats are available:
293 raw Print full flow record on multiple lines.
294 line Print each flow on one line. Default format.
295 long Print each flow on one line with more details
296 biline Same as line, but for bidir flows
297 bilong Same as long, but for bidir flows
298 extended Print each flow on one line with even more details.
299 nsel Print each NSEL event on one line. Default if NSEL/NAT
300 nel Print each NAT event on one line.
301 csv Comma separated output for machine readable processing.
302 json Print full record as separate json object.
303 pipe Legacy machine readable format: fields are '|' separated.
304 fmt:format User defined output format.
305 For each defined output format except -o fmt:<format> an IPv6 long
306 output format exists. line6, long6 and extended6. See output for‐
307 mats below for more information.
308 -q Be quiet. Suppress the header line and the statistics at the bottom.
310 -N Print plain numbers in output. Easier for post-parsing.
312 -i ident
314 Change ident label in file, specified by -r to ident
315 -v file
317 Verify file. Print data file version, number of blocks and compres‐
318 sion status.
319 -E file
321 Print exporter/sampler list found in file. In case of a nfcapd col‐
322 lector file, additional statistics per exporter are printed with
323 number of flows, packets and sequence errors.
324 -x file
326 Scan and print extension maps located in file file
327 -j Compress flows. Use bz2 compression in output file. Space efficient
329 method
330 -y Compress flows. Use LZ4 compression in output file. Time efficient
332 method
333 -z Compress flows. Use fast LZO1X-1 compression in output file. Time
335 efficient method
336 -J num
338 Change compression for file(s) given by -r <file> or -R <dir> num: 0
339 uncompress, 1: LZO1X-1, 2: bz2, 3: LZ4 compression
340 -Z Check filter syntax and exit. Sets the return value accordingly.
342 -X Compiles the filer syntax and dumps the filter engine table to std‐
344 out. This is for debugging purpose only.
345 -V Print nfdump version and exit.
347 -h Print help text on stdout with all options and exit.
349
351 Returns
352 0 No error.
353 255 Initialization failed.
354 254 Error in filter syntax.
355 250 Internal error.
356
358 The output format raw prints each flow record on multiple lines,
359 including all information available in the record. This is the most
360 detailed view on a flow.
361 Other output formats print each flow on a single line. Predefined out‐
363 put formats are line, long and extended The output format line is the
364 default output format when no format is specified. It limits the
365 imformation to the connection details as well as number of packets,
366 bytes and flows.
367 The output format long is identical to the format line, and includes
369 additional information such as TCP flags and Type of Service.
370 The output format extended is identical to the format long, and
372 includes additional computed information such as pps, bps and bpp.
373 Fields:
375 Date flow start: Start time the flow was first seen. ISO 8601 format
377 including milliseconds.
378 Duration: Duration of the flow in seconds and milliseconds. If
380 flows are aggregated, duration is the time span over the entire
381 period of time from first seen to last seen.
382 Proto: Protocol used in the connection.
384 Src IP Addr:Port: Source IP address and source port.
386 Dst IP Addr:Port: Destination IP address and destination port. In
388 case of ICMP, port is decoded as type.code.
389 Flags: TCP flags OR-ed of the connection.
391 Tos: Type of service.
393 Packets: The number of packets in this flow. If flows are aggre‐
395 gated, the packets are summed up.
396 Bytes: The number of bytes in this flow. If flows are aggregated,
398 the bytes are summed up.
399 pps: The calculated packets per second: number of packets / dura‐
401 tion. If flows are aggregated this results in the average pps dur‐
402 ing this period of time.
403 bps: The calculated bits per second: 8 * number of bytes / duration.
405 If flows are aggregated this results in the average bps during this
406 period of time.
407 Bpp: The calculated bytes per packet: number of bytes / number of
409 packets. If flows are aggregated this results in the average bpp
410 during this period of time.
411 Flows: Number of flows. If flows are listed only, this number is
413 always 1. If flows are aggregated, this shows the number of flows
414 aggregated in this one record.
415 Numbers larger than 1'000'000 (1000*1000), are scaled to 4 digits and
417 one decimal digit including the scaling factor M, G or T for cleaner
418 output, e.g. 923.4 M
419 To make the output more readable, IPv6 addresses are shrinked down to
421 16 characters. The seven leftmost and seven rightmost digits connected
422 with two dots '..' are displayed in any normal output formats. To dis‐
423 play the full IPv6 address, use the appropriate long format, which is
424 the format name followed by a 6.
425 Example: -o line displays an IPv6 address as 2001:23..80:d01e where the
427 format -o line6 displays the IPv6 address in full length
428 2001:234:aabb::211:24ff:fe80:d01e. The combination of -o line -6 is
429 equivalent to -o line6.
430 The output format fmt:<format> allows you to define your own output
432 format. A format description format consists of a single line contain‐
433 ing arbitrary strings and format specifier as described below
434 %<format> Inserts the predefined format at this position. e.g. %line
436 %ff flow record flags in hex.
437 %nfv Netflow/Sflow/Event record version.
438 %ts Start Time - first seen
439 %tsr Start Time, but in fractional seconds since the epoch
440 (1970-01-01)
441 %te End Time - last seen
442 %ter End Time, in fractional seconds
443 %tr Time the flow was received by the collector
444 %trr Time the flow was received, in fractional seconds
445 %td Duration
446 %pr Protocol
447 %exp Exporter ID
448 %eng Engine Type/ID
449 %lbl Flowlabel
450 %sa Source Address
451 %da Destination Address
452 %sap Source Address:Port
453 %dap Destination Address:Port
454 %sp Source Port
455 %dp Destination Port
456 %sn Source Network, mask applied
457 %dn Destination Network, mask applied
458 %nh Next-hop IP Address
459 %nhb BGP Next-hop IP Address
460 %ra Router IP Address
461 %sas Source AS
462 %das Destination AS
463 %nas Next AS
464 %pas Previous AS
465 %in Input Interface num
466 %out Output Interface num
467 %pkt Packets - default input
468 %ipkt Input Packets
469 %opkt Output Packets
470 %byt Bytes - default input
471 %ibyt Input Bytes
472 %obyt Output Bytes
473 %fl Flows
474 %flg TCP Flags
475 %tos Tos - default src
476 %stos Src Tos
477 %dtos Dst Tos
478 %dir Direction: ingress, egress
479 %smk Src mask
480 %dmk Dst mask
481 %fwd Forwarding Status
482 %svln Src vlan label
483 %dvln Dst vlan label
484 %ismc Input Src Mac Addr
485 %odmc Output Dst Mac Addr
486 %idmc Input Dst Mac Addr
487 %osmc Output Src Mac Addr
488 %mpls1 MPLS label 1
489 %mpls2 MPLS label 2
490 %mpls3 MPLS label 3
491 %mpls4 MPLS label 4
492 %mpls5 MPLS label 5
493 %mpls6 MPLS label 6
494 %mpls7 MPLS label 7
495 %mpls8 MPLS label 8
496 %mpls9 MPLS label 9
497 %mpls10 MPLS label 10
498 %mpls MPLS labels 1-10
499 %bps bps - bits per second
500 %pps pps - packets per second
501 %bpp bps - Bytes per package
502 NSEL specific formats
504 %nfc NSEL connection ID
505 %evt NSEL event
506 %xevt NSEL extended event
507 %sgt NSEL Source security group tag
508 %msec NSEL event time in msec
509 %iacl NSEL ingress ACL
510 %eacl NSEL egress ACL
511 %xsa NSEL XLATE src IP address
512 %xda NSEL XLATE dst IP address
513 %xsp NSEL XLATE src port
514 %xdp NSEL SLATE dst port
515 %xsap Xlate Source Address:Port
516 %xdap Xlate Destination Address:Port
517 %uname NSEL user name
518 NEL/NAT specific formats
520 %nevt NAT event - same as %evt
521 %ivrf NAT ingress VRF ID
522 %evrf NAT egress VRF ID
523 %nsa NAT src IP address
524 %nda NAT dst IP address
525 %nsp NAT src port
526 %ndp NAT dst port
527 %pbstart NAT pool block start
528 %pbend NAT pool block end
529 %pbstep NAT pool block step
530 %pbsize NAT pool block size
531 Nprobe formats
533 %cl Client latency
534 %sl Server latency
535 %al Application latency
536 The "flow flags" format (%ff) prints the internal record flags as a
539 single hexadecimal number, consisting of any of these flag values OR-ed
540 together:
541 1 Record contains IPv6 addresses
543 2 Packet counters are 64-bit
544 4 Byte counters are 64-bit
545 8 IP next hop is an IPv6 address
546 16 BGP next hop is an IPv6 address
547 32 Exporting router is an IPv6 address
548 64 Record is an EVENT record
549 128 Record is sampled
550 Example: the standard output format long can be created as
552 -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl"
553 You may also define your own output format and have it compiled into
555 nfdump. See nfdump.c section Output Formats for more details.
556 The csv output format is intended to be read by another program for
558 further processing. As an example, see the parse_csv.pl Perl program.
559 The csv output format consists of one or more output blocks and one
560 summary block. Each output block starts with a csv index line followed
561 by the csv record lines. The index lines describes the order, how each
562 following record is composed.
563 Example:
565 Index line: ts,te,td,sa,da,sp,dp,pr,...
566 Record line: 2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,...
567 All records are in ASCII readable form. Numbers are not scaled, so each
569 line can be easily parsed.
570 Indices used in nfdump 1.6:
572 ts,te,td time records: t-start, t-end, duration
574 sa,da src dst address sp,dp src, dst port
575 pr protocol PF_INET or PF_INET6
576 flg TCP Flags:
577 000001 FIN.
578 000010 SYN
579 000100 RESET
580 001000 PUSH
581 010000 ACK
582 100000 URGENT
583 e.g. 6 => SYN + RESET
584 fwd forwarding status
585 stos src tos
586 ipkt,ibyt input packets/bytes
587 opkt,obyt output packets, bytes
588 in,out input/output interface SNMP index number
589 sas,das src, dst AS
590 smk,dmk src, dst mask
591 dtos dst tos
592 dir direction
593 nh,nhb next hop IP address, bgp next hop IP
594 svln,dvln src, dst vlan id
595 ismc,odmc input src, output dst MAC
596 idmc,osmc input dst, output src MAC
597 mpls1,mpls2 MPLS label 1-10
598 mpls3,mpls4
599 mpls5,mpls6
600 mpls7,mpls8
601 mpls9,mpls10
602 ra router IP
603 eng router engine type/id
604 See parse_csv.pl for more details.
606
608 The filter syntax is similar to the well known pcap library used by
609 tcpdump. The filter can be either specified on the command line after
610 all options or in a separate file. It can span several lines. Anything
611 after a '#' is treated as a comment and ignored to the end of the line.
612 There is virtually no limit in the length of the filter expression. All
613 keywords are case insensitive.
614 Any filter consists of one or more expressions expr. Any number of expr
616 can be linked together:
617 expr and expr, expr or expr, not expr and ( expr ).
619 Expr can be one of the following filter primitives:
621 include
623 @include <file>
624 include the content of <file> into filter.
625 ip version
627 inet or ipv4 for IPv4
628 inet6 or ipv6 for IPv6
629 protocol
631 proto <protocol>
632 proto <number>
633 where <protocol> is known protocol such as tcp, udp, icmp, icmp6,
634 gre, esp, ah, etc. or a valid protocol number: 6, 17 etc.
635 IP address
637 [src|dst] ip <ipaddr>
638 [src|dst] host <ipaddr>
639 with <ipaddr> as any valid IPv4, IPv6 address, or a fully qualified
640 hostname. In case of a hostname, the IP address is looked up in
641 DNS. If more than a single IP address is found, all IP addresses
642 are chained together. (ip1 or ip2 or ip3 ... )
643 To check if an IP address is in a known IP list, use
645 [src|dst] ip in [ <iplist> ]
646 [src|dst] host in [ <iplist> ]
647 <iplist> is a space or comma separated list of individual <ipaddr>
648 or fully qualified hostnames, which are looked up in DNS. If more
649 than a single IP address is found, all IP addresses are put into
650 the list.
651 [src|dst]
653 IP addresses, networks, ports, AS numbers etc. can be specifically
654 selected by using a direction qualifier, such as src or dst. They
655 can also be used in combination with and and or. such as src and
656 dst ip ...
657 network
659 [src|dst] net a.b.c.d m.n.r.s
660 Select the IPv4 network a.b.c.d with netmask m.n.r.s.
661 [src|dst] net <net>/<num>
663 with <net> as a valid IPv4 or IPv6 network and <num> as mask bits.
664 The number of mask bits must match the appropriate address family
665 in IPv4 or IPv6. Networks may be abbreviated such as 172.16/16 if
666 they are unambiguous.
667 Port
669 [src|dst] port [comp] <num>
670 with <num> as any valid port number. If comp is omitted,
671 '=' is assumed. comp is explained in more details below.
672 [src|dst] port in [ <portlist> ]
673 A port can be compared against a know list, where <portlist> is a
674 space separated list of individual port numbers.
675 ICMP
677 icmp-type <num>
678 icmp-code <num>
679 with <num> as a valid icmp type/code. This automatically implies
680 proto icmp.
681 Router ID
683 engine-type <num>
684 engine-id <num>
685 sysid <num>
686 with <num> as a valid router engine type/id or exporter ID(0..255).
687 Netflow version
689 nfversion [comp] <num>
690 netflow version exported.
691 Interface
693 [in|out] if <num>
694 Select input or output or either interface ID, with num as the SNMP
695 interface number.
696 Example: in if 3
697 AS numbers
699 [src|dst|prev|next] as [comp] <num>
700 Selects source, destination, previous, next or any AS number with
701 <num> as any valid as number. 32-bit AS numbers are supported. If
702 comp is omitted, '=' is assumed. comp is explained in more details
703 below.
704 [src|dst|prev|next] as in [ <ASlist> ]
706 An AS number can be compared against a know list, where <ASlist> is
707 a space or comma separated list of individual AS numbers.
708 Prefix mask bits
710 [src|dst] mask <bits>
711 with <bits> as any valid prefix mask bit value.
712 Vlan labels
714 [src|dst] vlan <num>
715 with <num> as any valid vlan label.
716 Flags
718 flags <tcpflags>
719 with <tcpflags> as a combination of:
720 A ACK.
721 S SYN.
722 F FIN.
723 R Reset.
724 P Push.
725 U Urgent.
726 X All flags on.
727 The ordering of the flags is not relevant. Flags not mentioned are
728 treated as don't care. In order to get those flows with only the SYN
729 flag set, use the syntax 'flags S and not flags AFRPU'.
730 Next hop IP
732 next ip <ipaddr>
733 with <ipaddr> as IPv4/IPv6 IP address of next hop router.
734 Next-hop router's IP in the BGP domain
736 bgpnext ip <ipaddr>
737 with <ipaddr> as IPv4/IPv6 next-hop router's IP in the BGP domain.
738 ( v9 #18 )
739 Router IP
741 router ip <ipaddr>
742 Filter the flows according the IP address of the exporting router.
743 MAC addresses
745 [InOutSrcDst] mac <addr>
746 With <addr> any valid MAC address. mac can be made more specific by
747 using any combination of a direction specifier as defined by CISCO
748 v9. in src, in dst, out src, out dst.
749 MPLS labels
751 mpls label<n> [comp] <num>
752 With <n> as any mpls label number 1..10. Filters exactly specified
753 label<n>.
754 mpls eos [comp] <num>
755 Filters End of Stack label for a given value <num>.
756 mpls exp<n> [comp] <bits>
757 Filters experimental bits of label <n> with <bits> 0..7.
758 Packets
760 packets [comp] <num> [scale]
761 To filter for netflow records with a specific packet count.
762 Example: packets > 1k
763 Bytes
765 bytes [comp] <num> [scale]
766 To filter for netflow records with a specific byte count.
767 Example: bytes 46 filters all empty IPv4 packets
768 Aggregated flows
770 flows [comp] <num> [scale]
771 To filter for netflow records with a specific number of aggregated
772 flows.
773 Type of Service (TOS)
775 [SourceDestination] tos <num>
776 With <num> 0..255. For compatibility with nfdump 1.5.x: tos <num>
777 is equivalent with src tos <num>
778 Packets per second: Calculated value.
780 pps [comp] num [scale]
781 To filter for flows with specific packets per second.
782 Duration: Calculated value
784 duration [comp] num
785 To filter for flows with specific duration in milliseconds.
786 Bits per second: Calculated value.
788 bps [comp] num [scale]
789 To filter for flows with specific bytes per second.
790 Bytes per packet: Calculated value.
792 bpp [comp] num [scale]
793 To filter for flows with specific bytes per packet.
794 scale scaling factor. Maybe k m g. Factor is 1000
796 comp The following comparators are supported:
798 =, ==, >, <, >=, <=, EQ, LT, GT, LE, GE . If comp is omitted, '='
799 is assumed.
800 NSEL/ASA specific filters:
802 NSEL/ASA Event
804 asa event <ignore|create|term|delete|deny>
805 asa event [comp] <number>
806 select NSEL/ASA event by name or number. If given as number it can
807 be compared with a number
808 NSEL/ASA denied reason
810 asa event denied <ingress|egress|interface|nosyn>
811 Select a NSEL/ASA denied event by type
812 NSEL/ASA extended events
814 asa xevent [comp] <num>
815 Select an extended NSEL ASA event by number, or optionally compared
816 by a number.
817 X-late IP addresses and ports
819 [src|dst] xip <ip>
820 Select the translated IP address - identical to nip
821 [src|dst] xnet <net>/<num>
823 with <net> as a valid translated IPv4 or IPv6 network and <num> as
824 mask bits. The number of mask bits must match the appropriate
825 address family in IPv4 or IPv6. Networks may be abbreviated such as
826 172.16/16 if they are unambiguous.
827 [src|dst] xport <port>
829 Select the translated port
830 NSEL/ASA ingress/egress
832 ingress <ACL|ACE|XACE> [comp] number
833 Select/compare an ingress ACL
834 egress ACL [comp] <number>
836 Select/compare an egress ACL
837 NEL specific NAT filters:
839 NAT Event
841 nat event <add|delete>
842 nat event [comp] <number>
843 select NEL NAT event by name or number. If given as number it can
844 be compared with a number
845 NEL NAT ip addresses and ports
847 [src|dst] nip <ip>
848 Match NAT IP address
849 [src|dst] nip in [ <iplist> ]
851 Match NAT IP from list <iplist> - see ip in [ <iplist> ] for syn‐
852 tax.
853 [src|dst] nport <port>
855 Match NAT port
856 NEL NAT vrf
858 ingress vrf <num>
859 Select the vrf
860
863 One or more specific filter expressions can be assigned a flowlabel in
864 order to identify the flow in the output according to the label. A
865 flowlabel has the form %LabelName and is appended or prepended to a
866 filter expression in braces. It may have up to 16 characters. Example:
867 (ip 8.8.8.8) %GoogleDNS. If a filter matches, with a labeled expres‐
868 sions, and that expression is in the matching filter path, the label
869 can be printed in the output, using the %%lbl format token. See OUTPUT
870 FORMATS. Example: Add flowlabel to end of 'line' format:
871 ./nfdump -r <file> -o 'fmt:%line %lbl" ..
872 Note: A filter may have multiple matching paths - for example proto tcp
873 or ip 8.8.8.8 The shortest path which evaluates successfully wins.
874 Other paths are skipped, which means that flowlabels are not printed in
875 not evaluated filter paths. A filter may contain multiple flowlabels.
876 The flowlabel of the last matching expression in the winning path is
877 printed. Flowlabels are most useful in large and complex filters
878 stored in one or multiple files, to better read the flow output list.
879 Example: (ip in [172.16.1.0/24]) %ISP_1 or (ip in [172.16.16.0/24])
880 %IPS_2 or %GoogleDNS((proto udp or proto tcp) and ip 8.8.8.8)
881
883 nfdump -r /and/dir/nfcapd.201107110845 -c 100 'proto tcp and ( src ip
884 172.16.17.18 or dst ip 172.16.17.19 )' Dumps the first 100 netflow
885 records which match the given filter:
886 nfdump -r /and/dir/nfcapd.201107110845 -B Map matching flows as bi-
888 directional single flow.
889 nfdump -R /and/dir/nfcapd.201107110845:nfcapd.200407110945 'host
891 192.168.1.2' Dumps all netflow records of host 192.168.1.2 from July 11
892 08:45 - 09:45
893 nfdump -M /to/and/dir1:dir2 -R nfcapd.200407110845:nfcapd.200407110945
895 -s record -n 20 Generates the Top 20 statistics from 08:45 to 09:45
896 from 3 sources
897 nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 -o extended Gen‐
899 erates the Top 20 statistics, extended output format
900 nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 'in if 5 and bps
902 > 10k' Generates the Top 20 statistics from flows coming from interface
903 with SNMP index of 5
904 nfdump -r /and/dir/nfcapd.201107110845 'inet6 and proto tcp and ( src
906 port > 1024 and dst port 80 ) Dumps all port 80 IPv6 connections to any
907 web server.
908
910 Generating the statistics for data files of a few hundred MB is no
911 problem. However, be careful if you want to create statistics of sev‐
912 eral GB of data. This may consume a lot of memory and can take a while.
913 Flow anonymization has moved into nfanon.
914
916 nfcapd(1), nfanon(1), nfprofile(1), nfreplay(1)
917
919 There is still the famous last bug. Please report them - all the last
920 bugs - back to me.
921 2009-09-09 nfdump(1)