2
6 flow-fanout — Fanout (replicate) flow exports to many destinations.
7
9 flow-fanout [-h] [-A AS0_substitution] [-d debug_level] [-f fil‐
10 ter_fname] [-F filter_definition] [-m privacy_mask] [-p pidfile]
11 [-s] [-S stat_interval] [-V pdu_version] [-x xmit_delay]
12 localip/remoteip/port localip/remoteip/port ...
13
15 The flow-fanout utility will replicate flows arriving on
16 localip/remoteip/port to destination(s) specified by
17 localip/remoteip/port.
18 Flows processed by multiple exporters will be mixed into a single out‐
20 put stream. This functionality appeared to support Cisco Catalyst
21 exports and may have other uses.
22 A SIGQUIT or SIGTERM signal will cause flow-fanout to exit.
24
26 -A AS0_substitution
27 Cisco's NetFlow exports represent the local autonomous system
28 as 0 instead of the real value. This option can be used to
29 replace the 0 in the export with the a configured value.
30 Unfortunately under certain configurations AS 0 can also rep‐
31 resent a cache miss or non forwarded traffic so use with cau‐
32 tion.
33 -d debug_level
35 Enable debugging.
36 -f filter_fname
38 Filter list filename. Defaults to /var/flow-tools/cfg/fil‐
39 ter.
40 -F filter_definition
42 Select the active definition. Defaults to default.
43 -h Display help.
45 -m privacy_mask
47 Apply privacy_mask to the source and destination IP address
48 of flows. For example a privacy_mask of 255.255.255.0 would
49 convert flows with source/destination IP addresses 10.1.1.1
50 and 10.2.2.2 to 10.1.1.0 and 10.2.2.0 respectively.
51 -p pidfile
53 Configure the process ID file. Use - to disable pid file
54 creation.
55 -s Spoof the source IP address. If the IP address is 0 then it
57 is replaced with the exporter source IP.
58 -S stat_interval
60 When configured flow-fanout will emit a timestamped message
61 on stderr every stat_interval minutes indicating counters
62 such as the number of flows received, packets processed, and
63 lost flows.
64 -V pdu_version
66 Use pdu_version format output.
67 1 NetFlow version 1 (No sequence numbers, AS, or mask)
69 5 NetFlow version 5
70 6 NetFlow version 6 (5+ Encapsulation size)
71 7 NetFlow version 7 (Catalyst switches)
72 8.1 NetFlow AS Aggregation
73 8.2 NetFlow Proto Port Aggregation
74 8.3 NetFlow Source Prefix Aggregation
75 8.4 NetFlow Destination Prefix Aggregation
76 8.5 NetFlow Prefix Aggregation
77 8.6 NetFlow Destination (Catalyst switches)
78 8.7 NetFlow Source Destination (Catalyst switches)
79 8.8 NetFlow Full Flow (Catalyst switches)
80 8.9 NetFlow ToS AS Aggregation
81 8.10 NetFlow ToS Proto Port Aggregation
82 8.11 NetFlow ToS Source Prefix Aggregation
83 8.12 NetFlow ToS Destination Prefix Aggregation
84 8.13 NetFlow ToS Prefix Aggregation
85 8.14 NetFlow ToS Prefix Port Aggregation
86 1005 Flow-Tools tagged version 5
87 -x xmit_delay
89 Configure a microsecond transmit delay between packets. This
90 may be necessary in some configurations to prevent a transmit
91 buffer overrun.
92
94 Replicate flows arriving to local IP address 10.0.0.1 from the router
95 exporting with IP address 10.1.1.1 on port 9500 to localhost port 9500
96 and 10.5.5.5 port 9200. The exports sent to 10.5.5.5 will be sent with
97 a source IP address of 10.0.0.5 which must be a valid local IP address.
98 flow-fanout 10.0.0.1/10.1.1.1/9500 0/0/9500 10.0.0.5/10.5.5.5/9200
100
102 NetFlow exports do not contain the exporter IP address inside the pay‐
103 load so the original exporter IP address (typically a router) will be
104 lost when using flow-fanout. A work around for this protocol limita‐
105 tion is to use local IP aliases and the localip option.
106 When the spoofing option is used multiple exporters with different IP
108 addresses will share the same sequence number but will have the origi‐
109 nal source IP. Fixing this requires per source : destination sequence
110 number mapping. It is much easier to just use multiple instances of
111 flow-fanout running on different ports.
112
114 Mark Fullmer maf@splintered.net
115
117 flow-tools(1)
118 flow-fanout(1)