2
6 flow-tag — Apply tags to flow files.
7
9 flow-tag [-hk] [-b big|little] [-C comment] [-d debug_level] [-t
10 tag_fname] [-T tag_definition] [-v variable binding]
11
13 The flow-tag utility is used to add or modify source and destination
14 tags in flow records. Tags are 32 bit identifiers derived from rules
15 and fields in a flow record. Tags can be used to group flows with com‐
16 mon prefixes, autonomous systems, next hops, exporter id and/or
17 input/output interface. flow-stat can be used with tagged flows to
18 produce group based reports. For example, all outbound traffic for a
19 customer where the customer is defined by a list of IP prefixes.
20
22 -b big|little
23 Byte order of output.
24 -C Comment
26 Add a comment.
27 -d debug_level
29 Enable debugging.
30 -h Display help.
32 -k Keep time from input.
34 -t tag_fname
36 Load tags from tag_name. Defaults to /var/flow-tools/cfg/tag
37 -T active_def|
39 Use active_def as the active tag definition(s).
40 -v variable binding
42 Set a variable FOO=bar.
43 The configuration file is a collection of actions and definitions. An
45 action is triggered by a definition and a definition is invoked only if
46 listed with the -T flag. Lines begining with # are treated as comments
47 and ignored.
48 Words in the configuration file of the form @VAR or @{VAR:default} will
50 be expanded at run-time by setting variable names with the -v option.
51 tag-action command Description/Example
53 ----------------------------------------------------------------------
54 tag-action Begin tag-action section
55 tag-action foo
56 type Configure the type of action, one of
58 source-prefix, destination-prefix, prefix,
59 source-as, destination-as, as, next-hop,
60 tcp-source-port, tcp-destination-port,
61 tcp-port, udp-source-port,
62 udp-destination-port, udp-port,
63 tos, exporter, source-ip-address,
64 destination-ip-address, ip-address,
65 input-interface, output-interface,
66 interface, any.
67 type src-prefix
68 match Match criteria. The match condition
70 depends on the type. Following the
71 match condition is one of
72 set-destination, set-source,
73 or-destination, or-source to
74 set or logically or a value to the
75 source or destination tag.
76 match 128.146/16 set-destination 0x010001
77 Multiple actions may match and set tags on the same flow. Note that
79 listing many actions will cause tags to be applied in O(actions) time.
80 The actions try to run in O(1) time. For example if 10 prefixes are
81 listed in a single action it will take about the same CPU as if 100
82 prefixes are used. Listing 100 actions will require 100 times the
83 CPU as 1 action.
84 tag-action types Description
87 ----------------------------------------------------------------------
88 source-prefix Source Prefix
90 destination-prefix Destination Prefix
92 prefix Source or Destination Prefix
94 source-as Source AS
96 destination-as Destination AS
98 as Source or Destination AS
100 next-hop IP Next Hop
102 tcp-source-port TCP Source Port
104 tcp-destination-port TCP Destination Port
106 tcp-port TCP Source or Destination Port
108 udp-source-port UDP Source Port
110 udp-destination-port UDP Destination Port
112 udp-port UDP Source or Destination Port
114 tos Type of Service
116 exporter Exporter IP Address
118 source-ip-address Source IP Address
120 destination-ip-address Destination IP Address
122 ip-address Source or Destination IP Address
124 input-interface Input Interface
126 output-interface Output Interface
128 interface Input or Output Interface
130 any Match any flows
132 tag-action matches Description
135 ----------------------------------------------------------------------
136 set-destination Set the destination tag, replacing
138 any previous tag.
139 set-source Set the source tag, replacing any
141 previous tag.
142 or-destination Logically or this value to the
144 existing destination tag
145 or-source Logically or this value to the
147 existing source tag
148 A definition lists a set of actions which are evaluated if the filter
151 criteria is met. Each definition is built with terms. A term has its
152 action(s) evaluated if the filter is passed.
153 definition command Description/Example
155 -----------------------------------------------------------------------
156 tag-definition Begin tag-defintion secrion
157 tag-definition bar
158 term Begin a list of actions to be
160 evaluated that match the filter
161 rule.
162 term
163 input-filter List of input ifIndexes the flow
165 must match.
166 input-filter 1,2,3,4
167 output-filter List of output ifIndexes the flow
169 must match.
170 output-filter 1,2,3,4
171 exporter IP address of exporter the flow must
173 match.
174 exporter 1.2.3.4
175 action Name of action to evaluate. Actions
177 are evaluated in the order they
178 appear in a definition.
179 action foo
180
182 The meaning of a tag is user defined. The following example uses 16
183 bits of a tag as a customer ID and 4 bits as a customer type. flow-
184 xlate can be used to apply a mask to these fields.
185 # file: gigapop-tags
187 # tag format
188 #
189 # 0 7 15 23 31
190 # 0000 0000 0000 0000 0000 0000 0000 0000 (32 bits)
191 # RRRRRRRRRRRRRR TTTT NNNNNNNNNNNNNNNNNNN
192 # | | | Site name
193 # | | Site type
194 # | Reserved
195 #
196 #
197 # SITE_NAME_MASK = 0x0000FFFF
198 # SITE_TYPE_MASK = 0x00FF0000
199 #
200 # ID Name
201 #---------------------------------
202 # 0x0001 OSU
203 # 0x0002 CWRU
204 # 0x0003 BGSU
205 # ... etc
206 # 0x0019 MULTICAST
207 #
208 # ID Type
209 #------------------------
210 # 0x01 Participant
211 # 0x02 SEGP
212 # 0x03 Sponsored-Participant
213 # 0x04 Gigapop
214 # 0x05 MULTICAST
215 tag-action OHIO-GIGAPOP_DST
217 type destination-prefix
218 # OSU
219 match 128.146/16 set-destination 0x010001
220 match 164.107/16 set-destination 0x010001
221 match 140.254/16 set-destination 0x010001
222 match 192.153.26/24 set-destination 0x010001
223 # CWRU
224 match 129.22/16 set-destination 0x010002
225 match 192.5.110/24 set-destination 0x010002
226 # BGSU
227 match 129.1/16 set-destination 0x010003
228 # ...etc
229 # MULTICAST
230 match 224/4 set-destination 0x050019
231 tag-action OHIO-GIGAPOP_SRC
233 type source-prefix
234 # OSU
235 match 128.146/16 set-source 0x010001
236 match 164.107/16 set-source 0x010001
237 match 140.254/16 set-source 0x010001
238 match 192.153.26/24 set-source 0x010001
239 # CWRU
240 match 129.22/16 set-source 0x010002
241 match 192.5.110/24 set-source 0x010002
242 # BGSU
243 match 129.1/16 set-source 0x010003
244 # ...etc
245 tag-action OTHER_DST
247 type destination-prefix
248 match 0/0 set-destination 0x0
249 tag-action OTHER_SRC
251 type source-prefix
252 match 0/0 set-source 0x0
253 tag-definition OHIO-GIGAPOP
255 term
256 # Abilene interface
257 input-filter 25
258 # clear tag first -- it defaults to 0, so this may not be necessary.
259 action OTHER_DST
260 action OHIO-GIGAPOP_DST
261 term
262 # Abilene interface
263 output-filter 25
264 # clear tag first -- it defaults to 0, so this may not be necessary.
265 action OTHER_SRC
266 action OHIO-GIGAPOP_SRC
267 First populate /var/flow-tools/sym/tag for flow-stat to use as symbols.
269 0x0001 OSU
271 0x0002 CWRU
272 0x0003 BGSU
273 0x0019 MULTICAST
274 0x010000 PART
275 0x020000 SEGP
276 0x030000 SPART
277 0x040000 GIGAPOP
278 0x050000 MULTICAST
279 To generate a report for outgoing traffic to Abilene based on customer
281 ID:
282 flow-cat flows | flow-filter -I25 | flow-tag -t gigapop-tags -TOHIO-GIGAPOP | flow-xlate -t0x0000FFFF | flow-stat -n -f30 -S2
284 # --- ---- ---- Report Information --- --- ---
286 #
287 # Fields: Total
288 # Symbols: Enabled
289 # Sorting: Descending Field 2
290 # Name: Source Tag
291 #
292 # Args: ../flow-stat -n -f30 -S2
293 #
294 #
295 # Src Tag flows octets packets
296 #
297 OSU 4942230 181326237007 302476793
298 CWRU 874883 54358312807 70589318
299 BGSU 1008797 7600209852 22060870
300 To generate a report for inbound traffic from Abilene based on customer
302 type:
303 flow-cat flows | flow-filter -i25 | flow-tag -t gigapop-tags -TOHIO-GIGAPOP | flow-xlate -T0xFF0000 | flow-stat -n -f31 -S2
305 # --- ---- ---- Report Information --- --- ---
307 #
308 # Fields: Total
309 # Symbols: Enabled
310 # Sorting: Descending Field 2
311 # Name: Destination Tag
312 #
313 # Args: ../flow-stat -n -f31 -S2
314 #
315 #
316 # Dst Tag flows octets packets
317 #
318 PART 15923156 663289954569 981163979
319 SEGP 4995795 135525076170 196534917
320 MULTICAST 45171 49866825003 137798118
321 GIGAPOP 942209 26422533266 23199961
322 SPART 73998 5170323905 7597985
323
325 Configuration files:
326 Symbols - /var/flow-tools/sym/*.
327 Tag - /var/flow-tools/cfg/tag.cfg.
328
330 None known.
331
333 Mark Fullmer maf@splintered.net
334
336 flow-tools(1)
337 flow-tag(1)