2
6 flow-xlate — Apply translations to selected fields of a flow.
7
9 flow-xlate [-hkn] [-b big|little] [-C comment] [-d debug_level] [-v
10 variable binding] [-V flow_version] [-x xlate_fname] [-X xlate_defi‐
11 nition] [-z z_level]
12
14 The flow-xlate utility is used to apply translations to flows. Trans‐
15 lations are defined in a configuration file and are composed of actions
16 and a definition to invoke action(s). The definitions are in the form
17 of terms, each term can have a filter and multiple actions.
18 Words in the configuration file of the form @VAR or @{VAR:default} will
20 be expanded at run-time by setting variable names with the -v option.
21 Translation actions begin with the xlate-action keyword followed by a
23 symbolic name. Each action has a type defined below.
24 Translation definitions begin with the xlate-definition keyword fol‐
26 lowed by a symbolic name. Each definition is composed of terms which
27 are evaluated in the order of the configuration file. A term may
28 invoke a filter to conditionally invoke an action.
29 Action type/sub-commands Description/Example
31 ------------------------------------------------------------------------
32 ip-source-address-to-network Zero host bits based on mask.
33 ip-destination-address-to-network Zero host bits based on mask.
34 (no sub-commands)
36 ip-source-address-to-class-network Zero source host bits to
38 match class.
39 ip-destination-address-to-class-network Zero dst host bits to
40 match class.
41 (no sub-commands)
43 ip-source-address-anonymize Anonymize source address.
45 ip-destination-address-anonymize Anonymize destination address.
46 ip-address-anonymize Anonymize src/dst address.
47 algorithm Algorithm. cryptopan-aes128 is
50 currently supported.
51 algorithm cryptopan-aes128
52 key Key. Key is 128 bits in hex.
54 key 0123456789ABCDEFG
55 key-file File to load key from. Key is
57 128 bits in hex.
58 key-file /mfstmp/secret-key
59 key-file-refresh How often to check the key file.
61 Interval is in minutes, the
62 optional second argument is
63 hour:min:sec to specify the
64 first refresh. This example
65 will load a new key every day
66 at 12:00:00.
67 14400 12:00:00
68 ip-address-privacy-mask Apply a mask to the source and
71 destination address to remove
72 bits.
73 ip-port-privacy-mask Apply a mask to the source and
75 destination port to remove
76 bits.
77 tag-mask Apply mask to the source and
79 destination tag.
80 mask Source and Destination mask
82 to apply.
83 mask 0xFFFF 0xFFFF
84 scale Scale packets and bytes.
86 scale Scale to apply.
88 scale 100
89 replace-source-as0 Replace source AS 0
91 replace-destination-as0 Replace destination AS 0
92 as AS replacement value.
94 as 3112
95
97 -b big|little
98 Byte order of output.
99 -C Comment
101 Add a comment.
102 -d debug_level
104 Enable debugging.
105 -h Display help.
107 -k Keep time from input.
109 -n Don't load configuration file. Useful only with -V
111 -v variable binding
113 Set a variable FOO=bar.
114 -V pdu_version
116 Use pdu_version format output.
117 1 NetFlow version 1 (No sequence numbers, AS, or mask)
119 5 NetFlow version 5
120 6 NetFlow version 6 (5+ Encapsulation size)
121 7 NetFlow version 7 (Catalyst switches)
122 8.1 NetFlow AS Aggregation
123 8.2 NetFlow Proto Port Aggregation
124 8.3 NetFlow Source Prefix Aggregation
125 8.4 NetFlow Destination Prefix Aggregation
126 8.5 NetFlow Prefix Aggregation
127 8.6 NetFlow Destination (Catalyst switches)
128 8.7 NetFlow Source Destination (Catalyst switches)
129 8.8 NetFlow Full Flow (Catalyst switches)
130 8.9 NetFlow ToS AS Aggregation
131 8.10 NetFlow ToS Proto Port Aggregation
132 8.11 NetFlow ToS Source Prefix Aggregation
133 8.12 NetFlow ToS Destination Prefix Aggregation
134 8.13 NetFlow ToS Prefix Aggregation
135 8.14 NetFlow ToS Prefix Port Aggregation
136 1005 Flow-Tools tagged version 5
137 -x xlate_fname
139 Translation config file name. Defaults to /var/flow-
140 tools/cfg/xlate.cfg
141 -X xlate_definition
143 Translation definition. Defaults to default.
144 -z z_level
146 Configure compression level to z_level. 0 is disabled (no
147 compression), 9 is highest compression.
148
150 Convert the version 7 flows in flows.v7 to version 5, storing the
151 result in flows.v5.
152 flow-xlate -V5 < flows.v7 > flows.v5
154 Set the low 11 bits in the IP addresses to zero unless the address is
156 multicast or it belongs to the 192.88.99/24 network.
157 # xlate.cfg
160 include-filter filter.cfg
161 xlate-action MULTICAST-PRIVACY
163 type ip-address-privacy-mask
164 mask 0xFFFFFFFF 0xFFFFFFFF
165 xlate-action UNICAST-PRIVACY
167 type ip-address-privacy-mask
168 mask 0xFFFFFF00 0xFFFFF800
169 xlate-definition abilene_privacy
171 term
172 filter mcast
173 action MULTICAST-PRIVACY
174 stop
175 term
176 filter ucast
177 action UNICAST-PRIVACY
178 # filter.cfg
181 filter-primitive MCAST
182 type ip-address-mask
183 permit 224.0.0.0 240.0.0.0
184 filter-primitive UCAST
186 type ip-address-mask
187 deny 224.0.0.0 240.0.0.0
188 default permit
189 filter-primitive SKIP
191 type ip-address-mask
192 deny 192.88.99.0 255.255.255.0
193 default permit
194 filter-definition mcast
196 match ip-destination-address MCAST
197 filter-definition ucast
199 match ip-destination-address UCAST
200 match ip-destination-address SKIP
201 match ip-source-address SKIP
202 flow-cat flows | flow-xlate -xxlate.cfg -Xabilene_privacy | flow-print
204
206 Configuration files:
207 Symbols - /var/flow-tools/sym/*.
208 Filter - /var/flow-tools/cfg/filter.cfg.
209 Xlate - /var/flow-tools/cfg/xlate.cfg.
210
212 The scale option can overflow the 32 bit flow counters. This could be
213 solved by detecting this condition and splitting the flow in two.
214 Translation between aggregated and non aggregated formats is not sup‐
216 ported.
217
219 Mark Fullmer maf@splintered.net
220
222 flow-tools(1)
223 flow-xlate(1)