FLOW-FILTER(1) FLOW-FILTER(1)

flow-filter - Filter flows.

flow-filter [ -hko ] [ -a src_as_filter ] [ -A dst_as_filter ]
[ -b big|little ] [ -C comment ] [ -D dstaddr_filter_name ]
[ -d debug_level ] [ -e exaddr_filter ] [ -f acl_fname ]
[ -i input_filter ] [ -I output_filter ] [ -p srcport_filter ]
[ -P dstport_filter ] [ -r ipprot_filter ] [ -S srcaddr_filter_name ]
[ -t tos_filter ] [ -T tcp_flags_filter ] [ -x nexthop_filter_name ]
[ -z z_level ]

The flow-filter utility will filter flows based on user selectable
criteria. The IP address filters are defined in flow.acl or by the
filename specified by -f.

Other filters such as input interface and ports are defined on the
command line. These filters accept range and negation operators, i.e.
-i1-15 for input interfaces 1 through 15 or -i1,15 for input interfaces
1 and 15, or !1,15 for not input interfaces 1 and 15.

The syntax is kludgy and needs to be reworked but works for most
applications.

-a src_as_filter
Source AS filter, i.e. -a159 to permit Autonomous System 159.

-A dst_as_filter
Destination AS filter, i.e. -A159,3112 to permit Autonomous Systems
159 and 3112.

-b big|little
Byte order of output.

-C comment
Add a comment.

-d debug_level
Enable debugging.

-D dstaddr_filter_name
Destination IP address filter. This is the name or number of a
standard access list defined in flow.acl or the file specified by -f.

-e exaddr_filter
Exporter IP address filter. One exporter address can be filtered.

-f acl_fname
Access list filename. Defaults to flow.acl.

-h Display help.

-i input_filter
Input interface filter, i.e. -i0 to permit traffic from interface 0.

-k Keep time from input.

-I output_filter
Output interface filter, i.e. -I0 to permit traffic to interface 0.

-o Logical OR instead of AND filters.

-p srcport_filter
Source port filter, i.e. -p80 to only permit source port 80.

-P dstport_filter
Destination port filter, i.e. -P80,8080 to permit destination ports
80 and 8080.

-r ipprot_filter
IP Protocol filter, i.e. -r6 to only permit TCP traffic.

-S srcaddr_filter_name
Source IP address filter. This is the name or number of a standard
access list defined in flow.acl or the file specified by -f.

-t tos_filter
ToS bits filter. An optional mask is available which is applied to
the tos field before comparing to the filter list. For example, to
match a tos bit pattern of 101xxxxx use 0xA0/0xE0.

-T tcp_flags_filter
TCP bits filter. An optional mask is available which is applied to
the TCP flags field before comparing to the filter list. For example,
to match flows with the SYN bit set use 0x2/0x2.

-x nexthop_filter_name
NextHop IP address filter. This is the name or number of a standard
access list defined in flow.acl or the file specified by -f.

-z z_level
Configure compression level to z_level. 0 is disabled (no
compression), 9 is highest compression.

Print all traffic with a destination port of 80.

flow-cat /flows/krc4 | flow-filter -P80 | flow-print

Print all traffic with source IP 10.0.0.1. Populate flow.acl with

ip access-list standard badguy permit host 10.0.0.1

flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-print

Report all destinations that IP 10.0.0.1 has sent traffic to. Sort by
octets. Populate flow.acl with

ip access-list standard badguy permit host 10.0.0.1

flow-cat /flows/krc4 | flow-filter -Sbadguy | flow-stat -f8 -S2
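
The value/mask comparison described for -t and -T, as an added shell sketch that is not part of flow-tools and not from the original page. masked_match and select_matching are hypothetical helpers, the flag and ToS bytes are constructed samples, and a bare value with no mask is assumed to be compared against all 8 bits. It shows why 0x2/0x2 also keeps flows in which ACK was seen, while widening the mask to 0x12 keeps only flows with SYN set and ACK clear.

```shell
#!/bin/sh
# Added illustration (not flow-tools code) of the value/mask test that the
# -t and -T descriptions give: mask the field first, then compare to the value.

# masked_match SPEC FIELD: succeeds when (FIELD & mask) == value.
# SPEC is "value/mask"; a bare "value" is ASSUMED to compare all 8 bits.
masked_match() {
    case $1 in
        */*) mm_value=${1%%/*}; mm_mask=${1#*/} ;;
        *)   mm_value=$1;       mm_mask=0xFF ;;
    esac
    [ $(( $2 & $mm_mask )) -eq $(( $mm_value )) ]
}

# select_matching SPEC FIELD...: prints the FIELD values the spec would keep.
select_matching() {
    sm_spec=$1; shift
    sm_out=
    for sm_field in "$@"; do
        if masked_match "$sm_spec" "$sm_field"; then
            sm_out="${sm_out:+$sm_out }$sm_field"
        fi
    done
    printf '%s\n' "$sm_out"
}

# Constructed TCP flag bytes (a NetFlow record's tcp_flags is the cumulative
# OR of the flags seen in the flow):
# 0x02 SYN, 0x12 SYN+ACK, 0x1b FIN+SYN+PSH+ACK, 0x10 ACK, 0x14 RST+ACK
FLAGS="0x02 0x12 0x1b 0x10 0x14"

# The page's SYN example keeps every flow in which SYN was seen at all.
echo "0x2/0x2   keeps: $(select_matching 0x2/0x2 $FLAGS)"
# Adding ACK (0x10) to the mask keeps only flows with SYN set and ACK clear,
# such as connection attempts that were never answered or completed.
echo "0x2/0x12  keeps: $(select_matching 0x2/0x12 $FLAGS)"

# Constructed ToS bytes against the page's 101xxxxx pattern (0xA0/0xE0).
echo "0xA0/0xE0 keeps: $(select_matching 0xA0/0xE0 0xB8 0xA0 0x28 0x00)"
```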

Extended access lists are not fully implemented. The command line
filter syntax is a kludge.

Use flow-nfilter.

Mark Fullmer <maf@splintered.net>

flow-tools(1)

11 February 2009 FLOW-FILTER(1)