1nfdump(1) nfdump(1)
2
6 nfdump - netflow display and analyze program
7
9 nfdump [options] [filter]
10
12 nfdump is the netflow display and analyzing program of the nfdump tool
13 set. It reads the netflow data from files stored by nfcapd and pro‐
14 cesses the flows according the options given. The filter syntax is com‐
15 parable to tcpdump and extended for netflow data. Nfdump can also dis‐
16 play many different top N flow and flow element statistics.
17
20 -r inputfile
21 Read input data from inputfile. Default is read from stdin.
22 -R expr
24 Read input from a sequence of files in the same directory. expr may
25 be one of:
26 /any/dir Read recursively all files in directory dir.
27 /dir/file Read all files beginning with file.
28 /dir/file1:file2 Read all files from file1 to file2.
29 When using in combination with a sub hierarchy:
31 /dir/sub1/sub2/file1:sub3/sub4/file2
32 Read all files from sub1/sub2/file1 sub3/sub4/file2 iterating over
33 all required hierarchy levels.
34 Note: files are read in alphabetical sequence.
36 -M expr
38 Read input from multiple directories. expr looks like:
39 /any/path/to/dir1:dir2:dir3 etc. and will be expanded to the direc‐
40 tories: /any/path/to/dir1, /any/path/to/dir2 and /any/path/to/dir3
41 Any number of colon separated directories may be given. The files to
42 read are specified by -r or -R and are expected to exist in all the
43 given directories. The options -r and -R must not contain any
44 directory part when used in conjunction with -M.
45 -m deprecated option. Use -O tstart instead.
47 -O order
49 Set sort order to print flows or aggregated flows. order can be:
50 flows Sort according the number of flows
51 packets Sort according to (in)packets
52 ipkg Same as packets
53 opkg Sort according to output packets
54 bytes Sort according to (in)bytes
55 ibyte Same as bytes
56 obyte Sort according to output bytes
57 pps Sort according to (in)packets per second
58 ipps Same as ipps
59 opps Sort according to out packets per second
60 bps Sort according to (in)bytes per second
61 ibps Same as bps
62 obps Sort according to output bytes per second
63 bpp Sort according to (in)bytes per packet
64 ibpp Same as bpp
65 obpp Sort according to output packets
66 tstart Sort according to start time of flow - former -m
67 tend Sort according to end time of flows
68 -w outputfile
70 If specified writes binary netflow records to outputfile ready to be
71 processed again with nfdump. The default output is ASCII on stdout.
72 In combination with options -m, -a, -b, and -B write aggregated
73 and/or sorted flow cache in binary format to disk.
74 -f filterfile
76 Reads the filter syntax from filterfile. Note: Any filter specified
77 directly on the command line takes precedence over -f.
78 -t timewin
80 Process only flows, which fall in the time window timewin, where
81 timewin is YYYY/MM/dd.hh:mm:ss[-YYYY/MM/dd.hh:mm:ss]. Any parts of
82 the time spec may be omitted e.g YYYY/MM/dd expands to
83 YYYY/MM/dd.00:00:00-infinity and processes all flow from a given day
84 onwards. The time window may also be specified as +/- n. In this
85 case it is relativ to the beginning or end of all flows. +10 means
86 the first 10 seconds of all flows, -10 means the last 10 seconds of
87 all flows.
88 -c num
90 Limit the number of records to read and process from file(es) to the
91 first num flows.
92 -a Aggregate netflow data. Automatically implies -a. Aggregation is
94 done at connection level by taking the 5-tuple protocol, srcip,
95 dstip, srcport and dstport.
96 -A aggregation
98 Similar to Flexible Netflow (FNF), netflow records can be aggregated
99 by any number of given v9 fields. aggregation is a ',' separated
100 list of recognised tags of the following list:
101 proto IP protocol
102 srcip Source IP address
103 dstip Destination IP address
104 srcip4/net IPv4 source IP address with applied netmask
105 srcip6/net IPv6 source IP address with applied netmask
106 dstip4/net IPv4 destination IP address with applied netmask
107 dstip6/net IPv6 destination IP address with applied netmask
108 srcnet Apply netmask srcmask in netflow record for source IP
109 dstnet Apply netmask dstmask in netflow record for dest IP
110 srcport Source port
111 dstport Destination port
112 srcmask Source mask
113 dstmask Destination mask
114 srcvlan Source vlan label
115 dstvlan Destination vlan label
116 srcas Source AS number
117 dstas Destination AS number
118 nextas BGP Next AS
119 prevas BGP Previous AS
120 inif SNMP input interface number
121 outif SNMP output interface number
122 next IP next hop
123 bgpnext BGP next hop
124 insrcmac In source MAC address
125 outdstmac out destination MAC address
126 indstmac In destintation MAC address
127 outsrcmac Out source MAC address
128 tos Source type of service
129 srctos Source type of Service
130 dsttos Destination type of Service
131 mpls1 MPLS label 1
132 mpls2 MPLS label 2
133 mpls3 MPLS label 3
134 mpls4 MPLS label 4
135 mpls5 MPLS label 5
136 mpls6 MPLS label 6
137 mpls7 MPLS label 7
138 mpls8 MPLS label 8
139 mpls9 MPLS label 9
140 mpls10 MPLS label 10
141 router Exporting router IP
142 xsrcip X-late source IP address, if compiled with NSEL support
143 xdstip X-late destination IP address, if compiled with NSEL
144 support
145 xsrcport X-late source port, if compiled with NSEL support
146 xdstport X-late destination port, if compiled with NSEL support
147 nfdump automatically compiles an appropriate output format for the
149 selected aggregation unless an explicit output format is given. The
150 automatic output format is identical to -o 'fmt:%ts %td <fields>
151 %pkt %byt %bps %bpp %fl' where <fields> represents the selected
152 aggregation tags.
153 Example:
155 -A proto,srcip,dstport
156 -A srcas,dstas
158 -b Aggregate netflow records as bidirectional flows. Automatically
160 implies -a. Aggregation is done on connection level by taking the
161 5-tuple protocol, srcip, dstip, srcport and dstport, or the reverse
162 order for the corresponding connection flow. Input and output pack‐
163 ets/bytes are counted and reported separate. Both flows are merged
164 into a single record. An appropriate output format is selected auto‐
165 matically, which may be overwritten by any -o format option.
166 -B Like -b but automagically swaps flows if src port is < dst port as
168 some exporters do not care sending the flows in proper order. It's
169 considered to be a convenient option. Please note - for some peer-
170 to-peer flows this my lead to errornous swapping.
171 -I Print flow statistics from file specified by -r, or timeslot speci‐
173 fied by -R/-M.
174 -D dns
176 Set dns as nameserver to lookup hostnames.
177 -s statistic[:p][/orderby]
179 Generate the Top N flow or flow element statistic. statistic can be:
180 record Statistic about arregated netflow records.
181 srcip Statistic about source IP addresses
182 dstip Statistic about destination IP addresses
183 ip Statistic about any (source or destination) IP addresses
184 nhip Statistic about next hop IP addresses
185 nhbip Statistic about BGP next hop IP addresses
186 router Statistic about exporting router IP address
187 srcport Statistic about source ports
188 dstport Statistic about destination ports
189 port Statistic about any (source or destination) ports
190 tos Statistic about type of service - default src
191 srctos Statistic about src type of service
192 dsttos Statistic about dst type of service
193 dir Statistic about flow directions ingress/egress
194 srcas Statistic about source AS numbers
195 dstas Statistic about destination AS numbers
196 as Statistic about any (source or destination) AS numbers
197 inif Statistic about input interface
198 outif Statistic about output interface
199 if Statistic about any interface
200 srcmask Statistic about src mask
201 dstmask Statistic about dst mask
202 srcvlan Statistic about src vlan label
203 dstvlan Statistic about dst vlan label
204 vlan Statistic about any vlan label
205 insrcmac Statistic about input src MAC address
206 outdstmac Statistic about output dst MAC address
207 indstmac Statistic about input dst MAC address
208 outsrcmac Statistic about output src MAC address
209 srcmac Statistic about any src MAC address
210 dstmac Statistic about any dst MAC address
211 inmac Statistic about any input MAC address
212 outmac Statistic about any output MAC address
213 mask Statistic about any mask
214 proto Statistic about IP protocols
215 mpls1 Statistic about MPLS label 1
216 mpls2 Statistic about MPLS label 2
217 mpls3 Statistic about MPLS label 3
218 mpls4 Statistic about MPLS label 4
219 mpls5 Statistic about MPLS label 5
220 mpls6 Statistic about MPLS label 6
221 mpls7 Statistic about MPLS label 7
222 mpls8 Statistic about MPLS label 8
223 mpls9 Statistic about MPLS label 9
224 mpls10 Statistic about MPLS label 10
225 sysid Internal SysID of exporter
226 NSEL/ASA stats
228 event NSEL/ASA event
229 xevent NSEL/ASA extended event
230 xsrcip NSEL/ASA translated src IP address
231 xsrcport NSEL/ASA translated src port
232 xdstip NSEL/ASA translated dst IP address
233 xdstport NSEL/ASA translated dst port
234 iacl NSEL/ASA ingress ACL
235 iace NSEL/ASA ingress ACE
236 ixace NSEL/ASA ingress xACE
237 eacl NSEL/ASA egress ACL
238 eace NSEL/ASA egress ACE
239 exace NSEL/ASA egress xACE
240 NAT stats
242 nevent NAT event
243 vrf/ivrf NAT ingress vrf
244 evrf NAT egress vrf
245 nsrcip NAT src IP address
246 nsrcport NAT src port
247 ndstip NAT dst IP address
248 ndstport NAT dst port
249 By adding :p to the statistic name, the resulting statistic is split
251 up into transport layer protocols. Default is transport protocol
252 independent statistics.
253 orderby is optional and specifies the order by which the statistics
255 is ordered and can be flows, packets, bytes, pps, bps or bpp. You
256 may specify more than one orderby which results in the same statis‐
257 tic but ordered differently. If no orderby is given, statistics are
258 ordered by flows. You can specify as many -s flow element statis‐
259 tics on the command line for the same run.
260 Example:
262 -s srcip -s ip/flows -s dstport/pps/packets/bytes -s record/bytes
263 -l [+/-]packet_num
265 Limit statistics output to those records above or below the
266 packet_num limit. packet_num accepts positive or negative numbers
267 followed by 'K' , 'M' or 'G' 10E3, 10E6 or 10E9 flows respectively.
268 See also note at -L
269 -L [+/-]byte_num
271 Limit statistics output to those records above or below the byte_num
272 limit. byte_num accepts positive or negative numbers followed by 'K'
273 , 'M' or 'G' 10E3, 10E6 or 10E9 bytes respectively. Note: These lim‐
274 its only apply to the statistics and aggregated outputs generated
275 with -a -s. To filter netflow records by packets and bytes, use the
276 filter syntax 'packets' and 'bytes' described below.
277 -n num
279 For record statistics (-s .. ): Define the number for the Top N.
280 Defaults to 10. Use -n 0 to list all records.
281 For record sorting and aggregation (-a .. -O ..): Limit the records
282 to the first top num sorted records. if not specified or -n 0 is
283 given, all records are listed.
284 -o format
286 Selects the output format to print flows or flow record statistics
287 (-s record). The following formats are available:
288 raw Print full flow record on multiple lines.
289 line Print each flow on one line. Default format.
290 long Print each flow on one line with more details
291 biline Same as line, but for bidir flows
292 bilong Same as long, but for bidir flows
293 extended Print each flow on one line with even more details.
294 nsel Print each NSEL event on one line. Default if NSEL/NAT
295 nel Print each NAT event on one line.
296 csv Comma separated output for machine readable processing.
297 json Print full record as separate json object
298 pipe Legacy machine readable format: fields '|' separated.
299 fmt:format User defined output format.
300 For each defined output format except -o fmt:<format> an IPv6 long
301 output format exists. line6, long6 and extended6. See output for‐
302 mats below for more information.
303 -q Suppress the header line and the statistics at the bottom.
305 -N Print plain numbers in output. Easier for post-parsing.
307 -i ident
309 Change ident label in file, specified by -r to ident
310 -v file
312 Verify file. Print data file version, number of blocks and compres‐
313 sion status.
314 -E file
316 Print exporter/sampler list found in file. In case of a nfcapd col‐
317 lector file, an additional statistics per exporter is printed with
318 number of flows, packets and sequence errors.
319 -x file
321 Scan and print extension maps located in file file
322 -j Compress flows. Use bz2 compression in output file. Space efficient
324 method
325 -y Compress flows. Use LZ4 compression in output file. Time efficient
327 method
328 -z Compress flows. Use fast LZO1X-1 compression in output file. Time
330 efficient method
331 -J num
333 Change compression for file(s) given by -r <file> or -R <dir> num: 0
334 uncompress, 1: LZO1X-1, 2: bz2, 3: LZ4 compression
335 -Z Check filter syntax and exit. Sets the return value accordingly.
337 -X Compiles the filer syntax and dumps the filter engine table to std‐
339 out. This is for debugging purpose only.
340 -V Print nfdump version and exit.
342 -h Print help text on stdout with all options and exit.
344
346 Returns
347 0 No error.
348 255 Initialization failed.
349 254 Error in filter syntax.
350 250 Internal error.
351
353 The output format raw prints each flow record on multiple lines,
354 including all information available in the record. This is the most
355 detailed view on a flow.
356 Other output formats print each flow on a single line. Predefined out‐
358 put formats are line, long and extended The output format line is the
359 default output format when no format is specified. It limits the
360 imformation to the connection details as well as number of packets,
361 bytes and flows.
362 The output format long is identical to the format line, and includes
364 additional information such as TCP flags and Type of Service.
365 The output format extended is identical to the format long, and
367 includes additional computed information such as pps, bps and bpp.
368 Fields:
370 Date flow start: Start time flow first seen. ISO 8601 format includ‐
372 ing milliseconds.
373 Duration: Duration of the flow in seconds and milliseconds. If
375 flows are aggregated, duration is the time span over the entire
376 periode of time from first seen to last seen.
377 Proto: Protocol used in the connection.
379 Src IP Addr:Port: Source IP address and source port.
381 Dst IP Addr:Port: Destination IP address and destination port. In
383 case of ICMP, port is decodes as type.code.
384 Flags: TCP flags ORed of the connection.
386 Tos: Type of service.
388 Packets: The number of packets in this flow. If flows are aggre‐
390 gated, the packets are summed up.
391 Bytes: The number of bytes in this flow. If flows are aggregated,
393 the bytes are summed up.
394 pps: The calculated packets per second: number of packets / dura‐
396 tion. If flows are aggregated this results in the average pps dur‐
397 ing this periode of time.
398 bps: The calculated bits per second: 8 * number of bytes / duration.
400 If flows are aggregated this results in the average bps during this
401 periode of time.
402 Bpp: The calculated bytes per packet: number of bytes / number of
404 packets. If flows are aggregated this results in the average bpp
405 during this periode of time.
406 Flows: Number of flows. If flows are listed only, this number is
408 always 1. If flows are aggregated, this shows the number of aggre‐
409 gated flows to one record.
410 Numbers larger than 1'000'000 (1000*1000), are scaled to 4 digits and
412 one decimal digit including the scaling factor M, G or T for cleaner
413 output, e.g. 923.4 M
414 To make the output more readable, IPv6 addresses are shrinked down to
416 16 characters. The seven most and seven least digits connected with two
417 dots '..' are displayed in any normal output formats. To display the
418 full IPv6 address, use the appropriate long format, which is the format
419 name followed by a 6.
420 Example: -o line displays an IPv6 address as 2001:23..80:d01e where as
422 the format -o line6 displays the IPv6 address in full length
423 2001:234:aabb::211:24ff:fe80:d01e. The combination of -o line -6 is
424 equivalent to -o line6.
425 The output format fmt:<format> allows you to define your own output
427 format. A format description format consists of a single line contain‐
428 ing arbitrary strings and format specifier as described below
429 %<format> Inserts the predefined format at this position. e.g. %line
431 %ff flow record flags in hex.
432 %ts Start Time - first seen
433 %tsr Start Time, but in fractional seconds since the epoch
434 (1970-01-01)
435 %te End Time - last seen
436 %ter End Time, in fractional seconds
437 %tr Time the flow was received by the collector
438 %trr Time the flow was received, in fractional seconds
439 %td Duration
440 %pr Protocol
441 %exp Exporter ID
442 %eng Engine Type/ID
443 %lbl Flowlabel
444 %sa Source Address
445 %da Destination Address
446 %sap Source Address:Port
447 %dap Destination Address:Port
448 %sp Source Port
449 %dp Destination Port
450 %sn Source Network, mask applied
451 %dn Destination Network, mask applied
452 %nh Next-hop IP Address
453 %nhb BGP Next-hop IP Address
454 %ra Router IP Address
455 %sas Source AS
456 %das Destination AS
457 %nas Next AS
458 %pas Previous AS
459 %in Input Interface num
460 %out Output Interface num
461 %pkt Packets - default input
462 %ipkt Input Packets
463 %opkt Output Packets
464 %byt Bytes - default input
465 %ibyt Input Bytes
466 %obyt Output Bytes
467 %fl Flows
468 %flg TCP Flags
469 %tos Tos - default src
470 %stos Src Tos
471 %dtos Dst Tos
472 %dir Direction: ingress, egress
473 %smk Src mask
474 %dmk Dst mask
475 %fwd Forwarding Status
476 %svln Src vlan label
477 %dvln Dst vlan label
478 %ismc Input Src Mac Addr
479 %odmc Output Dst Mac Addr
480 %idmc Input Dst Mac Addr
481 %osmc Output Src Mac Addr
482 %mpls1 MPLS label 1
483 %mpls2 MPLS label 2
484 %mpls3 MPLS label 3
485 %mpls4 MPLS label 4
486 %mpls5 MPLS label 5
487 %mpls6 MPLS label 6
488 %mpls7 MPLS label 7
489 %mpls8 MPLS label 8
490 %mpls9 MPLS label 9
491 %mpls10 MPLS label 10
492 %mpls MPLS labels 1-10
493 %bps bps - bits per second
494 %pps pps - packets per second
495 %bpp bps - Bytes per package
496 NSEL specific formats
498 %nfc NSEL connection ID
499 %evt NSEL event
500 %xevt NSEL extended event
501 %msec NSEL event time in msec
502 %iacl NSEL ingress ACL
503 %eacl NSEL egress ACL
504 %xsa NSEL XLATE src IP address
505 %xda NSEL XLATE dst IP address
506 %xsp NSEL XLATE src port
507 %xdp NSEL SLATE dst port
508 %xsap Xlate Source Address:Port
509 %xdap Xlate Destination Address:Port
510 %uname NSEL user name
511 NEL/NAT specific formats
513 %nevt NAT event - same as %evt
514 %ivrf NAT ingress VRF ID
515 %evrf NAT egress VRF ID
516 %nsa NAT src IP address
517 %nda NAT dst IP address
518 %nsp NAT src port
519 %ndp NAT dst port
520 %pbstart NAT pool block start
521 %pbend NAT pool block end
522 %pbstep NAT pool block step
523 %pbsize NAT pool block size
524 Nprobe formats
526 %cl Client latency
527 %sl Server latency
528 %al Application latency
529 The "flow flags" format (%ff) prints the internal record flags as a
532 single hexadecimal number, consisting of any of these flag values or-ed
533 together:
534 1 Record contains IPv6 addresses
536 2 Packet counters are 64-bit
537 4 Byte counters are 64-bit
538 8 IP next hop is an IPv6 address
539 16 BGP next hop is an IPv6 address
540 32 Exporting router is an IPv6 address
541 64 Record is an EVENT record
542 128 Record is sampled
543 Example: the standard output format long can be created as
545 -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl"
546 You may also define your own output format and have it compiled into
548 nfdump. See nfdump.c section Output Formats for more details.
549 The csv output format is intended to be read by another program for
551 further processing. As an example, see the parse_csv.pl Perl program.
552 The cvs output format consists of one or more output blocks and one
553 summary block. Each output block starts with a cvs index line followed
554 by the cvs record lines. The index lines describes the order, how each
555 following record is composed.
556 Example:
558 Index line: ts,te,td,sa,da,sp,dp,pr,...
559 Record line: 2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,...
560 All records are in ASCII readable form. Numbers are not scaled, so each
562 line can easily be parsed.
563 Indices used in nfdump 1.6:
565 ts,te,td time records: t-start, t-end, duration
567 sa,da src dst address sp,dp src, dst port
568 pr protocol PF_INET or PF_INET6
569 flg TCP Flags:
570 000001 FIN.
571 000010 SYN
572 000100 RESET
573 001000 PUSH
574 010000 ACK
575 100000 URGENT
576 e.g. 6 => SYN + RESET
577 fwd forwarding status
578 stos src tos
579 ipkt,ibyt input packets/bytes
580 opkt,obyt output packets, bytes
581 in,out input/output interface SNMP number
582 sas,das src, dst AS
583 smk,dmk src, dst mask
584 dtos dst tos
585 dir direction
586 nh,nhb nethop IP address, bgp next hop IP
587 svln,dvln src, dst vlan id
588 ismc,odmc input src, output dst MAC
589 idmc,osmc input dst, output src MAC
590 mpls1,mpls2 MPLS label 1-10
591 mpls3,mpls4
592 mpls5,mpls6
593 mpls7,mpls8
594 mpls9,mpls10
595 ra router IP
596 eng router engine type/id
597 See parse_csv.pl for more details.
599
601 The filter syntax is similar to the well known pcap library used by
602 tcpdump. The filter can be either specified on the command line after
603 all options or in a separate file. It can span several lines. Anything
604 after a '#' is treated as a comment and ignored to the end of the line.
605 There is virtually no limit in the length of the filter expression. All
606 keywords are case independent.
607 Any filter consists of one or more expressions expr. Any number of expr
609 can be linked together:
610 expr and expr, expr or expr, not expr and ( expr ).
612 Expr can be one of the following filter primitives:
614 include
616 @include <file>
617 include the content of <file> into filter.
618 ip version
620 inet or ipv4 for IPv4
621 inet6 or ipv6 for IPv6
622 protocol
624 proto <protocol>
625 proto <number>
626 where <protocol> is known protocol such as tcp, udp, icmp, icmp6,
627 gre, esp, ah, etc. or a valid protocol number: 6, 17 etc.
628 IP address
630 [src|dst] ip <ipaddr>
631 [src|dst] host <ipaddr>
632 with <ipaddr> as any valid IPv4, IPv6 address, or a full qualified
633 hostname. In case of a hostname, the IP address is looked up in
634 DNS. If more than a single IP address is found, all IP addresses
635 are chained together. (ip1 or ip2 or ip3 ... )
636 To check if an IP address is in a known IP list, use
638 [src|dst] ip in [ <iplist> ]
639 [src|dst] host in [ <iplist> ]
640 <iplist> is a space or comma separated list of individual <ipaddr>
641 or full qualified hostnames, which are looked up in DNS. If more
642 than a single IP address is found, all IP addresses are put into
643 the list.
644 [src|dst]
646 IP addresses, networks, ports, AS number etc. can be specifically
647 selected by using a direction qualifier, such as src or dst. They
648 can also be used in combination with and and or. such as src and
649 dst ip ...
650 network
652 [src|dst] net a.b.c.d m.n.r.s
653 Select the IPv4 network a.b.c.d with netmask m.n.r.s.
654 [src|dst] net <net>/<num>
656 with <net> as a valid IPv4 or IPv6 network and <num> as maskbits.
657 The number of mask bits must match the appropriate address familiy
658 in IPv4 or IPv6. Networks may be abbreviated such as 172.16/16 if
659 they are unambiguous.
660 Port
662 [src|dst] port [comp] <num>
663 with <num> as any valid port number. If comp is omitted,
664 '=' is assumed. comp is explained more detailed below.
665 [src|dst] port in [ <portlist> ]
666 A port can be compared against a know list, where <portlist> is a
667 space separated list of individual port numbers.
668 ICMP
670 icmp-type <num>
671 icmp-code <num>
672 with <num> as a valid icmp type/code. This automatically implies
673 proto icmp.
674 Router ID
676 engine-type <num>
677 engine-id <num>
678 sysid <num>
679 with <num> as a valid router engine type/id or exporter ID(0..255).
680 Interface
682 [in|out] if <num>
683 Select input or output or either interface ID, with num as the SNMP
684 interface number.
685 Example: in if 3
686 AS numbers
688 [src|dst|prev|next] as [comp] <num>
689 Selects source, dstination, previous, next or any AS number with
690 <num> as any valid as number. 32bit AS numbers are supported. If
691 comp is omitted, '=' is assumed. comp is explained more detailed
692 below.
693 [src|dst|prev|next] as in [ <ASlist> ]
695 An AS number can be compared against a know list, where <ASlist> is
696 a space or comma separated list of individual AS numbers.
697 Prefix mask bits
699 [src|dst] mask <bits>
700 with <bits> as any valid prefix mask bit value.
701 Vlan labels
703 [src|dst] vlan <num>
704 with <num> as any valid vlan label.
705 Flags
707 flags <tcpflags>
708 with <tcpflags> as a combination of:
709 A ACK.
710 S SYN.
711 F FIN.
712 R Reset.
713 P Push.
714 U Urgent.
715 X All flags on.
716 The ordering of the flags is not relevant. Flags not mentioned are
717 treated as don't care. In order to get those flows with only the SYN
718 flag set, use the syntax 'flags S and not flags AFRPU'.
719 Next hop IP
721 next ip <ipaddr>
722 with <ipaddr> as IPv4/IPv6 IP address of next hop router.
723 Next-hop router's IP in the BGP domain
725 bgpnext ip <ipaddr>
726 with <ipaddr> as IPv4/IPv6 next-hop router's IP in the BGP domain.
727 ( v9 #18 )
728 Router IP
730 router ip <ipaddr>
731 Filter the flows according the IP address of the exporting router.
732 MAC addresses
734 [InOutSrcDst] mac <addr>
735 With <addr> any valid MAC address. mac can be more specific speci‐
736 fied by using any combination of a direction specifier as defined
737 by CISCO v9. in src, in dst, out src, out dst.
738 MPLS labels
740 mpls label<n> [comp] <num>
741 With <n> as any mpls label number 1..10. Filters exactly specified
742 label<n>.
743 mpls eos [comp] <num>
744 Filters End of Stack label for a given value <num>.
745 mpls exp<n> [comp] <bits>
746 Filters experimental bits of label <n> with <bits> 0..7.
747 Packets
749 packets [comp] <num> [scale]
750 To filter for netflow records with a specific packet count.
751 Example: packets > 1k
752 Bytes
754 bytes [comp] <num> [scale]
755 To filter for netflow records with a specific byte count.
756 Example: bytes 46 filters all empty IPv4 packets
757 Aggregated flows
759 flows [comp] <num> [scale]
760 To filter for netflow records with a specific number of aggregated
761 flows.
762 Type of Service (TOS)
764 [SourceDestination] tos <num>
765 With <num> 0..255. For compatibility with nfump 1.5.x: tos <num> is
766 equivalent with src tos <num>
767 Packets per second: Calculated value.
769 pps [comp] num [scale]
770 To filter for flows with specific packets per second.
771 Duration: Calculated value
773 duration [comp] num
774 To filter for flows with specific duration in milliseconds.
775 Bits per second: Calculated value.
777 bps [comp] num [scale]
778 To filter for flows with specific bytes per second.
779 Bytes per packet: Calculated value.
781 bpp [comp] num [scale]
782 To filter for flows with specific bytes per packet.
783 scale scaling factor. Maybe k m g. Factor is 1000
785 comp The following comparators are supported:
787 =, ==, >, <, EQ, LT, GT . If comp is omitted, '=' is assumed.
788 NSEL/ASA specific filters:
790 NSEL/ASA Event
792 asa event <ignore|create|term|delete|deny>
793 asa event [comp] <number>
794 select NSEL/ASA event by name or number. If given as number it can
795 be compared with a number
796 NSEL/ASA denied reason
798 asa event denied <ingress|egress|interface|nosyn>
799 Select a NSEL/ASA denied event by type
800 NSEL/ASA extended events
802 asa xevent [comp] <num>
803 Select an extended NSELL ASA event by number, or optionally com‐
804 pared by a number.
805 X-late IP addresses and ports
807 [src|dst] xip <ip>
808 Select the translated IP address
809 [src|dst] xnet <net>/<num>
811 with <net> as a valid translated IPv4 or IPv6 network and <num> as
812 maskbits. The number of mask bits must match the appropriate
813 address familiy in IPv4 or IPv6. Networks may be abbreviated such
814 as 172.16/16 if they are unambiguous.
815 [src|dst] xport <port>
817 Select the translated port
818 NSEL/ASA ingress/egress
820 ingress <ACL|ACE|XACE> [comp] number
821 Select/compare an ingress ACL
822 egress ACL [comp] <number>
824 Select/compare an egress ACL
825 NEL specific NAT filters:
827 NAT Event
829 nat event <add|delete>
830 nat event [comp] <number>
831 select NEL NAT event by name or number. If given as number it can
832 be compared with a number
833 NEL NAT ip addresses and ports
835 [src|dst] nip <ip>
836 Select the NAT IP address
837 [src|dst] nport <port>
839 Select the NAT port
840 NEL NAT vrf
842 ingress vrf <num>
843 Select the vrf
844
847 One or more specific filter expressions can be assigned a flowlabel in
848 order to identify the flow in the output according to the label. A
849 flowlabel has the form %LabelName and is appended or prepended to a
850 filter expression in braces. It may have up to 16 characters. Example:
851 (ip 8.8.8.8) %GoogleDNS. If a filter matches, with a labeled expres‐
852 sions, and that expression is in the matching filter patch, the label
853 can be printed in the output, using the %%lbl format token. See OUTPUT
854 FORMATS. Example: Add flowlabel to end of 'line' format:
855 ./nfdump -r <file> -o 'fmt:%line %lbl" ..
856 Note: A filter may have multiple matching paths - for example proto tcp
857 or ip 8.8.8.8 The shortest path which evaluates successfully, wins.
858 Other paths are skipped, which means that flowlabels are not printed in
859 not evaluated filter paths. A filter may contain multiple flowlabels.
860 The flowlabel of the last matching expression in the winning path is
861 printed. Flowlabels are most useful in large and complex filters
862 stored in one or multiple files, to better read the flow output list.
863 Example: (ip in [172.16.1.0/24]) %ISP_1 or (ip in [172.16.16.0/24])
864 %IPS_2 or %GoogleDNS((proto udp or proto tcp) and ip 8.8.8.8)
865
867 nfdump -r /and/dir/nfcapd.201107110845 -c 100 'proto tcp and ( src ip
868 172.16.17.18 or dst ip 172.16.17.19 )' Dumps the first 100 netflow
869 records which match the given filter:
870 nfdump -r /and/dir/nfcapd.201107110845 -B Map matching flows as bin-
872 directional single flow.
873 nfdump -R /and/dir/nfcapd.201107110845:nfcapd.200407110945 'host
875 192.168.1.2' Dumps all netflow records of host 192.168.1.2 from July 11
876 08:45 - 09:45
877 nfdump -M /to/and/dir1:dir2 -R nfcapd.200407110845:nfcapd.200407110945
879 -s record -n 20 Generates the Top 20 statistics from 08:45 to 09:45
880 from 3 sources
881 nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 -o extended Gen‐
883 erates the Top 20 statistics, extended output format
884 nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 'in if 5 and bps
886 > 10k' Generates the Top 20 statistics from flows coming from interface
887 5
888 nfdump -r /and/dir/nfcapd.201107110845 'inet6 and proto tcp and ( src
890 port > 1024 and dst port 80 ) Dumps all port 80 IPv6 connections to any
891 web server.
892
894 Generating the statistics for data files of a few hundred MB is no
895 problem. However be careful if you want to create statistics of several
896 GB of data. This may consume a lot of memory and can take a while. Flow
897 anonymization has moved into nfanon.
898
900 nfcapd(1), nfanon(1), nfprofile(1), nfreplay(1)
901
903 There is still the famous last bug. Please report them - all the last
904 bugs - back to me.
905 2009-09-09 nfdump(1)