nfdump(1)                                                            nfdump(1)

NAME
    nfdump - netflow display and analyze program

SYNOPSIS
    nfdump [options] [filter]

DESCRIPTION
    nfdump is the netflow display and analyzing program of the nfdump tool
    set. It reads the netflow data from files stored by nfcapd and processes
    the flows according to the options given. The filter syntax is comparable
    to tcpdump and extended for netflow data. Nfdump can also display many
    different top N flow and flow element statistics.

OPTIONS
    -r inputfile
        Read input data from inputfile. Default is read from stdin.

    -R expr
        Read input from a sequence of files in the same directory. expr may
        be one of:
            /any/dir          Read recursively all files in directory dir.
            /dir/file         Read all files beginning with file.
            /dir/file1:file2  Read all files from file1 to file2.

        When using in combination with a sub hierarchy:
            /dir/sub1/sub2/file1:sub3/sub4/file2
        Read all files from sub1/sub2/file1 to sub3/sub4/file2 iterating
        over all required hierarchy levels.

        Note: files are read in alphabetical sequence.

    -M expr
        Read input from multiple directories. expr looks like:
        /any/path/to/dir1:dir2:dir3 etc. and will be expanded to the
        directories: /any/path/to/dir1, /any/path/to/dir2 and
        /any/path/to/dir3. Any number of colon separated directories may be
        given. The files to read are specified by -r or -R and are expected
        to exist in all the given directories. The options -r and -R must
        not contain any directory part when used in conjunction with -M.

    -m  Deprecated option. Use -O tstart instead.

    -O order
        Set sort order to print flows or aggregated flows. order can be:
            flows    Sort according to the number of flows
            packets  Sort according to (in)packets
            ipkg     Same as packets
            opkg     Sort according to output packets
            bytes    Sort according to (in)bytes
            ibyte    Same as bytes
            obyte    Sort according to output bytes
            pps      Sort according to (in)packets per second
            ipps     Same as pps
            opps     Sort according to output packets per second
            bps      Sort according to (in)bytes per second
            ibps     Same as bps
            obps     Sort according to output bytes per second
            bpp      Sort according to (in)bytes per packet
            ibpp     Same as bpp
            obpp     Sort according to output bytes per packet
            tstart   Sort according to start time of flow - former -m
            tend     Sort according to end time of flows

    -w outputfile
        If specified, writes binary netflow records to outputfile ready to
        be processed again with nfdump. The default output is ASCII on
        stdout. In combination with options -m, -a, -b, and -B writes the
        aggregated and/or sorted flow cache in binary format to disk.

    -f filterfile
        Reads the filter syntax from filterfile. Note: Any filter specified
        directly on the command line takes precedence over -f.

    -t timewin
        Process only flows which fall in the time window timewin, where
        timewin is YYYY/MM/dd.hh:mm:ss[-YYYY/MM/dd.hh:mm:ss]. Any parts of
        the time spec may be omitted, e.g. YYYY/MM/dd expands to
        YYYY/MM/dd.00:00:00-infinity and processes all flows from a given
        day onwards. The time window may also be specified as +/- n. In
        this case it is relative to the beginning or end of all flows. +10
        means the first 10 seconds of all flows, -10 means the last 10
        seconds of all flows.
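
        The time window rules above, as an added Python example that is not
        part of the nfdump sources: it expands a partial YYYY/MM/dd.hh:mm:ss
        spec to its lowest values, handles the optional '-' end of the
        window, and anchors +n / -n on the first and last flow of a set.
        The function names (parse_timestamp, parse_timewin, in_window) and
        the datetime representation are this example's own choices.

```python
import re
from datetime import datetime, timedelta

# Full form is YYYY/MM/dd.hh:mm:ss; any trailing part may be omitted.
_ABS = re.compile(
    r"^(\d{4})(?:/(\d{2})(?:/(\d{2})"
    r"(?:\.(\d{2})(?::(\d{2})(?::(\d{2}))?)?)?)?)?$"
)


def parse_timestamp(spec):
    """Expand a partial timestamp. Omitted fields take their lowest
    value, so '2011/07/11' becomes 2011/07/11.00:00:00."""
    m = _ABS.match(spec)
    if not m:
        raise ValueError("bad time spec: %r" % spec)
    year, month, day, hh, mm, ss = m.groups()
    return datetime(int(year), int(month or 1), int(day or 1),
                    int(hh or 0), int(mm or 0), int(ss or 0))


def _as_datetime(value):
    return value if isinstance(value, datetime) else parse_timestamp(value)


def parse_timewin(timewin, first_seen=None, last_seen=None):
    """Return (start, end) for a -t argument; end is None for 'infinity'.
    Relative windows (+n / -n) are anchored on the first or last flow, so
    the caller passes the bounds of the flow set (datetime or spec)."""
    if timewin[0] in "+-":
        if first_seen is None or last_seen is None:
            raise ValueError("relative window needs first_seen/last_seen")
        first_seen, last_seen = _as_datetime(first_seen), _as_datetime(last_seen)
        seconds = timedelta(seconds=int(timewin[1:]))
        if timewin[0] == "+":
            return first_seen, first_seen + seconds
        return last_seen - seconds, last_seen
    if "-" in timewin:
        start, end = timewin.split("-", 1)
        return parse_timestamp(start), parse_timestamp(end)
    return parse_timestamp(timewin), None


def in_window(ts, window):
    """True if flow start ts (datetime or spec string) lies in window."""
    ts = _as_datetime(ts)
    start, end = window
    return start <= ts and (end is None or ts <= end)


if __name__ == "__main__":
    print(parse_timewin("2011/07/11"))
    print(parse_timewin("-10", "2011/07/11.08:45", "2011/07/11.09:45"))
```

        A window with no end compares as open-ended, which is what the
        "-infinity" expansion above means in practice.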

    -c num
        Limit the number of records to read and process from file(s) to the
        first num flows.

    -a  Aggregate netflow data. Aggregation is done at connection level by
        taking the 5-tuple protocol, srcip, dstip, srcport and dstport.

    -A aggregation
        Similar to Flexible Netflow (FNF), netflow records can be aggregated
        by any number of given v9 fields. aggregation is a ',' separated
        list of recognised tags of the following list:
            proto       IP protocol
            srcip       Source IP address
            dstip       Destination IP address
            srcip4/net  IPv4 source IP address with applied netmask
            srcip6/net  IPv6 source IP address with applied netmask
            dstip4/net  IPv4 destination IP address with applied netmask
            dstip6/net  IPv6 destination IP address with applied netmask
            srcnet      Apply netmask srcmask in netflow record for source IP
            dstnet      Apply netmask dstmask in netflow record for dest IP
            srcport     Source port
            dstport     Destination port
            srcmask     Source mask
            dstmask     Destination mask
            srcvlan     Source vlan label
            dstvlan     Destination vlan label
            srcas       Source AS number
            dstas       Destination AS number
            nextas      BGP Next AS
            prevas      BGP Previous AS
            inif        SNMP input interface number
            outif       SNMP output interface number
            next        IP next hop
            bgpnext     BGP next hop
            insrcmac    In source MAC address
            outdstmac   Out destination MAC address
            indstmac    In destination MAC address
            outsrcmac   Out source MAC address
            tos         Source type of service
            srctos      Source type of service
            dsttos      Destination type of service
            mpls1       MPLS label 1
            mpls2       MPLS label 2
            mpls3       MPLS label 3
            mpls4       MPLS label 4
            mpls5       MPLS label 5
            mpls6       MPLS label 6
            mpls7       MPLS label 7
            mpls8       MPLS label 8
            mpls9       MPLS label 9
            mpls10      MPLS label 10
            router      Exporting router IP
            xsrcip      X-late source IP address, if compiled with NSEL
                        support
            xdstip      X-late destination IP address, if compiled with NSEL
                        support
            xsrcport    X-late source port, if compiled with NSEL support
            xdstport    X-late destination port, if compiled with NSEL
                        support

        nfdump automatically compiles an appropriate output format for the
        selected aggregation unless an explicit output format is given. The
        automatic output format is identical to -o 'fmt:%ts %td <fields>
        %pkt %byt %bps %bpp %fl' where <fields> represents the selected
        aggregation tags.

        Example:
            -A proto,srcip,dstport

            -A srcas,dstas

    -b  Aggregate netflow records as bidirectional flows. Automatically
        implies -a. Aggregation is done on connection level by taking the
        5-tuple protocol, srcip, dstip, srcport and dstport, or the reverse
        order for the corresponding connection flow. Input and output
        packets/bytes are counted and reported separately. Both flows are
        merged into a single record. An appropriate output format is
        selected automatically, which may be overwritten by any -o format
        option.

    -B  Like -b but automagically swaps flows if src port is < dst port, as
        some exporters do not care about sending the flows in proper order.
        It's considered to be a convenient option. Please note: for some
        peer-to-peer flows this may lead to erroneous swapping.

    -I  Print flow statistics from the file specified by -r, or the
        timeslot specified by -R/-M.

    -D dns
        Set dns as nameserver to look up hostnames.

    -s statistic[:p][/orderby]
        Generate the Top N flow or flow element statistic. statistic can be:
            record     Statistic about aggregated netflow records.
            srcip      Statistic about source IP addresses
            dstip      Statistic about destination IP addresses
            ip         Statistic about any (source or destination) IP
                       addresses
            nhip       Statistic about next hop IP addresses
            nhbip      Statistic about BGP next hop IP addresses
            router     Statistic about exporting router IP address
            srcport    Statistic about source ports
            dstport    Statistic about destination ports
            port       Statistic about any (source or destination) ports
            tos        Statistic about type of service - default src
            srctos     Statistic about src type of service
            dsttos     Statistic about dst type of service
            dir        Statistic about flow directions ingress/egress
            srcas      Statistic about source AS numbers
            dstas      Statistic about destination AS numbers
            as         Statistic about any (source or destination) AS
                       numbers
            inif       Statistic about input interface
            outif      Statistic about output interface
            if         Statistic about any interface
            srcmask    Statistic about src mask
            dstmask    Statistic about dst mask
            srcvlan    Statistic about src vlan label
            dstvlan    Statistic about dst vlan label
            vlan       Statistic about any vlan label
            insrcmac   Statistic about input src MAC address
            outdstmac  Statistic about output dst MAC address
            indstmac   Statistic about input dst MAC address
            outsrcmac  Statistic about output src MAC address
            srcmac     Statistic about any src MAC address
            dstmac     Statistic about any dst MAC address
            inmac      Statistic about any input MAC address
            outmac     Statistic about any output MAC address
            mask       Statistic about any mask
            proto      Statistic about IP protocols
            mpls1      Statistic about MPLS label 1
            mpls2      Statistic about MPLS label 2
            mpls3      Statistic about MPLS label 3
            mpls4      Statistic about MPLS label 4
            mpls5      Statistic about MPLS label 5
            mpls6      Statistic about MPLS label 6
            mpls7      Statistic about MPLS label 7
            mpls8      Statistic about MPLS label 8
            mpls9      Statistic about MPLS label 9
            mpls10     Statistic about MPLS label 10
            sysid      Internal SysID of exporter

        NSEL/ASA stats
            event      NSEL/ASA event
            xevent     NSEL/ASA extended event
            xsrcip     NSEL/ASA translated src IP address
            xsrcport   NSEL/ASA translated src port
            xdstip     NSEL/ASA translated dst IP address
            xdstport   NSEL/ASA translated dst port
            iacl       NSEL/ASA ingress ACL
            iace       NSEL/ASA ingress ACE
            ixace      NSEL/ASA ingress xACE
            eacl       NSEL/ASA egress ACL
            eace       NSEL/ASA egress ACE
            exace      NSEL/ASA egress xACE

        NAT stats
            nevent     NAT event
            vrf/ivrf   NAT ingress vrf
            evrf       NAT egress vrf
            nsrcip     NAT src IP address
            nsrcport   NAT src port
            ndstip     NAT dst IP address
            ndstport   NAT dst port

        By adding :p to the statistic name, the resulting statistic is split
        up into transport layer protocols. Default is transport protocol
        independent statistics.

        orderby is optional and specifies the order by which the statistic
        is ordered and can be flows, packets, bytes, pps, bps or bpp. You
        may specify more than one orderby, which results in the same
        statistic but ordered differently. If no orderby is given,
        statistics are ordered by flows. You can specify as many -s flow
        element statistics on the command line as you like for the same
        run.

        Example:
            -s srcip -s ip/flows -s dstport/pps/packets/bytes -s record/bytes

    -l [+/-]packet_num
        Limit statistics output to those records above or below the
        packet_num limit. packet_num accepts positive or negative numbers
        followed by 'K', 'M' or 'G' (10E3, 10E6 or 10E9 flows
        respectively). See also the note at -L.

    -L [+/-]byte_num
        Limit statistics output to those records above or below the
        byte_num limit. byte_num accepts positive or negative numbers
        followed by 'K', 'M' or 'G' (10E3, 10E6 or 10E9 bytes
        respectively). Note: These limits only apply to the statistics and
        aggregated outputs generated with -a -s. To filter netflow records
        by packets and bytes, use the filter syntax 'packets' and 'bytes'
        described below.

    -n num
        For record statistics (-s ..): Define the number for the Top N.
        Defaults to 10. Use -n 0 to list all records.
        For record sorting and aggregation (-a .. -O ..): Limit the records
        to the first top num sorted records. If not specified or -n 0 is
        given, all records are listed.

    -o format
        Selects the output format to print flows or flow record statistics
        (-s record). The following formats are available:
            raw         Print full flow record on multiple lines.
            line        Print each flow on one line. Default format.
            long        Print each flow on one line with more details.
            biline      Same as line, but for bidir flows.
            bilong      Same as long, but for bidir flows.
            extended    Print each flow on one line with even more details.
            nsel        Print each NSEL event on one line. Default if
                        NSEL/NAT.
            nel         Print each NAT event on one line.
            csv         Comma separated output for machine readable
                        processing.
            json        Print full record as separate json object.
            pipe        Legacy machine readable format: fields '|'
                        separated.
            fmt:format  User defined output format.
        For each defined output format except -o fmt:<format> an IPv6 long
        output format exists: line6, long6 and extended6. See output
        formats below for more information.

    -q  Suppress the header line and the statistics at the bottom.

    -N  Print plain numbers in output. Easier for post-parsing.

    -i ident
        Change the ident label in the file specified by -r to ident.

    -v file
        Verify file. Print data file version, number of blocks and
        compression status.

    -E file
        Print exporter/sampler list found in file. In case of an nfcapd
        collector file, additional statistics per exporter are printed with
        number of flows, packets and sequence errors.

    -x file
        Scan and print extension maps located in file file.

    -j  Compress flows. Use bz2 compression in output file. Space efficient
        method.

    -y  Compress flows. Use LZ4 compression in output file. Time efficient
        method.

    -z  Compress flows. Use fast LZO1X-1 compression in output file. Time
        efficient method.

    -J num
        Change compression for file(s) given by -r <file> or -R <dir>. num:
        0 uncompress, 1: LZO1X-1, 2: bz2, 3: LZ4 compression

    -Z  Check filter syntax and exit. Sets the return value accordingly.

    -X  Compiles the filter syntax and dumps the filter engine table to
        stdout. This is for debugging purposes only.

    -V  Print nfdump version and exit.

    -h  Print help text on stdout with all options and exit.

RETURN VALUE
    Returns
        0    No error.
        255  Initialization failed.
        254  Error in filter syntax.
        250  Internal error.

OUTPUT FORMATS
    The output format raw prints each flow record on multiple lines,
    including all information available in the record. This is the most
    detailed view on a flow.

    Other output formats print each flow on a single line. Predefined
    output formats are line, long and extended. The output format line is
    the default output format when no format is specified. It limits the
    information to the connection details as well as number of packets,
    bytes and flows.

    The output format long is identical to the format line, and includes
    additional information such as TCP flags and Type of Service.

    The output format extended is identical to the format long, and
    includes additional computed information such as pps, bps and bpp.

    Fields:

    Date flow start:  Start time flow first seen. ISO 8601 format
                      including milliseconds.

    Duration:         Duration of the flow in seconds and milliseconds. If
                      flows are aggregated, duration is the time span over
                      the entire period of time from first seen to last
                      seen.

    Proto:            Protocol used in the connection.

    Src IP Addr:Port: Source IP address and source port.

    Dst IP Addr:Port: Destination IP address and destination port. In case
                      of ICMP, port is decoded as type.code.

    Flags:            TCP flags ORed of the connection.

    Tos:              Type of service.

    Packets:          The number of packets in this flow. If flows are
                      aggregated, the packets are summed up.

    Bytes:            The number of bytes in this flow. If flows are
                      aggregated, the bytes are summed up.

    pps:              The calculated packets per second: number of packets
                      / duration. If flows are aggregated this results in
                      the average pps during this period of time.

    bps:              The calculated bits per second: 8 * number of bytes /
                      duration. If flows are aggregated this results in the
                      average bps during this period of time.

    Bpp:              The calculated bytes per packet: number of bytes /
                      number of packets. If flows are aggregated this
                      results in the average bpp during this period of time.

    Flows:            Number of flows. If flows are only listed, this
                      number is always 1. If flows are aggregated, this
                      shows the number of flows aggregated into one record.

    Numbers larger than 1'000'000 (1000*1000) are scaled to 4 digits and
    one decimal digit including the scaling factor M, G or T for cleaner
    output, e.g. 923.4 M

    To make the output more readable, IPv6 addresses are shrunk down to 16
    characters. The seven leading and seven trailing digits connected with
    two dots '..' are displayed in any normal output format. To display the
    full IPv6 address, use the appropriate long format, which is the format
    name followed by a 6.

    Example: -o line displays an IPv6 address as 2001:23..80:d01e whereas
    the format -o line6 displays the IPv6 address in full length
    2001:234:aabb::211:24ff:fe80:d01e. The combination of -o line -6 is
    equivalent to -o line6.
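
    An added Python example, not nfdump's own code, that applies the field
    definitions above: an aggregated record sums packets and bytes, its
    duration runs from first seen to last seen over all merged flows,
    pps/bps/bpp follow from those totals, counters of a million or more are
    scaled with an M, G or T suffix, and IPv6 addresses are shortened to 16
    characters as -o line does. The class and function names are this
    example's own, and the flow values in the usage section are constructed.

```python
class AggregatedFlow:
    """One aggregated record as the field descriptions define it: packets
    and bytes are summed, the duration spans first seen to last seen over
    all merged flows, and pps/bps/bpp are computed from those totals."""

    def __init__(self):
        self.first_seen = None    # seconds since the epoch, fractional
        self.last_seen = None
        self.packets = 0
        self.bytes = 0
        self.flows = 0

    def add(self, first_seen, last_seen, packets, nbytes):
        """Merge one flow into the record; returns self for chaining."""
        if self.first_seen is None or first_seen < self.first_seen:
            self.first_seen = first_seen
        if self.last_seen is None or last_seen > self.last_seen:
            self.last_seen = last_seen
        self.packets += packets
        self.bytes += nbytes
        self.flows += 1
        return self

    @property
    def duration(self):
        return self.last_seen - self.first_seen

    @property
    def pps(self):
        return self.packets / self.duration if self.duration > 0 else 0.0

    @property
    def bps(self):
        return 8 * self.bytes / self.duration if self.duration > 0 else 0.0

    @property
    def bpp(self):
        return self.bytes / self.packets if self.packets > 0 else 0.0


def scale_number(n):
    """Render counters the way the normal output formats do: values of a
    million and up get one decimal and an M, G or T suffix."""
    for factor, suffix in ((10 ** 12, "T"), (10 ** 9, "G"), (10 ** 6, "M")):
        if n >= factor:
            return "%.1f %s" % (n / factor, suffix)
    return "%d" % n


def shrink_ipv6(addr):
    """Shorten an IPv6 address to 16 characters: the seven leading and
    seven trailing characters joined by '..', as -o line displays it."""
    if len(addr) <= 16:
        return addr
    return addr[:7] + ".." + addr[-7:]


if __name__ == "__main__":
    # Constructed sample: two flows of one connection, 100..110 s and 105..120 s.
    agg = AggregatedFlow().add(100.0, 110.0, 1000, 1500000)
    agg.add(105.0, 120.0, 2000, 3000000)
    print("duration %.3f pps %.1f bps %s bpp %.1f flows %d" % (
        agg.duration, agg.pps, scale_number(agg.bps), agg.bpp, agg.flows))
    print(shrink_ipv6("2001:234:aabb::211:24ff:fe80:d01e"))
```

    Note that the duration of the aggregate is 20 seconds here, not the 25
    seconds the two flow durations add up to, which is why the average pps
    and bps of an aggregated record are not the sum of the per-flow rates.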

    The output format fmt:<format> allows you to define your own output
    format. A format description consists of a single line containing
    arbitrary strings and format specifiers as described below:

        %<format>  Inserts the predefined format at this position, e.g. %line
        %ff        flow record flags in hex.
        %ts        Start Time - first seen
        %tsr       Start Time, but in fractional seconds since the epoch
                   (1970-01-01)
        %te        End Time - last seen
        %ter       End Time, in fractional seconds
        %tr        Time the flow was received by the collector
        %trr       Time the flow was received, in fractional seconds
        %td        Duration
        %pr        Protocol
        %exp       Exporter ID
        %eng       Engine Type/ID
        %lbl       Flowlabel
        %sa        Source Address
        %da        Destination Address
        %sap       Source Address:Port
        %dap       Destination Address:Port
        %sp        Source Port
        %dp        Destination Port
        %sn        Source Network, mask applied
        %dn        Destination Network, mask applied
        %nh        Next-hop IP Address
        %nhb       BGP Next-hop IP Address
        %ra        Router IP Address
        %sas       Source AS
        %das       Destination AS
        %nas       Next AS
        %pas       Previous AS
        %in        Input Interface num
        %out       Output Interface num
        %pkt       Packets - default input
        %ipkt      Input Packets
        %opkt      Output Packets
        %byt       Bytes - default input
        %ibyt      Input Bytes
        %obyt      Output Bytes
        %fl        Flows
        %flg       TCP Flags
        %tos       Tos - default src
        %stos      Src Tos
        %dtos      Dst Tos
        %dir       Direction: ingress, egress
        %smk       Src mask
        %dmk       Dst mask
        %fwd       Forwarding Status
        %svln      Src vlan label
        %dvln      Dst vlan label
        %ismc      Input Src Mac Addr
        %odmc      Output Dst Mac Addr
        %idmc      Input Dst Mac Addr
        %osmc      Output Src Mac Addr
        %mpls1     MPLS label 1
        %mpls2     MPLS label 2
        %mpls3     MPLS label 3
        %mpls4     MPLS label 4
        %mpls5     MPLS label 5
        %mpls6     MPLS label 6
        %mpls7     MPLS label 7
        %mpls8     MPLS label 8
        %mpls9     MPLS label 9
        %mpls10    MPLS label 10
        %mpls      MPLS labels 1-10
        %bps       bps - bits per second
        %pps       pps - packets per second
        %bpp       bpp - bytes per packet

    NSEL specific formats
        %nfc       NSEL connection ID
        %evt       NSEL event
        %xevt      NSEL extended event
        %msec      NSEL event time in msec
        %iacl      NSEL ingress ACL
        %eacl      NSEL egress ACL
        %xsa       NSEL XLATE src IP address
        %xda       NSEL XLATE dst IP address
        %xsp       NSEL XLATE src port
        %xdp       NSEL XLATE dst port
        %xsap      Xlate Source Address:Port
        %xdap      Xlate Destination Address:Port
        %uname     NSEL user name

    NEL/NAT specific formats
        %nevt      NAT event - same as %evt
        %ivrf      NAT ingress VRF ID
        %evrf      NAT egress VRF ID
        %nsa       NAT src IP address
        %nda       NAT dst IP address
        %nsp       NAT src port
        %ndp       NAT dst port
        %pbstart   NAT pool block start
        %pbend     NAT pool block end
        %pbstep    NAT pool block step
        %pbsize    NAT pool block size

    Nprobe formats
        %cl        Client latency
        %sl        Server latency
        %al        Application latency


    The "flow flags" format (%ff) prints the internal record flags as a
    single hexadecimal number, consisting of any of these flag values or-ed
    together:

        1    Record contains IPv6 addresses
        2    Packet counters are 64-bit
        4    Byte counters are 64-bit
        8    IP next hop is an IPv6 address
        16   BGP next hop is an IPv6 address
        32   Exporting router is an IPv6 address
        64   Record is an EVENT record
        128  Record is sampled

    Example: the standard output format long can be created as
        -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl"

    You may also define your own output format and have it compiled into
    nfdump. See nfdump.c section Output Formats for more details.

    The csv output format is intended to be read by another program for
    further processing. As an example, see the parse_csv.pl Perl program.
    The csv output format consists of one or more output blocks and one
    summary block. Each output block starts with a csv index line followed
    by the csv record lines. The index line describes the order in which
    each following record is composed.

    Example:
        Index line:  ts,te,td,sa,da,sp,dp,pr,...
        Record line: 2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,...

    All records are in ASCII readable form. Numbers are not scaled, so each
    line can easily be parsed.

    Indices used in nfdump 1.6:

        ts,te,td      time records: t-start, t-end, duration
        sa,da         src, dst address
        sp,dp         src, dst port
        pr            protocol PF_INET or PF_INET6
        flg           TCP Flags:
                          000001 FIN
                          000010 SYN
                          000100 RESET
                          001000 PUSH
                          010000 ACK
                          100000 URGENT
                      e.g. 6 => SYN + RESET
        fwd           forwarding status
        stos          src tos
        ipkt,ibyt     input packets/bytes
        opkt,obyt     output packets, bytes
        in,out        input/output interface SNMP number
        sas,das       src, dst AS
        smk,dmk       src, dst mask
        dtos          dst tos
        dir           direction
        nh,nhb        next hop IP address, bgp next hop IP
        svln,dvln     src, dst vlan id
        ismc,odmc     input src, output dst MAC
        idmc,osmc     input dst, output src MAC
        mpls1,mpls2   MPLS label 1-10
        mpls3,mpls4
        mpls5,mpls6
        mpls7,mpls8
        mpls9,mpls10
        ra            router IP
        eng           router engine type/id

    See parse_csv.pl for more details.
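
    An added Python parser for the csv layout described above; it is not
    the parse_csv.pl program from the nfdump distribution. It splits the
    output into index-line/record-line blocks, converts the numeric
    columns, and decodes the flg bit field with the table above. The sample
    output is constructed, and the 'Summary' marker line that separates the
    summary block in the sample is an assumption about the layout.

```python
# Constructed sample of -o csv output: an index line, two record lines,
# then a summary block. The values are made up; the 'Summary' marker line
# is an assumption about how the summary block is separated.
SAMPLE = """\
ts,te,td,sa,da,sp,dp,pr,flg,ipkt,ibyt
2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,192.168.1.2,10.0.0.5,53041,80,TCP,18,12,2300
2004-07-11 10:30:01,2004-07-11 10:30:01,0.000,10.0.0.5,192.168.1.2,80,53041,TCP,6,1,40
Summary
flows,bytes,packets
2,2340,13
"""

# Bit values of the csv 'flg' field, from the table above.
TCP_FLAG_BITS = ((1, "FIN"), (2, "SYN"), (4, "RESET"),
                 (8, "PUSH"), (16, "ACK"), (32, "URGENT"))

# Columns that carry numbers; every other column stays a string.
NUMERIC = {"td": float, "sp": int, "dp": int, "ipkt": int, "ibyt": int,
           "opkt": int, "obyt": int, "in": int, "out": int,
           "sas": int, "das": int, "smk": int, "dmk": int}


def decode_tcp_flags(value):
    """Expand the flg bit field into flag names, e.g. 6 -> SYN + RESET."""
    value = int(value)
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def parse_csv_output(text):
    """Split csv output into blocks. Each block begins with an index line
    naming the columns of the record lines that follow; an empty line or
    the summary marker ends the current block."""
    blocks, index, records = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower() == "summary":
            if index is not None:
                blocks.append(records)
            index, records = None, []
            continue
        fields = line.split(",")
        if index is None:
            index = fields
            continue
        if len(fields) != len(index):
            raise ValueError("field count differs from index line: %r" % line)
        record = dict(zip(index, fields))
        for column, convert in NUMERIC.items():
            if column in record:
                record[column] = convert(record[column])
        if "flg" in record:
            record["flg"] = decode_tcp_flags(record["flg"])
        records.append(record)
    if index is not None:
        blocks.append(records)
    return blocks


def bytes_by(records, column):
    """Sum input bytes per distinct value of column (e.g. 'sa')."""
    totals = {}
    for record in records:
        totals[record[column]] = totals.get(record[column], 0) + record["ibyt"]
    return totals


if __name__ == "__main__":
    flows, summary = parse_csv_output(SAMPLE)
    for flow in flows:
        print(flow["ts"], flow["sa"], flow["da"], flow["flg"], flow["ibyt"])
    print("summary:", summary[0])
    print("bytes per source:", bytes_by(flows, "sa"))
```

    Because numbers are not scaled in csv output, the converted columns can
    be summed directly, as bytes_by does per source address.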

FILTER SYNTAX
    The filter syntax is similar to the well known pcap library used by
    tcpdump. The filter can be either specified on the command line after
    all options or in a separate file. It can span several lines. Anything
    after a '#' is treated as a comment and ignored to the end of the line.
    There is virtually no limit in the length of the filter expression. All
    keywords are case independent.

    Any filter consists of one or more expressions expr. Any number of expr
    can be linked together:

        expr and expr, expr or expr, not expr and ( expr ).

    Expr can be one of the following filter primitives:

    include
        @include <file>
        Include the content of <file> into the filter.

    ip version
        inet or ipv4 for IPv4
        inet6 or ipv6 for IPv6

    protocol
        proto <protocol>
        proto <number>
        where <protocol> is a known protocol such as tcp, udp, icmp, icmp6,
        gre, esp, ah, etc. or a valid protocol number: 6, 17 etc.

    IP address
        [src|dst] ip <ipaddr>
        [src|dst] host <ipaddr>
        with <ipaddr> as any valid IPv4, IPv6 address, or a fully qualified
        hostname. In case of a hostname, the IP address is looked up in
        DNS. If more than a single IP address is found, all IP addresses
        are chained together. (ip1 or ip2 or ip3 ... )

        To check if an IP address is in a known IP list, use
        [src|dst] ip in [ <iplist> ]
        [src|dst] host in [ <iplist> ]
        <iplist> is a space or comma separated list of individual <ipaddr>
        or fully qualified hostnames, which are looked up in DNS. If more
        than a single IP address is found, all IP addresses are put into
        the list.

    [src|dst]
        IP addresses, networks, ports, AS numbers etc. can be specifically
        selected by using a direction qualifier, such as src or dst. They
        can also be used in combination with and and or, such as src and
        dst ip ...

    network
        [src|dst] net a.b.c.d m.n.r.s
        Select the IPv4 network a.b.c.d with netmask m.n.r.s.

        [src|dst] net <net>/<num>
        with <net> as a valid IPv4 or IPv6 network and <num> as maskbits.
        The number of mask bits must match the appropriate address family
        in IPv4 or IPv6. Networks may be abbreviated such as 172.16/16 if
        they are unambiguous.

    Port
        [src|dst] port [comp] <num>
        with <num> as any valid port number. If comp is omitted, '=' is
        assumed. comp is explained in more detail below.
        [src|dst] port in [ <portlist> ]
        A port can be compared against a known list, where <portlist> is a
        space separated list of individual port numbers.

    ICMP
        icmp-type <num>
        icmp-code <num>
        with <num> as a valid icmp type/code. This automatically implies
        proto icmp.

    Router ID
        engine-type <num>
        engine-id <num>
        sysid <num>
        with <num> as a valid router engine type/id or exporter ID (0..255).

    Interface
        [in|out] if <num>
        Select input or output or either interface ID, with num as the SNMP
        interface number.
        Example: in if 3

    AS numbers
        [src|dst|prev|next] as [comp] <num>
        Selects source, destination, previous, next or any AS number with
        <num> as any valid AS number. 32bit AS numbers are supported. If
        comp is omitted, '=' is assumed. comp is explained in more detail
        below.

        [src|dst|prev|next] as in [ <ASlist> ]
        An AS number can be compared against a known list, where <ASlist>
        is a space or comma separated list of individual AS numbers.

    Prefix mask bits
        [src|dst] mask <bits>
        with <bits> as any valid prefix mask bit value.

    Vlan labels
        [src|dst] vlan <num>
        with <num> as any valid vlan label.

    Flags
        flags <tcpflags>
        with <tcpflags> as a combination of:
            A  ACK
            S  SYN
            F  FIN
            R  Reset
            P  Push
            U  Urgent
            X  All flags on
        The ordering of the flags is not relevant. Flags not mentioned are
        treated as don't care. In order to get those flows with only the SYN
        flag set, use the syntax 'flags S and not flags AFRPU'.

    Next hop IP
        next ip <ipaddr>
        with <ipaddr> as IPv4/IPv6 IP address of the next hop router.

    Next-hop router's IP in the BGP domain
        bgpnext ip <ipaddr>
        with <ipaddr> as IPv4/IPv6 next-hop router's IP in the BGP domain.
        ( v9 #18 )

    Router IP
        router ip <ipaddr>
        Filter the flows according to the IP address of the exporting
        router.

    MAC addresses
        [InOutSrcDst] mac <addr>
        With <addr> any valid MAC address. mac can be specified more
        precisely by using any combination of a direction specifier as
        defined by CISCO v9: in src, in dst, out src, out dst.

    MPLS labels
        mpls label<n> [comp] <num>
        With <n> as any mpls label number 1..10. Filters exactly the
        specified label<n>.
        mpls eos [comp] <num>
        Filters the End of Stack label for a given value <num>.
        mpls exp<n> [comp] <bits>
        Filters the experimental bits of label <n> with <bits> 0..7.

    Packets
        packets [comp] <num> [scale]
        To filter for netflow records with a specific packet count.
        Example: packets > 1k

    Bytes
        bytes [comp] <num> [scale]
        To filter for netflow records with a specific byte count.
        Example: bytes 46 filters all empty IPv4 packets

    Aggregated flows
        flows [comp] <num> [scale]
        To filter for netflow records with a specific number of aggregated
        flows.

    Type of Service (TOS)
        [SourceDestination] tos <num>
        With <num> 0..255. For compatibility with nfdump 1.5.x: tos <num>
        is equivalent to src tos <num>

    Packets per second: Calculated value.
        pps [comp] num [scale]
        To filter for flows with specific packets per second.

    Duration: Calculated value
        duration [comp] num
        To filter for flows with a specific duration in milliseconds.

    Bits per second: Calculated value.
        bps [comp] num [scale]
        To filter for flows with specific bits per second.

    Bytes per packet: Calculated value.
        bpp [comp] num [scale]
        To filter for flows with specific bytes per packet.

    scale   Scaling factor. May be k, m or g. Factor is 1000.

    comp    The following comparators are supported:
            =, ==, >, <, EQ, LT, GT. If comp is omitted, '=' is assumed.
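
    A small evaluator, added here and not nfdump's own filter engine, that
    models the filter grammar above over in-memory records: and/or/not and
    parentheses, the proto, [src|dst] ip, [src|dst] port, packets, bytes
    and flags primitives, the comparators and the k/m/g scale, and the
    don't-care flag semantics that make 'flags S and not flags AFRPU'
    select SYN-only flows. Treating 'not flags X' as "none of X set" is an
    assumption chosen to reproduce the result the page states. The records
    are constructed; networks, lists and the NSEL/NAT primitives are left
    out.

```python
import operator
import re

# Constructed flow records carrying the fields the evaluator understands.
FIELDS = ("proto", "srcip", "dstip", "srcport", "dstport", "packets", "bytes", "flags")
FLOWS = [dict(zip(FIELDS, row)) for row in (
    ("tcp", "172.16.17.18", "10.1.1.1", 51000, 80, 1500, 120000, "S"),
    ("tcp", "10.1.1.1", "172.16.17.19", 80, 51000, 2, 100, "AS"),
    ("udp", "172.16.17.18", "8.8.8.8", 40000, 53, 1, 60, ""),
)]
SCALE = {"k": 1000, "m": 1000 ** 2, "g": 1000 ** 3}      # factor is 1000
COMP = {"=": operator.eq, "==": operator.eq, "eq": operator.eq,
        ">": operator.gt, "gt": operator.gt, "<": operator.lt, "lt": operator.lt}
TOKEN = re.compile(r"\(|\)|==|=|>|<|[^\s()=<>]+")


def tokenize(text):
    """Strip '#' comments and split; keywords are case independent."""
    return [t.lower() for t in TOKEN.findall(re.sub(r"#[^\n]*", "", text))]


def directed(direction, src_key, dst_key, test):
    """Apply test to the src field, the dst field, or either side when no
    direction qualifier was given."""
    keys = {"src": (src_key,), "dst": (dst_key,)}.get(direction, (src_key, dst_key))
    return lambda f: any(test(f[k]) for k in keys)


class FilterParser:
    """Recursive descent over 'expr or expr', 'expr and expr', 'not expr'
    and '( expr )', 'and' binding tighter than 'or'. Methods return
    predicates that take one flow record."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None
    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda f: l(f) or r(f))(left, self.and_expr())
        return left
    def and_expr(self):
        left = self.not_expr()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda f: l(f) and r(f))(left, self.not_expr())
        return left
    def not_expr(self):
        if self.peek() == "not":
            self.take()
            if self.peek() == "flags":   # 'not flags X' = none of X set, so the
                self.take()              # page's 'flags S and not flags AFRPU'
                want = self.flagset()    # selects flows with only SYN set
                return lambda f: not (want & set(f["flags"].lower()))
            inner = self.not_expr()
            return lambda f: not inner(f)
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        return self.primitive()
    def primitive(self):
        direction = self.take() if self.peek() in ("src", "dst") else None
        key = self.take()
        if key == "proto":
            want = self.take()
            return lambda f: f["proto"] == want
        if key in ("ip", "host"):
            want = self.take()
            return directed(direction, "srcip", "dstip", lambda v: v == want)
        if key == "port":
            return directed(direction, "srcport", "dstport", self.comparison())
        if key in ("packets", "bytes"):
            test = self.comparison()
            return lambda f: test(f[key])
        if key == "flags":               # flags not named are don't care
            want = self.flagset()
            return lambda f: want <= set(f["flags"].lower())
        raise SyntaxError("unknown primitive %r" % key)
    def flagset(self):
        letters = set(self.take() or "")
        return set("asfrpu") if "x" in letters else letters
    def comparison(self):
        # [comp] <num> [scale]: '=' if comp is omitted; scale may be glued ('1k')
        op = self.take() if self.peek() in COMP else "="
        m = re.match(r"^(\d+)([kmg])?$", self.take() or "")
        if not m:
            raise SyntaxError("number expected")
        num = int(m.group(1)) * SCALE.get(m.group(2), 1)
        if self.peek() in SCALE:
            num *= SCALE[self.take()]
        return lambda v, fn=COMP[op]: fn(v, num)


def select(flows, text):
    """Return the records in flows that match the filter text."""
    parser = FilterParser(tokenize(text))
    match = parser.or_expr()
    if parser.peek() is not None:
        raise SyntaxError("unexpected token %r" % parser.peek())
    return [f for f in flows if match(f)]
```

    A call such as select(FLOWS, "flags S and not flags AFRPU") returns only
    the first constructed record, while select(FLOWS, "flags S") also
    returns the SYN+ACK record, which is the don't-care rule at work.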

    NSEL/ASA specific filters:

    NSEL/ASA Event
        asa event <ignore|create|term|delete|deny>
        asa event [comp] <number>
        Select an NSEL/ASA event by name or number. If given as a number
        it can be compared with a number.

    NSEL/ASA denied reason
        asa event denied <ingress|egress|interface|nosyn>
        Select an NSEL/ASA denied event by type.

    NSEL/ASA extended events
        asa xevent [comp] <num>
        Select an extended NSEL ASA event by number, or optionally compared
        by a number.

    X-late IP addresses and ports
        [src|dst] xip <ip>
        Select the translated IP address.

        [src|dst] xnet <net>/<num>
        with <net> as a valid translated IPv4 or IPv6 network and <num> as
        maskbits. The number of mask bits must match the appropriate
        address family in IPv4 or IPv6. Networks may be abbreviated such
        as 172.16/16 if they are unambiguous.

        [src|dst] xport <port>
        Select the translated port.

    NSEL/ASA ingress/egress
        ingress <ACL|ACE|XACE> [comp] number
        Select/compare an ingress ACL.

        egress ACL [comp] <number>
        Select/compare an egress ACL.

    NEL specific NAT filters:

    NAT Event
        nat event <add|delete>
        nat event [comp] <number>
        Select a NEL NAT event by name or number. If given as a number it
        can be compared with a number.

    NEL NAT ip addresses and ports
        [src|dst] nip <ip>
        Select the NAT IP address.

        [src|dst] nport <port>
        Select the NAT port.

    NEL NAT vrf
        ingress vrf <num>
        Select the vrf.


FLOWLABEL
    One or more specific filter expressions can be assigned a flowlabel in
    order to identify the flow in the output according to the label. A
    flowlabel has the form %LabelName and is appended or prepended to a
    filter expression in parentheses. It may have up to 16 characters.
    Example: (ip 8.8.8.8) %GoogleDNS. If a filter matches with a labeled
    expression, and that expression is in the matching filter path, the
    label can be printed in the output using the %lbl format token. See
    OUTPUT FORMATS. Example: Add the flowlabel to the end of the 'line'
    format:
        ./nfdump -r <file> -o 'fmt:%line %lbl' ...
    Note: A filter may have multiple matching paths - for example proto tcp
    or ip 8.8.8.8. The shortest path which evaluates successfully wins.
    Other paths are skipped, which means that flowlabels are not printed
    for filter paths that were not evaluated. A filter may contain multiple
    flowlabels. The flowlabel of the last matching expression in the
    winning path is printed. Flowlabels are most useful in large and
    complex filters stored in one or multiple files, to make the flow
    output list easier to read.
    Example: (ip in [172.16.1.0/24]) %ISP_1 or (ip in [172.16.16.0/24])
    %ISP_2 or %GoogleDNS((proto udp or proto tcp) and ip 8.8.8.8)

EXAMPLES
    nfdump -r /and/dir/nfcapd.201107110845 -c 100 'proto tcp and ( src ip
    172.16.17.18 or dst ip 172.16.17.19 )'
        Dumps the first 100 netflow records which match the given filter.

    nfdump -r /and/dir/nfcapd.201107110845 -B
        Maps matching flows as bidirectional single flows.

    nfdump -R /and/dir/nfcapd.201107110845:nfcapd.200407110945 'host
    192.168.1.2'
        Dumps all netflow records of host 192.168.1.2 from July 11
        08:45 - 09:45.

    nfdump -M /to/and/dir1:dir2 -R nfcapd.200407110845:nfcapd.200407110945
    -s record -n 20
        Generates the Top 20 statistics from 08:45 to 09:45 from 3 sources.

    nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 -o extended
        Generates the Top 20 statistics, extended output format.

    nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 'in if 5 and bps
    > 10k'
        Generates the Top 20 statistics from flows coming from interface 5.

    nfdump -r /and/dir/nfcapd.201107110845 'inet6 and proto tcp and ( src
    port > 1024 and dst port 80 )'
        Dumps all port 80 IPv6 connections to any web server.

NOTES
    Generating the statistics for data files of a few hundred MB is no
    problem. However, be careful if you want to create statistics of
    several GB of data. This may consume a lot of memory and can take a
    while. Flow anonymization has moved into nfanon.

SEE ALSO
    nfcapd(1), nfanon(1), nfprofile(1), nfreplay(1)

BUGS
    There is still the famous last bug. Please report them - all the last
    bugs - back to me.



2009-09-09                                                           nfdump(1)