1FLOW-TAG(1) FLOW-TAG(1)
2
6 flow-tag - Apply tags to flow files.
7
9 flow-tag [ -hk ] [ -b big|little ] [ -C comment ] [ -d debug_level ]
10 [ -t tag_fname ] [ -T tag_definition ] [ -v variable binding ]
11
13 The flow-tag utility is used to add or modify source and destination
14 tags in flow records. Tags are 32 bit identifiers derived from rules
15 and fields in a flow record. Tags can be used to group flows with com‐
16 mon prefixes, autonomous systems, next hops, exporter id and/or
17 input/output interface. flow-stat can be used with tagged flows to
18 produce group based reports. For example, all outbound traffic for a
19 customer where the customer is defined by a list of IP prefixes.
20
22 -b big|little
23 Byte order of output.
24 -C Comment
26 Add a comment.
27 -d debug_level
29 Enable debugging.
30 -h Display help.
32 -k Keep time from input.
34 -t tag_fname
36 Load tags from tag_name. Defaults to /etc/flow-tools/cfg/tag
37 -T active_def|
39 Use active_def as the active tag definition(s).
40 -v variable binding
42 Set a variable FOO=bar.
43 The configuration file is a collection of actions and definitions. An
45 action is triggered by a definition and a definition is invoked only if
46 listed with the -T flag. Lines begining with # are treated as comments
47 and ignored.
48 Words in the configuration file of the form @VAR or @{VAR:default} will
50 be expanded at run-time by setting variable names with the -v option.
51 tag-action command Description/Example
53 ----------------------------------------------------------------------
54 tag-action Begin tag-action section
55 tag-action foo
56 type Configure the type of action, one of
58 source-prefix, destination-prefix, prefix,
59 source-as, destination-as, as, next-hop,
60 tcp-source-port, tcp-destination-port,
61 tcp-port, udp-source-port,
62 udp-destination-port, udp-port,
63 tos, exporter, source-ip-address,
64 destination-ip-address, ip-address,
65 input-interface, output-interface,
66 interface, any.
67 type src-prefix
68 match Match criteria. The match condition
70 depends on the type. Following the
71 match condition is one of
72 set-destination, set-source,
73 or-destination, or-source to
74 set or logically or a value to the
75 source or destination tag.
76 match 128.146/16 set-destination 0x010001
77 Multiple actions may match and set tags on the same flow. Note that
79 listing many actions will cause tags to be applied in O(actions) time.
80 The actions try to run in O(1) time. For example if 10 prefixes are
81 listed in a single action it will take about the same CPU as if 100
82 prefixes are used. Listing 100 actions will require 100 times the
83 CPU as 1 action.
84 tag-action types Description
87 ----------------------------------------------------------------------
88 source-prefix Source Prefix
90 destination-prefix Destination Prefix
92 prefix Source or Destination Prefix
94 source-as Source AS
96 destination-as Destination AS
98 as Source or Destination AS
100 next-hop IP Next Hop
102 tcp-source-port TCP Source Port
104 tcp-destination-port TCP Destination Port
106 tcp-port TCP Source or Destination Port
108 udp-source-port UDP Source Port
110 udp-destination-port UDP Destination Port
112 udp-port UDP Source or Destination Port
114 tos Type of Service
116 exporter Exporter IP Address
118 source-ip-address Source IP Address
120 destination-ip-address Destination IP Address
122 ip-address Source or Destination IP Address
124 input-interface Input Interface
126 output-interface Output Interface
128 interface Input or Output Interface
130 any Match any flows
132 tag-action matches Description
135 ----------------------------------------------------------------------
136 set-destination Set the destination tag, replacing
138 any previous tag.
139 set-source Set the source tag, replacing any
141 previous tag.
142 or-destination Logically or this value to the
144 existing destination tag
145 or-source Logically or this value to the
147 existing source tag
148 A definition lists a set of actions which are evaluated if the filter
152 criteria is met. Each definition is built with terms. A term has its
153 action(s) evaluated if the filter is passed.
154 definition command Description/Example
156 -----------------------------------------------------------------------
157 tag-definition Begin tag-defintion secrion
158 tag-definition bar
159 term Begin a list of actions to be
161 evaluated that match the filter
162 rule.
163 term
164 input-filter List of input ifIndexes the flow
166 must match.
167 input-filter 1,2,3,4
168 output-filter List of output ifIndexes the flow
170 must match.
171 output-filter 1,2,3,4
172 exporter IP address of exporter the flow must
174 match.
175 exporter 1.2.3.4
176 action Name of action to evaluate. Actions
178 are evaluated in the order they
179 appear in a definition.
180 action foo
181
184 The meaning of a tag is user defined. The following example uses 16
185 bits of a tag as a customer ID and 4 bits as a customer type. flow-
186 xlate can be used to apply a mask to these fields.
187 # file: gigapop-tags
189 # tag format
190 #
191 # 0 7 15 23 31
192 # 0000 0000 0000 0000 0000 0000 0000 0000 (32 bits)
193 # RRRRRRRRRRRRRR TTTT NNNNNNNNNNNNNNNNNNN
194 # | | | Site name
195 # | | Site type
196 # | Reserved
197 #
198 #
199 # SITE_NAME_MASK = 0x0000FFFF
200 # SITE_TYPE_MASK = 0x00FF0000
201 #
202 # ID Name
203 #---------------------------------
204 # 0x0001 OSU
205 # 0x0002 CWRU
206 # 0x0003 BGSU
207 # ... etc
208 # 0x0019 MULTICAST
209 #
210 # ID Type
211 #------------------------
212 # 0x01 Participant
213 # 0x02 SEGP
214 # 0x03 Sponsored-Participant
215 # 0x04 Gigapop
216 # 0x05 MULTICAST
217 tag-action OHIO-GIGAPOP_DST
219 type destination-prefix
220 # OSU
221 match 128.146/16 set-destination 0x010001
222 match 164.107/16 set-destination 0x010001
223 match 140.254/16 set-destination 0x010001
224 match 192.153.26/24 set-destination 0x010001
225 # CWRU
226 match 129.22/16 set-destination 0x010002
227 match 192.5.110/24 set-destination 0x010002
228 # BGSU
229 match 129.1/16 set-destination 0x010003
230 # ...etc
231 # MULTICAST
232 match 224/4 set-destination 0x050019
233 tag-action OHIO-GIGAPOP_SRC
235 type source-prefix
236 # OSU
237 match 128.146/16 set-source 0x010001
238 match 164.107/16 set-source 0x010001
239 match 140.254/16 set-source 0x010001
240 match 192.153.26/24 set-source 0x010001
241 # CWRU
242 match 129.22/16 set-source 0x010002
243 match 192.5.110/24 set-source 0x010002
244 # BGSU
245 match 129.1/16 set-source 0x010003
246 # ...etc
247 tag-action OTHER_DST
249 type destination-prefix
250 match 0/0 set-destination 0x0
251 tag-action OTHER_SRC
253 type source-prefix
254 match 0/0 set-source 0x0
255 tag-definition OHIO-GIGAPOP
257 term
258 # Abilene interface
259 input-filter 25
260 # clear tag first -- it defaults to 0, so this may not be necessary.
261 action OTHER_DST
262 action OHIO-GIGAPOP_DST
263 term
264 # Abilene interface
265 output-filter 25
266 # clear tag first -- it defaults to 0, so this may not be necessary.
267 action OTHER_SRC
268 action OHIO-GIGAPOP_SRC
269 First populate /etc/flow-tools/sym/tag for flow-stat to use as symbols.
272 0x0001 OSU
274 0x0002 CWRU
275 0x0003 BGSU
276 0x0019 MULTICAST
277 0x010000 PART
278 0x020000 SEGP
279 0x030000 SPART
280 0x040000 GIGAPOP
281 0x050000 MULTICAST
282 To generate a report for outgoing traffic to Abilene based on customer
285 ID:
286 flow-cat flows | flow-filter -I25 | flow-tag -t gigapop-tags -TOHIO-GIGAPOP | flow-xlate -t0x0000FFFF | flow-stat -n -f30 -S2
288 # --- ---- ---- Report Information --- --- ---
291 #
292 # Fields: Total
293 # Symbols: Enabled
294 # Sorting: Descending Field 2
295 # Name: Source Tag
296 #
297 # Args: ../flow-stat -n -f30 -S2
298 #
299 #
300 # Src Tag flows octets packets
301 #
302 OSU 4942230 181326237007 302476793
303 CWRU 874883 54358312807 70589318
304 BGSU 1008797 7600209852 22060870
305 To generate a report for inbound traffic from Abilene based on customer
308 type:
309 flow-cat flows | flow-filter -i25 | flow-tag -t gigapop-tags -TOHIO-GIGAPOP | flow-xlate -T0xFF0000 | flow-stat -n -f31 -S2
311 # --- ---- ---- Report Information --- --- ---
314 #
315 # Fields: Total
316 # Symbols: Enabled
317 # Sorting: Descending Field 2
318 # Name: Destination Tag
319 #
320 # Args: ../flow-stat -n -f31 -S2
321 #
322 #
323 # Dst Tag flows octets packets
324 #
325 PART 15923156 663289954569 981163979
326 SEGP 4995795 135525076170 196534917
327 MULTICAST 45171 49866825003 137798118
328 GIGAPOP 942209 26422533266 23199961
329 SPART 73998 5170323905 7597985
330
333 Configuration files: Symbols - /etc/flow-tools/sym/*. Tag - /etc/flow-
334 tools/cfg/tag.cfg.
335
337 None known.
338
340 Mark Fullmer <maf@splintered.net>
341
343 flow-tools(1)
344 26 Август 2010 FLOW-TAG(1)