FLOW-TAG(1)                                                        FLOW-TAG(1)

NAME

       flow-tag - Apply tags to flow files.

SYNOPSIS

       flow-tag [ -hk ] [ -b big|little ] [ -C comment ] [ -d debug_level ]
       [ -t tag_fname ] [ -T tag_definition ] [ -v variable binding ]

DESCRIPTION

       The flow-tag utility is used to add or modify source and destination
       tags in flow records. Tags are 32-bit identifiers derived from rules
       and fields in a flow record. Tags can be used to group flows with
       common prefixes, autonomous systems, next hops, exporter id and/or
       input/output interface. flow-stat can be used with tagged flows to
       produce group based reports, for example a report of all outbound
       traffic for a customer, where the customer is defined by a list of IP
       prefixes.

OPTIONS

       -b big|little
              Byte order of output.

       -C Comment
              Add a comment.

       -d debug_level
              Enable debugging.

       -h     Display help.

       -k     Keep time from input.

       -t tag_fname
              Load tags from tag_fname. Defaults to /etc/flow-tools/cfg/tag

       -T active_def|
              Use active_def as the active tag definition(s).

       -v variable binding
              Set a variable FOO=bar.

       The configuration file is a collection of actions and definitions. An
       action is triggered by a definition and a definition is invoked only if
       listed with the -T flag. Lines beginning with # are treated as comments
       and ignored.

       Words in the configuration file of the form @VAR or @{VAR:default} will
       be expanded at run-time by setting variable names with the -v option.

       tag-action command            Description/Example
       ----------------------------------------------------------------------
       tag-action                    Begin tag-action section
                                     tag-action foo

       type                          Configure the type of action, one of
                                     source-prefix, destination-prefix, prefix,
                                     source-as, destination-as, as, next-hop,
                                     tcp-source-port, tcp-destination-port,
                                     tcp-port, udp-source-port,
                                     udp-destination-port, udp-port,
                                     tos, exporter, source-ip-address,
                                     destination-ip-address, ip-address,
                                     input-interface, output-interface,
                                     interface, any.
                                     type src-prefix

       match                         Match criteria.  The match condition
                                     depends on the type.  Following the
                                     match condition is one of
                                     set-destination, set-source,
                                     or-destination, or-source to
                                     set or logically or a value to the
                                     source or destination tag.
                                     match 128.146/16 set-destination 0x010001

       Multiple actions may match and set tags on the same flow. Note that
       listing many actions will cause tags to be applied in O(actions) time.
       The actions try to run in O(1) time. For example, if 10 prefixes are
       listed in a single action it will take about the same CPU as if 100
       prefixes are used. Listing 100 actions will require 100 times the
       CPU as 1 action.

       tag-action types                    Description
       ----------------------------------------------------------------------
       source-prefix                       Source Prefix
       destination-prefix                  Destination Prefix
       prefix                              Source or Destination Prefix
       source-as                           Source AS
       destination-as                      Destination AS
       as                                  Source or Destination AS
       next-hop                            IP Next Hop
       tcp-source-port                     TCP Source Port
       tcp-destination-port                TCP Destination Port
       tcp-port                            TCP Source or Destination Port
       udp-source-port                     UDP Source Port
       udp-destination-port                UDP Destination Port
       udp-port                            UDP Source or Destination Port
       tos                                 Type of Service
       exporter                            Exporter IP Address
       source-ip-address                   Source IP Address
       destination-ip-address              Destination IP Address
       ip-address                          Source or Destination IP Address
       input-interface                     Input Interface
       output-interface                    Output Interface
       interface                           Input or Output Interface
       any                                 Match any flows

       tag-action matches                  Description
       ----------------------------------------------------------------------
       set-destination                     Set the destination tag, replacing
                                           any previous tag.

       set-source                          Set the source tag, replacing any
                                           previous tag.

       or-destination                      Logically or this value to the
                                           existing destination tag

       or-source                           Logically or this value to the
                                           existing source tag

       A definition lists a set of actions which are evaluated if the filter
       criteria are met. Each definition is built with terms. A term has its
       action(s) evaluated if the filter is passed.

       definition command                  Description/Example
       -----------------------------------------------------------------------
       tag-definition                      Begin tag-definition section
                                           tag-definition bar

       term                                Begin a list of actions to be
                                           evaluated that match the filter
                                           rule.
                                           term

       input-filter                        List of input ifIndexes the flow
                                           must match.
                                           input-filter 1,2,3,4

       output-filter                       List of output ifIndexes the flow
                                           must match.
                                           output-filter 1,2,3,4

       exporter                            IP address of exporter the flow must
                                           match.
                                           exporter 1.2.3.4

       action                              Name of action to evaluate.  Actions
                                           are evaluated in the order they
                                           appear in a definition.
                                           action foo
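
       The evaluation order described above, as an added Python model (not
       part of flow-tools and not from the original page). The action names,
       the flows and the TERMS structure are constructed; only source-prefix
       and destination-prefix actions are modelled, and applying every
       matching line of an action in file order is an assumption the page
       does not state.

```python
import ipaddress

# Constructed actions in the syntax documented above; the names are made up.
ACTIONS = """\
tag-action CLEAR_DST
 type destination-prefix
 match 0/0 set-destination 0x0
tag-action SITE_DST
 type destination-prefix
 match 128.146/16 set-destination 0x0001
 match 129.22/16 set-destination 0x0002
tag-action TYPE_DST
 type destination-prefix
 match 128/7 or-destination 0x010000
"""
# One term of a definition: "input-filter 25", then three "action" lines in order.
TERMS = [{"input": {25}, "actions": ["CLEAR_DST", "SITE_DST", "TYPE_DST"]}]

def prefix(text):
    # Prefixes are written abbreviated (128.146/16); pad the missing octets.
    addr, bits = text.split("/")
    return ipaddress.ip_network(".".join((addr.split(".") + ["0"] * 3)[:4]) + "/" + bits)

def parse_actions(text):
    actions, cur = {}, None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0].startswith("#"):        # blank or comment line
            continue
        if w[0] == "tag-action":
            cur = actions[w[1]] = {"rules": []}
        elif w[0] == "type":                      # only the two prefix types are modelled
            cur["field"] = "src" if w[1] == "source-prefix" else "dst"
        elif w[0] == "match":
            cur["rules"].append((prefix(w[1]), w[2], int(w[3], 16)))
    return actions

def tag_flow(flow, actions, terms):
    tags = {"source": 0, "destination": 0}       # tags start at 0
    for term in terms:
        if any(flow[k] not in term[k] for k in ("input", "output") if k in term):
            continue                              # interface filter not met: skip the term
        for act in (actions[name] for name in term["actions"]):
            addr = ipaddress.ip_address(flow[act["field"]])
            for net, op, value in act["rules"]:
                if addr in net:
                    verb, which = op.split("-")   # "or-destination" -> ("or", "destination")
                    tags[which] = value if verb == "set" else tags[which] | value
    return tags
```

       A flow to 128.146.10.1 arriving on ifIndex 25 ends with destination
       tag 0x010001; listing TYPE_DST before SITE_DST leaves only 0x0001,
       because set-destination replaces whatever or-destination added.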

EXAMPLES

       The meaning of a tag is user defined. The following example uses 16
       bits of a tag as a customer ID and 4 bits as a customer type.
       flow-xlate can be used to apply a mask to these fields.

       # file: gigapop-tags
       # tag format
       #
       # 0       7         15        23        31
       # 0000 0000 0000 0000 0000 0000 0000 0000 (32 bits)
       # RRRRRRRRRRRRRR TTTT NNNNNNNNNNNNNNNNNNN
       #              |    |                   | Site name
       #              |    | Site type
       #              | Reserved
       #
       #
       # SITE_NAME_MASK = 0x0000FFFF
       # SITE_TYPE_MASK = 0x00FF0000
       #
       # ID             Name
       #---------------------------------
       # 0x0001         OSU
       # 0x0002         CWRU
       # 0x0003         BGSU
       # ... etc
       # 0x0019         MULTICAST
       #
       # ID             Type
       #------------------------
       # 0x01         Participant
       # 0x02         SEGP
       # 0x03         Sponsored-Participant
       # 0x04         Gigapop
       # 0x05         MULTICAST

       tag-action OHIO-GIGAPOP_DST
        type destination-prefix
       # OSU
        match 128.146/16 set-destination     0x010001
        match 164.107/16 set-destination     0x010001
        match 140.254/16 set-destination     0x010001
        match 192.153.26/24 set-destination  0x010001
       # CWRU
        match 129.22/16 set-destination      0x010002
        match 192.5.110/24 set-destination   0x010002
       # BGSU
        match 129.1/16 set-destination       0x010003
       # ...etc
       # MULTICAST
        match 224/4 set-destination 0x050019

       tag-action OHIO-GIGAPOP_SRC
        type source-prefix
       # OSU
        match 128.146/16 set-source     0x010001
        match 164.107/16 set-source     0x010001
        match 140.254/16 set-source     0x010001
        match 192.153.26/24 set-source  0x010001
       # CWRU
        match 129.22/16 set-source      0x010002
        match 192.5.110/24 set-source   0x010002
       # BGSU
        match 129.1/16 set-source       0x010003
       # ...etc

       tag-action OTHER_DST
        type destination-prefix
        match 0/0 set-destination 0x0

       tag-action OTHER_SRC
        type source-prefix
        match 0/0 set-source 0x0

       tag-definition OHIO-GIGAPOP
        term
       # Abilene interface
        input-filter 25
       # clear tag first -- it defaults to 0, so this may not be necessary.
        action OTHER_DST
        action OHIO-GIGAPOP_DST
        term
       # Abilene interface
        output-filter 25
       # clear tag first -- it defaults to 0, so this may not be necessary.
        action OTHER_SRC
        action OHIO-GIGAPOP_SRC

       First populate /etc/flow-tools/sym/tag for flow-stat to use as symbols.

       0x0001 OSU
       0x0002 CWRU
       0x0003 BGSU
       0x0019 MULTICAST
       0x010000 PART
       0x020000 SEGP
       0x030000 SPART
       0x040000 GIGAPOP
       0x050000 MULTICAST

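       A consistency check between tag values and the symbol file, added
       here as an example (not flow-tools code and not from the original
       page). It splits each tag with the two masks from the gigapop-tags
       comments and reports values the symbol list cannot name; the last two
       match lines and the function names are constructed for illustration.

```python
import re

SITE_NAME_MASK = 0x0000FFFF   # masks from the gigapop-tags header comments
SITE_TYPE_MASK = 0x00FF0000
# Symbol lines as listed on this page for /etc/flow-tools/sym/tag.
SYMBOLS = """\
0x0001 OSU
0x0002 CWRU
0x0003 BGSU
0x0019 MULTICAST
0x010000 PART
0x020000 SEGP
0x030000 SPART
0x040000 GIGAPOP
0x050000 MULTICAST
"""
# Three match lines from the page, then two constructed lines with typos.
CONFIG = """\
 match 128.146/16 set-destination     0x010001
 match 129.22/16 set-destination      0x010002
 match 224/4 set-destination 0x050019
 match 192.0.2/24 set-destination     0x010091
 match 198.51.100/24 set-destination  0x1010001
"""
MATCH = re.compile(r"\s*match\s+\S+\s+(?:set|or)-(?:source|destination)\s+(0x[0-9a-fA-F]+)")

def load_symbols(text):
    return {int(value, 16): name for value, name in map(str.split, text.splitlines())}

def split_tag(tag):
    """Return (site type bits, site name bits, bits outside both masks)."""
    return tag & SITE_TYPE_MASK, tag & SITE_NAME_MASK, tag & ~(SITE_TYPE_MASK | SITE_NAME_MASK)

def describe(tag, symbols):
    kind, name, _ = split_tag(tag)           # (site type name, site name) or None
    return symbols.get(kind), symbols.get(name)

def lint(config, symbols):
    """List (line number, problem) for tag values the symbol file cannot name."""
    problems = []
    for n, line in enumerate(config.splitlines(), 1):
        m = MATCH.match(line)
        if m:
            kind, name, extra = split_tag(int(m.group(1), 16))
            if extra:
                problems.append((n, "bits set outside both masks"))
            problems += [(n, "no symbol for 0x%x" % part)
                         for part in (kind, name) if part and part not in symbols]
    return problems
```
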
       To generate a report for outgoing traffic to Abilene based on customer
       ID:

       flow-cat flows | flow-filter -I25 | flow-tag -t gigapop-tags -TOHIO-GIGAPOP | flow-xlate -t0x0000FFFF | flow-stat -n -f30 -S2

       #  --- ---- ---- Report Information --- --- ---
       #
       # Fields:    Total
       # Symbols:   Enabled
       # Sorting:   Descending Field 2
       # Name:      Source Tag
       #
       # Args:      ../flow-stat -n -f30 -S2
       #
       #
       # Src Tag   flows                 octets                packets
       #
       OSU         4942230               181326237007          302476793
       CWRU        874883                54358312807           70589318
       BGSU        1008797               7600209852            22060870

       To generate a report for inbound traffic from Abilene based on customer
       type:

       flow-cat flows | flow-filter -i25 | flow-tag -t gigapop-tags -TOHIO-GIGAPOP | flow-xlate -T0xFF0000 | flow-stat -n -f31 -S2

       #  --- ---- ---- Report Information --- --- ---
       #
       # Fields:    Total
       # Symbols:   Enabled
       # Sorting:   Descending Field 2
       # Name:      Destination Tag
       #
       # Args:      ../flow-stat -n -f31 -S2
       #
       #
       # Dst Tag   flows                 octets                packets
       #
       PART        15923156              663289954569          981163979
       SEGP        4995795               135525076170          196534917
       MULTICAST   45171                 49866825003           137798118
       GIGAPOP     942209                26422533266           23199961
       SPART       73998                 5170323905            7597985

FILES

       Configuration files: Symbols - /etc/flow-tools/sym/*.
       Tag - /etc/flow-tools/cfg/tag.cfg.

BUGS

       None known.

AUTHOR

       Mark Fullmer <maf@splintered.net>

SEE ALSO

       flow-tools(1)

                                26 August 2010                     FLOW-TAG(1)