nfdump(1)                                                            nfdump(1)

NAME

       nfdump - netflow display and analysis program

SYNOPSIS

       nfdump [options] [filter]

DESCRIPTION

       nfdump is the netflow display and analysis program of the nfdump tool
       set. It reads the netflow data from files stored by nfcapd and
       processes the flows according to the options given. The filter syntax
       is comparable to tcpdump and extended for netflow data. nfdump can
       also display many different top N flow and flow element statistics.


OPTIONS

       -r inputfile
          Read input data from inputfile. Default is to read from stdin.

       -R expr
          Read input from a sequence of files in the same directory. expr may
          be one of:
           /any/dir          Read recursively all files in directory dir.
           /dir/file         Read all files beginning with file.
           /dir/file1:file2  Read all files from file1 to file2.

           When used in combination with a sub hierarchy:
           /dir/sub1/sub2/file1:sub3/sub4/file2
           Read all files from sub1/sub2/file1 to sub3/sub4/file2, iterating
           over all required hierarchy levels.

           Note: files are read in alphabetical order.

       -M expr
          Read input from multiple directories. expr looks like
          /any/path/to/dir1:dir2:dir3 etc. and will be expanded to the
          directories /any/path/to/dir1, /any/path/to/dir2 and
          /any/path/to/dir3. Any number of colon separated directories may be
          given. The files to read are specified by -r or -R and are expected
          to exist in all the given directories. The options -r and -R must
          not contain any directory part when used in conjunction with -M.

       -m Deprecated option. Use -O tstart instead.

       -O order[:direction]
          Set sort order to print raw or aggregated flows. Optionally add an
          order direction 'a' for ascending or 'd' for descending. order can
          be:
            by default descending:
            flows    Sort according to the number of flows
            packets  Sort according to (in)packets
            ipkg     Same as packets
            opkg     Sort according to output packets
            bytes    Sort according to (in)bytes
            ibyte    Same as bytes
            obyte    Sort according to output bytes
            pps      Sort according to (in)packets per second
            ipps     Same as pps
            opps     Sort according to output packets per second
            bps      Sort according to (in)bytes per second
            ibps     Same as bps
            obps     Sort according to output bytes per second
            bpp      Sort according to (in)bytes per packet
            ibpp     Same as bpp
            obpp     Sort according to output bytes per packet
            by default ascending:
            tstart   Sort according to start time of flow - former -m
            tend     Sort according to end time of flow

       -w outputfile
          If specified, writes binary netflow records to outputfile, ready to
          be processed again with nfdump. The default output is ASCII on
          stdout. In combination with the options -m, -a, -b, and -B, writes
          the aggregated and/or sorted flow cache in binary format to disk.

       -f filterfile
          Reads the filter syntax from filterfile. Note: any filter specified
          directly on the command line takes precedence over -f.

       -t timewin
          Process only flows which fall in the time window timewin, where
          timewin is YYYY/MM/dd.hh:mm:ss[-YYYY/MM/dd.hh:mm:ss]. Any parts of
          the time spec may be omitted, e.g. YYYY/MM/dd expands to
          YYYY/MM/dd.00:00:00-infinity and processes all flows from a given
          day onwards. The time window may also be specified as +/- n. In
          this case it is relative to the beginning or end of all flows. +10
          means the first 10 seconds of all flows, -10 means the last 10
          seconds of all flows.

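          The expansion rules above (omitted trailing parts default to zero,
          a missing end means infinity, +n/-n is relative to the first or
          last flow) worked through in Python, as an added example that is
          not nfdump's own option parser. The flow start times are
          constructed; whether the window bounds are inclusive is an
          assumption made here and not stated by the man page.

```python
"""Expand the -t timewin syntax into explicit bounds (added example, not
nfdump's own option parser)."""
from datetime import datetime, timedelta

# Accepted spellings of one side of the window, most specific first. Parts
# omitted on the right default to zero, as the man page describes.
TIMESPEC_FORMATS = (
    "%Y/%m/%d.%H:%M:%S",
    "%Y/%m/%d.%H:%M",
    "%Y/%m/%d.%H",
    "%Y/%m/%d",
    "%Y/%m",
    "%Y",
)


def parse_timespec(spec):
    """Parse one YYYY/MM/dd.hh:mm:ss spec with any trailing parts omitted."""
    for fmt in TIMESPEC_FORMATS:
        try:
            return datetime.strptime(spec, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad time spec {spec!r}")


def parse_timewin(timewin):
    """Return ('first', n) or ('last', n) for the relative +n/-n form, otherwise
    (start, end) as datetimes; end is None when the window is open-ended."""
    if timewin[:1] in ("+", "-") and timewin[1:].isdigit():
        return ("first" if timewin[0] == "+" else "last", int(timewin[1:]))
    start, sep, end = timewin.partition("-")
    return (parse_timespec(start), parse_timespec(end) if sep else None)


def in_window(ts, window, first_seen=None, last_seen=None):
    """True when flow start ts lies inside window. Relative windows need the
    first and last timestamps of the whole data set, which nfdump takes from
    the files it reads; here the caller passes them in. Bounds are treated as
    inclusive (an assumption, not stated by the man page)."""
    if window[0] == "first":
        return first_seen <= ts <= first_seen + timedelta(seconds=window[1])
    if window[0] == "last":
        return last_seen - timedelta(seconds=window[1]) < ts <= last_seen
    start, end = window
    return ts >= start and (end is None or ts <= end)


# Constructed flow start times to run the expansion against.
SAMPLE_STARTS = [
    datetime(2004, 7, 11, 10, 30, 0),
    datetime(2004, 7, 11, 23, 59, 59),
    datetime(2004, 7, 12, 0, 0, 0),
    datetime(2004, 7, 13, 8, 0, 0),
]


def select_flows(starts, timewin):
    """Keep the start times that fall into timewin, using the data set's own
    first and last flow for the relative forms."""
    window = parse_timewin(timewin)
    return [ts for ts in starts
            if in_window(ts, window, min(starts), max(starts))]


if __name__ == "__main__":
    for win in ("2004/07/11", "2004/07/11-2004/07/11.23:59:59", "+3600", "-86400"):
        print(win, "->", [ts.isoformat() for ts in select_flows(SAMPLE_STARTS, win)])
```

          "2004/07/11" keeps all four sample flows because the end is open;
          "+3600" keeps only the flow in the first hour after the earliest
          flow, and "-86400" only the flow in the last day before the latest.
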
       -c num
          Limit the number of records to read and process from file(s) to
          the first num flows.

       -a Aggregate netflow data. Aggregation is done at connection level by
          taking the 5-tuple protocol, srcip, dstip, srcport and dstport.

       -A aggregation
          Similar to Flexible Netflow (FNF), netflow records can be
          aggregated by any number of given v9 fields. aggregation is a ','
          separated list of recognised tags from the following list:
            proto      IP protocol
            srcip      Source IP address
            dstip      Destination IP address
            srcip4/net IPv4 source IP address with applied netmask
            srcip6/net IPv6 source IP address with applied netmask
            dstip4/net IPv4 destination IP address with applied netmask
            dstip6/net IPv6 destination IP address with applied netmask
            srcnet     Apply netmask srcmask in netflow record for source IP
            dstnet     Apply netmask dstmask in netflow record for dest IP
            srcport    Source port
            dstport    Destination port
            srcmask    Source mask
            dstmask    Destination mask
            srcvlan    Source vlan label
            dstvlan    Destination vlan label
            srcas      Source AS number
            dstas      Destination AS number
            nextas     BGP Next AS
            prevas     BGP Previous AS
            inif       SNMP input interface number
            outif      SNMP output interface number
            next       IP next hop
            bgpnext    BGP next hop
            insrcmac   In source MAC address
            outdstmac  Out destination MAC address
            indstmac   In destination MAC address
            outsrcmac  Out source MAC address
            tos        Source type of service
            srctos     Source type of service
            dsttos     Destination type of service
            mpls1      MPLS label 1
            mpls2      MPLS label 2
            mpls3      MPLS label 3
            mpls4      MPLS label 4
            mpls5      MPLS label 5
            mpls6      MPLS label 6
            mpls7      MPLS label 7
            mpls8      MPLS label 8
            mpls9      MPLS label 9
            mpls10     MPLS label 10
            router     Exporting router's IP
            xsrcip     X-late source IP address, if compiled with NSEL support
            xdstip     X-late destination IP address, if compiled with NSEL
                       support
            xsrcport   X-late source port, if compiled with NSEL support
            xdstport   X-late destination port, if compiled with NSEL support

          nfdump automatically compiles an appropriate output format for the
          selected aggregation unless an explicit output format is given. The
          automatic output format is identical to -o 'fmt:%ts %td <fields>
          %pkt %byt %bps %bpp %fl' where <fields> represents the selected
          aggregation tags.

          Example:
              -A proto,srcip,dstport

              -A srcas,dstas

       -b Aggregate netflow records as bidirectional flows. Automatically
          implies -a. Aggregation is done on connection level by taking the
          5-tuple protocol, srcip, dstip, srcport and dstport, or the reverse
          order for the corresponding connection flow. Input and output
          packets/bytes are counted and reported separately. Both flows are
          merged into a single record. An appropriate output format is
          selected automatically, which may be overridden by any -o format
          option.

       -B Like -b, but automatically swaps flows if src port is < dst port
          for TCP and UDP flows and src port < 1024 and dst port > 1024, as
          some exporters do not care about sending the flows in proper
          order. Other flows are not affected. It is considered to be a
          convenience option.

       -I Print flow statistics from the file specified by -r, or the
          timeslot specified by -R/-M.

       -D dns
          Set dns as nameserver to look up hostnames.

       -s statistic[:p][/orderby[:direction]]
          Generate the Top N flow or flow element statistic. statistic can
          be:
            record    Statistic about aggregated netflow records.
            srcip     Statistic about source IP addresses
            dstip     Statistic about destination IP addresses
            ip        Statistic about any (source or destination) IP addresses
            nhip      Statistic about next hop IP addresses
            nhbip     Statistic about BGP next hop IP addresses
            router    Statistic about exporting router IP address
            srcport   Statistic about source ports
            dstport   Statistic about destination ports
            port      Statistic about any (source or destination) ports
            tos       Statistic about type of service - default src
            srctos    Statistic about src type of service
            dsttos    Statistic about dst type of service
            dir       Statistic about flow directions ingress/egress
            srcas     Statistic about source AS numbers
            dstas     Statistic about destination AS numbers
            as        Statistic about any (source or destination) AS numbers
            inif      Statistic about input interface
            outif     Statistic about output interface
            if        Statistic about any interface
            srcmask   Statistic about src mask
            dstmask   Statistic about dst mask
            srcvlan   Statistic about src vlan label
            dstvlan   Statistic about dst vlan label
            vlan      Statistic about any vlan label
            insrcmac  Statistic about input src MAC address
            outdstmac Statistic about output dst MAC address
            indstmac  Statistic about input dst MAC address
            outsrcmac Statistic about output src MAC address
            srcmac    Statistic about any src MAC address
            dstmac    Statistic about any dst MAC address
            inmac     Statistic about any input MAC address
            outmac    Statistic about any output MAC address
            mask      Statistic about any mask
            proto     Statistic about IP protocols
            mpls1     Statistic about MPLS label 1
            mpls2     Statistic about MPLS label 2
            mpls3     Statistic about MPLS label 3
            mpls4     Statistic about MPLS label 4
            mpls5     Statistic about MPLS label 5
            mpls6     Statistic about MPLS label 6
            mpls7     Statistic about MPLS label 7
            mpls8     Statistic about MPLS label 8
            mpls9     Statistic about MPLS label 9
            mpls10    Statistic about MPLS label 10
            sysid     Internal SysID of exporter

            NSEL/ASA statistics
            event     NSEL/ASA event
            xevent    NSEL/ASA extended event
            xsrcip    NSEL/ASA translated src IP address
            xsrcport  NSEL/ASA translated src port
            xdstip    NSEL/ASA translated dst IP address
            xdstport  NSEL/ASA translated dst port
            iacl      NSEL/ASA ingress ACL
            iace      NSEL/ASA ingress ACE
            ixace     NSEL/ASA ingress xACE
            eacl      NSEL/ASA egress ACL
            eace      NSEL/ASA egress ACE
            exace     NSEL/ASA egress xACE

            NAT statistics
            nevent    NAT event
            vrf/ivrf  NAT ingress vrf
            evrf      NAT egress vrf
            nsrcip    NAT src IP address
            nsrcport  NAT src port
            ndstip    NAT dst IP address
            ndstport  NAT dst port

          By adding :p to the statistic name, the resulting statistic is
          split up into transport layer protocols. Default is transport
          protocol independent statistics.

          orderby is optional and specifies the order by which the statistics
          are ordered and can be flows, packets, bytes, pps, bps or bpp. You
          may specify more than one orderby, which results in the same
          statistic but ordered differently. If no orderby is given,
          statistics are ordered by flows. Optionally, add a :direction to
          the order, ':a' for ascending or ':d' for descending. By default
          all -s statistics are printed in descending order. You can specify
          as many -s flow element statistics as needed on the command line
          for the same run.

          Example:
             -s srcip -s ip/flows -s dstport/pps/packets/bytes -s record/bytes

       -l [+/-]packet_num
          Limit statistics output to those records above or below the
          packet_num limit. packet_num accepts positive or negative numbers
          followed by 'K', 'M' or 'G' for 10E3, 10E6 or 10E9 flows
          respectively. See also the note at -L.

       -L [+/-]byte_num
          Limit statistics output to those records above or below the
          byte_num limit. byte_num accepts positive or negative numbers
          followed by 'K', 'M' or 'G' for 10E3, 10E6 or 10E9 bytes
          respectively. Note: these limits only apply to the statistics and
          aggregated outputs generated with -a -s. To filter netflow records
          by packets and bytes, use the filter syntax 'packets' and 'bytes'
          described below.

       -n num
          For record statistics (-s ..): Define the number for the Top N.
          Defaults to 10. Use -n 0 to list all records.
          For record sorting and aggregation (-a .. -O ..): Limit the records
          to the first top num sorted records. If not specified or -n 0 is
          given, all records are listed.

       -o format
          Selects the output format to print flows or flow record statistics
          (-s record). The following formats are available:
            raw      Print full flow record on multiple lines.
            line     Print each flow on one line. Default format.
            long     Print each flow on one line with more details.
            biline   Same as line, but for bidir flows.
            bilong   Same as long, but for bidir flows.
            extended Print each flow on one line with even more details.
            nsel     Print each NSEL event on one line. Default if NSEL/NAT.
            nel      Print each NAT event on one line.
            csv      Comma separated output for machine readable processing.
            json     Print full record as separate json object.
            pipe     Legacy machine readable format: fields are '|' separated.
            fmt:format User defined output format.
          For each defined output format except -o fmt:<format> an IPv6 long
          output format exists: line6, long6 and extended6. See output
          formats below for more information.

       -q Be quiet. Suppress the header line and the statistics at the bottom.

       -N Print plain numbers in output. Easier for post-parsing.

       -i ident
          Change the ident label in the file specified by -r to ident.

       -v file
          Verify file. Print data file version, number of blocks and
          compression status.

       -E file
          Print the exporter/sampler list found in file. In case of a nfcapd
          collector file, additional statistics per exporter are printed with
          number of flows, packets and sequence errors.

       -x file
          Scan and print extension maps located in file file.

       -j Compress flows. Use bz2 compression in output file. Space efficient
          method.

       -y Compress flows. Use LZ4 compression in output file. Time efficient
          method.

       -z Compress flows. Use fast LZO1X-1 compression in output file. Time
          efficient method.

       -J num
          Change compression for file(s) given by -r <file> or -R <dir>. num:
          0 uncompress, 1: LZO1X-1, 2: bz2, 3: LZ4 compression.

       -Z Check filter syntax and exit. Sets the return value accordingly.

       -X Compiles the filter syntax and dumps the filter engine table to
          stdout. This is for debugging purposes only.

       -V Print nfdump version and exit.

       -h Print help text on stdout with all options and exit.


RETURN VALUE

       Returns
           0   No error.
           255 Initialization failed.
           254 Error in filter syntax.
           250 Internal error.


OUTPUT FORMATS

       The output format raw prints each flow record on multiple lines,
       including all information available in the record. This is the most
       detailed view on a flow.

       Other output formats print each flow on a single line. Predefined
       output formats are line, long and extended. The output format line is
       the default output format when no format is specified. It limits the
       information to the connection details as well as number of packets,
       bytes and flows.

       The output format long is identical to the format line, and includes
       additional information such as TCP flags and Type of Service.

       The output format extended is identical to the format long, and
       includes additional computed information such as pps, bps and bpp.

       Fields:

          Date flow start: Start time the flow was first seen. ISO 8601
          format including milliseconds.

          Duration: Duration of the flow in seconds and milliseconds. If
          flows are aggregated, duration is the time span over the entire
          period of time from first seen to last seen.

          Proto: Protocol used in the connection.

          Src IP Addr:Port: Source IP address and source port.

          Dst IP Addr:Port: Destination IP address and destination port. In
          case of ICMP, port is decoded as type.code.

          Flags: TCP flags OR-ed of the connection.

          Tos: Type of service.

          Packets: The number of packets in this flow. If flows are
          aggregated, the packets are summed up.

          Bytes: The number of bytes in this flow. If flows are aggregated,
          the bytes are summed up.

          pps: The calculated packets per second: number of packets /
          duration. If flows are aggregated this results in the average pps
          during this period of time.

          bps: The calculated bits per second: 8 * number of bytes /
          duration. If flows are aggregated this results in the average bps
          during this period of time.

          Bpp: The calculated bytes per packet: number of bytes / number of
          packets. If flows are aggregated this results in the average bpp
          during this period of time.

          Flows: Number of flows. If flows are listed only, this number is
          always 1. If flows are aggregated, this shows the number of flows
          aggregated in this one record.

       Numbers larger than 1'000'000 (1000*1000) are scaled to 4 digits and
       one decimal digit including the scaling factor M, G or T for cleaner
       output, e.g. 923.4 M.

       To make the output more readable, IPv6 addresses are shrunk down to
       16 characters. The seven leftmost and seven rightmost digits connected
       with two dots '..' are displayed in any normal output format. To
       display the full IPv6 address, use the appropriate long format, which
       is the format name followed by a 6.

       Example: -o line displays an IPv6 address as 2001:23..80:d01e where
       the format -o line6 displays the IPv6 address in full length
       2001:234:aabb::211:24ff:fe80:d01e. The combination of -o line -6 is
       equivalent to -o line6.

       The output format fmt:<format> allows you to define your own output
       format. A format description consists of a single line containing
       arbitrary strings and format specifiers as described below:

          %<format> Inserts the predefined format at this position, e.g. %line
          %ff       Flow record flags in hex.
          %nfv      Netflow/Sflow/Event record version.
          %ts       Start Time - first seen
          %tsr      Start Time, in fractional seconds since the epoch
                    (1970-01-01)
          %te       End Time - last seen
          %ter      End Time, in fractional seconds
          %tr       Time the flow was received by the collector
          %trr      Time the flow was received, in fractional seconds
          %td       Duration
          %pr       Protocol
          %exp      Exporter ID
          %eng      Engine Type/ID
          %lbl      Flowlabel
          %sa       Source Address
          %da       Destination Address
          %sap      Source Address:Port
          %dap      Destination Address:Port
          %sp       Source Port
          %dp       Destination Port
          %sn       Source Network, mask applied
          %dn       Destination Network, mask applied
          %nh       Next-hop IP Address
          %nhb      BGP Next-hop IP Address
          %ra       Router IP Address
          %sas      Source AS
          %das      Destination AS
          %nas      Next AS
          %pas      Previous AS
          %in       Input Interface num
          %out      Output Interface num
          %pkt      Packets - default input
          %ipkt     Input Packets
          %opkt     Output Packets
          %byt      Bytes - default input
          %ibyt     Input Bytes
          %obyt     Output Bytes
          %fl       Flows
          %flg      TCP Flags
          %tos      Tos - default src
          %stos     Src Tos
          %dtos     Dst Tos
          %dir      Direction: ingress, egress
          %smk      Src mask
          %dmk      Dst mask
          %fwd      Forwarding Status
          %bfd      BiFlow Direction
          %svln     Src vlan label
          %dvln     Dst vlan label
          %ismc     Input Src Mac Addr
          %odmc     Output Dst Mac Addr
          %idmc     Input Dst Mac Addr
          %osmc     Output Src Mac Addr
          %mpls1    MPLS label 1
          %mpls2    MPLS label 2
          %mpls3    MPLS label 3
          %mpls4    MPLS label 4
          %mpls5    MPLS label 5
          %mpls6    MPLS label 6
          %mpls7    MPLS label 7
          %mpls8    MPLS label 8
          %mpls9    MPLS label 9
          %mpls10   MPLS label 10
          %mpls     MPLS labels 1-10
          %bps      bps - bits per second
          %pps      pps - packets per second
          %bpp      bpp - bytes per packet

          NSEL specific formats
          %nfc      NSEL connection ID
          %evt      NSEL event
          %xevt     NSEL extended event
          %sgt      NSEL Source security group tag
          %msec     NSEL event time in msec
          %iacl     NSEL ingress ACL
          %eacl     NSEL egress ACL
          %xsa      NSEL XLATE src IP address
          %xda      NSEL XLATE dst IP address
          %xsp      NSEL XLATE src port
          %xdp      NSEL XLATE dst port
          %xsap     Xlate Source Address:Port
          %xdap     Xlate Destination Address:Port
          %uname    NSEL user name

          NEL/NAT specific formats
          %nevt     NAT event - same as %evt
          %ivrf     NAT ingress VRF ID
          %evrf     NAT egress VRF ID
          %nsa      NAT src IP address
          %nda      NAT dst IP address
          %nsp      NAT src port
          %ndp      NAT dst port
          %pbstart  NAT pool block start
          %pbend    NAT pool block end
          %pbstep   NAT pool block step
          %pbsize   NAT pool block size

          Nprobe formats
          %cl       Client latency
          %sl       Server latency
          %al       Application latency


       The "flow flags" format (%ff) prints the internal record flags as a
       single hexadecimal number, consisting of any of these flag values
       OR-ed together:

          1    Record contains IPv6 addresses
          2    Packet counters are 64-bit
          4    Byte counters are 64-bit
          8    IP next hop is an IPv6 address
          16   BGP next hop is an IPv6 address
          32   Exporting router is an IPv6 address
          64   Record is an EVENT record
          128  Record is sampled

       Example: the standard output format long can be created as
          -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl"

       You may also define your own output format and have it compiled into
       nfdump. See nfdump.c section Output Formats for more details.

       The csv output format is intended to be read by another program for
       further processing. As an example, see the parse_csv.pl Perl program.
       The csv output format consists of one or more output blocks and one
       summary block. Each output block starts with a csv index line
       followed by the csv record lines. The index line describes the order
       in which the fields of each following record line appear.

       Example:
          Index line:   ts,te,td,sa,da,sp,dp,pr,...
          Record line:  2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,...

       All records are in ASCII readable form. Numbers are not scaled, so
       each line can be easily parsed.

       Indices used in nfdump 1.6:

          ts,te,td    time records: t-start, t-end, duration
          sa,da       src, dst address
          sp,dp       src, dst port
          pr          protocol PF_INET or PF_INET6
          flg         TCP Flags:
                         000001 FIN
                         000010 SYN
                         000100 RESET
                         001000 PUSH
                         010000 ACK
                         100000 URGENT
                         e.g. 6 => SYN + RESET
          fwd         forwarding status
          stos        src tos
          ipkt,ibyt   input packets/bytes
          opkt,obyt   output packets, bytes
          in,out      input/output interface SNMP index number
          sas,das     src, dst AS
          smk,dmk     src, dst mask
          dtos        dst tos
          dir         direction
          nh,nhb      next hop IP address, bgp next hop IP
          svln,dvln   src, dst vlan id
          ismc,odmc   input src, output dst MAC
          idmc,osmc   input dst, output src MAC
          mpls1,mpls2 MPLS label 1-10
          mpls3,mpls4
          mpls5,mpls6
          mpls7,mpls8
          mpls9,mpls10
          ra          router IP
          eng         router engine type/id

       See parse_csv.pl for more details.

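       A small Python reader for the csv output described above, covering
       both the index-line/record-line block structure and the two bit
       fields documented in this section (the %ff record flags and the csv
       flg column). It is an added example, not the parse_csv.pl program that
       ships with nfdump. The sample output is constructed and only uses a
       subset of the 1.6 indices; the rule that a line whose first field
       contains no digit starts a new block is an assumption made here to
       cope with the summary block, whose exact layout the man page does not
       give.

```python
"""Parse nfdump csv output and decode its flag fields (added example, not
nfdump's parse_csv.pl)."""
import csv
import io

# Record flag bits printed by %ff, as listed in the man page.
RECORD_FLAGS = {
    1: "ipv6-addresses",
    2: "64bit-packets",
    4: "64bit-bytes",
    8: "ipv6-next-hop",
    16: "ipv6-bgp-next-hop",
    32: "ipv6-router",
    64: "event-record",
    128: "sampled",
}

# TCP flag bits as encoded in the csv 'flg' column, as listed in the man page.
TCP_FLAGS = {1: "FIN", 2: "SYN", 4: "RST", 8: "PSH", 16: "ACK", 32: "URG"}


def decode_bits(value, table):
    """Names of every bit of value that appears in table, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_record_flags(ff_hex):
    """Decode a %ff value such as '0x83' into its flag names."""
    return decode_bits(int(ff_hex, 16), RECORD_FLAGS)


def decode_tcp_flags(flg):
    """Decode the csv flg column; 6 gives ['SYN', 'RST'] as in the man page."""
    return decode_bits(int(flg), TCP_FLAGS)


def parse_nfdump_csv(text):
    """Split csv output into blocks. A line whose first field contains no digit
    is taken as an index line and starts a new block (assumption: this also
    separates the summary block); each following line is a record whose
    fields are named by that index line."""
    blocks = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if not any(ch.isdigit() for ch in row[0]):
            blocks.append({"fields": row, "records": []})
        elif blocks:
            blocks[-1]["records"].append(dict(zip(blocks[-1]["fields"], row)))
    return blocks


def bytes_by_source(blocks, key="sa", counter="ibyt"):
    """Sum an unscaled counter column per source address over all blocks that
    carry both columns (the summary block does not and is skipped)."""
    totals = {}
    for block in blocks:
        if key not in block["fields"] or counter not in block["fields"]:
            continue
        for rec in block["records"]:
            totals[rec[key]] = totals.get(rec[key], 0) + int(rec[counter])
    return totals


# Constructed sample in the layout of the man page's csv example.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,flg,ipkt,ibyt
2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,192.0.2.10,198.51.100.20,51234,80,TCP,27,12,3456
2004-07-11 10:30:01,2004-07-11 10:30:01,0.000,192.0.2.10,198.51.100.21,51235,443,TCP,2,1,60
2004-07-11 10:30:02,2004-07-11 10:30:02,0.250,192.0.2.11,198.51.100.20,5353,53,UDP,0,2,140
"""

if __name__ == "__main__":
    blocks = parse_nfdump_csv(SAMPLE_CSV)
    for rec in blocks[0]["records"]:
        print(rec["sa"], "->", rec["da"], rec["pr"], decode_tcp_flags(rec["flg"]))
    print(bytes_by_source(blocks))
    print(decode_record_flags("0x83"))
```

       Because csv numbers are never scaled, the counters can be summed
       directly with int(); the same is not true of the default line
       output, where a value like 923.4 M would first have to be unscaled.
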

FILTER

609       The  filter  syntax  is  similar to the well known pcap library used by
610       tcpdump.  The filter can be either specified on the command line  after
611       all  options or in a separate file. It can span several lines. Anything
612       after a '#' is treated as a comment and ignored to the end of the line.
613       There is virtually no limit in the length of the filter expression. All
614       keywords are case insensitive.
615
616       Any filter consists of one or more expressions expr. Any number of expr
617       can be linked together:
618
619       expr and expr, expr or expr, not expr and ( expr ).
620
621       Expr can be one of the following filter primitives:
622
623       include
624           @include <file>
625           include the content of <file> into filter.
626
627       ip version
628           inet  or ipv4 for IPv4
629           inet6 or ipv6 for IPv6
630
631       protocol
632           proto <protocol>
633           proto <number>
634           where  <protocol>  is known protocol such as tcp, udp, icmp, icmp6,
635           gre, esp, ah, etc. or a valid protocol number: 6, 17 etc.
636
637       IP address
638           [src|dst] ip <ipaddr>
639           [src|dst] host <ipaddr>
640           with <ipaddr> as any valid IPv4, IPv6 address, or a fully qualified
641           hostname.   In  case  of a hostname, the IP address is looked up in
642           DNS.  If more than a single IP address is found, all  IP  addresses
643           are chained together. (ip1 or ip2 or ip3 ... )
644
645           To check if an IP address is in a known IP list, use
646           [src|dst] ip in [ <iplist> ]
647           [src|dst] host in [ <iplist> ]
648           <iplist>  is a space or comma separated list of individual <ipaddr>
649           or fully qualified hostnames, which are looked up in DNS.  If  more
650           than  a  single  IP address is found, all IP addresses are put into
651           the list.
652
653       [src|dst]
654           IP addresses, networks, ports, AS numbers etc. can be  specifically
655           selected  by using a direction qualifier, such as src or dst.  They
656           can also be used in combination with and and or.  such as  src  and
657           dst ip ...
658
659       network
660           [src|dst] net a.b.c.d m.n.r.s
661           Select the IPv4 network a.b.c.d with netmask m.n.r.s.
662
663           [src|dst] net <net>/<num>
664           with  <net> as a valid IPv4 or IPv6 network and <num> as mask bits.
665           The number of mask bits must match the appropriate  address  family
666           in  IPv4  or IPv6. Networks may be abbreviated such as 172.16/16 if
667           they are unambiguous.
668
       Port
           [src|dst] port [comp] <num>
           with <num> as any valid port number. If comp is omitted, '=' is
           assumed. comp is explained in more detail below.
           [src|dst] port in [ <portlist> ]
           A port can be compared against a known list, where <portlist> is a
           space separated list of individual port numbers.

       ICMP
           icmp-type <num>
           icmp-code <num>
           with <num> as a valid icmp type/code. This automatically implies
           proto icmp.

       Router ID
           engine-type <num>
           engine-id <num>
           sysid <num>
           with <num> as a valid router engine type/id or exporter ID (0..255).

       Netflow version
           nfversion [comp] <num>
           Select records by the netflow version they were exported with.

       Interface
           [in|out] if <num>
           Select the input interface, the output interface or either, with
           <num> as the SNMP interface number.
           Example: in if 3

       AS numbers
           [src|dst|prev|next] as [comp] <num>
           Selects source, destination, previous, next or any AS number with
           <num> as any valid AS number. 32-bit AS numbers are supported. If
           comp is omitted, '=' is assumed. comp is explained in more detail
           below.

           [src|dst|prev|next] as in [ <ASlist> ]
           An AS number can be compared against a known list, where <ASlist>
           is a space or comma separated list of individual AS numbers.

       Prefix mask bits
           [src|dst] mask <bits>
           with <bits> as any valid prefix mask bit value.

       Vlan labels
           [src|dst] vlan <num>
           with <num> as any valid vlan label.

       Flags
           flags <tcpflags>
           with <tcpflags> as a combination of:
              A    ACK.
              S    SYN.
              F    FIN.
              R    Reset.
              P    Push.
              U    Urgent.
              X    All flags on.
           The ordering of the flags is not relevant. Flags not mentioned are
           treated as don't care, so 'flags S' also matches flows that have
           SYN and ACK set. In order to get those flows with only the SYN flag
           set, use the syntax 'flags S and not flags AFRPU'.

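The flags matching rule described above, modelled in Python over constructed flow records as an added example (not nfdump's own code). It assumes the TCP header bit values for the flag letters, and that the negated form not flags <tcpflags> is true when none of the named flags is set, which is what makes the man page's SYN-only filter work.

```python
# Added example, not part of nfdump: models the 'flags <tcpflags>' rule.
# Flag letters map to TCP header bits; 'X' means all flags on.
# Assumption: 'not flags <tcpflags>' holds when none of the named flags is set.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = 0x3F

def parse_tcpflags(spec: str) -> int:
    """Convert a <tcpflags> string, in any order ('AFRPU', 'SA', 'X'), to a bitmask."""
    if spec.upper() == "X":
        return ALL_FLAGS
    mask = 0
    for ch in spec.upper():
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {ch!r} in {spec!r}")
        mask |= FLAG_BITS[ch]
    return mask

def flags_match(record_flags: int, spec: str) -> bool:
    """'flags <tcpflags>': every named flag is set, unnamed flags are don't care.
    Hence 'flags S' also accepts a SYN/ACK."""
    want = parse_tcpflags(spec)
    return record_flags & want == want

def not_flags_match(record_flags: int, spec: str) -> bool:
    """'not flags <tcpflags>': none of the named flags is set (assumption above)."""
    return record_flags & parse_tcpflags(spec) == 0

def syn_only(record_flags: int) -> bool:
    """The man page's 'flags S and not flags AFRPU': SYN set, all other flags clear."""
    return flags_match(record_flags, "S") and not_flags_match(record_flags, "AFRPU")

# Constructed sample records: (description, TCP flags byte carried in the flow)
RECORDS = [
    ("client SYN", 0x02),
    ("server SYN/ACK", 0x12),
    ("data segment PSH/ACK", 0x18),
    ("teardown FIN/ACK", 0x11),
    ("reset", 0x04),
]

def select(records, predicate):
    """Return the descriptions of the records the filter predicate accepts."""
    return [name for name, fl in records if predicate(fl)]
```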
       Next hop IP
           next ip <ipaddr>
           with <ipaddr> as the IPv4/IPv6 address of the next hop router.

       Next-hop router's IP in the BGP domain
           bgpnext ip <ipaddr>
           with <ipaddr> as the IPv4/IPv6 next-hop router's IP in the BGP domain.
           ( v9 #18 )

       Router IP
           router ip <ipaddr>
           Filter the flows according to the IP address of the exporting router.

       MAC addresses
           [in|out] [src|dst] mac <addr>
           With <addr> as any valid MAC address. mac can be made more specific
           by using any combination of the direction specifiers as defined by
           CISCO v9: in src, in dst, out src, out dst.

       MPLS labels
           mpls label<n> [comp] <num>
           With <n> as any mpls label number 1..10. Filters exactly the
           specified label<n>.
           mpls eos [comp] <num>
           Filters the End of Stack label for a given value <num>.
           mpls exp<n> [comp] <bits>
           Filters the experimental bits of label <n> with <bits> 0..7.

       Packets
           packets [comp] <num> [scale]
           To filter for netflow records with a specific packet count.
           Example: packets > 1k

       Bytes
           bytes [comp] <num> [scale]
           To filter for netflow records with a specific byte count.
           Example: bytes 46 filters all empty IPv4 packets

       Aggregated flows
           flows [comp] <num> [scale]
           To filter for netflow records with a specific number of aggregated
           flows.

       Type of Service (TOS)
           [src|dst] tos <num>
           With <num> 0..255. For compatibility with nfdump 1.5.x: tos <num>
           is equivalent to src tos <num>.

       Packets per second: Calculated value.
           pps [comp] <num> [scale]
           To filter for flows with a specific packets per second rate.

       Duration: Calculated value.
           duration [comp] <num>
           To filter for flows with a specific duration in milliseconds.

       Bits per second: Calculated value.
           bps [comp] <num> [scale]
           To filter for flows with a specific bits per second rate.

       Bytes per packet: Calculated value.
           bpp [comp] <num> [scale]
           To filter for flows with a specific bytes per packet value.

       scale
           Scaling factor. May be k, m or g. The factor is 1000.

       comp
           The following comparators are supported:
           =, ==, >, <, >=, <=, EQ, LT, GT, LE, GE. If comp is omitted, '='
           is assumed.

       NSEL/ASA specific filters:

       NSEL/ASA Event
           asa event <ignore|create|term|delete|deny>
           asa event [comp] <number>
           Select an NSEL/ASA event by name or number. If given as a number,
           it can be compared using comp.

       NSEL/ASA denied reason
           asa event denied <ingress|egress|interface|nosyn>
           Select an NSEL/ASA denied event by type.

       NSEL/ASA extended events
           asa xevent [comp] <num>
           Select an extended NSEL/ASA event by number, optionally compared
           using comp.

       X-late IP addresses and ports
           [src|dst] xip <ip>
           Select the translated IP address (identical to nip).

           [src|dst] xnet <net>/<num>
           with <net> as a valid translated IPv4 or IPv6 network and <num> as
           mask bits. The number of mask bits must match the appropriate
           address family in IPv4 or IPv6. Networks may be abbreviated such as
           172.16/16 if they are unambiguous.

           [src|dst] xport <port>
           Select the translated port.

       NSEL/ASA ingress/egress
           ingress <ACL|ACE|XACE> [comp] <number>
           Select/compare an ingress ACL.

           egress ACL [comp] <number>
           Select/compare an egress ACL.

       NEL specific NAT filters:

       NAT Event
           nat event <add|delete>
           nat event [comp] <number>
           Select an NEL NAT event by name or number. If given as a number, it
           can be compared using comp.

       NEL NAT ip addresses and ports
           [src|dst] nip <ip>
           Match the NAT IP address.

           [src|dst] nip in [ <iplist> ]
           Match the NAT IP from the list <iplist>; see ip in [ <iplist> ] for
           the syntax.

           [src|dst] nport <port>
           Match the NAT port.

       NEL NAT vrf
           ingress vrf <num>
           Select the ingress vrf.


Flowlabel

       One or more specific filter expressions can be assigned a flowlabel in
       order to identify the flow in the output according to the label. A
       flowlabel has the form %LabelName and is appended or prepended to a
       filter expression enclosed in parentheses. It may have up to 16
       characters. Example: (ip 8.8.8.8) %GoogleDNS. If a filter matches with
       a labeled expression, and that expression is in the matching filter
       path, the label can be printed in the output using the %lbl format
       token. See OUTPUT FORMATS. Example: Add the flowlabel to the end of
       the 'line' format:
       ./nfdump -r <file> -o 'fmt:%line %lbl' ...
       Note: A filter may have multiple matching paths, for example 'proto tcp
       or ip 8.8.8.8'. The shortest path which evaluates successfully wins.
       Other paths are skipped, which means that flowlabels in filter paths
       that were not evaluated are not printed. A filter may contain multiple
       flowlabels. The flowlabel of the last matching expression in the
       winning path is printed. Flowlabels are most useful in large and
       complex filters stored in one or multiple files, to make the flow
       output list easier to read.
       Example: (ip in [172.16.1.0/24]) %ISP_1 or (ip in [172.16.16.0/24])
       %ISP_2 or %GoogleDNS((proto udp or proto tcp) and ip 8.8.8.8)

882

EXAMPLES

       nfdump -r /and/dir/nfcapd.201107110845 -c 100 'proto tcp and ( src ip
       172.16.17.18 or dst ip 172.16.17.19 )'
       Dumps the first 100 netflow records which match the given filter.

       nfdump -r /and/dir/nfcapd.201107110845 -B
       Maps matching flows as bi-directional single flows.

       nfdump -R /and/dir/nfcapd.201107110845:nfcapd.200407110945 'host
       192.168.1.2'
       Dumps all netflow records of host 192.168.1.2 from July 11 08:45 -
       09:45.

       nfdump -M /to/and/dir1:dir2 -R nfcapd.200407110845:nfcapd.200407110945
       -s record -n 20
       Generates the Top 20 statistics from 08:45 to 09:45 from 3 sources.

       nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 -o extended
       Generates the Top 20 statistics, extended output format.

       nfdump -r /and/dir/nfcapd.201107110845 -s record -n 20 'in if 5 and bps
       > 10k'
       Generates the Top 20 statistics from flows coming from the interface
       with SNMP index 5.

       nfdump -r /and/dir/nfcapd.201107110845 'inet6 and proto tcp and ( src
       port > 1024 and dst port 80 )'
       Dumps all port 80 IPv6 connections to any web server.


NOTES

       Generating the statistics for data files of a few hundred MB is no
       problem. However, be careful if you want to create statistics of
       several GB of data. This may consume a lot of memory and can take a
       while. Flow anonymization has moved into nfanon.


SEE ALSO

       nfcapd(1), nfanon(1), nfprofile(1), nfreplay(1)


BUGS

       There is still the famous last bug. Please report them - all the last
       bugs - back to me.



                                  2009-09-09                         nfdump(1)