FLOW-XLATE(1)                                                    FLOW-XLATE(1)

NAME
       flow-xlate - Apply translations to selected fields of a flow.

SYNOPSIS
       flow-xlate [ -hkn ] [ -b big|little ] [ -C comment ] [ -d debug_level ]
       [ -v variable binding ] [ -V flow_version ] [ -x xlate_fname ]
       [ -X xlate_definition ] [ -z z_level ]

DESCRIPTION
       The flow-xlate utility is used to apply translations to flows.
       Translations are defined in a configuration file and are composed of
       actions and a definition to invoke action(s). The definitions are in
       the form of terms; each term can have a filter and multiple actions.

       Words in the configuration file of the form @VAR or @{VAR:default} will
       be expanded at run-time by setting variable names with the -v option.

       Translation actions begin with the xlate-action keyword followed by a
       symbolic name. Each action has a type defined below.

       Translation definitions begin with the xlate-definition keyword
       followed by a symbolic name. Each definition is composed of terms which
       are evaluated in the order of the configuration file. A term may invoke
       a filter to conditionally invoke an action.

       Action type/sub-commands                  Description/Example
       ------------------------------------------------------------------------
       ip-source-address-to-network              Zero host bits based on mask.
       ip-destination-address-to-network         Zero host bits based on mask.

         (no sub-commands)

       ip-source-address-to-class-network        Zero source host bits to
                                                 match class.
       ip-destination-address-to-class-network   Zero dst host bits to
                                                 match class.

         (no sub-commands)

       ip-source-address-anonymize               Anonymize source address.
       ip-destination-address-anonymize          Anonymize destination address.
       ip-address-anonymize                      Anonymize src/dst address.

         algorithm                               Algorithm. cryptopan-aes128 is
                                                 currently supported.
                                                   algorithm cryptopan-aes128

         key                                     Key. Key is 128 bits in hex.
                                                   key 0123456789ABCDEFG

         key-file                                File to load key from. Key is
                                                 128 bits in hex.
                                                   key-file /mfstmp/secret-key

         key-file-refresh                        How often to check the key file.
                                                 Interval is in minutes, the
                                                 optional second argument is
                                                 hour:min:sec to specify the
                                                 first refresh. This example
                                                 will load a new key every day
                                                 at 12:00:00.
                                                   14400 12:00:00

       ip-address-privacy-mask                   Apply a mask to the source and
                                                 destination address to remove
                                                 bits.

       ip-port-privacy-mask                      Apply a mask to the source and
                                                 destination port to remove
                                                 bits.

       tag-mask                                  Apply mask to the source and
                                                 destination tag.

         mask                                    Source and Destination mask
                                                 to apply.
                                                   mask 0xFFFF 0xFFFF

       scale                                     Scale packets and bytes.

         scale                                   Scale to apply.
                                                   scale 100

       replace-source-as0                        Replace source AS 0
       replace-destination-as0                   Replace destination AS 0

         as                                      AS replacement value.
                                                   as 3112

OPTIONS
       -b big|little
              Byte order of output.

       -C Comment
              Add a comment.

       -d debug_level
              Enable debugging.

       -h     Display help.

       -k     Keep time from input.

       -n     Don't load configuration file. Useful only with -V.

       -v variable binding
              Set a variable FOO=bar.

       -V pdu_version
              Use pdu_version format output.

                  1    NetFlow version 1 (No sequence numbers, AS, or mask)
                  5    NetFlow version 5
                  6    NetFlow version 6 (5+ Encapsulation size)
                  7    NetFlow version 7 (Catalyst switches)
                  8.1  NetFlow AS Aggregation
                  8.2  NetFlow Proto Port Aggregation
                  8.3  NetFlow Source Prefix Aggregation
                  8.4  NetFlow Destination Prefix Aggregation
                  8.5  NetFlow Prefix Aggregation
                  8.6  NetFlow Destination (Catalyst switches)
                  8.7  NetFlow Source Destination (Catalyst switches)
                  8.8  NetFlow Full Flow (Catalyst switches)
                  8.9  NetFlow ToS AS Aggregation
                  8.10 NetFlow ToS Proto Port Aggregation
                  8.11 NetFlow ToS Source Prefix Aggregation
                  8.12 NetFlow ToS Destination Prefix Aggregation
                  8.13 NetFlow ToS Prefix Aggregation
                  8.14 NetFlow ToS Prefix Port Aggregation
                  1005 Flow-Tools tagged version 5

       -x xlate_fname
              Translation config file name. Defaults to
              /etc/flow-tools/cfg/xlate.cfg

       -X xlate_definition
              Translation definition. Defaults to default.

       -z z_level
              Configure compression level to z_level. 0 is disabled (no
              compression), 9 is highest compression.

EXAMPLES
       Convert the version 7 flows in flows.v7 to version 5, storing the
       result in flows.v5.

         flow-xlate -V5 < flows.v7 > flows.v5

       Set the low 11 bits in the IP addresses to zero unless the address is
       multicast or it belongs to the 192.88.99/24 network.

         # xlate.cfg
         include-filter filter.cfg

         xlate-action MULTICAST-PRIVACY
           type ip-address-privacy-mask
           mask 0xFFFFFFFF 0xFFFFFFFF

         xlate-action UNICAST-PRIVACY
           type ip-address-privacy-mask
           mask 0xFFFFFF00 0xFFFFF800

         xlate-definition abilene_privacy
           term
             filter mcast
             action MULTICAST-PRIVACY
             stop
           term
             filter ucast
             action UNICAST-PRIVACY


         # filter.cfg
         filter-primitive MCAST
           type ip-address-mask
           permit 224.0.0.0 240.0.0.0

         filter-primitive UCAST
           type ip-address-mask
           deny 224.0.0.0 240.0.0.0
           default permit

         filter-primitive SKIP
           type ip-address-mask
           deny 192.88.99.0 255.255.255.0
           default permit

         filter-definition mcast
           match ip-destination-address MCAST

         filter-definition ucast
           match ip-destination-address UCAST
           match ip-destination-address SKIP
           match ip-source-address SKIP

         flow-cat flows | flow-xlate -xxlate.cfg -Xabilene_privacy | flow-print
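
The term evaluation of abilene_privacy can be checked offline before the configuration is trusted to strip address bits. The following Python model is an added example, not flow-tools code; it assumes that the match lines of a filter-definition must all permit and that "stop" ends evaluation once its term matched, and the sample flows are constructed.

```python
import ipaddress

# Masks copied from xlate.cfg above: (source mask, destination mask).
MULTICAST_PRIVACY = (0xFFFFFFFF, 0xFFFFFFFF)  # leaves both addresses intact
UNICAST_PRIVACY = (0xFFFFFF00, 0xFFFFF800)    # clears low 8 (src) / low 11 (dst) bits


def ip(text):
    return int(ipaddress.IPv4Address(text))


def in_net(addr, net, mask):
    """ip-address-mask primitive: compare addr and net under mask."""
    return (addr & ip(mask)) == (ip(net) & ip(mask))


def is_mcast(addr):   # address range named by primitives MCAST and UCAST
    return in_net(addr, "224.0.0.0", "240.0.0.0")


def is_skip(addr):    # network that primitive SKIP denies
    return in_net(addr, "192.88.99.0", "255.255.255.0")


def filter_mcast(src, dst):
    return is_mcast(dst)


def filter_ucast(src, dst):
    # Assumption: the three match lines of "ucast" must all permit (AND).
    return not is_mcast(dst) and not is_skip(dst) and not is_skip(src)


# (filter, action masks, stop) in configuration-file order.
TERMS = [(filter_mcast, MULTICAST_PRIVACY, True),
         (filter_ucast, UNICAST_PRIVACY, False)]


def abilene_privacy(src_text, dst_text):
    """Return the (source, destination) pair the modelled definition emits."""
    src, dst = ip(src_text), ip(dst_text)
    for matches, (src_mask, dst_mask), stop in TERMS:
        if matches(src, dst):
            src, dst = src & src_mask, dst & dst_mask
            if stop:  # assumption: stop applies only when the term matched
                break
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


if __name__ == "__main__":
    for flow in [("10.1.2.200", "172.16.13.77"), ("10.1.2.200", "224.0.1.5")]:
        print(flow, "->", abilene_privacy(*flow))  # constructed sample flows
```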

FILES
       Configuration files: Symbols - /etc/flow-tools/sym/*. Filter -
       /etc/flow-tools/cfg/filter.cfg. Xlate - /etc/flow-tools/cfg/xlate.cfg.

BUGS
       The scale option can overflow the 32 bit flow counters. This could be
       solved by detecting this condition and splitting the flow in two.
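
The overflow condition and the split suggested above can be sketched as follows. This Python block is an added example, not flow-tools code; it assumes the overflow behaves as a 32-bit wraparound, generalizes "splitting the flow in two" to as many records as are needed, and uses hypothetical function names and constructed counter values.

```python
U32_MAX = 0xFFFFFFFF  # largest value a 32 bit flow counter can hold


def wrapped_scale(value, scale):
    """Value a plain 32 bit multiply would store (assumed wraparound)."""
    return (value * scale) & U32_MAX


def will_overflow(packets, octets, scale):
    """Detect the condition before the scale action is applied."""
    return packets * scale > U32_MAX or octets * scale > U32_MAX


def _spread(total, parts):
    """Split total into `parts` integers that sum to total, as evenly as possible."""
    base, rem = divmod(total, parts)
    return [base + 1 if i < rem else base for i in range(parts)]


def scale_and_split(packets, octets, scale):
    """Scale one flow's counters and return [(packets, octets), ...] records,
    each of which fits in 32 bits and which together keep the exact totals."""
    scaled_packets, scaled_octets = packets * scale, octets * scale
    # Ceiling division: number of records needed by the larger counter.
    parts = max(1, -(-scaled_packets // U32_MAX), -(-scaled_octets // U32_MAX))
    return list(zip(_spread(scaled_packets, parts), _spread(scaled_octets, parts)))


if __name__ == "__main__":
    # Constructed flow: 40,000 packets / 50,000,000 bytes, scale 100.
    print(will_overflow(40_000, 50_000_000, 100))
    print(wrapped_scale(50_000_000, 100))
    print(scale_and_split(40_000, 50_000_000, 100))
```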

       Translation between aggregated and non aggregated formats is not
       supported.

AUTHOR
       Mark Fullmer <maf@splintered.net>

SEE ALSO
       flow-tools(1)

                                26 August 2010                   FLOW-XLATE(1)