FLOW-TOOLS(1)                                                    FLOW-TOOLS(1)


NAME

       flow-tools - Tool set for working with NetFlow data.

DESCRIPTION

       Flow-tools is a library and a collection of programs used to  collect,
       send, process, and generate reports from NetFlow data. The tools can be
       used together on a single server or distributed to multiple servers for
       large deployments. The flow-tools library provides an API for  develop‐
       ment  of  custom applications for NetFlow export versions 1, 5, 6 and 7
       and the 14 currently defined version 8 subversions. A Perl and a Python
       interface have been contributed and are included in the distribution.

       Flow  data  is  collected and stored by default in host byte order, yet
       the files are portable across big and little endian architectures.

       Commands that utilize the network use a localip/remoteip/port  designa‐
       tion  for  communication. "localip" is the IP address the host will use
       as a source for sending or bind to when receiving NetFlow PDUs  (i.e.,
       the destination address of the exporter). Configuring the "localip"  to
       0 will force the kernel to decide what IP address to use  for  sending,
       and  to  listen  on  all  IP addresses for receiving. "remoteip" is the
       destination IP address used for sending, or the expected address of the
       source  when receiving. If the "remoteip" is 0 then the application will
       accept flows from any source address. The "port" is the UDP port number
       used  for  sending  or receiving. When using multicast addresses the
       localip/remoteip/port is used to represent the source, group, and  port
       respectively.

       Flows  are exported from a router in a number of different configurable
       versions. A flow is a collection of key  fields  and  additional  data.
       The  flow  key  is  {srcaddr, dstaddr, input, output, srcport, dstport,
       prot, ToS}. Flow-tools supports one export version per file.

       Export versions 1, 5, 6, and 7 all maintain {nexthop,  dPkts,  dOctets,
       First,  Last,  flags}, i.e. the next-hop IP address, number of packets,
       number of octets (bytes), start time, end time, and flags such  as  the
       TCP  header bits. Version 5 adds the additional fields {src_as, dst_as,
       src_mask, dst_mask}, i.e. source AS, destination AS, source network mask,
       and destination network mask. Version 7, which is specific to the Cata‐
       lyst switches, adds in addition to the  version  5  fields {router_sc},
       which  is the router IP address which populates the flow cache shortcut
       in the Supervisor. Version 6, which is not officially supported by Cisco,
       adds  in  addition  to  the  version  5  fields {in_encaps, out_encaps,
       peer_nexthop}, i.e. the input and output interface  encapsulation  size,
       and  the  IP address of the next hop within the peer. Version 1 exports
       do not contain a sequence  number  and  therefore  should  be  avoided,
       although  it  is  safe to store the data as version 1 if the additional
       fields are not used.
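       The flow key and the version 5 record fields described above, as an added
       Python example that is not part of flow-tools: the PDU builder, the parser
       and the sample flows are constructed here, and the flow_sequence check
       shows what a version without a sequence number (version 1) cannot give a
       collector, namely evidence of lost exports.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (big-endian): 24-byte header, then `count` 48-byte records.
# Field names follow the man page. Added example, not code from flow-tools.
V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

def build_v5_pdu(flow_sequence, records):
    """Assemble a v5 PDU (used here only to construct sample input). Each record is
    (srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last,
    srcport, dstport, flags, prot, ToS, src_as, dst_as, src_mask, dst_mask)."""
    hdr = V5_HEADER.pack(5, len(records), 0, 0, 0, flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(IPv4Address(s)), int(IPv4Address(d)), int(IPv4Address(nh)),
                       i, o, pk, oc, fi, la, sp, dp, 0, fl, pr, tos, sa, da, sm, dm, 0)
        for s, d, nh, i, o, pk, oc, fi, la, sp, dp, fl, pr, tos, sa, da, sm, dm in records)
    return hdr + body

def parse_v5_pdu(pdu):
    """Return (flow_sequence, records); each record carries the flow-tools key tuple."""
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, _samp = V5_HEADER.unpack_from(pdu)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(pdu) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("count field does not match PDU length")  # truncated/malformed export
    records = []
    for n in range(count):
        (s, d, nh, i, o, pk, oc, fi, la, sp, dp, _pad1, fl, pr, tos,
         sa, da, sm, dm, _pad2) = V5_RECORD.unpack_from(pdu, V5_HEADER.size + n * V5_RECORD.size)
        records.append({
            "key": (str(IPv4Address(s)), str(IPv4Address(d)), i, o, sp, dp, pr, tos),
            "nexthop": str(IPv4Address(nh)), "dPkts": pk, "dOctets": oc,
            "First": fi, "Last": la, "flags": fl,
            "src_as": sa, "dst_as": da, "src_mask": sm, "dst_mask": dm})
    return seq, records

def lost_flows(expected_seq, pdu):
    """flow_sequence counts flows exported so far, so a PDU whose sequence is above
    what the previous PDU predicted reveals flows that never reached the collector."""
    seq, records = parse_v5_pdu(pdu)
    return seq - expected_seq, seq + len(records)  # (lost, next expected sequence)

# Constructed sample: two PDUs from one exporter, with 3 flows dropped between them.
SAMPLE_FLOW = ("10.0.0.1", "192.0.2.10", "10.0.0.254", 1, 2, 7, 560, 1000, 1500,
               443, 51234, 0x18, 6, 0, 65000, 65001, 24, 24)
PDU_A = build_v5_pdu(100, [SAMPLE_FLOW, SAMPLE_FLOW])
PDU_B = build_v5_pdu(105, [SAMPLE_FLOW])
```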
53
       Version 8 IOS NetFlow is a second level flow  cache  that  reduces  the
       data  exported  from the router. There are currently 11 formats, all of
       which provide {dFlows, dOctets, dPkts, First, Last} for the key fields.

         8.1 -  Source and Destination AS, Input and Output interface
         8.2 -  Protocol and Port
         8.3 -  Source Prefix and Input interface
         8.4 -  Destination Prefix and Output interface
         8.5 -  Source/Destination Prefix and Input/Output interface
         8.9 -  8.1 + ToS
         8.10 - 8.2 + ToS
         8.11 - 8.3 + ToS
         8.12 - 8.5 + ToS
         8.13 - 8.2 + ToS
         8.14 - 8.3 + ports + ToS

       Version 8 CatIOS NetFlow appears to be a less fine grained first  level
       flow cache.

         8.6 - Destination IP, ToS, Marked ToS
         8.7 - Source/Destination IP, Input/Output interface, ToS, Marked ToS
         8.8 - Source/Destination IP, Source/Destination Port,
               Input/Output interface, ToS, Marked ToS

       The following programs are included in the flow-tools distribution.

       flow-capture  -  Collect,  compress,  store,  and manage disk space for
       exported flows from a router.

       flow-cat - Concatenate flow files. Typically flow files will contain  a
       small  window  of  5  or 15 minutes of exports. Flow-cat can be used to
       append files for generating reports that span longer time periods.

       flow-fanout - Replicate NetFlow datagrams to unicast or multicast  des‐
       tinations.  Flow-fanout  is  used  to  facilitate  multiple  collectors
       attached to a single router.

       flow-report - Generate reports for NetFlow data sets.  Reports  include
       source/destination  IP  pairs,  source/destination AS, and top talkers.
       Over 50 reports are currently supported.

       flow-tag - Tag flows based on IP address or AS number. Flow-tag is used
       to group flows by customer network. The tags can later be used with
       flow-fanout or flow-report to generate customer based traffic reports.

       flow-filter - Filter flows based on any of the export fields. Flow-fil‐
       ter  is  used  in-line with other programs to generate reports based on
       flows matching filter expressions.

       flow-import - Import data from ASCII or cflowd format.

       flow-export - Export data to ASCII or cflowd format.

       flow-send - Send data over the network using the NetFlow protocol.

       flow-receive - Receive exports using the NetFlow protocol without stor‐
       ing them to disk, unlike flow-capture.

       flow-gen - Generate test data.

       flow-dscan  -  Simple tool for detecting some types of network scanning
       and Denial of Service attacks.

       flow-merge - Merge flow files in chronological order.

       flow-xlate - Perform translations on some flow fields.

       flow-expire - Expire flows using the same policy as flow-capture.

       flow-header - Display meta information in a flow file.

       flow-split - Split flow files into smaller files based on  size,  time,
       or tags.

AUTHOR

       Mark Fullmer <maf@splintered.net>

       flow-merge by Larry Lidz <ellidz@eridu.uchicago.edu>

       Patches and other contributions by a list too long to mention here.

       flow-tools is available at
        <URL:http://www.splintered.net/sw/flow-tools>.

       A mailing list is maintained at <flow-tools@splintered.net>


SEE ALSO

       flow-capture(1) flow-cat(1) flow-dscan(1) flow-expire(1) flow-export(1)
       flow-fanout(1)   flow-filter(1)   flow-nfilter(1)   flow-gen(1)   flow-
       header(1)  flow-import(1)  flow-merge(1)  flow-print(1) flow-receive(1)
       flow-report(1)  flow-send(1)  flow-split(1)  flow-stat(1)   flow-tag(1)
       flow-xlate(1)

                                26 August 2010                   FLOW-TOOLS(1)