flow-filter(1)flow-filter(1)NAMEflow-filter — Filter flows.
SYNOPSISflow-filter [-hko] [-a src_as_filter] [-A dst_as_filter] [-b
big|little] [-C comment] [-D dstaddr_filter_name] [-d debug_level]
[-e exaddr_filter] [-f acl_fname] [-i input_filter] [-I output_fil‐
ter] [-p srcport_filter] [-P dstport_filter] [-r ipprot_filter] [-S
srcaddr_filter_name] [-t tos_filter] [-T tcp_flags_filter] [-x nex‐
thop_filter_name] [-z z_level]
DESCRIPTION
The flow-filter utility will filter flows based on user selectable cri‐
teria. The IP address filters are defined in flow.acl or by the file‐
name specified by -f.
Other filters such as input interface and ports are defined on the com‐
mand line. These filters accept range and negation operators, ie
-i1-15 for input interfaces 1 through 15 or -i1,15 for input interfaces
1 and 15, or !1,15 for not input interfaces 1 and 15.
The syntax is kludgy and needs reworked but works for most applica‐
tions.
OPTIONS-a src_as_filter
Source AS filter, ie -a159 to permit Autonomous System 159.
-A dst_as_filter
Destination AS filter, ie -A159,3112 to permit Autonomous
Systems 159 and 3112.
-b big|little
Byte order of output.
-C Comment
Add a comment.
-d debug_level
Enable debugging.
-D dstaddr_filter_name
Destination IP address filter. This is the name or number of
a standard access list defined in flow.acl or the file speci‐
fied by -f.
-e exaddr_filter
Exporter IP address filter. One exporter address can be fil‐
tered.
-f acl_fname
Access list filename. Defaults to flow.acl.
-h Display help.
-i input_filter
Input interface filter, ie -i0 to permit traffic from inter‐
face 0.
-k Keep time from input.
-I output_filter
Output interface filter, ie -I0 to permit traffic to inter‐
face 0.
-o Logical OR instead of AND filters.
-p srcport_filter
Source port filter, ie -p80 to only permit source port 80.
-P dstport_filter
Destination port filter, ie -P80,8080 to permit destination
ports 80 and 8080.
-r ipprot_filter
IP Protocol filter, ie -r6 to only permit TCP traffic.
-S srcaddr_filter_name
Source IP address filter. This is the name or number of a
standard access list defined in flow.acl or the file speci‐
fied by -f.
-t tos_filter
ToS bits filter. An optional mask is available which is
applied to the tos field before comparing to the filter list.
For example to match a tos bit pattern of 101xxxxx use
0xA0/0xE0.
-T tcp_flags_filter
TCP bits filter. An optional mask is available which is
applied to the TCP flags field before comparing to the filter
list. For example to match a flows with the SYN bit set use
0x2/0x2.
-x nexthop_filter_name
NextHop IP address filter. This is the name or number of a
standard access list defined in flow.acl or the file speci‐
fied by -f.
-z z_level
Configure compression level to z_level. 0 is disabled (no
compression), 9 is highest compression.
EXAMPLES
Print all traffic with a destination port of 80.
flow-cat /flows/krc4 | flow-filter-P80 | flow-print
Print all traffic with with source IP 10.0.0.1. Populate flow.acl with
ip access-list standard badguy permit host 10.0.0.1
flow-cat /flows/krc4 | flow-filter-Sbadguy | flow-print
Report all destinations that IP 10.0.0.1 has sent traffic to. Sort by
octets. Populate flow.acl with
ip access-list standard badguy permit host 10.0.0.1
flow-cat /flows/krc4 | flow-filter-Sbadguy | flow-stat -f8 -S2
BUGS
Extended access lists are not fully implemented. The command line fil‐
ter syntax is a kludge.
NOTES
Use flow-nfilter.
AUTHOR
Mark Fullmer maf@splintered.net
SEE ALSOflow-tools(1)flow-filter(1)
