FLOW-TOOLS(1)							 FLOW-TOOLS(1)

NAME
       flow-tools - Tool set for working with NetFlow data.

DESCRIPTION
       Flow-tools is a library and a collection of programs used to collect,
       send, process, and generate reports from NetFlow data. The tools can be
       used together on a single server or distributed to multiple servers for
       large deployments. The flow-tools library provides an API for
       development of custom applications for NetFlow export versions 1, 5, 6
       and the 14 currently defined version 8 subversions. A Perl and Python
       interface have been contributed and are included in the distribution.

       Flow  data  is  collected and stored by default in host byte order, yet
       the files are portable across big and little endian architectures.

       Commands that utilize the network use a localip/remoteip/port
       designation for communication. "localip" is the IP address the host
       will use as a source for sending or bind to when receiving NetFlow PDUs
       (i.e. the destination address of the exporter). Configuring the
       "localip" to 0 will force the kernel to decide what IP address to use
       for sending and listen on all IP addresses for receiving. "remoteip" is
       the destination IP address used for sending or the expected address of
       the source when receiving. If the "remoteip" is 0 then the application
       will accept flows from any source address. The "port" is the UDP port
       number used for sending or receiving. When using multicast addresses
       the localip/remoteip/port is used to represent the source, group, and
       port respectively.

       Flows  are exported from a router in a number of different configurable
       versions. A flow is a collection of key	fields	and  additional	 data.
       The  flow  key  is  {srcaddr, dstaddr, input, output, srcport, dstport,
       prot, ToS}. Flow-tools supports one export version per file.

       Export versions 1, 5, 6, and 7 all maintain {nexthop, dPkts, dOctets,
       First, Last, flags}, i.e. the next-hop IP address, number of packets,
       number of octets (bytes), start time, end time, and flags such as the
       TCP header bits. Version 5 adds the additional fields {src_as, dst_as,
       src_mask, dst_mask}, i.e. source AS, destination AS, source network
       mask, and destination network mask. Version 7, which is specific to the
       Catalyst switches, adds {router_sc} to the version 5 fields: the IP
       address of the router that populates the flow cache shortcut in the
       Supervisor. Version 6, which is not officially supported by Cisco, adds
       {in_encaps, out_encaps, peer_nexthop} to the version 5 fields, i.e. the
       input and output interface encapsulation size, and the IP address of
       the next hop within the peer. Version 1 exports do not contain a
       sequence number and therefore should be avoided, although it is safe to
       store the data as version 1 if the additional fields are not used.
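
       The following is an added example, not code from flow-tools: a parser
       for a version 5 export datagram that uses the header sequence number to
       count flows lost between datagrams, the check a version 1 export cannot
       support. The byte layout follows the published version 5 format rather
       than this page; function names and the sample addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 layout, network byte order: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")
FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
          "dOctets", "First", "Last", "srcport", "dstport", "tcp_flags",
          "prot", "tos", "src_as", "dst_as", "src_mask", "dst_mask")

def parse_v5(datagram):
    """Return (header, flows); reject datagrams whose length and count disagree."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    version, count, _, _, _, seq, etype, eid, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a version 5 export")
    if not 1 <= count <= 30 or len(datagram) != 24 + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        rec = dict(zip(FIELDS, V5_RECORD.unpack_from(datagram, 24 + 48 * i)))
        rec.update((k, str(IPv4Address(rec[k]))) for k in FIELDS[:3])
        flows.append(rec)
    return {"count": count, "flow_sequence": seq, "engine": (etype, eid)}, flows

class SequenceTracker:
    """Per exporter and engine, count flows missing between datagrams (mod 2**32)."""
    def __init__(self):
        self.expected = {}
    def lost(self, exporter, header):
        key = (exporter, header["engine"])
        expected = self.expected.get(key)
        self.expected[key] = (header["flow_sequence"] + header["count"]) & 0xFFFFFFFF
        return 0 if expected is None else (header["flow_sequence"] - expected) & 0xFFFFFFFF

def build_v5(seq, records):
    """Constructed sample input: pack tuples in FIELDS order into one datagram."""
    header = V5_HEADER.pack(5, len(records), 1000, 1700000000, 0, seq, 0, 0, 0)
    return header + b"".join(V5_RECORD.pack(*r) for r in records)

def demo():
    ip = lambda a: IPv4Address(a).packed
    rec = (ip("192.0.2.10"), ip("198.51.100.7"), ip("0.0.0.0"), 1, 2, 10, 840,
           100, 900, 51515, 443, 0x1B, 6, 0, 64500, 64501, 24, 24)
    tracker, losses = SequenceTracker(), []
    for seq, n in ((0, 2), (2, 1), (8, 1)):  # 5 flows never arrive before seq 8
        header, flows = parse_v5(build_v5(seq, [rec] * n))
        losses.append(tracker.lost("192.0.2.1", header))
    return losses, flows[0]
```

       A datagram that arrives out of order shows up as a very large loss
       value, so a collector would treat such values as reordering or an
       exporter restart rather than as dropped flows.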

       Version 8 IOS NetFlow is a second level flow  cache  that  reduces  the
       data  exported  from the router. There are currently 11 formats, all of
       which provide {dFlows, dOctets, dPkts, First, Last} for the key fields.

	 8.1 -	Source and Destination AS, Input and Output interface
	 8.2 -	Protocol and Port
	 8.3 -	Source Prefix and Input interface
	 8.4 -	Destination Prefix and Output interface
	 8.5 -	Source/Destination Prefix and Input/Output interface
	 8.9 -	8.1 + ToS
	 8.10 - 8.2 + ToS
	 8.11 - 8.3 + ToS
	 8.12 - 8.5 + ToS
	 8.13 - 8.2 + ToS
	 8.14 - 8.3 + ports + ToS

       Version 8 CatIOS NetFlow appears to be a less fine grained first	 level
       flow cache.

	 8.6 - Destination IP, ToS, Marked ToS,
	 8.7 - Source/Destination IP, Input/Output interface, ToS, Marked ToS,
	 8.8 - Source/Destination IP, Source/Destination Port,
	       Input/Output interface, ToS, Marked ToS,

       The following programs are included in the flow-tools distribution.

       flow-capture  -	Collect,  compress,  store,  and manage disk space for
       exported flows from a router.

       flow-cat - Concatenate flow files. Typically flow files will contain  a
       small  window  of  5  or 15 minutes of exports. Flow-cat can be used to
       append files for generating reports that span longer time periods.

       flow-fanout - Replicate NetFlow datagrams to unicast or multicast
       destinations. Flow-fanout is used to facilitate multiple collectors
       attached to a single router.

       flow-report - Generate reports for NetFlow data sets.  Reports  include
       source/destination  IP  pairs,  source/destination AS, and top talkers.
       Over 50 reports are currently supported.

       flow-tag - Tag flows based on IP address or AS #.  Flow-tag is used  to
       group  flows by customer network. The tags can later be used with flow-
       fanout or flow-report to generate customer based traffic reports.

       flow-filter - Filter flows based on any of the export fields.
       Flow-filter is used in-line with other programs to generate reports
       based on flows matching filter expressions.

       flow-import - Import data from ASCII or cflowd format.

       flow-export - Export data to ASCII or cflowd format.

       flow-send - Send data over the network using the NetFlow protocol.

       flow-receive - Receive exports using the NetFlow protocol without
       storing to disk like flow-capture.

       flow-gen - Generate test data.

       flow-dscan  -  Simple tool for detecting some types of network scanning
       and Denial of Service attacks.

       flow-merge - Merge flow files in chronological order.

       flow-xlate - Perform translations on some flow fields.

       flow-expire - Expire flows using the same policy of flow-capture.

       flow-header - Display meta information in flow file.

       flow-split - Split flow files into smaller files based on  size,	 time,
       or tags.

AUTHOR
       Mark Fullmer <maf@splintered.net>

       flow-merge by Larry Lidz <ellidz@eridu.uchicago.edu>

       Patches and other contributions by a list too long to mention here.

       flow-tools is available at
	<URL:http://www.splintered.net/sw/flow-tools>.

       A mailing list is maintained at <flow-tools@splintered.net>

SEE ALSO
       flow-capture(1) flow-cat(1) flow-dscan(1) flow-expire(1) flow-export(1)
       flow-fanout(1)	flow-filter(1)	 flow-nfilter(1)   flow-gen(1)	 flow-
       header(1)  flow-import(1)  flow-merge(1)	 flow-print(1) flow-receive(1)
       flow-report(1)  flow-send(1)  flow-split(1)  flow-stat(1)   flow-tag(1)
       flow-xlate(1)

				26 August 2010			 FLOW-TOOLS(1)