FLOW-XLATE(1)FLOW-XLATE(1)NAMEflow-xlate - Apply translations to selected fields of a flow.
SYNOPSISflow-xlate [ -hkn ] [ -b big|little ] [ -C comment ] [ -d
debug_level ] [ -v variable binding ] [ -V flow_version ] [ -x
xlate_fname ] [ -X xlate_definition ] [ -z z_level ]
DESCRIPTION
The flow-xlate utility is used to apply translations to flows. Transla‐
tions are defined in a configuration file and are composed of actions
and a definition to invoke action(s). The definitions are in the form
of terms, each term can have a filter and multiple actions.
Words in the configuration file of the form @VAR or @{VAR:default} will
be expanded at run-time by setting variable names with the -v option.
Translation actions begin with the xlate-action keyword followed by a
symbolic name. Each action has a type defined below.
Translation definitions begin with the xlate-definition keyword fol‐
lowed by a symbolic name. Each definition is composed of terms which
are evaluated in the order of the configuration file. A term may invoke
a filter to conditionally invoke an action.
Action type/sub-commands Description/Example
------------------------------------------------------------------------
ip-source-address-to-network Zero host bits based on mask.
ip-destination-address-to-network Zero host bits based on mask.
(no sub-commands)
ip-source-address-to-class-network Zero source host bits to
match class.
ip-destination-address-to-class-network Zero dst host bits to
match class.
(no sub-commands)
ip-source-address-anonymize Anonymize source address.
ip-destination-address-anonymize Anonymize destination address.
ip-address-anonymize Anonymize src/dst address.
algorithm Algorithm. cryptopan-aes128 is
currently supported.
algorithm cryptopan-aes128
key Key. Key is 128 bits in hex.
key 0123456789ABCDEFG
key-file File to load key from. Key is
128 bits in hex.
key-file /mfstmp/secret-key
key-file-refresh How often to check the key file.
Interval is in minutes, the
optional second argument is
hour:min:sec to specify the
first refresh. This example
will load a new key every day
at 12:00:00.
14400 12:00:00
ip-address-privacy-mask Apply a mask to the source and
destination address to remove
bits.
ip-port-privacy-mask Apply a mask to the source and
destination port to remove
bits.
tag-mask Apply mask to the source and
destination tag.
mask Source and Destination mask
to apply.
mask 0xFFFF 0xFFFF
scale Scale packets and bytes.
scale Scale to apply.
scale 100
replace-source-as0 Replace source AS 0
replace-destination-as0 Replace destination AS 0
as AS replacement value.
as 3112
OPTIONS-b big|little
Byte order of output.
-C Comment
Add a comment.
-d debug_level
Enable debugging.
-h Display help.
-k Keep time from input.
-n Don't load configuration file. Useful only with -V
-v variable binding
Set a variable FOO=bar.
-V pdu_version
Use pdu_version format output.
1 NetFlow version 1 (No sequence numbers, AS, or mask)
5 NetFlow version 5
6 NetFlow version 6 (5+ Encapsulation size)
7 NetFlow version 7 (Catalyst switches)
8.1 NetFlow AS Aggregation
8.2 NetFlow Proto Port Aggregation
8.3 NetFlow Source Prefix Aggregation
8.4 NetFlow Destination Prefix Aggregation
8.5 NetFlow Prefix Aggregation
8.6 NetFlow Destination (Catalyst switches)
8.7 NetFlow Source Destination (Catalyst switches)
8.8 NetFlow Full Flow (Catalyst switches)
8.9 NetFlow ToS AS Aggregation
8.10 NetFlow ToS Proto Port Aggregation
8.11 NetFlow ToS Source Prefix Aggregation
8.12 NetFlow ToS Destination Prefix Aggregation
8.13 NetFlow ToS Prefix Aggregation
8.14 NetFlow ToS Prefix Port Aggregation
1005 Flow-Tools tagged version 5
-x xlate_fname
Translation config file name. Defaults to /etc/flow-
tools/cfg/xlate.cfg
-X xlate_definition
Translation definition. Defaults to default.
-z z_level
Configure compression level to z_level. 0 is disabled (no com‐
pression), 9 is highest compression.
EXAMPLES
Convert the version 7 flows in flows.v7 to version 5, storing the
result in flows.v5.
flow-xlate-V5 < flows.v7 > flows.v5
Set the low 11 bits in the IP addresses to zero unless the address is
multicast or it belongs to the 192.88.99/24 network.
# xlate.cfg
include-filter filter.cfg
xlate-action MULTICAST-PRIVACY
type ip-address-privacy-mask
mask 0xFFFFFFFF 0xFFFFFFFF
xlate-action UNICAST-PRIVACY
type ip-address-privacy-mask
mask 0xFFFFFF00 0xFFFFF800
xlate-definition abilene_privacy
term
filter mcast
action MULTICAST-PRIVACY
stop
term
filter ucast
action UNICAST-PRIVACY
# filter.cfg
filter-primitive MCAST
type ip-address-mask
permit 224.0.0.0 240.0.0.0
filter-primitive UCAST
type ip-address-mask
deny 224.0.0.0 240.0.0.0
default permit
filter-primitive SKIP
type ip-address-mask
deny 192.88.99.0 255.255.255.0
default permit
filter-definition mcast
match ip-destination-address MCAST
filter-definition ucast
match ip-destination-address UCAST
match ip-destination-address SKIP
match ip-source-address SKIP
flow-cat flows | flow-xlate-xxlate.cfg -Xabilene_privacy | flow-print
FILES
Configuration files: Symbols - /etc/flow-tools/sym/*. Filter -
/etc/flow-tools/cfg/filter.cfg. Xlate - /etc/flow-tools/cfg/xlate.cfg.
BUGS
The scale option can overflow the 32 bit flow counters. This could be
solved by detecting this condition and splitting the flow in two.
Translation between aggregated and non aggregated formats is not sup‐
ported.
AUTHOR
Mark Fullmer <maf@splintered.net>
SEE ALSOflow-tools(1)
26 Август 2010 FLOW-XLATE(1)
