1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
|
...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\" transcript compatibility for postscript use.
...\"
...\" synopsis: .P! <file.ps>
...\"
.de P!
\\&.
.fl \" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl \" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u \" move below the image
..
.de pF
.ie �\\*(f1�� .ds f1 \\n(.f
.el .ie �\\*(f2�� .ds f2 \\n(.f
.el .ie �\\*(f3�� .ds f3 \\n(.f
.el .ie �\\*(f4�� .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie !�\\*(f4�� \{\
. ft \\*(f4
. ds f4\"
' br \}
.el .ie !�\\*(f3�� \{\
. ft \\*(f3
. ds f3\"
' br \}
.el .ie !�\\*(f2�� \{\
. ft \\*(f2
. ds f2\"
' br \}
.el .ie !�\\*(f1�� \{\
. ft \\*(f1
. ds f1\"
' br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n
.TH "\fBflow-import\fP" "1"
.SH "NAME"
\fBflow-import\fP \(em Import flows into flow-tools from other NetFlow packages\&.
.SH "SYNOPSIS"
.PP
\fBflow-import\fP [-h] [-b\fI big|little\fP] [-d\fI debug_level\fP] [-f\fI format\fP] [-m\fI mask_fields\fP] [-V\fI pdu_version\fP] [-z\fI z_level\fP]
.SH "DESCRIPTION"
.PP
The \fBflow-import\fP utility will convert data from
cflowd and ASCII CSV files into flow-tools format\&.
.SH "OPTIONS"
.IP "-b\fI big\fP|\fIlittle\fP" 10
Byte order of output\&.
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-f\fI format\fP" 10
Export format\&. Supported formats are:
.PP
.nf
0 cflowd
2 ASCII CSV
3 Cisco NFCollector
.fi
.IP "-h" 10
Display help\&.
.IP "-m\fI mask_fields\fP" 10
Select fields for cflowd and ASCII formats\&. The
\fImask_fields\fP is built from a bitwise OR of the following:
.IP "" 10
.PP
.nf
UNIX_SECS 0x0000000000000001LL
UNIX_NSECS 0x0000000000000002LL
SYSUPTIME 0x0000000000000004LL
EXADDR 0x0000000000000008LL
DFLOWS 0x0000000000000010LL
DPKTS 0x0000000000000020LL
DOCTETS 0x0000000000000040LL
FIRST 0x0000000000000080LL
LAST 0x0000000000000100LL
ENGINE_TYPE 0x0000000000000200LL
ENGINE_ID 0x0000000000000400LL
SRCADDR 0x0000000000001000LL
DSTADDR 0x0000000000002000LL
SRC_PREFIX 0x0000000000004000LL
DST_PREFIX 0x0000000000008000LL
NEXTHOP 0x0000000000010000LL
INPUT 0x0000000000020000LL
OUTPUT 0x0000000000040000LL
SRCPORT 0x0000000000080000LL
DSTPORT 0x0000000000100000LL
PROT 0x0000000000200000LL
TOS 0x0000000000400000LL
TCP_FLAGS 0x0000000000800000LL
SRC_MASK 0x0000000001000000LL
DST_MASK 0x0000000002000000LL
SRC_AS 0x0000000004000000LL
DST_AS 0x0000000008000000LL
IN_ENCAPS 0x0000000010000000LL
OUT_ENCAPS 0x0000000020000000LL
PEER_NEXTHOP 0x0000000040000000LL
ROUTER_SC 0x0000000080000000LL
EXTRA_PKTS 0x0000000100000000LL
MARKED_TOS 0x0000000200000000LL
.fi
.IP "" 10
The default value is all fields applicable to the \fIpdu_version\fP\&.
.IP "-V\fI pdu_version\fP" 10
Use \fIpdu_version\fP format output\&.
.PP
.nf
1 NetFlow version 1 (No sequence numbers, AS, or mask)
5 NetFlow version 5
6 NetFlow version 6 (5+ Encapsulation size)
7 NetFlow version 7 (Catalyst switches)
8\&.1 NetFlow AS Aggregation
8\&.2 NetFlow Proto Port Aggregation
8\&.3 NetFlow Source Prefix Aggregation
8\&.4 NetFlow Destination Prefix Aggregation
8\&.5 NetFlow Prefix Aggregation
8\&.6 NetFlow Destination (Catalyst switches)
8\&.7 NetFlow Source Destination (Catalyst switches)
8\&.8 NetFlow Full Flow (Catalyst switches)
8\&.9 NetFlow ToS AS Aggregation
8\&.10 NetFlow ToS Proto Port Aggregation
8\&.11 NetFlow ToS Source Prefix Aggregation
8\&.12 NetFlow ToS Destination Prefix Aggregation
8\&.13 NetFlow ToS Prefix Aggregation
8\&.14 NetFlow ToS Prefix Port Aggregation
1005 Flow-Tools tagged version 5
.fi
.IP "-z\fI z_level\fP" 10
Configure compression level to \fI z_level\fP\&. 0 is
disabled (no compression), 9 is highest compression\&.
.SH "EXAMPLES"
.PP
Convert the cflowd file \fBflows\&.cflowd\fP to the flow-tools
file \fBflows\fP\&. Store as Version 5 with compression level 5\&.
.PP
\fBflow-import -V5 -z5 -f0 < flows\&.cflowd > flows\fP
.SH "EXAMPLES"
.PP
Convert the ASCII CSV data in flows\&.ascii to flow-tools format\&. The
ASCII data must include all fields represented by 0xFF31EF in the order
listed above\&. Store as Version 5 with no compression\&.
.PP
\fBflow-import -z0 -f2 -m0xFF31EF < flows\&.ascii > flows\fP
.SH "BUGS"
.PP
The pcap format is a hack\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Sat 05 Oct 2002, 20:46
|
