...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\" transcript compatibility for postscript use.
...\"
...\" synopsis: .P! <file.ps>
...\"
.de P!
\\&.
.fl \" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl \" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u \" move below the image
..
.de pF
.ie \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie !\\*(f4 \{\
. ft \\*(f4
. ds f4\"
' br \}
.el .ie !\\*(f3 \{\
. ft \\*(f3
. ds f3\"
' br \}
.el .ie !\\*(f2 \{\
. ft \\*(f2
. ds f2\"
' br \}
.el .ie !\\*(f1 \{\
. ft \\*(f1
. ds f1\"
' br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n
.TH "\fBflow-tag\fP" "1"
.SH "NAME"
\fBflow-tag\fP \(em Apply tags to flow files\&.
.SH "SYNOPSIS"
.PP
\fBflow-tag\fP [-hk] [-b\fI big\fP|\fIlittle\fP] [-C\fI comment\fP] [-d\fI debug_level\fP] [-t\fI tag_fname\fP] [-T\fI tag_definition\fP] [-v\fI variable binding\fP]
.SH "DESCRIPTION"
.PP
The \fBflow-tag\fP utility is used to add or modify
source and destination tags in flow records\&. Tags are 32 bit
identifiers derived from rules and fields in a flow record\&. Tags
can be used to group flows with common prefixes, autonomous systems,
next hops, exporter id and/or input/output interface\&.
\fBflow-stat\fP can be used with tagged flows to produce
group based reports\&. For example, all outbound traffic for a customer
where the customer is defined by a list of IP prefixes\&.
.SH "OPTIONS"
.IP "-b\fI big\fP|\fIlittle\fP" 10
Byte order of output\&.
.IP "-C\fI Comment\fP" 10
Add a comment\&.
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-h" 10
Display help\&.
.IP "-k" 10
Keep time from input\&.
.IP "-t\fI tag_fname\fP" 10
Load tags from \fBtag_fname\fP\&. Defaults to
\fB@localstatedir@/cfg/tag\fP
.IP "-T\fI active_def\fP" 10
Use \fIactive_def\fP as the active tag definition(s)\&.
.IP "-v\fI variable binding\fP" 10
Set a variable FOO=bar\&.
.PP
.PP
The configuration file is a collection of actions and definitions\&. An
action is triggered by a definition and a definition is invoked only
if listed with the \fI-T\fP flag\&. Lines beginning
with # are treated as comments and ignored\&.
.PP
Words in the configuration file of the form @VAR or @{VAR:default} will be
expanded at run-time by setting variable names with the -v option\&.
.PP
.PP
.nf
tag-action command      Description/Example
----------------------------------------------------------------------
tag-action              Begin tag-action section
                        tag-action foo

type                    Configure the type of action, one of
                        source-prefix, destination-prefix, prefix,
                        source-as, destination-as, as, next-hop,
                        tcp-source-port, tcp-destination-port,
                        tcp-port, udp-source-port,
                        udp-destination-port, udp-port,
                        tos, exporter, source-ip-address,
                        destination-ip-address, ip-address,
                        input-interface, output-interface,
                        interface, any\&.
                        type src-prefix

match                   Match criteria\&. The match condition
                        depends on the type\&. Following the
                        match condition is one of
                        set-destination, set-source,
                        or-destination, or-source to
                        set or logically or a value to the
                        source or destination tag\&.
                        match 128\&.146/16 set-destination 0x010001

Multiple actions may match and set tags on the same flow\&. Note that
listing many actions will cause tags to be applied in O(actions) time\&.
The actions try to run in O(1) time\&. For example if 10 prefixes are
listed in a single action it will take about the same CPU as if 100
prefixes are used\&. Listing 100 actions will require 100 times the
CPU as 1 action\&.

tag-action types        Description
----------------------------------------------------------------------
source-prefix           Source Prefix
destination-prefix      Destination Prefix
prefix                  Source or Destination Prefix
source-as               Source AS
destination-as          Destination AS
as                      Source or Destination AS
next-hop                IP Next Hop
tcp-source-port         TCP Source Port
tcp-destination-port    TCP Destination Port
tcp-port                TCP Source or Destination Port
udp-source-port         UDP Source Port
udp-destination-port    UDP Destination Port
udp-port                UDP Source or Destination Port
tos                     Type of Service
exporter                Exporter IP Address
source-ip-address       Source IP Address
destination-ip-address  Destination IP Address
ip-address              Source or Destination IP Address
input-interface         Input Interface
output-interface        Output Interface
interface               Input or Output Interface
any                     Match any flows

tag-action matches      Description
----------------------------------------------------------------------
set-destination         Set the destination tag, replacing
                        any previous tag\&.
set-source              Set the source tag, replacing any
                        previous tag\&.
or-destination          Logically or this value to the
                        existing destination tag
or-source               Logically or this value to the
                        existing source tag
.fi
.PP
A definition lists a set of actions which are evaluated if the filter
criteria are met\&. Each definition is built with terms\&. A term has
its action(s) evaluated if the filter is passed\&.
.PP
.nf
definition command      Description/Example
-----------------------------------------------------------------------
tag-definition          Begin tag-definition section
                        tag-definition bar

term                    Begin a list of actions to be
                        evaluated that match the filter
                        rule\&.
                        term

input-filter            List of input ifIndexes the flow
                        must match\&.
                        input-filter 1,2,3,4

output-filter           List of output ifIndexes the flow
                        must match\&.
                        output-filter 1,2,3,4

exporter                IP address of exporter the flow must
                        match\&.
                        exporter 1\&.2\&.3\&.4

action                  Name of action to evaluate\&. Actions
                        are evaluated in the order they
                        appear in a definition\&.
                        action foo
.fi
.PP
.SH "EXAMPLES"
.PP
The meaning of a tag is user defined\&. The following example uses
16 bits of a tag as a customer ID and 4 bits as a customer type\&.
\fBflow-xlate\fP can be used to apply a mask to these
fields\&.
.PP
.nf
\f(CW# file: gigapop-tags
# tag format
#
#   0       7         15        23        31
#   0000 0000 0000 0000 0000 0000 0000 0000  (32 bits)
#   RRRRRRRRRRRRRR TTTT NNNNNNNNNNNNNNNNNNN
#         |         |           | Site name
#         |         | Site type
#         | Reserved
#
#
# SITE_NAME_MASK = 0x0000FFFF
# SITE_TYPE_MASK = 0x00FF0000
#
# ID Name
#---------------------------------
# 0x0001 OSU
# 0x0002 CWRU
# 0x0003 BGSU
# \&.\&.\&. etc
# 0x0019 MULTICAST
#
# ID Type
#------------------------
# 0x01 Participant
# 0x02 SEGP
# 0x03 Sponsored-Participant
# 0x04 Gigapop
# 0x05 MULTICAST

tag-action OHIO-GIGAPOP_DST
  type destination-prefix
  # OSU
  match 128\&.146/16 set-destination 0x010001
  match 164\&.107/16 set-destination 0x010001
  match 140\&.254/16 set-destination 0x010001
  match 192\&.153\&.26/24 set-destination 0x010001
  # CWRU
  match 129\&.22/16 set-destination 0x010002
  match 192\&.5\&.110/24 set-destination 0x010002
  # BGSU
  match 129\&.1/16 set-destination 0x010003
  # \&.\&.\&.etc
  # MULTICAST
  match 224/4 set-destination 0x050019

tag-action OHIO-GIGAPOP_SRC
  type source-prefix
  # OSU
  match 128\&.146/16 set-source 0x010001
  match 164\&.107/16 set-source 0x010001
  match 140\&.254/16 set-source 0x010001
  match 192\&.153\&.26/24 set-source 0x010001
  # CWRU
  match 129\&.22/16 set-source 0x010002
  match 192\&.5\&.110/24 set-source 0x010002
  # BGSU
  match 129\&.1/16 set-source 0x010003
  # \&.\&.\&.etc

tag-action OTHER_DST
  type destination-prefix
  match 0/0 set-destination 0x0

tag-action OTHER_SRC
  type source-prefix
  match 0/0 set-source 0x0

tag-definition OHIO-GIGAPOP
  term
    # Abilene interface
    input-filter 25
    # clear tag first -- it defaults to 0, so this may not be necessary\&.
    action OTHER_DST
    action OHIO-GIGAPOP_DST
  term
    # Abilene interface
    output-filter 25
    # clear tag first -- it defaults to 0, so this may not be necessary\&.
    action OTHER_SRC
    action OHIO-GIGAPOP_SRC
\fR
.fi
.PP
.PP
First populate \fB@localstatedir@/sym/tag\fP for \fBflow-stat\fP to use as symbols\&.
.PP
.nf
\f(CW0x0001 OSU
0x0002 CWRU
0x0003 BGSU
0x0019 MULTICAST
0x010000 PART
0x020000 SEGP
0x030000 SPART
0x040000 GIGAPOP
0x050000 MULTICAST\fR
.fi
.PP
.PP
To generate a report for outgoing traffic to Abilene based on customer ID:
.PP
.nf
\f(CWflow-cat \fBflows\fP | flow-filter -I25 | flow-tag -t gigapop-tags -TOHIO-GIGAPOP | flow-xlate -t0x0000FFFF | flow-stat -n -f30 -S2\fR
.fi
.PP
.PP
.nf
# --- ---- ---- Report Information --- --- ---
#
# Fields: Total
# Symbols: Enabled
# Sorting: Descending Field 2
# Name: Source Tag
#
# Args: \&.\&./flow-stat -n -f30 -S2
#
#
# Src Tag flows octets packets
#
OSU 4942230 181326237007 302476793
CWRU 874883 54358312807 70589318
BGSU 1008797 7600209852 22060870
.fi
.PP
To generate a report for inbound traffic from Abilene based on customer type:
.PP
.nf
\f(CWflow-cat \fBflows\fP | flow-filter -i25 | flow-tag -t gigapop-tags -TOHIO-GIGAPOP | flow-xlate -T0xFF0000 | flow-stat -n -f31 -S2\fR
.fi
.PP
.PP
.nf
# --- ---- ---- Report Information --- --- ---
#
# Fields: Total
# Symbols: Enabled
# Sorting: Descending Field 2
# Name: Destination Tag
#
# Args: \&.\&./flow-stat -n -f31 -S2
#
#
# Dst Tag flows octets packets
#
PART 15923156 663289954569 981163979
SEGP 4995795 135525076170 196534917
MULTICAST 45171 49866825003 137798118
GIGAPOP 942209 26422533266 23199961
SPART 73998 5170323905 7597985
.fi
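.PP
An added Python sketch (not part of flow-tools or of this manual page) of what the source-tagging term above computes, run over a constructed subset of the gigapop-tags file and then split with the two masks from its comments. It assumes the most specific matching prefix within one action wins and that actions run in the order listed; all function names are hypothetical.

```python
import ipaddress

SITE_NAME_MASK = 0x0000FFFF  # masks as given in the gigapop-tags comments
SITE_TYPE_MASK = 0x00FF0000

# Constructed subset of the page's source-prefix actions.
CONFIG = """
tag-action OHIO-GIGAPOP_SRC
  type source-prefix
  # OSU
  match 128.146/16 set-source 0x010001
  match 192.153.26/24 set-source 0x010001
  match 129.22/16 set-source 0x010002
tag-action OTHER_SRC
  type source-prefix
  match 0/0 set-source 0x0
"""

def expand_prefix(text):
    """Expand the short form 128.146/16 to 128.146.0.0/16."""
    addr, _, length = text.partition("/")
    octets = addr.split(".")
    return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + "/" + length)

def parse_actions(config):
    """Return {action name: [(network, operation, value), ...]}."""
    actions, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue  # blank lines and # comments are ignored
        if words[0] == "tag-action":
            current = actions.setdefault(words[1], [])
        elif words[0] == "match":
            current.append((expand_prefix(words[1]), words[2], int(words[3], 16)))
    return actions

def source_tag(actions, order, src_ip):
    """Run the named actions in order (assumption: most specific prefix wins)."""
    ip, tag = ipaddress.ip_address(src_ip), 0
    for name in order:
        hits = [r for r in actions[name] if ip in r[0]]
        if hits:
            _, op, value = max(hits, key=lambda r: r[0].prefixlen)
            tag = value if op.startswith("set-") else tag | value
    return tag

def split_tag(tag):
    return (tag & SITE_TYPE_MASK) >> 16, tag & SITE_NAME_MASK  # (type, name)
```

Listing OTHER_SRC after OHIO-GIGAPOP_SRC would reset every source tag to 0, because set-source replaces any previous tag; the catch-all action therefore has to come first, as it does in the definition above.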
.SH "FILES"
.PP
Configuration files:
Symbols - \fB@localstatedir@/sym/*\fP\&.
Tag - \fB@localstatedir@/cfg/tag\&.cfg\fP\&.
.SH "BUGS"
.PP
None known\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Fri 02 Jan 2004, 16:26