...\" $Header: /usr/src/docbook-to-man/cmd/RCS/docbook-to-man.sh,v 1.3 1996/06/17 03:36:49 fld Exp $
...\"
...\" transcript compatibility for postscript use.
...\"
...\" synopsis: .P! <file.ps>
...\"
.de P!
\\&.
.fl \" force out current output buffer
\\!%PB
\\!/showpage{}def
...\" the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin
.fl \" prolog
.sy cat \\$1\" bring in postscript file
...\" the following line matches the tempdict above
\\!end % tempdict %
\\!PE
\\!.
.sp \\$2u \" move below the image
..
.de pF
.ie \\*(f1 .ds f1 \\n(.f
.el .ie \\*(f2 .ds f2 \\n(.f
.el .ie \\*(f3 .ds f3 \\n(.f
.el .ie \\*(f4 .ds f4 \\n(.f
.el .tm ? font overflow
.ft \\$1
..
.de fP
.ie !\\*(f4 \{\
. ft \\*(f4
. ds f4\"
' br \}
.el .ie !\\*(f3 \{\
. ft \\*(f3
. ds f3\"
' br \}
.el .ie !\\*(f2 \{\
. ft \\*(f2
. ds f2\"
' br \}
.el .ie !\\*(f1 \{\
. ft \\*(f1
. ds f1\"
' br \}
.el .tm ? font underflow
..
.ds f1\"
.ds f2\"
.ds f3\"
.ds f4\"
.ta 8n 16n 24n 32n 40n 48n 56n 64n 72n
.TH "\fBflow-xlate\fP" "1"
.SH "NAME"
\fBflow-xlate\fP \(em Apply translations to selected fields of a flow\&.
.SH "SYNOPSIS"
.PP
\fBflow-xlate\fP [-hkn] [-b\fI big\fP|\fIlittle\fP] [-C\fI comment\fP] [-d\fI debug_level\fP] [-v\fI variable binding\fP] [-V\fI flow_version\fP] [-x\fI xlate_fname\fP] [-X\fI xlate_definition\fP] [-z\fI z_level\fP]
.SH "DESCRIPTION"
.PP
The \fBflow-xlate\fP utility is used to apply translations
to flows\&. Translations are defined in a configuration file and are
composed of actions and a definition to invoke action(s)\&. The definitions
are in the form of terms; each term can have a filter and multiple actions\&.
.PP
Words in the configuration file of the form @VAR or @{VAR:default} are
expanded at run time with the values of variables set using the -v option\&.
.PP
Translation actions begin with the xlate-action keyword followed by
a symbolic name\&. Each action has a type defined below\&.
.PP
Translation definitions begin with the xlate-definition keyword followed
by a symbolic name\&. Each definition is composed of terms which are
evaluated in the order of the configuration file\&. A term may invoke
a filter to conditionally invoke an action\&.
.PP
.nf
Action type/sub-commands                 Description/Example
------------------------------------------------------------------------
ip-source-address-to-network             Zero host bits based on mask\&.
ip-destination-address-to-network        Zero host bits based on mask\&.
  (no sub-commands)
ip-source-address-to-class-network       Zero source host bits to
                                         match class\&.
ip-destination-address-to-class-network  Zero dst host bits to
                                         match class\&.
  (no sub-commands)
ip-source-address-anonymize              Anonymize source address\&.
ip-destination-address-anonymize         Anonymize destination address\&.
ip-address-anonymize                     Anonymize src/dst address\&.
  algorithm                              Algorithm\&. cryptopan-aes128 is
                                         currently supported\&.
                                           algorithm cryptopan-aes128
  key                                    Key\&. Key is 128 bits in hex\&.
                                           key 0123456789ABCDEFG
  key-file                               File to load key from\&. Key is
                                         128 bits in hex\&.
                                           key-file /mfstmp/secret-key
  key-file-refresh                       How often to check the key file\&.
                                         Interval is in minutes, the
                                         optional second argument is
                                         hour:min:sec to specify the
                                         first refresh\&. This example
                                         will load a new key every day
                                         at 12:00:00\&.
                                           14400 12:00:00
ip-address-privacy-mask                  Apply a mask to the source and
                                         destination address to remove
                                         bits\&.
ip-port-privacy-mask                     Apply a mask to the source and
                                         destination port to remove
                                         bits\&.
tag-mask                                 Apply mask to the source and
                                         destination tag\&.
  mask                                   Source and Destination mask
                                         to apply\&.
                                           mask 0xFFFF 0xFFFF
scale                                    Scale packets and bytes\&.
  scale                                  Scale to apply\&.
                                           scale 100
replace-source-as0                       Replace source AS 0
replace-destination-as0                  Replace destination AS 0
  as                                     AS replacement value\&.
                                           as 3112
.fi
.SH "OPTIONS"
.IP "-b\fI big\fP|\fIlittle\fP" 10
Byte order of output\&.
.IP "-C\fI Comment\fP" 10
Add a comment\&.
.IP "-d\fI debug_level\fP" 10
Enable debugging\&.
.IP "-h" 10
Display help\&.
.IP "-k" 10
Keep time from input\&.
.IP "-n" 10
Don\&'t load configuration file\&. Useful only with -V\&.
.IP "-v\fI variable binding\fP" 10
Set a variable FOO=bar\&.
.IP "-V\fI pdu_version\fP" 10
Use \fIpdu_version\fP format output\&.
.PP
.nf
1 NetFlow version 1 (No sequence numbers, AS, or mask)
5 NetFlow version 5
6 NetFlow version 6 (5+ Encapsulation size)
7 NetFlow version 7 (Catalyst switches)
8\&.1 NetFlow AS Aggregation
8\&.2 NetFlow Proto Port Aggregation
8\&.3 NetFlow Source Prefix Aggregation
8\&.4 NetFlow Destination Prefix Aggregation
8\&.5 NetFlow Prefix Aggregation
8\&.6 NetFlow Destination (Catalyst switches)
8\&.7 NetFlow Source Destination (Catalyst switches)
8\&.8 NetFlow Full Flow (Catalyst switches)
8\&.9 NetFlow ToS AS Aggregation
8\&.10 NetFlow ToS Proto Port Aggregation
8\&.11 NetFlow ToS Source Prefix Aggregation
8\&.12 NetFlow ToS Destination Prefix Aggregation
8\&.13 NetFlow ToS Prefix Aggregation
8\&.14 NetFlow ToS Prefix Port Aggregation
1005 Flow-Tools tagged version 5
.fi
.IP "-x\fI xlate_fname\fP" 10
Translation config file name\&. Defaults to \fB@localstatedir@/cfg/xlate\&.cfg\fP
.IP "-X\fI xlate_definition\fP" 10
Translation definition\&. Defaults to default\&.
.IP "-z\fI z_level\fP" 10
Configure compression level to \fI z_level\fP\&. 0 is
disabled (no compression), 9 is highest compression\&.
.SH "EXAMPLES"
.PP
Convert the version 7 flows in \fBflows\&.v7\fP to version 5,
storing the result in \fBflows\&.v5\fP\&.
.PP
\fBflow-xlate -V5 < flows\&.v7 > flows\&.v5\fP
.PP
Set the low 11 bits in the IP addresses to zero unless the address
is multicast or it belongs to the 192\&.88\&.99/24 network\&.
.PP
.nf
# xlate\&.cfg
include-filter filter\&.cfg
xlate-action MULTICAST-PRIVACY
  type ip-address-privacy-mask
  mask 0xFFFFFFFF 0xFFFFFFFF
xlate-action UNICAST-PRIVACY
  type ip-address-privacy-mask
  mask 0xFFFFFF00 0xFFFFF800
xlate-definition abilene_privacy
  term
    filter mcast
    action MULTICAST-PRIVACY
    stop
  term
    filter ucast
    action UNICAST-PRIVACY
.fi
.PP
.nf
# filter\&.cfg
filter-primitive MCAST
  type ip-address-mask
  permit 224\&.0\&.0\&.0 240\&.0\&.0\&.0
filter-primitive UCAST
  type ip-address-mask
  deny 224\&.0\&.0\&.0 240\&.0\&.0\&.0
  default permit
filter-primitive SKIP
  type ip-address-mask
  deny 192\&.88\&.99\&.0 255\&.255\&.255\&.0
  default permit
filter-definition mcast
  match ip-destination-address MCAST
filter-definition ucast
  match ip-destination-address UCAST
  match ip-destination-address SKIP
  match ip-source-address SKIP
.fi
.PP
\fBflow-cat flows | flow-xlate -xxlate\&.cfg -Xabilene_privacy | flow-print\fP
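.PP
The abilene_privacy definition above, modelled in C as an added example (not flow-tools source code)\&. It assumes that match lines within one filter-definition are ANDed, that a primitive without a default denies, and that a flow matching no term is left unchanged; with the masks as given, the source address keeps 24 bits and the destination 21\&.
.PP
.nf
```c
/* Added example: a model of the abilene_privacy terms, not flow-tools code. */
#include <stdint.h>
#include <stdio.h>

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

struct flow { uint32_t src, dst; };

/* filter-primitive MCAST: permit 224.0.0.0 240.0.0.0 (assumed default: deny) */
static int prim_mcast(uint32_t a) { return (a & IP(240,0,0,0)) == IP(224,0,0,0); }
/* filter-primitive UCAST: deny 224.0.0.0 240.0.0.0, default permit */
static int prim_ucast(uint32_t a) { return !prim_mcast(a); }
/* filter-primitive SKIP: deny 192.88.99.0 255.255.255.0, default permit */
static int prim_skip(uint32_t a) { return (a & IP(255,255,255,0)) != IP(192,88,99,0); }

/* Assumption: every match line of a filter-definition must permit. */
static int filter_mcast(const struct flow *f) { return prim_mcast(f->dst); }
static int filter_ucast(const struct flow *f) {
    return prim_ucast(f->dst) && prim_skip(f->dst) && prim_skip(f->src);
}

/* ip-address-privacy-mask: first mask on the source, second on the destination. */
static void privacy_mask(struct flow *f, uint32_t smask, uint32_t dmask) {
    f->src &= smask;
    f->dst &= dmask;
}

/* Terms in file order. Returns 1 for MULTICAST-PRIVACY, 2 for UNICAST-PRIVACY,
 * 0 when no term matched and the flow is left as it was. */
int abilene_privacy(struct flow *f) {
    if (filter_mcast(f)) {
        privacy_mask(f, 0xFFFFFFFFu, 0xFFFFFFFFu);   /* all bits kept */
        return 1;                                    /* "stop": skip later terms */
    }
    if (filter_ucast(f)) {
        privacy_mask(f, 0xFFFFFF00u, 0xFFFFF800u);   /* src keeps /24, dst keeps /21 */
        return 2;
    }
    return 0;
}

int main(void) {
    struct flow f = { IP(10,1,2,200), IP(172,16,15,77) };   /* constructed sample flow */
    int term = abilene_privacy(&f);
    printf("term=%d src=%08lx dst=%08lx", term, (unsigned long)f.src, (unsigned long)f.dst);
    puts("");
    return 0;
}
```
.fi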
.SH "FILES"
.PP
Configuration files:
.nf
Symbols - \fB@localstatedir@/sym/*\fP\&.
Filter - \fB@localstatedir@/cfg/filter\&.cfg\fP\&.
Xlate - \fB@localstatedir@/cfg/xlate\&.cfg\fP\&.
.fi
.SH "BUGS"
.PP
The scale option can overflow the 32-bit flow counters\&. This could be
solved by detecting this condition and splitting the flow in two\&.
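.PP
An added sketch of the detection step described above (not flow-tools code): the counter is multiplied in 64 bits and split into as many 32-bit values as the product needs, which can be more than two\&. The function names and sample values are constructed for illustration\&.
.PP
.nf
```c
/* Added example: scaling a 32-bit flow counter without wrap-around
 * (not flow-tools code; names are hypothetical). */
#include <stdint.h>
#include <stdio.h>

/* What a plain 32-bit multiply stores: the product modulo 2^32. */
uint32_t scale_wrapped(uint32_t counter, uint32_t scale) {
    return counter * scale;
}

/* Multiply in 64 bits, then split the product into values that each fit a
 * 32-bit counter. Returns the number of parts written, or 0 when max_parts
 * is too small to hold the whole product. */
unsigned split_scaled(uint32_t counter, uint32_t scale,
                      uint32_t *parts, unsigned max_parts) {
    uint64_t total = (uint64_t)counter * scale;
    unsigned n = 0;
    do {
        uint32_t chunk = total > UINT32_MAX ? UINT32_MAX : (uint32_t)total;
        if (n == max_parts)
            return 0;
        parts[n++] = chunk;
        total -= chunk;
    } while (total > 0);
    return n;
}

int main(void) {
    uint32_t parts[4];
    /* Constructed sample: a 50,000,000 byte flow with "scale 100". */
    unsigned n = split_scaled(50000000u, 100u, parts, 4);
    printf("wrapped=%lu parts=%u",
           (unsigned long)scale_wrapped(50000000u, 100u), n);
    puts("");
    return 0;
}
```
.fi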
.PP
Translation between aggregated and non-aggregated formats is not supported\&.
.SH "AUTHOR"
.PP
Mark Fullmer maf@splintered\&.net
.SH "SEE ALSO"
.PP
\fBflow-tools\fP(1)
...\" created by instant / docbook-to-man, Tue 10 May 2005, 11:19