<HTML ><HEAD ><TITLE >flow-stat</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.71 "></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><H1 ><A NAME="AEN1" ><SPAN CLASS="APPLICATION" >flow-stat</SPAN ></A ></H1 ><DIV CLASS="REFNAMEDIV" ><A NAME="AEN6" ></A ><H2 >Name</H2 ><SPAN CLASS="APPLICATION" >flow-stat</SPAN > -- Generate reports with flow data.</DIV ><DIV CLASS="REFSYNOPSISDIV" ><A NAME="AEN10" ></A ><H2 >Synopsis</H2 ><P ><B CLASS="COMMAND" >flow-stat</B > [-hnpPw] [-d<TT CLASS="REPLACEABLE" ><I > debug_level</I ></TT >] [-f<TT CLASS="REPLACEABLE" ><I > format</I ></TT >] [-S<TT CLASS="REPLACEABLE" ><I > sort_field</I ></TT >] [-s<TT CLASS="REPLACEABLE" ><I > sort_field</I ></TT >] [-t<TT CLASS="REPLACEABLE" ><I > tally_lines</I ></TT >] [-T<TT CLASS="REPLACEABLE" ><I > title</I ></TT >]</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN26" ></A ><H2 >DESCRIPTION</H2 ><P >The <B CLASS="COMMAND" >flow-stat</B > utility generates usage reports for flow data sets by IP address, IP address pairs, ports, packets, bytes, interfaces, next hops, autonomous systems, ToS bits, exporters, and tags.</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN30" ></A ><H2 >OPTIONS</H2 ><P ></P ><DIV CLASS="VARIABLELIST" ><DL ><DT >-d<TT CLASS="REPLACEABLE" ><I > debug_level</I ></TT ></DT ><DD ><P >Enable debugging.</P ></DD ><DT >-f<TT CLASS="REPLACEABLE" ><I > format</I ></TT ></DT ><DD ><P ><P CLASS="LITERALLAYOUT" >Report format. Choose from the following:<br> <br> 0 Overall Summary<br> 1 Average packet size distribution<br> 2 Packets per flow distribution<br> 3 Octets per flow distribution<br> 4 Bandwidth per flow distribution<br> 5 UDP/TCP destination port<br> 6 UDP/TCP source port<br> 7 UDP/TCP port<br> 8 Destination IP<br> 9 Source IP<br> 10 Source/Destination IP<br> 11 Source or Destination IP<br> 12 IP protocol<br> 13 octets for flow duration plot data<br> 14 packets for flow duration plot data<br> 15 short summary<br> 16 IP Next Hop<br> 17 Input interface<br> 18 Output interface<br> 19 Source AS<br> 20 Destination AS<br> 21 Source/Destination AS<br> 22 IP ToS<br> 23 Input/Output Interface<br> 24 Source Prefix<br> 25 Destination Prefix<br> 26 Source/Destination Prefix<br> 27 Exporter IP<br> 28 Engine Id<br> 29 Engine Type<br> 30 Source Tag<br> 31 Destination Tag<br> 32 Source/Destination Tag</P ></P ></DD ><DT >-h</DT ><DD ><P >Display help.</P ></DD ><DT >-n</DT ><DD ><P >Use symbolic names where appropriate.</P ></DD ><DT >-p</DT ><DD ><P >Display header information.</P ></DD ><DT >-P</DT ><DD ><P >Report as percent total.</P ></DD ><DT >-s<TT CLASS="REPLACEABLE" ><I > sort_field</I ></TT ></DT ><DD ><P >Sort ascending on field <TT CLASS="REPLACEABLE" ><I >sort_field</I ></TT >.</P ></DD ><DT >-S<TT CLASS="REPLACEABLE" ><I > sort_field</I ></TT ></DT ><DD ><P >Sort descending on field <TT CLASS="REPLACEABLE" ><I >sort_field</I ></TT >.</P ></DD ><DT >-t<TT CLASS="REPLACEABLE" ><I > tally_lines</I ></TT ></DT ><DD ><P >Tally totals every <TT CLASS="REPLACEABLE" ><I >tally_lines</I ></TT >lines.</P ></DD ><DT >-T<TT CLASS="REPLACEABLE" ><I > title</I ></TT ></DT ><DD ><P >Set report title to <TT CLASS="REPLACEABLE" ><I >title</I ></TT >.</P ></DD ><DT >-w</DT ><DD ><P >Wide output.</P ></DD ></DL ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN88" ></A ><H2 >EXAMPLES</H2 ><DIV CLASS="INFORMALEXAMPLE" ><A NAME="AEN90" ></A ><P ></P ><P >Provide a report on top source/destination IP pairs sorted by octets, report in percent total form for the flows in <TT CLASS="FILENAME" >/flows/krc4</TT >. Use the preload option to flow-cat to preserve meta information and display it with flow-stat.</P ><P > <B CLASS="COMMAND" >flow-cat -p /flows/krc4 | flow-stat -f10 -P -p -S4</B ></P ><P ></P ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN95" ></A ><H2 >EXAMPLES</H2 ><DIV CLASS="INFORMALEXAMPLE" ><A NAME="AEN97" ></A ><P ></P ><P >Many times a campus network will have a single border router which has one interface pointing to the internal side and many interfaces pointing to other providers. These interfaces each have a unique numerical id known in SNMP terms as an ifIndex. The ifIndex to interface name mappings can be determined by using a tool such as <SPAN CLASS="APPLICATION" >snmpwalk</SPAN > or using show commands in recent versions of IOS with the 'show snmp mib ifmib ifindex' or JunOS 'show interfaces'. Once the ifIndex for each interface is known flow-filter can be combined with flow-stat to provide reports such as inbound vs outbound top src/destination IP addresses. Provide a top source IP address report by outbound traffic, ie the top senders of traffic on the campus network. Assume the ifIndex of the campus interface is 5.</P ><P > flow-cat -p /flows/krc4 | flow-filter -i5 | flow-stat -f9 -P -p -S3 </P ><P ></P ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN101" ></A ><H2 >EXAMPLES</H2 ><DIV CLASS="INFORMALEXAMPLE" ><A NAME="AEN103" ></A ><P ></P ><P >Provide a top destination IP address report by outbound traffic, ie the top sinks of traffic on the campus network. Assume the ifIndex of the campus interface is 5.</P ><P > flow-cat -p /flows/krc4 | flow-filter -I5 | flow-stat -f8 -P -p -S3 </P ><P ></P ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN106" ></A ><H2 >EXAMPLES</H2 ><DIV CLASS="INFORMALEXAMPLE" ><A NAME="AEN108" ></A ><P ></P ><P >Provide a top source/destination AS report. Use symbolic names.</P ><P > flow-cat -p /flows/krc4 | flow-stat -f20 -n -P -p -S4 </P ><P ></P ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN111" ></A ><H2 >BUGS</H2 ><P >None known.</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN114" ></A ><H2 >AUTHOR</H2 ><P >Mark Fullmer <TT CLASS="EMAIL" ><<A HREF="mailto:maf@splintered.net" >maf@splintered.net</A >></TT ></P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN121" ></A ><H2 >SEE ALSO</H2 ><P ><SPAN CLASS="APPLICATION" >flow-tools</SPAN >(1)</P ></DIV ></BODY ></HTML >