<HTML ><HEAD ><TITLE >flow-xlate</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.71 "></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><H1 ><A NAME="AEN1" ><SPAN CLASS="APPLICATION" >flow-xlate</SPAN ></A ></H1 ><DIV CLASS="REFNAMEDIV" ><A NAME="AEN6" ></A ><H2 >Name</H2 ><SPAN CLASS="APPLICATION" >flow-xlate</SPAN > -- Apply translations to selected fields of a flow.</DIV ><DIV CLASS="REFSYNOPSISDIV" ><A NAME="AEN10" ></A ><H2 >Synopsis</H2 ><P ><B CLASS="COMMAND" >flow-xlate</B > [-fhl] [-0<TT CLASS="REPLACEABLE" ><I > AS0_substitution</I ></TT >] [-b<TT CLASS="REPLACEABLE" ><I > big</I ></TT >|<TT CLASS="REPLACEABLE" ><I >little</I ></TT >] [-C<TT CLASS="REPLACEABLE" ><I > comment</I ></TT >] [-d<TT CLASS="REPLACEABLE" ><I > debug_level</I ></TT >] [-m<TT CLASS="REPLACEABLE" ><I > privacy_mask</I ></TT >] [-s<TT CLASS="REPLACEABLE" ><I > scale</I ></TT >] [-t<TT CLASS="REPLACEABLE" ><I > src_tag_mask</I ></TT >] [-T<TT CLASS="REPLACEABLE" ><I > dst_tag_mask</I ></TT >] [-V<TT CLASS="REPLACEABLE" ><I > pdu_version</I ></TT >] [-z<TT CLASS="REPLACEABLE" ><I > z_level</I ></TT >]</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN35" ></A ><H2 >DESCRIPTION</H2 ><P >The <B CLASS="COMMAND" >flow-xlate</B > utility can translate between the non-aggregated flow export versions (1,5,6,7) and modify some fields of a flow.</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN39" ></A ><H2 >OPTIONS</H2 ><P ></P ><DIV CLASS="VARIABLELIST" ><DL ><DT >-0<TT CLASS="REPLACEABLE" ><I > AS0_substitution</I ></TT ></DT ><DD ><P >Cisco's NetFlow exports represent the local autonomous system as 0 instead of the real value. This option can be used to replace the 0 in the export with a configured value.
Unfortunately, under certain configurations AS 0 can also represent a cache miss or non-forwarded traffic, so use with caution.</P ></DD ><DT >-b<TT CLASS="REPLACEABLE" ><I > big</I ></TT >|<TT CLASS="REPLACEABLE" ><I >little</I ></TT ></DT ><DD ><P >Byte order of output.</P ></DD ><DT >-C<TT CLASS="REPLACEABLE" ><I > comment</I ></TT ></DT ><DD ><P >Add a comment.</P ></DD ><DT >-d<TT CLASS="REPLACEABLE" ><I > debug_level</I ></TT ></DT ><DD ><P >Enable debugging.</P ></DD ><DT >-f</DT ><DD ><P >Convert the source and destination IP addresses to network addresses using the mask bits in the flow. For example, 128.146.1.7/16 would become 128.146/16.</P ></DD ><DT >-h</DT ><DD ><P >Display help.</P ></DD ><DT >-l</DT ><DD ><P >Convert the source and destination IP addresses to legacy classful network addresses. For example, 128.146.1.7 would become 128.146.0.0.</P ></DD ><DT >-m<TT CLASS="REPLACEABLE" ><I > privacy_mask</I ></TT ></DT ><DD ><P >Apply <TT CLASS="REPLACEABLE" ><I >privacy_mask</I ></TT > to the source and destination IP address of flows. For example, a privacy_mask of 255.255.255.0 would convert flows with source/destination IP addresses 10.1.1.1 and 10.2.2.2 to 10.1.1.0 and 10.2.2.0 respectively.</P ></DD ><DT >-n<TT CLASS="REPLACEABLE" ><I > version</I ></TT ></DT ><DD ><P >Generate version type exports. 
Supported versions are: <P CLASS="LITERALLAYOUT" > 1 NetFlow version 1 (No sequence numbers, AS, or mask)<br> 5 NetFlow version 5<br> 6 NetFlow version 6 (5+ Encapsulation size)<br> 7 NetFlow version 7 (Catalyst switches)<br> 8.1 NetFlow AS Aggregation<br> 8.2 NetFlow Proto Port Aggregation<br> 8.3 NetFlow Source Prefix Aggregation<br> 8.4 NetFlow Destination Prefix Aggregation<br> 8.5 NetFlow Prefix Aggregation<br> 8.6 NetFlow Destination (Catalyst switches)<br> 8.7 NetFlow Source Destination (Catalyst switches)<br> 8.8 NetFlow Full Flow (Catalyst switches)<br> 8.9 NetFlow ToS AS Aggregation<br> 8.10 NetFlow ToS Proto Port Aggregation<br> 8.11 NetFlow ToS Source Prefix Aggregation<br> 8.12 NetFlow ToS Destination Prefix Aggregation<br> 8.13 NetFlow ToS Prefix Aggregation<br> 8.14 NetFlow ToS Prefix Port Aggregation<br> 1005 Flow-Tools tagged version 5</P ></P ></DD ><DT >-s<TT CLASS="REPLACEABLE" ><I > scale</I ></TT ></DT ><DD ><P >Scale the flows, octets, and packets fields by <TT CLASS="REPLACEABLE" ><I >scale</I ></TT >.</P ></DD ><DT >-t<TT CLASS="REPLACEABLE" ><I > src_tag_mask</I ></TT ></DT ><DD ><P >AND <TT CLASS="REPLACEABLE" ><I >src_tag_mask</I ></TT > with src_tag in flow.</P ></DD ><DT >-T<TT CLASS="REPLACEABLE" ><I > dst_tag_mask</I ></TT ></DT ><DD ><P >AND <TT CLASS="REPLACEABLE" ><I >dst_tag_mask</I ></TT > with dst_tag in flow.</P ></DD ><DT >-z<TT CLASS="REPLACEABLE" ><I > z_level</I ></TT ></DT ><DD ><P >Configure compression level to <TT CLASS="REPLACEABLE" ><I >z_level</I ></TT >. 
0 is disabled (no compression), 9 is highest compression.</P ></DD ></DL ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN111" ></A ><H2 >EXAMPLES</H2 ><DIV CLASS="INFORMALEXAMPLE" ><A NAME="AEN113" ></A ><P ></P ><P >Convert the version 7 flows in <TT CLASS="FILENAME" >flows.v7</TT > to version 5, storing the result in <TT CLASS="FILENAME" >flows.v5</TT >.</P ><P > <B CLASS="COMMAND" >flow-xlate -V5 &lt; flows.v7 &gt; flows.v5</B ></P ><P ></P ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN119" ></A ><H2 >EXAMPLES</H2 ><DIV CLASS="INFORMALEXAMPLE" ><A NAME="AEN121" ></A ><P ></P ><P >Summarize IP addresses to IP network numbers and generate a source prefix list report sorted by octets.</P ><P > <B CLASS="COMMAND" >flow-xlate -f &lt; flows | flow-stat -f9 -w -S2</B ></P ><P ></P ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN125" ></A ><H2 >BUGS</H2 ><P >The scale option can overflow the 32-bit flow counters. This could be solved by detecting this condition and splitting the flow in two.</P ><P >Translation between aggregated and non-aggregated formats is not supported.</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN129" ></A ><H2 >AUTHOR</H2 ><P >Mark Fullmer <TT CLASS="EMAIL" >&lt;<A HREF="mailto:maf@splintered.net" >maf@splintered.net</A >&gt;</TT ></P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN136" ></A ><H2 >SEE ALSO</H2 ><P ><SPAN CLASS="APPLICATION" >flow-tools</SPAN >(1)</P ></DIV ></BODY ></HTML >
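The address translations described for -f, -l and -m, and the counter overflow noted under BUGS, worked through as an added C example (this is not flow-tools source code). The function names, the host-byte-order address representation and the handling of class D/E addresses are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Build a host-byte-order IPv4 address from dotted-quad parts. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

/* -m: AND the address with the privacy mask. */
uint32_t apply_privacy_mask(uint32_t addr, uint32_t mask) { return addr & mask; }

/* -f: keep only the network part selected by the flow's mask bits. */
uint32_t to_network(uint32_t addr, unsigned mask_bits) {
    if (mask_bits == 0) return 0;       /* shifting by 32 is undefined in C */
    if (mask_bits >= 32) return addr;
    return addr & (0xFFFFFFFFu << (32 - mask_bits));
}

/* -l: classful network (A=/8, B=/16, C=/24). Class D/E addresses are
 * returned unchanged, which is an assumption of this example. */
uint32_t to_classful(uint32_t addr) {
    if ((addr & 0x80000000u) == 0)           return addr & 0xFF000000u;
    if ((addr & 0xC0000000u) == 0x80000000u) return addr & 0xFFFF0000u;
    if ((addr & 0xE0000000u) == 0xC0000000u) return addr & 0xFFFFFF00u;
    return addr;
}

/* -s: scale a 32-bit counter in 64-bit arithmetic. Returns 0 and stores the
 * result, or -1 when the product no longer fits in 32 bits (the BUGS case). */
int scale_counter(uint32_t value, uint32_t scale, uint32_t *out) {
    uint64_t wide = (uint64_t)value * scale;
    if (wide > UINT32_MAX) return -1;
    *out = (uint32_t)wide;
    return 0;
}

static void show(const char *label, uint32_t a) {
    printf("%-10s %u.%u.%u.%u\n", label, (unsigned)(a >> 24),
           (unsigned)((a >> 16) & 255), (unsigned)((a >> 8) & 255), (unsigned)(a & 255));
}

int main(void) {
    uint32_t addr = IP(128, 146, 1, 7), scaled = 0;   /* constructed sample */
    show("-m /24:", apply_privacy_mask(IP(10, 1, 1, 1), IP(255, 255, 255, 0)));
    show("-f /16:", to_network(addr, 16));
    show("-l:", to_classful(addr));
    if (scale_counter(3000000000u, 2, &scaled) != 0)
        puts("-s 2: 3000000000 octets would overflow a 32-bit counter");
    return 0;
}
```

A privacy mask of 255.255.255.0 still discloses the /24 each host belongs to, so choose the mask width to match how much of the address may leave the collection point.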