transcript compatibility for postscript use.
synopsis: .P! <file.ps>
\. .fl \" force out current output buffer \\!%PB \\!/showpage{}def the following is from Ken Flowers -- it prevents dictionary overflows
\\!/tempdict 200 dict def tempdict begin .fl \" prolog .sy cat \\$1\" bring in postscript file the following line matches the tempdict above
\\!end % tempdict % \\!PE \\!. .. .. . ft \\*(f4 . ds f4\" ' br \} . ft \\*(f3 . ds f3\" ' br \} . ft \\*(f2 . ds f2\" ' br \} . ft \\*(f1 . ds f1\" ' br \} ..
flow-capture [-hu] [-b big|little] [-C comment] [-c flow_clients] [-d debug_level] [-D daemonize] [-e expire_count] [-f filter_fname] [-F filter_definition] [-E expire_size] [-n rotations] [-N nesting_level] [-p pidfile] [-R rotate_program] [-S stat_interval] [-t tag_fname] [-T active_def|active_def,active_def ...] [-V pdu_version] [-z z_level] -w workdir [-x xlate_fname] [-X xlate_definition] localip/remoteip/port
The flow-capture utility will receive and store NetFlow exports to disk. The flow files are rotated rotationstimes per day and expiration of old flow files can be configured by number of files or total space utilization. Files are stored in workdir and can optionally be stored in additional levels of directories. Active files created by flow-capture begin with 'tmp'. Files that are complete begin with 'ft'.
When the remoteip is configured only flows from that exporter will be processed, this is the most secure and recommended configuration. When the localip is configured flow-capture will only process flows sent to the localip IP address. If remoteip is 0 (not configured) flows from any source IP address are accepted. Multiple non aggregated PDU versions may be accepted at once to support Cisco's Catalyst 6500 NetFlow implementation which exports from both the supervisor and MSFC with the same IP address and same port but different export versions. In this case the exports will be stored in the format specified by pdu_version or whichever export type is received first.
NetFlow exports are UDP and do not employ congestion control or a retransmission mechanism. If the server flow-capture is configured on is too busy, or the network is congested or lossy NetFlow exports will be lost. An estimate of lost flows is recorded in the flow files, and logged via syslog. Most servers will provide a count of dropped packets due to full socket buffers via the netstat utility. For example netstat -s | grep full will provide a count of UDP packets dropped due to full socket buffers. If this is a persistent occurrence either flow-capture will need a larger server or the compression level should be decreased with -z.
A SIGHUP signal will cause flow-capture to close the current file and create a new one.
A SIGQUIT or SIGTERM signal will cause flow-capture to close the current file and exit.
1 NetFlow version 1 (No sequence numbers, AS, or mask) 5 NetFlow version 5 6 NetFlow version 6 (5+ Encapsulation size) 7 NetFlow version 7 (Catalyst switches) 8.1 NetFlow AS Aggregation 8.2 NetFlow Proto Port Aggregation 8.3 NetFlow Source Prefix Aggregation 8.4 NetFlow Destination Prefix Aggregation 8.5 NetFlow Prefix Aggregation 8.6 NetFlow Destination (Catalyst switches) 8.7 NetFlow Source Destination (Catalyst switches) 8.8 NetFlow Full Flow (Catalyst switches) 8.9 NetFlow ToS AS Aggregation 8.10 NetFlow ToS Proto Port Aggregation 8.11 NetFlow ToS Source Prefix Aggregation 8.12 NetFlow ToS Destination Prefix Aggregation 8.13 NetFlow ToS Prefix Aggregation 8.14 NetFlow ToS Prefix Port Aggregation 1005 Flow-Tools tagged version 5
Receive flows from the exporter at 10.0.0.1 port 9800. Maintain 5 Gigabytes of flow files in /flows/krc4. Mask the source and destination IP addresses contained in the flow exports with 255.255.248.0.
flow-capture -w /flows/krc4 -m 255.255.248.0 -E5G 0/10.0.0.1/9800
Receive flows from any exporter on port 9800. Do not perform any flow file space management. Store the exports in /flows/krc4. Emit a stat log message every 5 minutes.
flow-capture -w /flows/krc4 0/0/9800 -S5
Empty directories are not removed.
Configuration files: Tag - /usr/local/etc/flow-tools/tag.cfg. Filter - /usr/local/etc/flow-tools/filter.cfg. Xlate - /usr/local/etc/flow-tools/xlate.cfg.
Mark Fullmer maf@splintered.net
flow-tools(1)
created by instant / docbook-to-man, Thu 11 Feb 2021, 21:34