
flow-fanout(1)                                                  flow-fanout(1)

NAME

       flow-fanout — Fanout (replicate) flow exports to many destinations.

SYNOPSIS

       flow-fanout   [-h]    [-A   AS0_substitution]   [-d  debug_level]   [-f
       filter_fname]  [-F filter_definition]  [-m privacy_mask]  [-p  pidfile]
       [-s]    [-S   stat_interval]    [-V   pdu_version]    [-x   xmit_delay]
       localip/remoteip/port localip/remoteip/port ...

DESCRIPTION

       The   flow-fanout   utility   will   replicate   flows   arriving    on
       localip/remoteip/port      to      destination(s)      specified     by
       localip/remoteip/port.

       Flows processed by multiple exporters  will  be  mixed  into  a  single
       output  stream.   This functionality appeared to support Cisco Catalyst
       exports and may have other uses.

       A SIGQUIT or SIGTERM signal will cause flow-fanout to exit.

OPTIONS

       -A AS0_substitution
                 Cisco’s NetFlow exports represent the local autonomous system
                 as  0  instead of the real value.  This option can be used to
                 replace  the  0  in  the  export  with a configured value.
                 Unfortunately, under certain configurations AS 0  can  also
                 represent  a cache miss or non-forwarded traffic, so use with
                 caution.

       -d debug_level
                 Enable debugging.

       -f filter_fname
                 Filter list filename.  Defaults to
                 /etc/flow-tools/cfg/filter.

       -F filter_definition
                 Select the active definition.  Defaults to default.

       -h        Display help.

       -m privacy_mask
                 Apply privacy_mask to the source and destination  IP  address
                 of  flows.  For example a privacy_mask of 255.255.255.0 would
                 convert flows with source/destination IP  addresses  10.1.1.1
                 and 10.2.2.2 to 10.1.1.0 and 10.2.2.0 respectively.

       -p pidfile
                 Configure  the  process  ID  file.  Use - to disable pid file
                 creation.

       -s        Spoof the source IP address.  If the IP address is 0 then  it
                 is replaced with the exporter source IP.

       -S stat_interval
                 When  configured  flow-fanout will emit a timestamped message
                 on stderr every  stat_interval  minutes  indicating  counters
                 such  as the number of flows received, packets processed, and
                 lost flows.

       -V pdu_version
                 Use pdu_version format output.

           1    NetFlow version 1 (No sequence numbers, AS, or mask)
           5    NetFlow version 5
           6    NetFlow version 6 (5+ Encapsulation size)
           7    NetFlow version 7 (Catalyst switches)
           8.1  NetFlow AS Aggregation
           8.2  NetFlow Proto Port Aggregation
           8.3  NetFlow Source Prefix Aggregation
           8.4  NetFlow Destination Prefix Aggregation
           8.5  NetFlow Prefix Aggregation
           8.6  NetFlow Destination (Catalyst switches)
           8.7  NetFlow Source Destination (Catalyst switches)
           8.8  NetFlow Full Flow (Catalyst switches)
           8.9  NetFlow ToS AS Aggregation
           8.10 NetFlow ToS Proto Port Aggregation
           8.11 NetFlow ToS Source Prefix Aggregation
           8.12 NetFlow ToS Destination Prefix Aggregation
           8.13 NetFlow ToS Prefix Aggregation
           8.14 NetFlow ToS Prefix Port Aggregation
           1005 Flow-Tools tagged version 5

       -x xmit_delay
                 Configure a microsecond transmit delay between packets.  This
                 may be necessary in some configurations to prevent a transmit
                 buffer overrun.
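
       The effect of -m and -A on a NetFlow version 5 export, as an added
       example that is not part of flow-tools or of the original page. It
       assumes the standard v5 layout (24-byte header, 48-byte records) and
       that -A rewrites both src_as and dst_as; rewrite_v5, flows and
       sample_pdu are hypothetical names.

```python
import ipaddress
import struct

HDR = struct.Struct("!HHIIIIBBH")             # NetFlow v5 header, 24 bytes
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes


def rewrite_v5(pdu: bytes, privacy_mask: str, as0_sub: int = 0) -> bytes:
    """Return a copy of a v5 PDU with addresses masked (-m) and AS 0 replaced (-A)."""
    if len(pdu) < HDR.size:
        raise ValueError("short PDU")
    version, count = struct.unpack_from("!HH", pdu)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(pdu) != HDR.size + count * REC.size:
        raise ValueError("length does not match header record count")
    mask = int(ipaddress.IPv4Address(privacy_mask))
    out = bytearray(pdu)
    for i in range(count):
        off = HDR.size + i * REC.size
        f = list(REC.unpack_from(pdu, off))
        f[0] &= mask                  # srcaddr: 10.1.1.1 -> 10.1.1.0 for 255.255.255.0
        f[1] &= mask                  # dstaddr
        if as0_sub:                   # assumption: both AS fields are rewritten;
            f[15] = f[15] or as0_sub  # src_as (an AS 0 that meant "cache miss"
            f[16] = f[16] or as0_sub  # dst_as  is relabelled as well)
        REC.pack_into(out, off, *f)
    return bytes(out)


def flows(pdu: bytes) -> list:
    """Decode (srcaddr, dstaddr, src_as, dst_as) for each record."""
    ip = lambda n: str(ipaddress.IPv4Address(n))
    count = struct.unpack_from("!H", pdu, 2)[0]
    recs = (REC.unpack_from(pdu, HDR.size + i * REC.size) for i in range(count))
    return [(ip(r[0]), ip(r[1]), r[15], r[16]) for r in recs]


def sample_pdu() -> bytes:
    """Constructed one-record PDU: 10.1.1.1 -> 10.2.2.2, src_as 0, dst_as 64501."""
    src = int(ipaddress.IPv4Address("10.1.1.1"))
    dst = int(ipaddress.IPv4Address("10.2.2.2"))
    rec = REC.pack(src, dst, 0, 1, 2, 10, 840, 0, 0, 40000, 443, 0, 0x18, 6, 0, 0, 64501, 32, 32, 0)
    return HDR.pack(5, 1, 0, 0, 0, 0, 0, 0, 0) + rec


if __name__ == "__main__":
    print(flows(rewrite_v5(sample_pdu(), "255.255.255.0", as0_sub=64500)))
```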

EXAMPLES

       Replicate flows arriving to local IP address 10.0.0.1 from  the  router
       exporting  with IP address 10.1.1.1 on port 9500 to localhost port 9500
       and 10.5.5.5 port 9200.  The exports sent to 10.5.5.5 will be sent with
       a source IP address of 10.0.0.5 which must be a valid local IP address.

         flow-fanout 10.0.0.1/10.1.1.1/9500 0/0/9500 10.0.0.5/10.5.5.5/9200

BUGS

       NetFlow exports do not contain  the  exporter  IP  address  inside  the
       payload  so  the original exporter IP address (typically a router) will
       be  lost  when  using  flow-fanout.   A  workaround  for  this protocol
       limitation is to use local IP aliases and the localip option.

       When  the  spoofing option is used multiple exporters with different IP
       addresses will share  the  same  sequence  number  but  will  have  the
       original  source  IP.   Fixing  this  requires per source : destination
       sequence number mapping.  It  is  much  easier  to  just  use  multiple
       instances of flow-fanout running on different ports.

AUTHOR

       Mark Fullmer maf@splintered.net

SEE ALSO

       flow-tools(1)
