ngfilter


NAME

ngfilter - filters flows based on any of the export fields. ngfilter is used in-line with ngindex to generate reports based on flows matching filter expressions.

SYNOPSIS

ngfilter [options [parameters]] -d DIRNAME -t TEMPLATE

DESCRIPTION

ngfilter filters flows based on any of the export fields. It reads the Berkeley DB database in directory DIRNAME that was built by ngindex. All the fields of the flow records must be described in the file TEMPLATE.

OPTIONS

-c CONDITIONS_FILE, --criterion=CONDITIONS_FILE

Sets the name of the file with the search conditions. If not set, ngfilter uses the file ngfilter.conf by default.

-d DIRNAME, --db-dir=DIRNAME

Name of the directory holding the database in Berkeley DB format built by ngindex.

-h, --help

Shows help about these options.

-o OUTPUT_FILE, --output=OUTPUT_FILE

Sets the name of the file to which ngfilter writes the result. If not set, ngfilter writes the result to stdout.

-t TEMPLATE, --template=TEMPLATE

File that describes the fields of the flow records.

-v, --verbose

Turns on printing messages to stdout about whether each operation finished successfully or not.

-V, --version

Shows the version of ngfilter.

FILES

TEMPLATE is a text file in which each line describes one field of the flow record for the internal system declaration. This file must be created by the user for every format of flow records. Name first the fields that will be used in searches most often, to increase efficiency. Each line must have the following format:
FIELD_NAME TYPE LENGTH_OF_FIELD INDEXED
FIELD_NAME

- symbolic name of the field in the flow record, according to the NetFlow specification

TYPE

- one of the defined types: int, time, prot, ipv4

LENGTH_OF_FIELD

- length in bytes

INDEXED

- the value "indexed" if an index on this field is required, or empty if it is not

The template file may contain comment lines, which begin with the symbol ’#’. For describing fields of records in NetFlow v5 format, the field names must correspond to the Cisco specification.

CONDITIONS_FILE is a text file in which each line describes one condition for the search of flow records. Each line must have the following format:
FIELD_NAME TYPE_OF_SEARCH LOW_BORDER HIGH_BORDER
FIELD_NAME

- symbolic name of the field in the flow record, according to the NetFlow specification

TYPE_OF_SEARCH

- the values "interval" or "i" for range retrieval, and "equal" or "e" for exact-match search

LOW_BORDER HIGH_BORDER

- the bounds of the value range for range retrieval. For an exact-match search you should give only one value.

The conditions file may contain comment lines, which begin with the symbol ’#’.
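A pre-flight check for the two file formats described above, added here as an example and not part of ngfilter itself: it validates a CONDITIONS_FILE against a TEMPLATE before the command is run (declared field names, one or two bounds depending on TYPE_OF_SEARCH, and an inverted numeric range, which would match nothing). The sample files are constructed; the field names are assumed from the Cisco NetFlow v5 record, and the template is abbreviated rather than complete.

```shell
# Sanity-check a CONDITIONS_FILE against a TEMPLATE before running ngfilter.
# Rules from the FILES section: '#' starts a comment; a condition line is
# FIELD_NAME TYPE_OF_SEARCH LOW_BORDER [HIGH_BORDER]; "interval"/"i" takes two
# bounds, "equal"/"e" exactly one; every field must be declared in the template.
check_conditions() {
    awk '
        FNR == NR { if ($0 !~ /^[ \t]*#/ && NF >= 3) known[$1] = 1; next }  # pass 1: template
        /^[ \t]*#/ || NF == 0 { next }                                     # pass 2: skip comments
        !($1 in known) { printf "%s:%d: field %s not in template\n", FILENAME, FNR, $1; bad++; next }
        $2 == "interval" || $2 == "i" {
            if (NF != 4) { printf "%s:%d: interval needs LOW_BORDER and HIGH_BORDER\n", FILENAME, FNR; bad++; next }
            # an inverted numeric range silently matches nothing
            if ($3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ && $3 + 0 > $4 + 0) {
                printf "%s:%d: LOW_BORDER %s exceeds HIGH_BORDER %s\n", FILENAME, FNR, $3, $4; bad++
            }
            next
        }
        $2 == "equal" || $2 == "e" {
            if (NF != 3) { printf "%s:%d: equal takes exactly one value\n", FILENAME, FNR; bad++ }
            next
        }
        { printf "%s:%d: unknown TYPE_OF_SEARCH %s\n", FILENAME, FNR, $2; bad++ }
        END { exit (bad ? 1 : 0) }
    ' "$1" "$2"
}
# Constructed sample files (not shipped with ngfilter). Field names are assumed
# from the Cisco NetFlow v5 record; a real template must list every field.
NGF_TEMPLATE=$(mktemp); NGF_GOOD=$(mktemp); NGF_BAD=$(mktemp)
cat > "$NGF_TEMPLATE" <<'EOF'
# FIELD_NAME TYPE LENGTH_OF_FIELD INDEXED
srcaddr ipv4 4 indexed
dstaddr ipv4 4 indexed
srcport int 2 indexed
dstport int 2
EOF
cat > "$NGF_GOOD" <<'EOF'
# flows to one host (documentation address) on the privileged port range
dstaddr e 192.0.2.10
dstport interval 0 1023
EOF
cat > "$NGF_BAD" <<'EOF'
dstport interval 1023 0
tos e 0
EOF
# When the check passes, hand the same files to ngfilter, e.g.:
#   ngfilter -c "$NGF_GOOD" -d flows_db -t "$NGF_TEMPLATE" -o filtered.txt
check_conditions "$NGF_TEMPLATE" "$NGF_GOOD" && echo "conditions OK"
check_conditions "$NGF_TEMPLATE" "$NGF_BAD" || echo "fix conditions before running ngfilter"
```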

EXAMPLES

Select the records matching the criteria in ngfilter.conf into the file one_day_flow.txt from the database in directory flows_db. The fields are described in the file netflv5 (if you used that file when indexing the flow records, you can find it in the directory with the database).

ngfilter -o one_day_flow.txt -d flows_db -t flows_db/netflv5

AUTHOR

Elena Mitrukova (mitrukov at cs.karelia.ru)

SEE ALSO

ngindex(1)