nfdump reads the flow data from one or more binary files, created by any nfdump collector: nfcapd, nfpcapd
and sfcapd. It processes and lists the flows in many different output formats and can create a wide
range of statistics.
nfdump has a very powerful flow filter to process flows. The filter syntax is very similar to tcpdump,
but adapted and extended for flow filtering. A flow filter may also contain arrays of many thousand IP
addresses etc. to search for specific records.
nfdump can aggregate flows according to a user defined number of elements. This masks certain elements
and allows summing up flow records matching the same values.
The combination of flow filtering and aggregation as input for any flow statistics allows complex flow
processing. Pre-filtered and aggregated flow data may also be written back into a binary flow file, which
again may be processed with nfdump.
nfdump can enrich the listing of flows with geo location information and AS information, unless AS
information is already available in the flow records. IP addresses can be tagged with a two letter
country code, or with a longer location label containing the geographic region, country and city. The
geo location and AS information is retrieved from the optional geoDB database, created by the geolookup
program from the nfdump tools. geolookup uses the Maxmind database GeoDB or GeoLite2 to create a binary
lookup database for nfdump. Please check the geolookup(1) man page for more details.
The options are as follows:
-r flowpath
Reads flow records from this path. flowpath may be a single file, or a directory containing any
number of flow files or sub directories. All files are processed in the order as listed by the
OS.
-w outfile
Writes all processed records into outfile instead of printing. The flowfile is a binary flow file
and may be processed again with nfdump. This can be useful to limit flows according to a flow
filter and/or specific flow aggregation.
-f filterfile
Reads the flow filter from filterfile. This can be useful for very long or structured filters,
with comments and long lists. Note: Any filter specified directly on the command line takes
precedence over the filterfile.
-C config
Read more options from file config. nfdump tries to read by default %prefix/etc/nfdump.config.
This may be overwritten by the environment variable NFCONF which again may be overwritten by this
option -C. In order to prevent reading any config file, even if it would exist, set -C none. A
config file is not required, but may be handy for often used output formats etc.
-O order
Sets an output order for records to be printed as text output. This order applies after all
records processing, such as filtering and aggregation, and before printing.
flows Sort according to the number of flows
packets Sort according to (in)packets
ipkg Same as packets
opkg Sort according to output packets
bytes Sort according to (in)bytes
ibyte Same as bytes
obyte Sort according to output bytes
pps Sort according to (in)packets per second
ipps Same as pps
opps Sort according to output packets per second
bps Sort according to (in)bytes per second
ibps Same as bps
obps Sort according to output bytes per second
bpp Sort according to (in)bytes per packet
ibpp Same as bpp
obpp Sort according to output bytes per packet
tstart Sort according to start time of flow - former -m
tend Sort according to end time of flows
duration Sort according to duration of flows
-t timewin
Set time window to process flows. This option is considered legacy and may be replaced with a
filter primitive in future releases. The time window is specified as:
YYYY/MM/dd.hh:mm:ss[-YYYY/MM/dd.hh:mm:ss]. Any parts of the time spec may be omitted, e.g.
YYYY/MM/dd expands to YYYY/MM/dd.00:00:00-infinity and processes all flows from a given day
onwards. The time window may also be specified as +/- n. In this case it is relative to the
beginning or end of all flows. +10 means the first 10 seconds of all flows, -10 means the last 10
seconds of all flows.
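The window syntax above, as an added example that is not part of the nfdump man page or its source code: a small Python re-implementation of the -t timewin parsing, covering partial timestamps (omitted parts expand to their minimum), the open-ended "-infinity" case, and the relative +n / -n forms measured from the first and last flow. It assumes, for the selection step, that a flow is kept when its start time falls inside the window; the sample flows are constructed.

```python
from datetime import datetime, timedelta

# Added illustration of the -t timewin syntax. Constructed re-implementation
# for demonstration, not nfdump's own parser.

OPEN_END = datetime.max  # stands in for "infinity" when no end is given


def parse_point(spec: str) -> datetime:
    """Parse YYYY/MM/dd.hh:mm:ss where any trailing part may be omitted.
    Omitted time parts default to 00:00:00, omitted month/day to 1."""
    date_part, _, time_part = spec.partition(".")
    dparts = [int(p) for p in date_part.split("/") if p]
    tparts = [int(p) for p in time_part.split(":") if p]
    year, month, day = (dparts + [1, 1])[:3]
    hour, minute, second = (tparts + [0, 0, 0])[:3]
    return datetime(year, month, day, hour, minute, second)


def parse_timewin(timewin: str, first_flow: datetime, last_flow: datetime):
    """Return (start, end) for a -t argument.
    Absolute form: start[-end]; a missing end means "to infinity".
    Relative form: +n / -n seconds measured from the first / last flow seen."""
    if timewin[:1] in ("+", "-"):
        seconds = int(timewin[1:])
        if timewin[0] == "+":
            return first_flow, first_flow + timedelta(seconds=seconds)
        return last_flow - timedelta(seconds=seconds), last_flow
    start_spec, _, end_spec = timewin.partition("-")
    start = parse_point(start_spec)
    end = parse_point(end_spec) if end_spec else OPEN_END
    return start, end


def select(flows, timewin: str):
    """Keep flows whose start time lies inside the window (assumption made for
    this example: the check is on tstart only)."""
    first = min(f["tstart"] for f in flows)
    last = max(f["tend"] for f in flows)
    start, end = parse_timewin(timewin, first, last)
    return [f for f in flows if start <= f["tstart"] <= end]


# Constructed sample flows (not real data).
SAMPLE = [
    {"id": 1, "tstart": datetime(2024, 5, 1, 23, 59, 50), "tend": datetime(2024, 5, 1, 23, 59, 59)},
    {"id": 2, "tstart": datetime(2024, 5, 2, 0, 0, 5), "tend": datetime(2024, 5, 2, 0, 0, 9)},
    {"id": 3, "tstart": datetime(2024, 5, 2, 12, 30, 0), "tend": datetime(2024, 5, 2, 12, 31, 0)},
    {"id": 4, "tstart": datetime(2024, 5, 2, 13, 45, 0), "tend": datetime(2024, 5, 2, 13, 45, 30)},
]


def selected_ids(timewin: str):
    return [f["id"] for f in select(SAMPLE, timewin)]


if __name__ == "__main__":
    for tw in ("2024/05/02", "2024/05/02.12-2024/05/02.13", "+10", "-60"):
        print(f"-t {tw:32} -> flows {selected_ids(tw)}")
```

Note that "2024/05/02" selects everything from midnight onwards with no upper bound, while "+10" is anchored to the earliest flow in the data set rather than to any calendar time.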
-c num Limit the number of records to be processed to the first num records which passed the filter.
-a Aggregate flow records. The default aggregation is done at connection level by taking the 5-tuple
protocol, srcip, dstip, srcport and dstport. This way of aggregation may be overwritten by option
-A.
-A aggregation
Sets the list of elements in a flow record to be aggregated. aggregation is a ',' separated list
of any number of v9/ipfix elements. The following elements are accepted:
proto IP protocol
srcip Source IP address
dstip Destination IP address
srcip4/net IPv4 source IP address with applied netmask
srcip6/net IPv6 source IP address with applied netmask
dstip4/net IPv4 destination IP address with applied netmask
dstip6/net IPv6 destination IP address with applied netmask
srcnet Apply netmask srcmask in netflow record for source IP
dstnet Apply netmask dstmask in netflow record for dest IP
srcport Source port
dstport Destination port
srcmask Source mask
dstmask Destination mask
srcvlan Source vlan label
dstvlan Destination vlan label
srcas Source AS number
dstas Destination AS number
nextas BGP Next AS
prevas BGP Previous AS
inif SNMP input interface number
outif SNMP output interface number
next IP next hop
bgpnext BGP next hop
insrcmac In source MAC address
outdstmac out destination MAC address
indstmac In destination MAC address
outsrcmac Out source MAC address
tos Source type of service
srctos Source type of Service
dsttos Destination type of Service
mpls1 MPLS label 1
mpls2 MPLS label 2
mpls3 MPLS label 3
mpls4 MPLS label 4
mpls5 MPLS label 5
mpls6 MPLS label 6
mpls7 MPLS label 7
mpls8 MPLS label 8
mpls9 MPLS label 9
mpls10 MPLS label 10
router IP address of exporting router
odid observation domain ID
opid observation point ID
xsrcip X-late source IP address, if compiled with NSEL support
xdstip X-late destination IP address, if compiled with NSEL support
xsrcport X-late source port, if compiled with NSEL support
xdstport X-late destination port, if compiled with NSEL support
nfdump automatically compiles the appropriate output format for the selected aggregation elements
unless an explicit output format -o is given. The automatic output format is identical to
-o 'fmt:%ts %td <fields> %pkt %byt %bps %bpp %fl'
where <fields> represents the selected aggregation tags.
-b Aggregate flow records as bidirectional flows. This automatically implies -a. Aggregation is
done on connection level by taking the 5-tuple protocol, srcip, dstip, srcport and dstport. The
reverse order applies for the corresponding reverse flow. Input and output packets/bytes are
counted and reported separately. Both flows are merged into a single record with corresponding
input and output counters. An appropriate output format is selected automatically, which may be
overwritten by any -o format option.
-B Similar to option -b but tries to guess the correct client to server direction. Automagically
swaps flows if src port is < dst port for TCP and UDP flows and src port < 1024 and dst port >
1024. Some exporters do not really care about sending the flows in proper order. It's considered to
be a convenience option.
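The three aggregation modes above (-a, -b and -B), as an added example that is not nfdump's code: a constructed Python model of 5-tuple aggregation, of merging the reverse flow into the same record with separate input and output counters, and of the -B swap heuristic read literally from the text (TCP/UDP, src port < dst port, src port < 1024, dst port > 1024). The sample flows are constructed so that the exporter emits the server-to-client half first, which is exactly the case where -b and -B differ.

```python
from dataclasses import dataclass, replace

# Added illustration of the -a / -b / -B aggregation behaviour.
# Constructed demonstration code, not nfdump's implementation.


@dataclass(frozen=True)
class Flow:
    proto: str
    srcip: str
    srcport: int
    dstip: str
    dstport: int
    packets: int
    bytes: int


def five_tuple(f: Flow):
    return (f.proto, f.srcip, f.srcport, f.dstip, f.dstport)


def reverse(f: Flow) -> Flow:
    """The same flow viewed from the other side (src and dst exchanged)."""
    return replace(f, srcip=f.dstip, srcport=f.dstport, dstip=f.srcip, dstport=f.srcport)


def needs_swap(f: Flow) -> bool:
    """-B heuristic as stated in the man page: a TCP/UDP flow is swapped when
    src port < dst port, src port < 1024 and dst port > 1024, i.e. the well-known
    service port sits on the source side, so the exporter reported server->client."""
    return (f.proto in ("tcp", "udp") and f.srcport < f.dstport
            and f.srcport < 1024 and f.dstport > 1024)


def aggregate(flows, bidir=False, guess_direction=False):
    """bidir=False mimics -a, bidir=True mimics -b, bidir + guess_direction mimics -B.
    Returns {5-tuple key: {"flows", "ipkt", "ibyt", "opkt", "obyt"}}."""
    table = {}

    def entry(key):
        return table.setdefault(key, {"flows": 0, "ipkt": 0, "ibyt": 0, "opkt": 0, "obyt": 0})

    for f in flows:
        reverse_dir = False          # do this flow's counters belong to the reverse direction?
        if bidir and guess_direction and needs_swap(f):
            f, reverse_dir = reverse(f), True
        key = five_tuple(f)
        if bidir and key not in table and five_tuple(reverse(f)) in table:
            # the other direction was seen first: merge into that record
            key, reverse_dir = five_tuple(reverse(f)), not reverse_dir
        e = entry(key)
        e["flows"] += 1
        if reverse_dir:
            e["opkt"] += f.packets
            e["obyt"] += f.bytes
        else:
            e["ipkt"] += f.packets
            e["ibyt"] += f.bytes
    return table


# Constructed sample: the exporter happens to emit the server->client half first.
SAMPLE = [
    Flow("tcp", "192.0.2.10", 443, "10.0.0.5", 43211, 8, 12000),   # server -> client
    Flow("tcp", "10.0.0.5", 43211, "192.0.2.10", 443, 12, 3000),   # client -> server
    Flow("tcp", "10.0.0.5", 43211, "192.0.2.10", 443, 4, 600),     # same connection, later export
    Flow("udp", "10.0.0.5", 51000, "192.0.2.53", 53, 1, 60),       # DNS query, no reply seen
]

CLIENT_KEY = ("tcp", "10.0.0.5", 43211, "192.0.2.10", 443)
SERVER_KEY = ("tcp", "192.0.2.10", 443, "10.0.0.5", 43211)


def run(mode: str):
    return aggregate(SAMPLE, bidir=mode in ("-b", "-B"), guess_direction=mode == "-B")


if __name__ == "__main__":
    for mode in ("-a", "-b", "-B"):
        print(mode)
        for key, counters in run(mode).items():
            print("  ", key, counters)
```

With -a the connection appears as two records (one per direction); with -b it collapses into one, but keyed on whichever side the exporter happened to send first, here the server; with -B the record is re-oriented so the client is the source and the server's bytes land in the output counters.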
-I Print flow statistics of a single file or the summary of all the files specified by -r flowpath.
-g Print for each flow file given by -r flowpath a one line summary, which can be easily used by gnu
plot.
-D nameserver
Sets the nameserver to translate hostnames into IP addresses in filter expressions. See filter
below for more details.
-G geoDB
Use geoDB as geo lookup DB for geo location and AS lookups. nfdump tries to read the environment
variable NFGEODB for the path of geoDB. The option -G overwrites NFGEODB. In order to prevent
reading any geoDB file, even if it would exist, set -G none.
-s statistic [:p [/orderby]]
Generate the Top N flow record or flow element statistic. By optionally adding :p to statistic,
the statistic is additionally split up into the transport layer protocols. By default the
statistic is transport protocol independent. Each statistic may be ordered by the optional
parameter orderby. This can be flows, packets, bytes, pps, bps or bpp. You may specify more than
one orderby option, which results in the same statistic but ordered differently. If no orderby is
given, the statistic is ordered by flows. You can specify as many -s flow element statistics as
needed on the command line for the same run.
statistic can be:
record aggregated netflow records.
srcip source IP addresses
dstip destination IP addresses
ip any (src or dst) IP addresses
nhip next hop IP addresses
nhbip BGP next hop IP addresses
router exporting router IP address
srcport source ports
dstport destination ports
port any (source or destination) ports
tos type of service - default src
srctos src type of service
dsttos dst type of service
dir flow directions ingress/egress
srcas source AS numbers
dstas destination AS numbers
srcgeo 2 letter geo source country code
dstgeo 2 letter geo destination country code
as any (source or destination) AS numbers
inif input interface
outif output interface
if any interface
inam input interface name
onam output interface name
srcmask src mask
dstmask dst mask
srcvlan src vlan label
dstvlan dst vlan label
vlan any vlan label
insrcmac input src MAC address
outdstmac output dst MAC address
indstmac input dst MAC address
outsrcmac output src MAC address
srcmac any src MAC address
dstmac any dst MAC address
inmac any input MAC address
outmac any output MAC address
mask any mask
proto IP protocols
mpls1 MPLS label 1
mpls2 MPLS label 2
mpls3 MPLS label 3
mpls4 MPLS label 4
mpls5 MPLS label 5
mpls6 MPLS label 6
mpls7 MPLS label 7
mpls8 MPLS label 8
mpls9 MPLS label 9
mpls10 MPLS label 10
sysid Internal SysID of exporter
nbar nbar ID
ja3 ja3 hashes
odid observation domain ID
opid observation point ID
vrf/ivrf ingress vrf
evrf egress vrf
ivrfnam ingress vrf name
evrfnam egress vrf name
NSEL/ASA statistics
event NSEL/ASA event
xevent NSEL/ASA extended event
xsrcip NSEL/ASA translated src IP address
xsrcport NSEL/ASA translated src port
xdstip NSEL/ASA translated dst IP address
xdstport NSEL/ASA translated dst port
iacl NSEL/ASA ingress ACL
iace NSEL/ASA ingress ACE
ixace NSEL/ASA ingress xACE
eacl NSEL/ASA egress ACL
eace NSEL/ASA egress ACE
exace NSEL/ASA egress xACE
NAT statistics
nevent NAT event
nsrcip NAT src IP address
nsrcport NAT src port
ndstip NAT dst IP address
ndstport NAT dst port
% nfdump -s srcip -s ip/flows/bytes -s record/bytes
-n num Set the number of records to be printed to num. This option applies to -s statistics as well as
to ordered output -O or aggregated records -a. The default is set to 10 for statistics and
unlimited for the other use cases. To disable the limit, set num to 0.
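The element statistic described under -s and the -n limit, as an added example that is not nfdump's code: a constructed Python model that takes a spec in the same shape as the -s argument (element, optional :p protocol split, optional /orderby), counts flows, packets and bytes per element value, derives pps, bps and bpp as the man page defines them, and cuts the ranked list at n (with 0 meaning unlimited). The "any" elements ip and port count a flow once for each distinct value it carries; only a handful of elements are modelled and the sample flows are constructed.

```python
from collections import defaultdict

# Added illustration of -s statistic[:p][/orderby] with -n. Constructed
# demonstration code, not nfdump's implementation; a subset of elements only.

# Constructed sample flows (not real traffic). Durations are in milliseconds.
SAMPLE = [
    dict(proto="tcp", srcip="10.0.0.5", srcport=43211, dstip="192.0.2.10", dstport=443, packets=12, bytes=3000, msec=500),
    dict(proto="tcp", srcip="10.0.0.5", srcport=43212, dstip="192.0.2.10", dstport=443, packets=5, bytes=900, msec=100),
    dict(proto="udp", srcip="10.0.0.7", srcport=51000, dstip="192.0.2.53", dstport=53, packets=1, bytes=60, msec=10),
    dict(proto="udp", srcip="192.0.2.53", srcport=53, dstip="10.0.0.7", dstport=51000, packets=1, bytes=200, msec=10),
    dict(proto="tcp", srcip="10.0.0.9", srcport=50000, dstip="192.0.2.10", dstport=80, packets=40, bytes=50000, msec=2000),
]

# "any" elements count a flow once for each distinct value it carries.
ANY_ELEMENTS = {"ip": ("srcip", "dstip"), "port": ("srcport", "dstport")}


def element_values(flow, element):
    fields = ANY_ELEMENTS.get(element, (element,))
    return {flow[f] for f in fields}


def derived(c):
    """pps, bps and bpp as the man page defines them, guarded against zero."""
    secs = c["msec"] / 1000 if c["msec"] else 0
    return {
        "pps": c["packets"] / secs if secs else 0,
        "bps": 8 * c["bytes"] / secs if secs else 0,
        "bpp": c["bytes"] / c["packets"] if c["packets"] else 0,
    }


def statistic(flows, spec: str, topn: int = 10):
    """spec has the -s argument shape: 'srcip', 'dstport:p', 'ip/bytes', 'srcip:p/packets'.
    Returns the ranked [(key, counters)] list, cut at topn unless topn is 0."""
    element, _, orderby = spec.partition("/")
    element, _, flag = element.partition(":")
    per_proto = flag == "p"
    orderby = orderby or "flows"          # default order, as documented
    counters = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "msec": 0})
    for f in flows:
        for value in element_values(f, element):
            key = (value, f["proto"]) if per_proto else value
            c = counters[key]
            c["flows"] += 1
            for k in ("packets", "bytes", "msec"):
                c[k] += f[k]
    rows = [(key, {**c, **derived(c)}) for key, c in counters.items()]
    rows.sort(key=lambda kv: kv[1][orderby], reverse=True)   # stable: ties keep input order
    return rows[:topn] if topn else rows                       # -n 0 disables the limit


def top_key(spec: str, topn: int = 10):
    return statistic(SAMPLE, spec, topn)[0][0]


if __name__ == "__main__":
    for spec in ("srcip", "srcip/bytes", "dstport:p", "ip/flows"):
        print(f"-s {spec}")
        for key, c in statistic(SAMPLE, spec, 3):
            print(f"   {key!s:22} flows={c['flows']:2} packets={c['packets']:3} bytes={c['bytes']:6} bpp={c['bpp']:.1f}")
```

The same sample ranks differently under each orderby: the host with the most connections leads by flows, the bulk transfer leads by bytes, and the :p split keeps 443/tcp separate from any 443/udp traffic that might share the port number.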
-o format
Sets the output format to print flow records. nfdump has many different output formats already
predefined. format may be one of the options below:
raw Print the full flow record on multiple lines. This prints all available information.
fmt:user Print the flow records according to the format user. This is a very flexible and powerful
way to format flow records. See the section OUTPUT below for more details on how to
compile your own format.
json Print full record as a separate json object.
csv Legacy .csv format - will get removed in future releases. Please use json instead.
pipe Legacy '|' separated format - will get removed in future releases. Please use json
instead.
Already predefined fmt formats:
line Print each flow on one line. Default format.
long Print each flow on one line with more details
biline Same as line, but for bi-directional flows
bilong Same as long, but for bi-directional flows
gline Same as line, but add country code to IPs. If a geoDB file is supplied this is the
default output format
glong Same as long, but add country code to IPs
extended Print each flow on one line with even more details.
nsel Print format for NSEL event records. Default format if NSEL/NAT support has been
compiled in.
nel Print format for NAT event records.
The nfdump config file may contain additional formats. If you want to add new formats or change
existing ones, check the config file.
IPv6 addresses are printed condensed in any fmt defined format to prevent cluttering the output
with large blank blocks. A condensed IPv6 address uses max 16 characters. If it is longer, then the
middle part of the IP is cut out and replaced by "..". For previewing an output, this fits most
needs. For a listing with the full IPv6 addresses add option -6.
-6 Print full length of IPv6 addresses in output instead of condensed.
-q Quiet mode. Suppress the header line and the statistics at the bottom of text outputs.
-N Print plain numbers in output without scaling. Easier for output parsing with 3rd party tools.
-i ident
Change the ident label in the file, specified by -r, to ident.
-v flowfile
Verify the consistency of flowfile and print the file parameters and number of records.
-E flowfile
Print the exporter and sampler list if found in flowfile. Additional statistics per exporter are
printed with number of flows, packets and sequence errors.
-x flowfile
This option works on nfdump version 1.6.x files only and may get removed in future. Scans and
prints extension maps located in flowfile.
-z=lzo Compress flow files with LZO1X-1 compression. Fastest compression.
-z=bz2 Compress flow files with bz2 compression. Slow but most efficient. May be used for archiving
files or if you are really short of space.
-z=lz4[:level]
Compress flow files with LZ4 compression. Fast and efficient. Optional level should be between
1..10. Changing the level results in smaller files but uses up more time to compress. Levels > 5
may need more workers. See -W.
-z=zstd[:level]
Compress flow files with ZSTD compression. Fast and efficient. Optional level should be between
1..10. Changing the level results in smaller files but uses up more time to compress. Levels > 5
may need more workers. See -W.
-W num Sets the number of workers to compress flows. Defaults to 4. Must not be greater than the number
of cores online. Useful for higher levels of compression for lz4 or zstd and large amounts of
flows per second. Please note, -W affects only writing flows.
-J compress
Change compression for any number of files given by option -r flowpath. Set compress to 0 for no
compression or to any of: 1 or LZO, 2 or BZ2, 3 or LZ4. This option may be used for archiving
flow files and changing the compression to use less disk space.
-X Compiles the filter syntax and dumps the filter engine table to stdout. This is for debugging
purpose only.
-Z Check filter syntax and exit. Sets the return value accordingly.
-R filelist
Select a range of files. This option is mainly used by old NfSen and documented here as legacy
option.
/any/dir Read recursively all files in directory dir.
/dir/file Read all files beginning with file.
/dir/file1:file2 Read all files from file1 to file2.
When using in combination with a sub hierarchy: /dir/sub1/sub2/file1:sub3/sub4/file2 Read all
files from sub1/sub2/file1 sub3/sub4/file2 iterating over all required hierarchy levels. Note:
files are read in alphabetical order.
-M dirlist
Read the same file hierarchy from multiple directories. This option is mainly used by old NfSen
and documented here as legacy option. Example: /any/path/to/dir1:dir2:dir3 will be
expanded to the directories: /any/path/to/dir1, /any/path/to/dir2 and /any/path/to/dir3. Any
number of colon separated directories may be given. A path ending with a wildcard '@' such as
/any/path/to@ will expand automatically in a list of all existing sub directories
/any/path/to/dir1:dir2:dir3. The files to read are specified by -r or -R and are expected to
exist in all the given directories. The options -r and -R must not contain any directories when
used in combination with -M.
-T Tag IP addresses with a prepending cntrl-A character, to allow output parsers to hook in. This
option is mainly used by old NfSen and documented here as legacy option.
-V Print nfdump version and exit.
-h Print help text on stdout with all options and exit.
filter selects, which records will be further processed. If no filter is given, all records will be
processed. Otherwise, only those flows matching the filter will be processed. Any IP address in a filter
may be specified as IPv4 or IPv6.
The filter syntax is similar to tcpdump but adapted and extended for flow records. The filter can be
either specified on the command line after all options or in a separate file. It can span several lines.
Anything after a '#' is treated as a comment and ignored to the end of the line. There is virtually no
limit in the length of the filter expression. All keywords are case insensitive.
A single filter primitive filters a single element of a flow record. A filter consists of one or more
primitives, which are linked together:
expr and expr
expr or expr
not expr
( expr )
In all expressions, where a number is a valid argument, the number may be given as a normal decimal
number or as a hex number prefixed by 0x such as 0x22. A decimal number may also contain a multiplication
factor such as K,M,G,T which multiplies the number by the corresponding factor. For example 1K, 2G etc.
String arguments may be single or double quoted or not quoted at all, if the string is not a reserved
filter key word - src geo CH but src geo 'IN'
Possible filter primitives:
@include file Expands the content of file into the current filter
count comp number True if the comparison with the record counter matches number. Each record gets
assigned a record number at the time it is read from file. Therefore this record
number is not unique and may change, depending on the order files are read.
ident string True if the record ident field matches string. This filter can be used to filter out
different sources.
inet, ipv4 True if source and destination IP of a record are IPv4 IPs.
inet6, ipv6 True if source and destination IP of a record are IPv6 IPs.
proto protocol True if the record protocol field matches protocol. protocol can be a string such as
tcp, udp, icmp, ah, esp, ipip, and many more or a protocol number, such as 6, 17 for
protocol tcp and udp.
tunproto protocol True if the record tunnel protocol field matches protocol. protocol may be a string or
a protocol number.
ip ipaddr
src ip ipaddr
dst ip ipaddr True if the respective IP field of the record matches ipaddr. ipaddr may be an IPv4
or IPv6 address or a symbolic hostname. In this case a DNS lookup resolves the
hostname to one or more IP addresses. If more than one IP results, all IPs are
chained together in an or chain (IP or IP or IP). If ip is not specified with src
or dst the source or destination IP may match.
host ipaddr host is just a synonym for ip (see above).
ip in [iplist]
src ip in [iplist]
dst ip in [iplist] True if the respective IP field of the record is in iplist. iplist is a space or ','
separated list of IP addresses or networks in CIDR notation. This is the preferred
way to search in a large list of IP addresses and networks and is much more efficient
than chaining all IP addresses together (IP1 or IP2 or IP3). The iplist may contain
several hundreds to thousands of IPs and/or networks. For just a few IPs use an or chain,
otherwise use an iplist. If ip is not specified with src or dst the source or
destination IP may match.
net network netmask
src net network netmask
dst net network netmask
net network/netbits
src net network/netbits
dst net network/netbits
True if the respective IP field of the record matches the network if the
corresponding netmask or netbits are applied to the IP address. If net is not
specified with src or dst the source or destination IP may match.
geo string
src geo string
dst geo string True, if the 2-letter country code resolved by geolookup of the source or destination
IP address matches string. This filter works only if a valid geoDB is specified. See
the geo location option above. The 2-letter country code corresponds to the Maxmind DB
definitions. If geo is not specified with src or dst the source or destination geo
location code may match. Please note: country codes which match nfdump filter
language reserved words such as IN, LT etc. must be explicitly quoted to be recognized
as a string.
tunip ipaddr
src tunip ipaddr
dst tunip ipaddr True if the respective tunnel IP field of the record matches ipaddr. If tunip is not
specified with src or dst the source or destination tunnel IP may match.
port comp num
src port comp num
dst port comp num True if the comparison of the respective port field matches num. See comp for the
comparator details. If port is not specified with src or dst the source or
destination port may match.
port in [portlist]
src port in [portlist]
dst port in [portlist]
True if the respective port field of the record is in portlist. portlist is a space
or ',' separated list of port numbers. This is the preferred way to search in a large
list of port numbers and is much more efficient than chaining all ports together
(PORT1 or PORT2 or PORT3). portlist may contain several hundreds to thousands of port
numbers. If port is not specified with src or dst the source or destination port may
match.
icmp-type num
icmp-code num True if the respective icmp field of the record matches num. This automatically
implies proto icmp.
engine-type num
engine-id num
sysid num True if the respective field of the record matches num. engine type and ID are set by
the exporting device, sysid refers to the nfdump collector internal assigned number.
See also option -E above.
if num
in if num
out if num True if the respective interface field of the record matches num. This ID may
correspond to the SNMP ID of the interface but depends on the exporter. If if is not
specified with in or out the input or output interface may match.
as comp num
src as comp num
dst as comp num
prev as comp num
next as comp num True if the comparison of the respective AS field matches num. nfdump supports 32-bit AS
numbers everywhere. Without src or dst the source or destination AS may match. See comp for
the comparator details.
as in [aslist]
src as in [aslist]
dst as in [aslist]
prev as in [aslist]
next as in [aslist]
True if the respective AS field of the record is in aslist. aslist is a space or ','
separated list of AS numbers. This is the preferred way to search in a large list of
AS numbers and is much more efficient than chaining all AS numbers together. aslist may
contain several hundreds to thousands of AS numbers. If as is not specified with src, dst, prev
or next the source or destination AS may match.
mask bits
src mask bits
dst mask bits True if the respective mask bit field of the record matches bits. If mask is not
specified with src or dst the source or destination mask bits may match.
vlan num
src vlan num
dst vlan num True if the respective vlan field of the record matches num. If vlan is not specified
with src or dst the source or destination vlan may match.
flags tcpflags True if the respective tcp flags field of the record matches any of the given
tcpflags. tcpflags is a string combination of all flags to be tested:
A ACK.
S SYN.
F FIN.
R Reset.
P Push.
U Urgent.
X All flags on.
The order of the flags within tcpflags is not relevant. Flags not mentioned are
treated as don't care. In order to get those flows with only the SYN flag set, use
the syntax
flags S and not flags AFRPU
router ip ipaddr True if the ip address of the sending router matches ipaddr as valid IPv4/IPv6
address.
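The number, comp, iplist and flags rules above, as an added example that is not nfdump's filter engine: a constructed Python model of the pieces a filter such as "proto tcp and flags S and not flags AFRPU and dst ip in [list] and bytes < 1K" is built from. It implements 0x-prefixed and K/M/G/T-scaled numbers (the man page does not state the factor, so 1000 is an assumption of this example), the symbolic and the bash-safe alphabetic comparators with '==' as the default, CIDR list membership via the ipaddress module, and the "any of the listed flags" semantics that make the SYN-only idiom work. The sample records are constructed; the combined filter is the classic defender's view of unanswered connection attempts against a monitored range.

```python
import ipaddress

# Added illustration of nfdump filter primitives: number scaling and comp,
# "ip in [iplist]" membership, and the flags test. Constructed demonstration
# code, not nfdump's filter engine.

# Scaling factors K/M/G/T; the man page names them but not their value, so a
# factor of 1000 is an assumption of this example.
SCALE = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def parse_number(text: str) -> int:
    """'0x22' -> 34, '1K' -> 1000, '4096' -> 4096 (case insensitive, like all keywords)."""
    text = text.strip().upper()
    if text.startswith("0X"):
        return int(text, 16)
    if text[-1] in SCALE:
        return int(text[:-1]) * SCALE[text[-1]]
    return int(text)


# Symbolic and bash-safe alphabetic comparators; an omitted comp means '=='.
COMPARATORS = {
    "=": lambda a, b: a == b, "==": lambda a, b: a == b, "EQ": lambda a, b: a == b,
    ">": lambda a, b: a > b, "GT": lambda a, b: a > b,
    "<": lambda a, b: a < b, "LT": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "GE": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b, "LE": lambda a, b: a <= b,
}


def compare(value: int, comp: str, num: str) -> bool:
    return COMPARATORS[(comp or "==").upper()](value, parse_number(num))


# TCP flag bits in header order; X means all of them.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())


def flags_match(record_flags: int, tcpflags: str) -> bool:
    """'flags SA' is true if ANY of the listed flags is set; order is irrelevant."""
    mask = ALL_FLAGS if "X" in tcpflags.upper() else 0
    for letter in tcpflags.upper():
        mask |= FLAG_BITS.get(letter, 0)
    return bool(record_flags & mask)


def build_iplist(text: str):
    """iplist entries are space or ',' separated addresses or CIDR networks."""
    return [ipaddress.ip_network(e, strict=False) for e in text.replace(",", " ").split()]


def ip_in(addr: str, iplist) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in iplist)   # an IPv4/IPv6 version mismatch simply does not match


# Constructed sample records (not real traffic); flags is the TCP flag bitmask.
SAMPLE = [
    dict(proto="tcp", srcip="203.0.113.7", dstip="192.0.2.10", dstport=22, flags=0x02, packets=1, bytes=60),
    dict(proto="tcp", srcip="203.0.113.7", dstip="192.0.2.11", dstport=22, flags=0x02, packets=1, bytes=60),
    dict(proto="tcp", srcip="10.0.0.5", dstip="192.0.2.10", dstport=443, flags=0x1a, packets=40, bytes=52000),
    dict(proto="tcp", srcip="203.0.113.9", dstip="198.51.100.4", dstport=22, flags=0x02, packets=1, bytes=60),
    dict(proto="udp", srcip="10.0.0.7", dstip="192.0.2.53", dstport=53, flags=0, packets=1, bytes=60),
]


def syn_only_into(records, iplist_text: str, max_bytes: str = "1K"):
    """Equivalent of: proto tcp and flags S and not flags AFRPU and dst ip in [iplist]
    and bytes < max_bytes. Returns the source addresses of unanswered connection
    attempts against the listed networks."""
    iplist = build_iplist(iplist_text)
    return [r["srcip"] for r in records
            if r["proto"] == "tcp"
            and flags_match(r["flags"], "S") and not flags_match(r["flags"], "AFRPU")
            and ip_in(r["dstip"], iplist)
            and compare(r["bytes"], "<", max_bytes)]


if __name__ == "__main__":
    print(syn_only_into(SAMPLE, "192.0.2.0/24, 10.0.0.0/8"))
```

The iplist form matters for size as well as speed: a list of a few thousand networks is a handful of prefix lookups per record, whereas the equivalent or chain is evaluated term by term.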
next ip ipaddr True if the field next-ip of the record matches ipaddr as valid IPv4/IPv6 address.
bgpnext ip ipaddr True if the field bgpnext-ip of the record matches ipaddr as valid IPv4/IPv6 address.
mac macaddr
in mac macaddr
in src mac macaddr
in dst mac macaddr
out mac macaddr
out src mac macaddr
out dst mac macaddr
True if the respective mac address field of the record matches macaddr. By prepending
mac with any combination of direction specifiers as defined by CISCO v9 the test is
limited to those mac addresses only. Otherwise multiple matches are possible. Without
any specifiers any mac address is tested against macaddr.
mpls labelN comp number
True if the comparison of the mpls label N with N as mpls label number 1..10 matches
number. Filters according to a specific number in the mpls label stack.
mpls eos comp number
True if the comparison of the end of stack mpls label matches number.
mpls expN comp number
True if the comparison of the experimental bits 0..7 of mpls label N with N as mpls
label number 1..10 matches number.
packets comp num
inpackets comp num
outpackets comp num
True if the comparison of the packet counter in the flow record matches num. num may
contain any valid scaling factor such as k,m,g. Example: packets > 1k. For a single
flow packets and inpackets is equivalent and describes the number of packets from
source to destination. In case of a bi-directional flow (sent by an exporter or
combined by option -B) the packet counter for the reverse flow can be tested with
outpackets.
bytes comp num
inbytes comp num
outbytes comp num True if the comparison of the byte counter in the flow record matches num. num may
contain any valid scaling factor such as k,m,g. Example: bytes > 1k. bytes and inbytes is
equivalent and describes the number of bytes from source to destination. In
case of a bi-directional flow (sent by an exporter or combined by option -B) the
byte counter for the reverse flow can be tested with outbytes.
flows comp num True if the comparison of the flow counter in the flow record matches num. num may
contain any valid scaling factor such as k,m,g. For each received flow, the flow
counter is set to 1, unless the exporter sends this information. If multiple flows
are aggregated, this counter is increased respectively.
tos num True if the type of service field of the flow record matches num.
flowdir direction True, if the flow direction field in the flow record matches direction. direction may
be ingress, egress, 0 for ingress, or 1 for egress.
duration comp time True if the calculated duration of a flow (tend - tstart) compares to time. The
duration is specified in msec (milliseconds).
pps comp num True if the calculated value of in-packets/duration (packets per second) compares
with the number num. num may contain any valid scaling factor such as k,m,g.
bps comp num True if the calculated value of 8*in-bytes/duration (bits per second) compares with
the number num. num may contain any valid scaling factor such as k,m,g.
bpp comp num True if the calculated value of in-bytes/in-packets (bytes per packet) compares with
the number num. num may contain any valid scaling factor such as k,m,g.
observationdomainid comp number
observationpointid comp number
True if the comparison of the observation domain ID or point ID field respectively
matches number.
payload filters Some exporters, such as yaf or the nfdump collector nfpcapd, can send payload data along with
the netflow information. If such payloads are sent they can be filtered according to
the filter primitives below:
payload content 'string'
True if the string string is found in the payload data. string must be quoted with
single or double quotes: 'string', "string"
payload regex 'regex'
payload regex 'regex' flags
True if regex matches the payload data. regex searches over the full payload length.
A ' ' byte does not stop the match process. regex must be quoted with single or
double quotes: 'regex' or "regex". The regex engine understands the following reduced
syntax:
(...) subexpressions/capture ranges
| the "or" operator
^ and $ anchors
[...] and [^...] character classes
?, *, + simple quantifiers
*?, +?, ?? lazy quantifiers
{<num>}, {<num1>,<num2>} complex quantifiers
flags are optional and can be:
m multiline
i case insensitive matching
s
payload ja3 md5string
True, if the payload contains the start of an SSL/TLS handshake and the calculated
ja3 value of the handshake matches md5string.
payload ja3 defined
True, if the payload contains the start of an SSL/TLS handshake and a valid ja3 value
can be calculated. Useful to mask out all flow records with no SSL/TLS traffic in
order to generate a -s ja3 statistic.
OpenBSD pflog implemented elements
pf action action True, if the respective pflog action field compares to one of pass, block, scrub, noscrub,
nat, nonat, binat, nobinat, rdr, nordr, synblock, defer, match, divert, rt, afrt
pf reason reason True, if the respective pflog reason field compares to one of match, bad-offset, fragment,
short, normalize, memory, bad-timestamp, congestion, ip-option, proto-cksum, state-mismatch,
state-insert, state-limit, src-limit, synproxy, translate, no-route
pf rule ruleNr True, if the respective pflog rule number field matches ruleNr
pf dir in|out True, if the respective pflog rule direction field matches in or out
pf interface interfaceName
True, if the respective pflog rule interface name field matches the string
interfaceName
nprobe implemented elements
client latency comp time
server latency comp time
True, if the respective latency field in the flow record compares to time. time is
specified in msec.
CISCO ASA, network security event logging (NSEL) and NAT event logging (NEL) specific filters:
NSEL specific filters:
asa event event True if the NSEL event type of an event record matches event which may be: ignore, create,
term, delete, deny
asa event comp number
True if the comparison of the NSEL event type of an event record matches number as a
number.
asa event denied reason
True if the event denied type of an event record matches reason which may be
ingress, egress, interface, nosyn
asa xevent comp num
True, if the comparison of the extended event field of the event record matches num.
xip ipaddr
src xip ipaddr
dst xip ipaddr True, if the field of the translated source or destination IP address matches ipaddr.
If xip is specified without src or dst both IP addresses may match.
xport number
src xport number
dst xport number True, if the field of the translated source or destination port matches number.
If xport is specified without src or dst both ports may match.
xnet network/mask
src xnet network/mask
dst xnet network/mask
True if the translated source or destination IP address matches network if mask mask
is applied. If xnet is specified without src or dst both IP addresses may match.
ingress ACL comp number
ingress ACE comp number
ingress XACE comp number
True if the comparison of the respective ingress field matches number.
egress ACL comp number
True if the comparison of the egress field matches number.
NEL specific filters:
nat event event True if the NEL event type of an event record matches event. event may be add, delete
nat event comp number
True if the comparison of the NEL event type of an event record matches number as a
number.
nip ipaddr
src nip ipaddr
dst nip ipaddr True, if the field of the nat source or destination IP address matches ipaddr. If nip
is specified without src or dst both IP addresses may match.
nport number
src nport number
dst nport number True, if the field of the nat source or destination port matches number. If nport is
specified without src or dst both ports may match.
ingress vrf number True, if the ingress vrf field of the event record matches number.
pblock start comp number
pblock step comp number
pblock end comp number
True if the comparison of the start, step or end of the NAT port block in the event
record matches number.
port in pblock
src port in pblock
dst port in pblock True, if the source or destination port field matches the NAT port block range.
comp Many filter elements support the comparison with a number. The following comparators
are supported for each of those filters: =, ==, >, <, >=, <=. To prevent collisions
with bash interpretation, alternative comparators are available: EQ, LT, GT, LE, GE.
If comp is omitted, '==' is assumed.