SRIFLOW(8)                     SRI International                    SRIFLOW(8)


NAME
       sriflow - netflow collection daemon

SYNOPSIS
       sriflow [ -hqvx ] [ -b bytes ] [ -c file ] [ -e network ] [ -i seconds ]
               [ -l listen_address ] [ -n network ] [ -p packets ] [ -P bytes ]
               [ -S seconds ] [ -t seconds ] [ -T seconds ] device | file

DESCRIPTION
       SRIFlow reads Internet packets from a tap device or dump file, and
       produces flow descriptions summarizing the traffic.  These flow
       descriptions can be parsed by network security tools to generate
       automatic alerts about suspicious traffic, or automatically reconfigure
       a network in response to the traffic.  By default, flow records are
       output to stdout, though SRIFlow can be configured to listen for
       connections from clients that want flow records.

OPTIONS
       -b bytes
              Configure  the  generation  of  UPDATE  records for active flows
              after seeing the specified number of bytes in the flow.

       -c file
              Read configuration commands from the specified file

       -e network
              Ignore packets to or from the specified network  for  all  flows
              and summaries

       -h     Output usage message with one-line summary of each option

       -i seconds
              Infer  existing  TCP  connections without seeing the SYN/ACK for
              the first seconds seconds after  startup.   An  argument  of  -1
              allows  inference of existing TCP connections indefinitely; this
              is useful if you use a -T option of less  than  the  normal  TCP
              timeout or keepalive period.

       -l address

       -l address(network)

       -l address[network]
              Listen on the specified TCP port for connections, outputting flow
              summaries as requested by the connecting client.  If a network
              is specified, only accept connections from the specified
              network.  Address is of the form IPaddress:port where IPaddress
              can be a dotted-IP address or a name corresponding to an
              interface on the host, or 0 for the wildcard listening address.
              Network is of the form IPaddress/mask where mask is an actual
              netmask in dotted notation, or a netmask size in bits.

       -n network...
              Set the home network(s) for reporting flows as  input  flows  or
              output flows in the network statistics summaries

       -p packets
              Configure  the  generation  of  UPDATE  records for active flows
              after seeing the specified number of packets in the flow.

       -P bytes
              Capture the initial prefix of the given number of bytes  in  each
              direction for flows.  Defaults to 32.

       -q     Quiet -- don't output flow summaries to stdout.

       -S seconds
              Output  STATS  records with overall statistics of traffic in the
              given period.

       -t seconds
              Configure the generation of UPDATE records for active flows
              after seeing the specified elapsed time.

       -T seconds
              Set flow timeout; a flow is considered to have ended if no
              packets are seen for the specified time.  Defaults to 600 (5
              minutes).

       -v     Verbose  output  --  output  messages  to  stderr  about various
              surprising things (mostly packets that can't be classified  to  a
              flow for various reasons)

       -x     Output flow records in XML format instead of CSV.

CLIENT OPTIONS
       Clients that connect to the SRIFlow service port can configure the flow
       records they see by issuing simple text commands, each terminated by a
       newline, to the server.  Other whitespace on the lines is ignored,
       except as needed to separate tokens.  When a client initially connects,
       no format for records is specified, so no records will be sent.  A
       client must issue a csv or xml command to receive flow records.  Unless
       other commands are issued (before or after), the server will send all
       normal flow records to the client, and no other records.

       csv    Output records as comma-separated values.  The first value on
              each line determines the type of record if multiple types are
              requested.  When csv records are first requested, the server
              will output a line for each type prefixed with a # describing
              the fields of the type.

       xml    Output records in xml format

       flow filter
              Output normal flow records, filtered by the requested filter
              expression.  With no filter, all flow records will be sent to
              the client.

       noflow Do not output FLOW records

       dns    Output DNS records

       nodns  Do not output DNS records

       stats  Output periodic statistics summaries of overall flows

       nostats
              Do not output statistics summaries

       stats_period seconds
              Change the rate at which statistics  summaries  are  collected  and
              output.  This affects ALL connected clients.

       update bytes|packets|time count
              Change  the  rate and metric governing the output of UPDATE FLOW
              records.
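       The exchange described above, as an added example that is not part of
       SRIFlow: a small Python client that sends the newline-terminated flow,
       stats and csv commands, and a decoder that uses the #-prefixed header
       line per record type to turn each csv line into a named record.  The
       header layout (#TYPE,field,field,...) and the field names in the
       constructed sample session are assumptions; the page does not list
       SRIFlow's real field names.

```python
"""Talk to an sriflow listener and decode the csv records it returns.

Added example, not part of sriflow.  The command protocol (newline
terminated 'flow', 'stats', 'csv' commands) and the '#'-prefixed header
line per record type follow the CLIENT OPTIONS section.  The header
layout and field names below are constructed for this example.
"""
import socket


class RecordDecoder:
    """Incrementally decode the csv stream: header lines starting with '#'
    declare the fields of one record type, data lines carry the type as
    their first value (CLIENT OPTIONS, 'csv')."""

    def __init__(self):
        self.schema = {}       # record type -> list of field names

    def feed(self, line):
        line = line.rstrip("\r\n")
        if not line:
            return None
        if line.startswith("#"):
            # Assumed header layout: "#TYPE,field1,field2,..."
            rtype, *fields = line.lstrip("#").strip().split(",")
            self.schema[rtype] = [f.strip() for f in fields]
            return None
        rtype, *values = line.split(",")
        fields = self.schema.get(rtype)
        if fields is None:
            raise ValueError(f"record type {rtype!r} seen before its header")
        if len(fields) != len(values):
            # Refuse to silently mis-align columns: a tool raising alerts
            # from these records must not guess which value is which.
            raise ValueError(f"{rtype}: expected {len(fields)} fields, got {len(values)}")
        record = dict(zip(fields, values))
        record["_type"] = rtype
        return record


def parse_csv_records(lines):
    """Decode a whole sequence of lines (e.g. a captured session)."""
    decoder = RecordDecoder()
    return [r for r in (decoder.feed(l) for l in lines) if r is not None]


def client_commands(flow_filter=None, want_stats=False):
    """Build the command lines a client sends after connecting.  'csv' goes
    last: nothing is sent until a format is chosen, so the record selection
    commands are already in place when records start flowing."""
    cmds = ["flow " + flow_filter if flow_filter else "flow"]
    cmds.append("stats" if want_stats else "nostats")
    cmds.append("csv")
    return cmds


def fetch_records(host, port, commands, limit, timeout=10.0):
    """Connect to a running sriflow -l listener, send the commands and
    return up to `limit` decoded records (needs a live server)."""
    decoder = RecordDecoder()
    records = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall("".join(c + "\n" for c in commands).encode("ascii"))
        with sock.makefile("r", encoding="ascii", errors="replace") as stream:
            for line in stream:
                rec = decoder.feed(line)
                if rec is not None:
                    records.append(rec)
                    if len(records) >= limit:
                        break
    return records


# Constructed sample session as the decoder would see it from the server
# (assumed field names; see the module docstring).
SAMPLE_STREAM = """\
#FLOW,start,end,proto,src,sport,dst,dport,packets,bytes
#STATS,time,flows,packets,bytes
FLOW,1375900000,1375900005,UDP,10.0.0.5,53211,10.0.0.1,53,2,180
STATS,1375900020,17,2043,1502233
FLOW,1375900010,1375900040,TCP,10.0.0.7,44321,192.0.2.9,443,41,30211
"""

if __name__ == "__main__":
    for rec in parse_csv_records(SAMPLE_STREAM.splitlines()):
        print(rec["_type"], rec)
    # Against a live listener started as in EXAMPLES:
    # fetch_records("127.0.0.1", 2222, client_commands("proto=UDP"), limit=10)
```

       The decoder raises on a record whose field count does not match its
       header rather than guessing, so a consumer feeding alerts from the
       records fails loudly instead of mislabelling columns.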

CONFIG
       The -c option allows for configuration information to  be  read  from  a
       file.  Lines in the file contain keyword = value pairs.  Text after a #
       or ; character on a line is considered a comment and ignored.  Keywords
       recognized are

       AllowConnect
              Specifies one or more networks that connections will be accepted
              from.  Only relevant if there is a Listen option after the
              AllowConnect.

       ByteUpdateThreshold
              Generate  FLOW UPDATE records when the specified number of bytes
              have been seen.  Same as the -b option.

       Device Specify the tap device to read packets from.  The command line
              may override this.

       DurationUpdateThreshold
              Generate FLOW UPDATE records when the specified time (seconds)
              has passed.  Same as the -t option.

       ExcludeNet
              Ignore all packets from the specified network or networks.  Same
              as the -e option.

       GeoLookup
              Specifies  the  database file to use for GeoIP translation of IP
              addresses

       HomeNet
              Specifies one or more networks that  are  considered  local  for
              STATS records.  Same as the -n option.

       InferTCPStartup
              Specifies the period after SRIFlow startup that it should infer
              the existence of TCP flows based on payload packets seen,
              without having seen a SYN/ACK establishing the connection.  Same
              as the -i option.  An argument of -1 allows inference of
              existing TCP connections indefinitely; this is useful if you use
              a TCPTimeout option of less than the normal TCP timeout or
              keepalive period.

       Listen Listen  on the specified address and port for connections.  Only
              connections from networks specified by AllowConnect  before  the
              Listen  option  will  be  accepted.  If there is no AllowConnect
              before the  Listen  in  the  config  file,  connections  will  be
              accepted from anywhere.

       PacketUpdateThreshold
              Generate FLOW UPDATE records when the specified number of
              packets have been seen.  Same as the -p option.

       PrefixLimit
              Maximum number of bytes to record in each flow for reporting  in
              the FLOW record.  Defaults to 32.  Same as the -P option.

       StatsInterval
              Specifies the interval (in seconds) for STATS records

       Timeout
              Specifies  the  timeout  (in seconds) for flows.  Same as the -T
              option

       TCPTimeout UDPTimeout ICMPTimeout
              Specifies the timeout for flows of a specific protocol,
              overriding Timeout if both are specified.

EXAMPLES
       Start SRIFlow listening on a tap interface, with FLOW UPDATE and STATS
       records every 20  seconds,  and  timing  out  flows  after  2  minutes.
       Records will be output to stdout in csv format.

           sriflow  -n 130.107.0.0/16 -t 20 -S 20 -T 120 eth1

       As above, but instead of outputting to stdout, listen for connections
       from localhost on port 2222 (-q suppresses the stdout output; -l takes
       the listen address as its argument, so the two options are given
       separately)

           sriflow  -n 130.107.0.0/16 -t 20 -S 20 -T 120 -q -l 127.0.0.1:2222 eth1

       Use netcat to connect to the above SRIFlow instance running on the same
       machine and show UDP flow records.

           { echo flow proto=UDP; echo csv; cat; } | nc localhost 2222

       Start sriflow reading options from a config file

           sriflow -c config.txt eth1

       config.txt file that configures things much like  the  second  example,
       but  also  filtering out some packets and accepting some remote connec-
       tions.

           DurationUpdateThreshold = 20
           StatsInterval = 20
           Timeout = 120
           AllowConnect = 127.0/30, 130.107.15.0/24
           Listen = 0:2222
           HomeNet = 130.107.0.0/16
           ExcludeNet = 130.107.128.0/17
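
       An added example, not part of SRIFlow, that parses a config file of
       the form described in CONFIG (keyword = value, comments after # or ;)
       and audits each Listen against the AllowConnect networks that precede
       it, since a Listen with no preceding AllowConnect accepts connections
       from anywhere.  The expansion of short network forms such as 127.0/30
       to 127.0.0.0/30 is an assumption made here for validation only; the
       sample config is the config.txt above with two comments added.

```python
"""Parse an sriflow -c config file and audit its Listen directives.

Added example, not part of sriflow.  The keyword = value grammar, the
'#' / ';' comment markers and the AllowConnect-before-Listen rule follow
the CONFIG section; expanding short networks such as "127.0/30" to
"127.0.0.0/30" is an assumption of this example.
"""
import ipaddress

# Constructed sample: the config.txt from EXAMPLES, plus two comments.
SAMPLE_CONFIG = """\
DurationUpdateThreshold = 20   # UPDATE records every 20 s
StatsInterval = 20
Timeout = 120
AllowConnect = 127.0/30, 130.107.15.0/24
Listen = 0:2222                ; wildcard address, restricted by AllowConnect
HomeNet = 130.107.0.0/16
ExcludeNet = 130.107.128.0/17
"""


def strip_comment(line):
    """Drop text after the first '#' or ';' (comment markers per CONFIG)."""
    for marker in ("#", ";"):
        idx = line.find(marker)
        if idx != -1:
            line = line[:idx]
    return line.strip()


def parse_config(text):
    """Return the directives as an ordered list of (keyword, value) pairs;
    order matters because AllowConnect only applies to a later Listen."""
    directives = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected keyword = value")
        key, _, value = line.partition("=")
        directives.append((key.strip(), value.strip()))
    return directives


def normalize_network(text):
    """Turn '127.0/30', '130.107.15.0/24' or 'a.b.c.d/255.255.255.0' into
    an ip_network.  Padding short dotted prefixes with zero octets is an
    assumption of this example, not documented sriflow behaviour."""
    addr, _, mask = text.strip().partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad network address: {text!r}")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{mask or '32'}", strict=False)


def audit_listeners(directives):
    """For each Listen, report the AllowConnect networks in force for it.

    A Listen with no preceding AllowConnect accepts connections from
    anywhere (CONFIG); an address beginning with '0:' is the wildcard
    listening address (-l), so that combination exposes the flow feed to
    every host that can reach the machine.
    """
    allowed = []
    findings = []
    for key, value in directives:
        if key == "AllowConnect":
            allowed.extend(normalize_network(n) for n in value.split(","))
        elif key == "Listen":
            findings.append({
                "address": value,
                "allowed": [str(n) for n in allowed],
                "open_to_anyone": not allowed,
                "wildcard": value.startswith("0:"),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(parse_config(SAMPLE_CONFIG)):
        state = "OPEN TO ANYONE" if finding["open_to_anyone"] else "restricted"
        print(f"Listen {finding['address']}: {state}; allowed={finding['allowed']}")
```

       Run against the sample, the audit reports the single listener as
       restricted to 127.0.0.0/30 and 130.107.15.0/24; move the AllowConnect
       line below the Listen line and the same listener is reported as open
       to anyone, which is the ordering mistake the CONFIG text warns about.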


ERRORS
       Errors from clients (such as invalid filter expressions) will  generally
       result  in  the  connection being closed.  Better diagnostics should be
       provided.


SRI International               August 7, 2013                      SRIFLOW(8)

