FromNetFlowSummaryDump Element Documentation

FromNetFlowSummaryDump -- Click element; reads packets from a NetFlow summary file

FromNetFlowSummaryDump(FILE [, KEYWORDS])

Ports: no inputs, 1 output
Processing: agnostic
Drivers: userlevel
Package: analysis (core)

Reads IP packet descriptors from a file containing NetFlow data, in the ASCII summary format described below, then creates packets containing info from the descriptors and pushes them out the output. Optionally stops the driver when there are no more packets. FILE may be compressed with gzip(1) or bzip2(1); FromNetFlowSummaryDump will run zcat(1) or bzcat(1) to uncompress it. Keyword arguments are:

STOP

Boolean. If true, then FromNetFlowSummaryDump will ask the router to stop when it is done reading. Default is false.

ACTIVE

Boolean. If false, then FromNetFlowSummaryDump will not emit packets (until the `active' handler is written). Default is true.

ZERO

Boolean. If true (the default), then emitted packet data is zero, except for data set by the dump. If false, this data is random garbage.

MULTIPACKET

Boolean. If true, then generate multiple packets for each flow, according to the flow's packet count. Packet timestamps vary smoothly from the flow start timestamp to the flow end timestamp. Default is false.

LINK

Sets the interface type used to set the paint annotation. Can be "input", "output", or "both", which means the upper 4 bits of the annotation are the input interface and the lower 4 bits are the output interface. Too-large interface numbers are pinned at 255 (or 15, for "both"). Default is "input".

TIMING

Boolean. If true, FromNetDlowSummaryDump tries to maintain the timing of the original packet stream. TIMING is false by default. Only available in user-level processes.

Packets generated by FromNetFlowSummaryDump always have IP version 4 and IP header length 5. The rest of the packet data is zero or garbage, unless set by the dump. Generated packets will usually have incorrect checksums. The link annotation is equal to one of the interface numbers, or a combination of both.

FromNetFlowSummaryDump reads line-oriented ASCII files. Blank lines, and lines starting with `!' or `#', are ignored. Data lines contain 15 or more fields separated by vertical bars `|'. FromNetFlowSummaryDump pays attention to some of these fields:

  Field  Meaning                       Example
  -----  ----------------------------  ----------
  0      Source IP address             192.4.1.32
  1      Destination IP address        18.26.4.44
  3      Input interface number        14
  4      Output interface number       16
  5      Packet count in flow          5
  6      Byte count in flow            10932
  7      Flow timestamp (UNIX-style)   998006995
  8      Flow end timestamp            998006999
  9      Source port                   3917
  10     Destination port              80
  12     TCP flags (OR of all pkts)    18
  13     IP protocol                   6
  14     IP TOS bits                   0

Generated packets have both their "first timestamp" and timestamp annotations set. The timestamp annotation is set to the flow end timestamp unless that was zero, in which case it is set to the flow timestamp. The "first timestamp" annotation is always set to the flow timestamp. FromNetFlowSummaryDump is a notifier signal, active when the element is active and the dump contains more packets.

active (read/write)

Value is a Boolean.

encap (read-only)

Returns `IP'. Useful for ToDump's USE_ENCAP_FROM option.

filesize (read-only)

Returns the length of the NetFlow summary file, in bytes, or "-" if that length cannot be determined.

filepos (read-only)

Returns FromNetFlowSummaryDump's position in the file, in bytes.

FromDump, FromIPSummaryDump

Generated by 'click-elem2man' from '../elements/analysis/fromnetflowsumdump.hh' on 24/May/2007.