Mon Jun 17 09:58:03 CDT 2002 - ellidz
 - Released 2.4
 - -D mode for Dan. It resolves only hostnames, not services.

Mon Feb 18 15:42:25 CST 2002 - ellidz
 - Released 2.3
 - adds in flow-extract.1

Wed Oct 17 15:21:55 CDT 2001 - ellidz
 - added support for date in the format of YYYY-MM-DD and YY-MM-DD
 - added support for nexthop. It now prints as the first argument in { printall }
 - added support for >< to specify a range (eg. port 20 >< 27). Supported by port, srcport, dstport, packets, octets, iface, srciface, dstiface, date, time
 - added srchp, dsthp, and hp. These take a host/port combination, such as: hp = mail.uchicago.edu 25, which will show all flows where either the source host is mail and the source port is 25, or the dst host is mail and the dst port is 25. Also works with !=.

Tue May 29 16:05:43 CDT 2001 - ellidz
 - added support for v6 & v7 flows.
 - it now uses the ftio.a library instead of needing a bunch of files copied into the same directory
 - tcp_flags are now shown in an ASCII representation instead of in hex
 - removed the tcp missed sequence and so forth counts
 - printall now prints all of the fields for the new entries for v5-v7 stuff
 - removed the -i option as it didn't work well and it's hard to tell what version of the flows it should be saved as.

Tue Oct 31 16:46:31 CST 2000 - ellidz
 - now deals properly with the start and stop time of the flows in the flow header (it just copies them from the input file). Only relevant to binary output mode, of course.

Mon Aug 21 16:33:28 CDT 2000 - ellidz
 - added in a { printall } statement that prints the fields that are in cisco flowfile version 5, but not in version 1.

Mon Aug 21 15:54:27 CDT 2000 - ellidz
 - Released 1.6
 - added in srciface, dstiface, and iface search functions. All of them support >, <, =, !=, etc.

Changes made previous to this file:
 - First, and foremost, it works on CISCO flow data as captured by Mark Fullmer's flowtools.
 - It has a -z option to specify the compress level of output (only used with the -b option).
 - -i to read its own output back in as input (if it can no longer resolve the IP or the port it sets it to 0. Also the time isn't as accurate as the original flow and it loses the data that isn't printed by flow-extract).
 - It now supports port != and host !=. (Extract seems to have a bug where host != foo gets interpreted as srchost != foo || dsthost != foo. It should really be interpreted as srchost != foo && dsthost != foo.)
 - You can also now search using proto, pkts, octets. (eg. flow-extract -e 'proto = 6 && pkts > 10 { print }').
 - It now supports flag (fin|syn|rst|push|ack|urg). Also flags S/SA (syn set, mask against syn-ack).
 - Added Linux support. (Dealt with the endian issues.)
 - By default it now shows ICMP in the same format as UDP and TCP. -O preserves the old behavior.
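The filter forms described in this changelog (field comparisons joined with && and ||, the `port 20 >< 27` range, `hp = host port`, `flags S/SA`, and the `host != foo` OR-vs-AND question) are illustrated below by a small Python evaluator run over constructed flow records. This is an added example, not flow-extract's own parser or flow-tools code; it assumes a whitespace-tokenized, parenthesis-free expression grammar, covers only a subset of the fields (no date, time or iface), and keeps a `strict_neq` switch so both readings of `host != foo` can be compared side by side.

```python
"""Toy evaluator for flow-extract style filter expressions (added example,
not flow-extract's own code). Grammar assumed here: terms separated by '&&'
and '||' ('&&' binds tighter), an optional trailing '{ print }' action."""
import operator
from dataclasses import dataclass

OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}

# 'port' and 'host' mean "either end of the flow".
PAIRS = {"port": ("srcport", "dstport"), "host": ("srchost", "dsthost")}


@dataclass
class Flow:
    srchost: str
    dsthost: str
    srcport: int
    dstport: int
    proto: int
    pkts: int
    octets: int
    flags: frozenset = frozenset()   # TCP flag letters, e.g. frozenset("SA")


def parse_value(s):
    return int(s) if s.lstrip("-").isdigit() else s


def eval_term(tokens, flow, strict_neq=True):
    """Evaluate one tokenized term, e.g. ['port', '20', '><', '27']."""
    name = tokens[0]
    if name == "flags":
        # 'flags S/SA': the flag bits masked with SA must equal S exactly.
        spec = tokens[1]
        want, mask = spec.split("/") if "/" in spec else (spec, spec)
        return (flow.flags & frozenset(mask)) == frozenset(want)
    if len(tokens) == 4 and tokens[2] == "><":
        # Range form from the changelog: 'port 20 >< 27' (inclusive here).
        lo, hi = int(tokens[1]), int(tokens[3])
        return any(lo <= getattr(flow, f) <= hi for f in PAIRS.get(name, (name,)))
    op = tokens[1]
    if name in ("hp", "srchp", "dsthp"):
        # 'hp = host port': host and port must match on the same end.
        host, port = tokens[2], int(tokens[3])
        src = flow.srchost == host and flow.srcport == port
        dst = flow.dsthost == host and flow.dstport == port
        hit = {"hp": src or dst, "srchp": src, "dsthp": dst}[name]
        return hit if op == "=" else not hit
    value = parse_value(tokens[2])
    fields = PAIRS.get(name, (name,))
    results = [OPS[op](getattr(flow, f), value) for f in fields]
    if op == "!=" and len(fields) == 2:
        # The changelog reports 'host != foo' behaving as an OR of both ends;
        # strict_neq=True gives the intended AND (foo present at neither end).
        return all(results) if strict_neq else any(results)
    return any(results)


def compile_filter(expr, strict_neq=True):
    """Turn "proto = 6 && pkts > 10 { print }" into a predicate on Flow."""
    cond = expr.split("{", 1)[0].strip()          # drop the { print } action
    clauses = [[t.split() for t in c.split("&&")] for c in cond.split("||")]
    return lambda flow: any(all(eval_term(t, flow, strict_neq) for t in clause)
                            for clause in clauses)


def extract(flows, expr, strict_neq=True):
    """Return the flows matching expr, like flow-extract -e expr { print }."""
    pred = compile_filter(expr, strict_neq)
    return [f for f in flows if pred(f)]


# Constructed sample flows (hypothetical hosts, not real captures).
SAMPLE_FLOWS = [
    Flow("client.example", "mail.uchicago.edu", 40123, 25, 6, 12, 2400, frozenset("S")),
    Flow("mail.uchicago.edu", "client.example", 25, 40123, 6, 11, 1800, frozenset("SA")),
    Flow("client.example", "dns.example", 5353, 53, 17, 1, 80),
    Flow("scanner.example", "web.example", 23, 21, 6, 1, 60, frozenset("S")),
]

if __name__ == "__main__":
    for expr in ("proto = 6 && pkts > 10 { print }", "hp = mail.uchicago.edu 25",
                 "port 20 >< 27", "flags S/SA", "host != client.example"):
        print(expr, "->", len(extract(SAMPLE_FLOWS, expr)), "flows")
    print("host != client.example (OR reading) ->",
          len(extract(SAMPLE_FLOWS, "host != client.example", strict_neq=False)), "flows")
```

Running it shows why the `host !=` reading matters for detection work: with the AND semantics the filter excludes every flow that touches client.example, whereas the OR reading matches every flow in the sample, so a "show me everything not involving this host" query would silently return the host's own traffic.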