Usage: flow-extract [options]

Options:
  -a             ASCII output (default)
  -b             Binary output
  -n             No reverse hostname lookups on ASCII output
  -h             Print out brief help message
  -e script      Specify script on command line (like sed -e)
  -E script      Specify script on command line
  -f file        Specify script file (like awk -f)
  -F file        Specify script file
  -d file        Specify dump file to read (default stdin)
  -o file        Specify output file (default stdout)
  -z complevel   Specify compression level (default 6)

Multiple '-e', '-E', '-f' and '-F' options can be given. They are, in
effect, treated as a single input file: '-e' and '-f' scripts are appended
to the "input" file, while '-E' and '-F' scripts are prepended. Using '-E'
or '-F', one can therefore add functionality from the command line in front
of an existing extract script file.

If neither -e nor -f is given, the script is equivalent to -e '{print}',
which prints all records.

Script syntax:

  condition { action ; action ... }

condition selects the records on which the set of actions is performed.
condition can be "" (empty), in which case all records are selected.

Actions:
  print    Print the record
  next     Skip to the next record; processing restarts at the top of
           the script

Conditionals:
  net       =, !=                   hostname|ipaddr [/netmask]
  srcnet    =, !=                   hostname|ipaddr [/netmask]
  dstnet    =, !=                   hostname|ipaddr [/netmask]
  host      =, !=, <, >, <=, >=     hostname|ipaddr
  srchost   =, !=, <, >, <=, >=     hostname|ipaddr
  dsthost   =, !=, <, >, <=, >=     hostname|ipaddr
  srcport   =, !=, <, >, <=, >=     service-name|port#
  dstport   =, !=, <, >, <=, >=     service-name|port#
  port      =, !=, <, >, <=, >=     service-name|port#
  proto     =, !=, <, >, <=, >=     proto#
  pkts      =, !=, <, >, <=, >=     #pkts
  octets    =, !=, <, >, <=, >=     #octets
  date      =, !=, <, >, <=, >=     MM/DD/YYYY | MM/DD/YY | MM/DD | today | yesterday
  time      =, !=, <, >, <=, >=     HH:MM:SS | HH:MM
  before    MM/DD/YYYY [HH:MM] | MM/DD/YY [HH:MM] | today [HH:MM] | yesterday [HH:MM]
  since     MM/DD/YYYY [HH:MM] | MM/DD/YY [HH:MM] | today [HH:MM] | yesterday [HH:MM]

Connectors:
  and, &&   Short-circuited boolean and
  or, ||    Short-circuited boolean or
  not, !    Unary negation

All operators have equal precedence. Parentheses can be used to group
subexpressions.
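The script language above is small enough to model in a few dozen lines, which is the easiest way to see how a rule set behaves before pointing it at a large flow dump. The evaluator below is an added example and is not flow-extract's own parser; it assumes that the equal-precedence connectors are applied left to right, that `not`/`!` negates the primary that immediately follows it, that `host`, `port` and `net` match either endpoint of a flow, and it leaves out the `date`/`time`/`before`/`since` conditionals. The flow records and the service table are constructed for the example. The second script shows why equal precedence matters: `dstport = 80 or dstport = 23 and proto = 17` is read as `(dstport = 80 or dstport = 23) and proto = 17`, not the way awk or C would read it.

```python
"""Reference evaluator for the flow-extract script syntax (added example).

Assumptions, not taken from flow-extract itself: connectors evaluate left to
right; `not`/`!` binds to the next primary; host/port/net match either
direction; date/time/before/since are omitted.
"""
import ipaddress
import re

OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
       ">": lambda a, b: a > b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}
SERVICES = {"ssh": 22, "telnet": 23, "domain": 53, "http": 80}  # stand-in for /etc/services

def tokenize(script):
    """Split a script into words, parentheses, braces and semicolons."""
    return re.findall(r"[(){};]|[^\s(){};]+", script)

def leaf(kw, op, rhs):
    """Build a predicate for one `keyword op value` conditional."""
    if kw.endswith("net"):  # prefix membership; only = and != apply
        if op not in ("=", "!="):
            raise ValueError("net conditionals take only = or !=")
        net = ipaddress.ip_network(rhs if "/" in rhs else rhs + "/32", strict=False)
        fields = [kw[:3] + "host"] if kw.startswith(("src", "dst")) else ["srchost", "dsthost"]
        return lambda rec: any(ipaddress.ip_address(rec[f]) in net for f in fields) == (op == "=")
    if kw in ("proto", "pkts", "octets") or kw.startswith(("src", "dst")):
        fields = [kw]
    else:  # host / port: either direction
        fields = ["src" + kw, "dst" + kw]
    if kw.endswith("host"):
        conv = lambda v: int(ipaddress.ip_address(v))  # order hosts by address value
    elif kw.endswith("port"):
        conv = lambda v: SERVICES.get(v) or int(v)      # service name or number
    else:
        conv = int
    want, cmp = conv(rhs), OPS[op]
    return lambda rec: any(cmp(conv(rec[f]), want) for f in fields)

class Parser:
    def __init__(self, script):
        self.t, self.i = tokenize(script), 0
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None
    def take(self):
        tok = self.t[self.i]; self.i += 1; return tok
    def term(self):
        tok = self.take()
        if tok in ("not", "!"):
            f = self.term(); return lambda rec: not f(rec)
        if tok == "(":
            f = self.expr(); assert self.take() == ")", "missing )"; return f
        return leaf(tok, self.take(), self.take())
    def expr(self):
        """Left-to-right chain of equal-precedence, short-circuiting connectors."""
        f = self.term()
        while self.peek() in ("and", "&&", "or", "||"):
            op, lhs, rhs = self.take(), f, self.term()
            if op in ("and", "&&"):
                f = lambda rec, a=lhs, b=rhs: a(rec) and b(rec)
            else:
                f = lambda rec, a=lhs, b=rhs: a(rec) or b(rec)
        return f
    def rule(self):
        cond = (lambda rec: True) if self.peek() == "{" else self.expr()  # "" condition
        assert self.take() == "{", "expected {"
        acts = []
        while self.peek() != "}":
            tok = self.take()
            if tok != ";":
                acts.append(tok)
        self.take()
        return cond, acts
    def script(self):
        rules = []
        while self.peek() is not None:
            rules.append(self.rule())
        return rules

def run(script, records):
    """Apply the script to each record in turn; return the records that were printed."""
    rules = Parser(script or "{print}").script()  # no script: same as -e '{print}'
    out = []
    for rec in records:
        for cond, acts in rules:
            if not cond(rec):
                continue
            if "print" in acts:
                out.append(rec)
            if "next" in acts:
                break  # stop this record, start the next one at the top
    return out

RECORDS = [  # constructed sample flows, not real capture data
    {"srchost": "192.0.2.10", "dsthost": "198.51.100.5", "srcport": 40001, "dstport": 23, "proto": 6, "pkts": 1, "octets": 60},
    {"srchost": "192.0.2.10", "dsthost": "198.51.100.6", "srcport": 40002, "dstport": 23, "proto": 6, "pkts": 1, "octets": 60},
    {"srchost": "203.0.113.7", "dsthost": "192.0.2.80", "srcport": 51515, "dstport": 80, "proto": 6, "pkts": 12, "octets": 9000},
    {"srchost": "192.0.2.53", "dsthost": "203.0.113.9", "srcport": 53, "dstport": 33333, "proto": 17, "pkts": 1, "octets": 120},
]

if __name__ == "__main__":
    # one-packet telnet probes leaving our prefix: a cheap outbound-scan indicator
    for r in run("srcnet = 192.0.2.0/24 and dstport = telnet and pkts <= 2 { print }", RECORDS):
        print(r["srchost"], "->", r["dsthost"])
    print(len(run("dstport = 80 or dstport = 23 and proto = 17 { print }", RECORDS)), "matches, equal precedence")
    print(len(run("dstport = 80 or (dstport = 23 and proto = 17) { print }", RECORDS)), "matches, parenthesised")
    print(len(run("proto != 6 { next } { print }", RECORDS)), "TCP records printed")
```

Because `and`/`or` share one precedence level, write the parentheses out in any extract script that mixes them; the unparenthesised form selects nothing in the sample above while the parenthesised form selects the HTTP flow. When the addresses being filtered belong to a suspected attacker, run flow-extract with `-n` as well: the reverse lookups behind the ASCII output are answered by the nameservers of whoever controls those address blocks, which both slows the extraction and tells them which addresses are being looked at.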