11.2. Retrieving Raw Session Data from the Command Line with ftsq

11.2. Retrieving Raw Session Data from the Command Line with `ftsq`

To retrieve raw session records, use the ftsq command.

For example, the following invocation of ftsq returns all records in the last hour to HTTP servers with a client address that is outside the 123.45.67.89 class-C block, in CSV format with a header line:

Figure 11.1. ftsq Example

The ftsq commands accepts a wide range of parameters. Some are optional and some are required.

You should always specify a FlowTraq Server to log in to (or accept the default, localhost), supply a username and password, and select a timeframe over which to perform your query (or accept the default, which is the last 15 minutes).

Optionally, you may supply a filter string to further narrow your query, and you may specify a preference for how you would like the command's output formatted.

Most of the parameters are self-explanatory, but timeframe specification and the filter string syntax are described in depth in Section 11.3, “Time Navigation” and Section 11.4, “Filter String Syntax”. First, however, please review the complete list of parameters:

Table 11.1. Connection Parameters

Parameter	Description
`-s SERVER`	Address (or hostname) of FlowTraq server to query. (Default: `localhost`.)
`-p PORT`	Port on which to connect to FlowTraq server. (Default: 9640.)

Table 11.2. Login Parameters

Parameter	Description
`-un USER`	Username for profile login. Required.
`-up PASS`	Password for profile login. (Note: If you do not use `-up` , you will be prompted to enter a password.)
`-us [SESSIONKEY]`	Authenticate with a session key rather than with a username and password, or generate a session key. (For more information, see Section 11.7, “Session Key Authorization”).

Table 11.3. Timeframe Parameters

Parameter	Description
`-te "MM/DD/YY hh:mm:ss.microsec"`	Specify an absolute timeframe starting time. Must be used in conjunction with `-tl` . Cannot be used in conjunction with `-tn` .
`-tl "MM/DD/YY hh:mm:ss.microsec"`	Specify an absolute timeframe ending time. Must be used in conjunction with `-te` . Cannot be used in conjunction with `-tn` .
`-tn RELTIME`	Specify a timeframe relative to now (e.g. `-tn -1h30m` for the last 1.5 hours). Default: last 15 minutes. Cannot be used in conjunction with `-te` or `-ts`. Please see Section 11.3, “Time Navigation” for more information on valid specifiers for `RELTIME`.

Table 11.4. Filtering Parameters

Parameter	Description
`-e IP`	Filter for flows from exporter with a given IP address. Default: all exporters. Must be specified before `-ei` and `-ef` .
`-ei INDEX`	Filter for flows with a given interface index of exporter. Default: all interfaces.
`-ef [nf1\|nf5\|nf9\|sf2\|sf4\|sf5]`	Filter for flows from a given exporter version. Default: any version.
`-snd`	The `-snd` parameter indicates that FlowTraq should only count outbound packets, bytes, or sessions when generating rankings. May not be used in conjunction with the `-rcv` parameter.
`-rcv`	The `-rcv` parameter indicates that FlowTraq should only count inbound packets, bytes, or sessions when generating rankings. May not be used in conjunction with the `-snd` parameter.
`-q "RAWQUERY"`	Specify a query string (enclose in ""-pair). See Section 11.4, “Filter String Syntax” for a description of the query string syntax.

	Important
	Note that the `-snd` and `-rcv` parameters are not applicable to the `ftsq` command, since rankings are not generated when returning raw session records. Use these parameters in conjunction with `ftstat`, as described below.

Table 11.5. Output Parameters

Parameter	Description
`-w NUM`	Create a time series with `NUM` slices. Default: don't create a time series.
`-r num`	Number of rows per table. Default: 128.
`-c`	Use CSV output format.
`-c+`	Use CSV output format with headers and summaries.
`-v`	Display a progress indicator. Useful for longer summary queries.
`-g filename.tga`	If specified, in addition to writing the tabular result to the terminal, the command will write a stack chart to `filename.tga` . Default: don't write a stack graph.
`-gx X`	The width, in pixels, of the image produced. May only be used in conjunction with `-g` and `-gy`.
`-gy Y`	The height, in pixels, of the image produced. May only be used in conjunction with `-g` and `-gx`.

	Important
	Note that the `-w` parameter is not applicable to the `ftsq` command, since there is no accompanying time series for raw session records. Use this parameter in conjunction with `ftstat`, as described below.

	Important
	Note that the `-g`, `-gx`, and `-gy` parameters are not applicable to the `ftsq` command, since there is no accompanying stack graph for raw session records. Use these parameters in conjunction with `ftstat`, as described below.

Prev	Up	Next
	Home