Now that you understand how primitives and filters work together, I'll discuss primitives in depth. flow-nfilter supports many different primitives, but I'll cover only the most commonly useful ones here. The flow-nfilter man page includes the complete primitive list, but this book contains every one that I have used during several years of flow analysis.
Filtering on network protocol and port information is one of the most common ways to strip a list of flow records down to only interesting traffic.
You saw a basic IP protocol primitive earlier, but you can check for protocols other than TCP. For example, if you use IPSec, OSPF, or other network protocols that run ...
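As an added illustration (my own configuration fragment, not one from the book), here is what a protocol primitive for non-TCP traffic looks like in flow-nfilter's configuration syntax, alongside a port primitive of the kind the previous paragraph refers to. The primitive and definition names are assumptions of mine; the protocol numbers are the IANA assignments for ESP, AH and OSPF.

```conf
# Added example, not from the book: an ip-protocol primitive that
# keeps only IPsec (ESP and AH) and OSPF flows. Primitive and
# definition names are my own choices.
filter-primitive ipsec-and-ospf
  type ip-protocol
  # 50 = ESP, 51 = AH, 89 = OSPF (IANA protocol numbers)
  permit 50
  permit 51
  permit 89
  default deny

# A port primitive of the same shape, matching only TLS and SSH.
filter-primitive admin-ports
  type ip-port
  permit 22
  permit 443
  default deny

# Definitions tie primitives to the fields they apply to.
filter-definition non-tcp-vpn-routing
  match ip-protocol ipsec-and-ospf

filter-definition to-admin-ports
  match ip-destination-port admin-ports
```

Save this as a filter file and select a definition by name when reading flows, for example `flow-cat /var/flows/ | flow-nfilter -f filters.cfg -F non-tcp-vpn-routing | flow-print`. Because each primitive ends with `default deny`, a flow is passed only if its protocol (or port) is explicitly listed; leaving that line out would invert the filter and pass everything the primitive does not mention, which is an easy mistake to make when hunting for rare protocols.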