flow-filter large arrays off stack.

use offset masks to determine export capability instead of checking
version/agg version

flow-filter to use new offset struct

symbol names in import/export for mask

flow-filter to use config'd path (/var/ft/cfg/filter-acl) by default

new ToS Aggregation formats

packet sampling rate need to be stored in the flow file.  flow-stat would
need to use this to estimate total # of flows

--with-cflow - automagically build Dave's Cflow module

tagging
 <id> prefix 10/8
 <id> as-list 100,101,102,103
 or
 tag <id> prefix-list <foo>
 tag <id> asn-list <bar>

Units in flow-stat summary output.

flow-capture may not be exiting cleanly when multiple instances are
running on the same directory.

cat6k IOS based mixed flows

flow-stat - export in friendlier format

flow-cat
  -R ifalias  Reset ifalias
  -R ifmap    Reset ifmap
  -L ifalias  Load ifalias
  -L ifmap    Load ifmap
  -S <path>   where to look for symbol names
  -I <iplist> only load for IP's

flow-capture
  -M <path>   where to look for symbol names

symbol file:
 ifmap exporter=1.2.3.4 ifIndex=99 name=FastEthernet0/0 encap=60 sample_rate=100
 ifalias exporter=1.2.3.4 name=outside ifIndex_list=5,1,2,3,4,5

flow-top

flow-receive | flow-print then hit ^C.  flow-print gets the ^C and
 misses some output.  Who should be processing the interrupt?

flow-capture ager is running on all errors

flow-capture could be smarter and allow capturing multiple versions
to a single directory.

incorporate flow-sort

update .pod files

AC_ARG_WITH(socks,
[  --with-libwrap            use the libwrap library],
[AC_DEFINE(HAVE_LIBWRAP)])

EXAMPLES

autoconf/automake problems
 bins need installed

fix libwrap

buffering around inflate() and deflate() might improve performance

instrument read/write for compression stats by using total_in and total_out

flow-5to8 - convert v5 to v8 flows

fix the tally code

flow-capture should accept TCP connections and export the flows that way.
  XXX need to add secondary buffering

why is flow-capture with -a and -e 86399 creating files every 10
seconds instead of every 5?

flow-active
 maintains active src or destination IP address first/last seen on disk
   first_time
   last_time
   flows
   octets
   packets

regression tests

the extended ip eval is ignoring lots of stuff

the "matches" addition should only happen if DEBUG2 is defined.

add a normalize call to pre condition the access lists so the additional
& is not needed in the eval

-E and others should accept an interface parameter in flow-filter

add IP range option for acl
 - use an extended access list with a different specifier, ie R instead of E

add options to flow-filter to look at next hop, ala -S or -D

flow-filter
 filter flow pipeline
  read cisco access lists ie  flow-filter -f foo.confg -l 10
   -e flag to accomodate an access list on the command line
   -S to restrict start time
   -E to restrict end time

flow-dns
 -l level (heirachy level, 0 is infinity)
  - level 1 would only be top level domains (.com, .edu, .net)
  - level 2 would be second level (ohio-state.edu, psu.edu, cic.net)
  - level 0 would be any level, ie FQDN's (shattered.net.ohio-state.edu)

flow-stat foreach summary:
  total flows,octets,packets,duration, and entries printed

flow-reduce
 various data reducations
 glue together TCP connections

flow-domains
 characterize flows into output files by a set of criteria,
 like an access list

keep state when there's a ftp control connection, then use that
to give hints about ftp data connections

