Suppose you want to identify all traffic between two machines. You could define primitives for those two hosts and then write a filter that specifically defines those hosts. However, this common situation will keep you very busy writing new filters. Instead, I find it much easier to define smaller filters and tie them together on the command line.

You can invoke flow-nfilter repeatedly in a single command. Find the flow files for the times you're interested in, filter them for the first host, and then filter them a second time for the second host.

# flow-cat ft-* | ❶ flow-nfilter -F host1 | ❷
 flow-nfilter -F host2 | flow-print | less

The first flow-nfilter invocation at ❶ passes only flows that include traffic from host1. The ...