Hi Alistair,

Thanks heaps for your reply and advice. I'm just getting into the Netflow
stuff, so have been trying to find the right tools to fit. I use RRD a lot
with a front-end of Cricket, and have just been looking for something to
"plug-in" to that environment. My problem has been that because all these
tools have been specifically written for Linux/Unix OSes, I've been having
trouble understanding how to port them across to Win32. Because I don't have
good *nix skills, I've been finding a lot of the documentation and posts
very confusing. Now that I have Cygwin installed, I may find things are a
bit easier. Your information and instructions have been very valuable.

If I do get this working, I'll post some complete instructions back to the
forum for future reference.

Cheers,
Jeremy

From: "McGlinchy, Alistair" <Alistair.McGlinc[EMAIL PROTECTED]cer.com>
To: Jeremy Saunders/Australia/[EMAIL PROTECTED]
cc: <[email protected]>
Date: 07/05/2005 03:11 AM
Subject: RE: [Flow-tools] Flow tools on Windows 2000/2003

Jeremy Saunders wrote:
> Has anyone ported this, or got some form of Netflow
> application running on a Windows 2000/2003 server?
>
> I'm not clever enough to port it myself, and I'm not very
> good with Linux.
>
> Any advice would be greatly appreciated.

I don't run flow-tools on windows/cygwin any more. Flow-tools is now
running on a grunty AIX box, as my post-collection perl scripts were
getting a little too CPU intensive. However I just retested on my
WinXP/Cygwin box and it seems to work fine. You don't say what went
wrong so I presume it means you can't compile. The only other gotcha I
am aware of is that you must use the -m flag when running flow-cat.

Here's a tidied-up version of the installation I just performed on
WinXP SP1 with "CYGWIN_NT-5.1 D0034111 1.5.12(0.116/4/2) 2004-11-10
08:34 i686".

Follow the installation instructions as for a normal install

             tar -zxf flow-tools-0.66.tar.gz
             cd flow-tools-0.66
             ./configure

We can't run make yet. First edit the file lib/ftlib.h and insert the
following structure at line 473 (before the struct ftnet declaration).

             struct cmsghdr {
                 u_int32  cmsg_len;    /* data byte count, including hdr */
                 int      cmsg_level;  /* originating protocol */
                 int      cmsg_type;   /* protocol-specific type */
             };

This tweak came from a similar error in this email.
http://www.pairlist.net/pipermail/flow-tools/2002-February/000150.html

Return to the normal installation processes. There are several warnings
about deprecated syntax, but it compiled happily from this point.

             make
             make install

All the binaries are now in /usr/local/netflow/bin. You can either add
that to your path or as I prefer, Just make an environment variable.

             export NF=/usr/local/netflow/bin

Choose somewhere to put your flow files and turn on collection (I use
UDP 9996 for my flows and use the V7 structure)

             mkdir -p /flow/v7
             cd /flow/v7
             $NF/flow-capture -N0 -z0 -V7 -n 288 -w /flow/v7 0/0/9996

Check that the process is running

             ps --all | grep flow

I got

     800       1     800        800    ?  500 19:17:17 /usr/local/netflow/bin/flow-capture

Then check for the existence of tmp* files in the capture directory
             ls -l /flow/v7

Generate some noise flow data in the /flow/v7 directory
             $NF/flow-gen.exe -V7 | $NF/flow-send 0/127.0.0.1/9996

Wait 5 minutes for tmp* to turn into ft*, then export the flow files to
CSV

$ $NF/flow-cat -m /flow/v7/f* | $NF/flow-export -f2 | more
#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as,router_sc
0,0,0,127.0.0.1,1,1,0,4294901760,0,0,0.0.0.0,255.255.0.0,0.0.0.0,0,65280,0,65280,17,0,0,0,0,0,65280,0.0.0.0
0,0,0,127.0.0.1,2,2,1,4294901761,0,0,0.0.0.1,255.255.0.1,0.0.0.0,1,65281,1,65281,17,0,0,0,0,1,65281,0.0.0.1

Flow-filter et al are left as an exercise to the reader. :-)


HTH,

Alistair





_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools

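As an added example that is not part of this thread or of the flow-tools project, here is a small Python parser for the `flow-export -f2` CSV layout Alistair prints above, with the kind of summaries a security engineer would run over collected flows before reaching for flow-filter. It assumes only the column layout shown above (a `#:`-prefixed header naming the columns, then one flow per line); the sample rows are constructed (the two flow-gen rows from Alistair's output plus hypothetical hosts 10.0.0.5 and 10.0.0.7), and the SYN-only scan heuristic is mine, not a flow-tools feature. NetFlow's tcp_flags field is the cumulative OR of the TCP flags seen in the flow, which is what the heuristic relies on.

```python
"""Parse flow-export -f2 (CSV) output and summarise it.

Added example, not from the flow-tools project or from the thread.
Assumes the column layout shown in the thread: a header line starting
with "#:" that names the columns, then one flow per line.
"""
import csv
from collections import Counter, defaultdict

# Constructed sample in flow-export -f2 format: the two flow-gen noise rows
# from the thread, a hypothetical SYN sweep from 10.0.0.5, and two ordinary
# completed sessions from 10.0.0.7.
SAMPLE = """\
#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as,router_sc
0,0,0,127.0.0.1,1,1,0,4294901760,0,0,0.0.0.0,255.255.0.0,0.0.0.0,0,65280,0,65280,17,0,0,0,0,0,65280,0.0.0.0
0,0,0,127.0.0.1,2,2,1,4294901761,0,0,0.0.0.1,255.255.0.1,0.0.0.0,1,65281,1,65281,17,0,0,0,0,1,65281,0.0.0.1
1120700000,0,0,10.1.1.1,1,60,1000,1000,0,0,10.0.0.5,192.168.1.10,0.0.0.0,1,2,40001,22,6,0,2,24,24,0,0,0.0.0.0
1120700000,0,0,10.1.1.1,1,60,1001,1001,0,0,10.0.0.5,192.168.1.10,0.0.0.0,1,2,40002,23,6,0,2,24,24,0,0,0.0.0.0
1120700000,0,0,10.1.1.1,1,60,1002,1002,0,0,10.0.0.5,192.168.1.10,0.0.0.0,1,2,40003,80,6,0,2,24,24,0,0,0.0.0.0
1120700000,0,0,10.1.1.1,1,60,1003,1003,0,0,10.0.0.5,192.168.1.10,0.0.0.0,1,2,40004,443,6,0,2,24,24,0,0,0.0.0.0
1120700000,0,0,10.1.1.1,1,60,1004,1004,0,0,10.0.0.5,192.168.1.10,0.0.0.0,1,2,40005,445,6,0,2,24,24,0,0,0.0.0.0
1120700000,0,0,10.1.1.1,120,150000,1000,1900,0,0,10.0.0.7,192.168.1.20,0.0.0.0,1,2,51000,443,6,0,27,24,24,0,0,0.0.0.0
1120700000,0,0,10.1.1.1,40,30000,1000,1500,0,0,10.0.0.7,192.168.1.21,0.0.0.0,1,2,51001,80,6,0,27,24,24,0,0,0.0.0.0
"""

# Columns that hold dotted-quad addresses; every other column is an integer.
ADDR_FIELDS = {"exaddr", "srcaddr", "dstaddr", "nexthop", "router_sc"}

SYN, ACK = 0x02, 0x10  # TCP flag bits as stored in the tcp_flags column


def parse_flow_export(text):
    """Return a list of dicts, one per flow, keyed by the header's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#:"):
        raise ValueError("expected a '#:' header line from flow-export -f2")
    fields = lines[0][2:].split(",")
    flows = []
    for row in csv.reader(lines[1:]):
        if len(row) != len(fields):
            raise ValueError(f"field count {len(row)} != header {len(fields)}: {row}")
        flows.append({name: (val if name in ADDR_FIELDS else int(val))
                      for name, val in zip(fields, row)})
    return flows


def octets_by_dst_port(flows):
    """Total bytes per (protocol, destination port)."""
    totals = Counter()
    for f in flows:
        totals[(f["prot"], f["dstport"])] += f["doctets"]
    return dict(totals)


def top_talkers(flows, n=3):
    """The n source addresses that sent the most bytes, as (addr, octets)."""
    totals = Counter()
    for f in flows:
        totals[f["srcaddr"]] += f["doctets"]
    return totals.most_common(n)


def syn_scan_candidates(flows, min_ports=5):
    """Hypothetical heuristic: (src, dst, n_ports) for sources whose TCP flows
    to one destination carried SYN but never ACK on at least min_ports
    distinct ports, i.e. handshakes that never completed from this side."""
    ports = defaultdict(set)
    for f in flows:
        if f["prot"] != 6:
            continue
        if f["tcp_flags"] & SYN and not f["tcp_flags"] & ACK:
            ports[(f["srcaddr"], f["dstaddr"])].add(f["dstport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= min_ports)


if __name__ == "__main__":
    import sys
    # Read real data from stdin when piped from flow-export, else the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    flows = parse_flow_export(text)
    print("flows:", len(flows))
    print("top talkers:", top_talkers(flows))
    print("SYN-only sweeps:", syn_scan_candidates(flows))
```

With the binaries on the path as in Alistair's instructions, the script reads real data from a pipe such as `$NF/flow-cat -m /flow/v7/ft* | $NF/flow-export -f2 | python flowsum.py` (the script name is hypothetical); run with no input it summarises the constructed sample. The parser trusts the header for column names rather than hard-coding positions, so it keeps working if a different `-f` variant or flow-tools release emits the columns in another order.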