Hi,

The next hop of the BGP route is actually the loopback address of the router where the route is learnt. Routing to the next-hop will traverse through the various inter-pop links.

US ------- SG (contain R1, R2, R3)

So if I want to capture the amount of traffic going from US to SG (which comprises the three routers), can I use the following filters and match ip-next-hop-address to the 3 SG routers?

When my filters only look for the router loopback, it can't display anything:


filter-primitive router-loopback
  type ip-address
  permit 10.10.10.1

filter-definition test
  match ip-nexthop-address router-loopback

# ./flow-cat /usr/local/netflow/data/ft-* | ./flow-nfilter -f /usr/local/netflow/var/cfg/filter.cfg -F test | ./flow-print | more
srcIP            dstIP            prot  srcPort  dstPort  octets      packets


When I change to match some of my origin prefixes, or with the "or" option, I get the desired output:

filter-primitive anc-prefix
  type ip-address-prefix
  permit 202.147.0.0/18
  permit 203.100.128.0/18
  permit 61.14.128.0/18
  default deny

filter-definition test
  match ip-source-address anc-prefix


# ./flow-cat /usr/local/netflow/data/ft-* | ./flow-nfilter -f /usr/local/netflow/var/cfg/filter.cfg -F tcy-test | ./flow-print | more
srcIP            dstIP            prot  srcPort  dstPort  octets      packets
202.147.5.137    221.10.232.15    6     80       2205     2960        2
202.147.5.134    60.30.239.49     6     80       64133    48          1
61.14.172.132    218.51.76.178    6     80       1642     524         1
202.147.5.137    58.19.12.116     6     80       4927     1480        1
202.147.6.17     210.21.119.55    17    42128    51570    60          1
<snip>


On Fri, 27 Jan 2006, Zoltan Ori wrote:

On Friday 27 January 2006 03:56, Tay Chee Yong wrote:
Hi,

I am very new to the list, and flow-tools, so pardon me for my ignorance.
I searched through the archives, but can't seem to find any answers.

Is there a way to capture netflow data based on bgp next-hop? My aim is to
capture how much traffic of other PoPs is towards a specific PoP, based on
bgp next-hop, since all our next-hops are the loopback address of the router
in the PoP. I read somewhere a recommendation to use flow-nfilter, but it
seems that ip-nexthop-address doesn't seem to be recognized, as there is
no output.


Do you really route to the loopback of the other PoPs? Or, do you have a
different address?

filter-primitive router-loopback
  type ip-address
  permit 10.10.10.1

filter-definition test
  match ip-nexthop-address router-loopback
#  or
  match ip-source-address prefix


Without the 'or' both conditions will have to match to get an output. If you
just want ip-nexthop-address, that's all that should appear in the
filter-definition. Try it like that and see if you get output, then you can
add other primitives as you see fit.

The command I use is as follows, but I get no output.

./flow-cat /usr/local/netflow/data/ft-v05.2006-01-26.095424+0000 |
./flow-nfilter -f /usr/local/netflow/var/cfg/filter.cfg -F test |
./flow-print | more


That should work after you fix your filter.


Zoltan Ori


_______________________________________________
Flow-tools mailing list
http://mailman.splintered.net/mailman/listinfo/flow-tools
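
The AND/OR behaviour Zoltan describes for filter-definition, modelled as an added example (not code from the thread or from flow-tools). The flow records are constructed, anc-prefix stands in for the quoted "prefix" primitive, and a primitive with no default line is assumed to deny unlisted addresses.

```python
import ipaddress

# Constructed flow records (not from the thread).
FLOWS = [
    {"src": "202.147.5.137", "nexthop": "10.10.10.1", "octets": 2960},
    {"src": "61.14.172.132", "nexthop": "192.0.2.9", "octets": 524},
    {"src": "198.51.100.7", "nexthop": "10.10.10.1", "octets": 1480},
    {"src": "198.51.100.8", "nexthop": "192.0.2.9", "octets": 60},
]
# Primitives from the thread; unlisted addresses are denied (assumption).
PRIMITIVES = {
    "router-loopback": ["10.10.10.1/32"],
    "anc-prefix": ["202.147.0.0/18", "203.100.128.0/18", "61.14.128.0/18"],
}
FIELDS = {"ip-nexthop-address": "nexthop", "ip-source-address": "src"}

def permits(primitive, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in PRIMITIVES[primitive])

def parse_definition(text):
    """Split match lines into OR-groups; lines inside a group are ANDed."""
    groups = [[]]
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue  # a commented-out "or" leaves both matches in one group
        if words[0] == "or":
            groups.append([])
        elif words[0] == "match":
            groups[-1].append((words[1], words[2]))
    return [g for g in groups if g]

def run_filter(text, flows=FLOWS):
    groups = parse_definition(text)
    return [f for f in flows
            if any(all(permits(p, f[FIELDS[fld]]) for fld, p in g) for g in groups)]

def octets(flows):
    return sum(f["octets"] for f in flows)

AND_FILTER = """
  match ip-nexthop-address router-loopback
#  or
  match ip-source-address anc-prefix
"""
OR_FILTER = AND_FILTER.replace("#  or", "  or")
NEXTHOP_ONLY = "  match ip-nexthop-address router-loopback\n"

if __name__ == "__main__":
    for name in ("AND_FILTER", "OR_FILTER", "NEXTHOP_ONLY"):
        print(name, octets(run_filter(globals()[name])))
```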
