Sebastian Krieger wrote:
ulisses wrote:
Hello all
two questions on flow-xlate:
- It seems that the example in the man page doesn't work.
The example should "Set the low 11 bits in the IP addresses to zero
unless the address is multicast or it belongs to the 192.88.99/24
network."
but it doesn't:
$ flow-cat sample.ft | flow-xlate -x /home/ulisses/rediris/netflow/xlate_sample.cfg -X abilene_privacy | flow-print | head
srcIP dstIP prot srcPort dstPort octets packets
158.49.117.98 62.15.127.218 6 6881 3888 1420 2
158.49.117.98 68.109.94.228 6 6881 64719 360 1
158.49.117.98 201.144.57.234 6 6881 2478 69 1
158.49.117.98 130.219.8.253 6 6881 9727 200 5
83.153.176.98 158.49.140.67 6 4064 25 1460 1
81.33.190.98 158.49.27.117 6 1782 46001 57 1
80.50.249.98 158.49.27.117 6 2650 6969 40 1
83.213.3.99 158.49.27.154 6 1044 90 40 1
81.38.23.99 158.49.118.158 6 13438 7111 1440 1
$ flow-print < sample.ft | head
srcIP dstIP prot srcPort dstPort octets packets
158.49.117.98 62.15.127.218 6 6881 3888 1420 2
158.49.117.98 68.109.94.228 6 6881 64719 360 1
158.49.117.98 201.144.57.234 6 6881 2478 69 1
158.49.117.98 130.219.8.253 6 6881 9727 200 5
83.153.176.98 158.49.140.67 6 4064 25 1460 1
81.33.190.98 158.49.27.117 6 1782 46001 57 1
80.50.249.98 158.49.27.117 6 2650 6969 40 1
83.213.3.99 158.49.27.154 6 1044 90 40 1
81.38.23.99 158.49.118.158 6 13438 7111 1440 1
any hint? any working example file?
- The other question on flow-xlate, when aggregating host flows into
subnet flows, other than anonymizing at subnet level, does flow-xlate
also do data reduction? That is, can I reduce the netflow v5 file size
using
ip-source-address-to-network/ip-destination-address-to-network/
ip-source-address-to-class-network/ip-destination-address-to-class-network/
ip-address-privacy-mask
and converting to netflow v8?
Thanks in advance
Ulisses
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
Hi Ulisses,
I also searched for netflow anonymization and found no way to do it.
After all I wrote a little Perl script "flow-anonymize".
You need the following great Perl modules installed on your system...
use Cflow;
use Net::Patricia;
use Getopt::Long;
Here is the usage for flow-anonymize...
---
Usage: flow-anonymize -network <IP/MASK[,IP/MASK]> -read <FILE> -write <FILE>
-network <IP/MASK> = Network(s) to anonymize (e.g. 192.168.1.0/24[,10.1.1.0/24])
-ports = Eliminate ports that should not be service ports
-read <FILE> = Input file with flows (binary flow-tools format)
-write <FILE> = Output file for anonymized flows (binary flow-tools format)
-version = This help
-help = This help
flow-anonymize 1.0, 13.02.2006 by skr
---
You can define several networks to anonymize based on the given
netmask. Combine them by ",". (e.g. 192.168.1.0/24,10.10.0.0/16).
Also you can eliminate the ports that shouldn't be service ports. This
is based on the occurrence of a port.
I will directly send the script to your email address. Please give me
some feedback after testing.
Regards
Sebastian
I temporarily placed the script on...
http://www.freewebs.com/skrieger/
Bye
Sebastian
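
The behaviour the quoted man-page sentence describes, as an added example (not code from this thread, from flow-tools, or from flow-anonymize): it zeroes the low 11 bits of an IPv4 address with the two stated exemptions, and flags addresses in flow-print text that still carry host bits. The function names are hypothetical, and the last sample row is constructed.

```python
import ipaddress

# Exemptions named in the man-page sentence: multicast and 192.88.99/24.
EXEMPT = (ipaddress.ip_network("224.0.0.0/4"),
          ipaddress.ip_network("192.88.99.0/24"))
HOST_BITS = 11                               # "low 11 bits"
MASK = 0xFFFFFFFF ^ ((1 << HOST_BITS) - 1)   # 0xFFFFF800


def privacy_mask(addr: str) -> str:
    """Zero the low 11 bits unless the address is exempt."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in EXEMPT):
        return addr
    return str(ipaddress.IPv4Address(int(ip) & MASK))


def unmasked_addresses(flow_print_text: str) -> list:
    """Return srcIP/dstIP values that masking would still change."""
    leaks = []
    for line in flow_print_text.splitlines():
        for field in line.split()[:2]:       # srcIP and dstIP columns
            try:
                ipaddress.IPv4Address(field)
            except ValueError:
                break                        # header or wrapped line
            if privacy_mask(field) != field:
                leaks.append(field)
    return leaks


# Two rows copied from the flow-print output in the question, plus one
# constructed row that exercises both exemptions.
SAMPLE = """\
srcIP dstIP prot srcPort dstPort octets packets
158.49.117.98 62.15.127.218 6 6881 3888 1420 2
83.213.3.99 158.49.27.154 6 1044 90 40 1
224.0.0.5 192.88.99.1 17 1000 2000 64 1
"""

if __name__ == "__main__":
    for a in ("158.49.117.98", "62.15.127.218", "224.0.0.5", "192.88.99.1"):
        print(a, "->", privacy_mask(a))
    print("still unmasked:", unmasked_addresses(SAMPLE))
```

Running `unmasked_addresses` over the text output of an anonymized file returns an empty list only when every non-exempt address has already been masked, which is a quick check before sharing flow data.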