Hi,
here is my revenge for all the great support I got from the list in the
past ;-) Maybe it is useful for someone.
I wrote a little perl script to create histograms for netflow data.
Either you can plot the data to a png or you write it in csv format. It
is possible to define several networks as local for a graph. E.g. for
representing the traffic of a whole country even if the subnets are
completely different. The graphs look similar to the output from
Flowscan module JKFlow, because I was really impressed by it. But you do
not need to pre-define sites and services etc. and you also do not need
to store tons of data in rrd files or a database after scanning incoming
netflow logs in realtime. If you notice you need a special histogram at
any time you only filter the logs you want and process it by this
script. Also you can set the interval between checkpoints to adjust the
sampling for your graph at execution time. Unfortunately it is not
possible to read flow data from stdin, because the data needs to be read
twice to prevent the script from being a memory eater. At first it
makes service detection and collects top statistics. After that it
evaluates the flow data based on this.
The script is still dirty code but for me it works fine. Please get in
contact with me for update issues if you use this script.
I temporarily placed the script on...
http://www.freewebs.com/skrieger/
There you can also find a sample graph with the inbound/outbound traffic
on a 2 Mbit line with several subnets behind it, by remoteips-services. I
placed black boxes on the areas where local networks and the remoteips
are shown to protect privacy.
Bye
Sebastian
<<< Perl Modules: >>>
The following perl modules are used:
use Cflow;
use Net::Patricia;
use Getopt::Long;
use POSIX qw(ceil);
use Date::Manip;
<<< Gnuplot Version: >>>
In my environment it works great to generate the graphs in png format
with gnuplot version 4.0 patchlevel 0.
In lower versions of gnuplot the syntax is different and this may result
in an error.
It's not needed to use a higher version of gnuplot than 4.0 p0 with the
known stacking options, because the stacking/cumulation is calculated
within the perl script.
<<< Filtering Netflow Data: >>>
You had better pre-filter your netflow logs with e.g. flow-nfilter,
because it's faster than matching only by the Net::Patricia perl module.
<<< Usage for flow-histogram: >>>
Usage: flow-histogram -network <IP/MASK[,IP/MASK]> -read <FILE> -write <FILE> [ -options ]
-network <IP/MASK> = Local network(s) with in/out (e.g. 192.168.1.0/24[,10.1.1.0/24])
-read <FILE> = Input file with flows (binary flow-tools format)
-write <FILE> = Output file for graph
-interval <SECONDS> = Stat interval for graph in seconds (default: 300)
-top <COUNT> = Show only top rows in graph with others (default: 10)
-unit <UNIT> = Calc values into special unit (default: Kbits/s)
-show <FIELD> = [protocols|services|remoteips|localips] (default: services)
or combination [remoteips-services|localips-services]
-output <TYPE> = Type of output [plot|csv] (default: plot)
-version = This help
-help = This help
flow-histogram 1.5, 12.02.2006 by skr
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
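The two-pass approach Sebastian describes (first service detection and top statistics, then per-interval evaluation with the rest folded into "others", in/out decided by the configured local networks) is sketched here as an added Python example; it is not the flow-histogram script itself, and the flow records, local networks and Kbit/s unit conversion are constructed assumptions (the real script reads binary flow-tools files via Cflow and matches with Net::Patricia).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (start_epoch, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    (1000, "192.168.1.10", "203.0.113.5", 80, 300_000),
    (1100, "203.0.113.5", "192.168.1.10", 80, 3_000_000),
    (1200, "192.168.1.11", "198.51.100.7", 443, 150_000),
    (1400, "198.51.100.7", "192.168.1.11", 443, 1_500_000),
    (1500, "192.168.1.12", "198.51.100.9", 53, 6_000),
    (1550, "192.168.1.12", "198.51.100.9", 123, 3_000),
    (1800, "203.0.113.9", "10.1.1.4", 22, 900_000),
]
# Equivalent of "-network 192.168.1.0/24,10.1.1.0/24" (assumed values).
LOCAL = [ip_network("192.168.1.0/24"), ip_network("10.1.1.0/24")]

def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL)

def direction_and_service(flow):
    """Return ('in'|'out', service) relative to the local networks, where
    the service is the destination port. Flows with both or neither
    endpoint local (local-local, transit) are skipped by returning None."""
    _, src, dst, dport, _ = flow
    src_l, dst_l = is_local(src), is_local(dst)
    if src_l == dst_l:
        return None
    return ("out" if src_l else "in"), dport

def histogram(flows, interval=300, top=3):
    """Pass 1: total bytes per service, keep the top N services.
    Pass 2: bucket flows by start time into `interval`-second checkpoints,
    summing Kbit/s per (direction, service); non-top services -> 'others'."""
    totals = defaultdict(int)
    for f in flows:
        cls = direction_and_service(f)
        if cls:
            totals[cls[1]] += f[4]
    keep = {s for s, _ in sorted(totals.items(), key=lambda kv: -kv[1])[:top]}
    hist = defaultdict(lambda: defaultdict(float))
    for f in flows:
        cls = direction_and_service(f)
        if not cls:
            continue
        bucket = f[0] - f[0] % interval
        svc = cls[1] if cls[1] in keep else "others"
        hist[bucket][(cls[0], svc)] += f[4] * 8 / 1000 / interval  # Kbit/s
    return {b: dict(v) for b, v in hist.items()}
```

Each bucket's values can be stacked per direction in the plotting step, which is why the script needs no gnuplot stacking support.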