Hi Ulisses,

> Does anybody have a reference to a doc/presentation/whatever
> that points strategies when capturing from networks with many
> routers that may capture the same traffic for some subnets.
> For instance, it is best to capture from all routers to a single
> file?

This used to be one of my biggest bugbears with flow-tools. See this for my comments last year:

http://mailman.splintered.net/pipermail/flow-tools/2005-May/002748.html

I have attached a slightly more advanced de-duplication script to remove flows seen by multiple routers. It is horrendously CPU and memory intensive and has some nasty gotchas if the timestamps on your routers are out of sync, but it did the trick for me. You could easily convert this into a script to be read by flow-import if you want to stick to the flow-tools format, but again CPU may be an issue.

I don't use it very much any more as I have got the hang of writing better filter files for flow-nfilter to grok. I will now just target the exporters and interfaces I want before I filter. flow-nfilter is 100s of times faster than grep, so a standard query might look like:

    flow-cat -m <files> | \
      flow-nfilter -f exporters.cfg -F London_WAN_Routers | \
      flow-nfilter -f applications.cfg -F FOO_app_web_servers | \
      fx > \
      out.csv

HTH

Alistair

Attachment: fxdedup.pl
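
The de-duplication idea and the clock-skew gotcha described in the message above, as an added example. It is not the attached fxdedup.pl (which is not reproduced on this page) and not part of flow-tools; the record layout, field names, exporter addresses and the `skew` tolerance are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed record layout (hypothetical field names, not the flow-tools format).
Flow = namedtuple("Flow", "start exporter src dst sport dport proto octets")


def dedup_flows(flows, skew=2.0):
    """Keep one copy of each flow that several exporters reported.

    A record is treated as a duplicate when the same 5-tuple was already
    kept from a *different* exporter no more than `skew` seconds earlier.
    Records repeated by the same exporter are kept, since they are usually
    a long-lived flow split across export intervals.
    """
    last_kept = {}  # 5-tuple -> (start, exporter); grows with distinct 5-tuples
    kept = []
    for f in sorted(flows, key=lambda r: r.start):
        key = (f.src, f.dst, f.sport, f.dport, f.proto)
        prev = last_kept.get(key)
        if prev and prev[1] != f.exporter and f.start - prev[0] <= skew:
            continue  # same conversation seen again on another router
        last_kept[key] = (f.start, f.exporter)
        kept.append(f)
    return kept


# Constructed sample: one HTTPS flow crosses three routers, the third of
# which has a clock running about 1.5 s ahead of the first.
SAMPLE = [
    Flow(1000.0, "10.0.0.1", "192.0.2.10", "198.51.100.5", 40000, 443, 6, 5200),
    Flow(1000.4, "10.0.0.2", "192.0.2.10", "198.51.100.5", 40000, 443, 6, 5200),
    Flow(1001.5, "10.0.0.3", "192.0.2.10", "198.51.100.5", 40000, 443, 6, 5200),
    Flow(1000.2, "10.0.0.2", "192.0.2.11", "198.51.100.5", 40001, 53, 17, 120),
    Flow(1300.0, "10.0.0.2", "192.0.2.10", "198.51.100.5", 40000, 443, 6, 900),
]

if __name__ == "__main__":
    for tolerance in (2.0, 1.0):
        result = dedup_flows(SAMPLE, skew=tolerance)
        print(f"skew={tolerance}: {len(result)} flows, "
              f"{sum(f.octets for f in result)} octets")
```

With the tolerance set below the real clock offset between routers, the third router's copy survives and the byte count is inflated, which is the out-of-sync timestamp problem the message warns about.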
