Hey all,
I use the below very simple PHP script to look for high bandwidth usage inbound
on the network.
<?php
// The command string is fixed and interpolates no user input, so shell_exec()
// here is not an injection risk; keep it that way if this is ever parameterised.
$command = "/var/netflow/bin/flow-cat /var/netflow/current |"
         . " /var/netflow/bin/flow-filter -Dnetwork -f/var/netflow/bin/flow.acl |"
         . " /var/netflow/bin/flow-stat -f8 -S2 | head -n 22";
$z = trim(shell_exec($command));
$array = explode("\n", $z);

$actual_data = array();
foreach ($array as $line) {
    // flow-stat prefixes its header/comment lines with '#'; skip those and blank lines
    if ($line === '' || strpos($line, "#") !== FALSE) {
        continue;
    }
    // columns are whitespace-separated: dst IP, flows, octets, packets
    $line_array = preg_split('/\s+/', trim($line));
    if (count($line_array) < 4) {
        continue;
    }
    $dest_ip = $line_array[0];
    // scale by the 1:500 sampling rate to estimate real counts
    $flows   = $line_array[1] * 500;
    $octets  = $line_array[2] * 500;
    $packets = $line_array[3] * 500;
    $actual_data[$dest_ip]['flows']   = $flows;
    $actual_data[$dest_ip]['octets']  = $octets;
    $actual_data[$dest_ip]['packets'] = $packets;
    // Mbps, assuming every octet arrived inside the 300 s (5 min) window
    $actual_data[$dest_ip]['rate'] = $octets * 8 / 300 / 1000000;
}

foreach ($actual_data as $ip => $info) {
    $rate     = $info['rate'];                       // keep numeric for the comparisons
    $rate_str = number_format($rate, 2) . "Mbps";    // formatted copy for display only
    if ($rate > 80) {
        // contiguous bands; the original left 300-500 and 800-1000 with $severity unset
        if ($rate < 125) {
            $severity = 0;
        } elseif ($rate < 500) {
            $severity = 1;
        } elseif ($rate < 1000) {
            $severity = 2;
        } else {
            $severity = 3;
        }
        // alert() is the poster's own notification function, defined elsewhere
        alert($ip, $rate_str, $severity);
    }
    echo "$ip - $rate_str\n";
}
The problem I have is that this script doesn't take into account the length of
the flow and so the numbers it produces are skewed higher somewhat.
Has anyone else already figured out a way to incorporate the length of flows
into calculations?
Or is there a better way to do what I am trying to do?
thanks,
-Drew
_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools
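Added example (not part of Drew's post or of flow-tools): flow-stat -f8 has already summed the octets per destination, so the first/last timestamps that would let you account for flow length are gone by the time the script sees them. One way to get them back is to replace the flow-stat stage with flow-export -f2 (CSV) and pro-rate each flow's octets by the fraction of its lifetime that overlaps the 5-minute window, rather than charging the whole flow to the window it was exported in. The column names used below (unix_secs, sysuptime, first, last, doctets, dstaddr) are an assumption about the "#:" header flow-export writes, and the CSV records are constructed sample data that keep only those columns; the parser is header-driven, so extra columns in real output do not matter.

```php
<?php
// Added example, not the original script. Pro-rates each flow's octets by the
// share of its lifetime that falls inside the measurement window, so a flow that
// ran for 20 minutes and ended in this 5-minute window is not counted as if all
// of its traffic arrived within the window.

const SAMPLE_RATE = 500;   // same 1:500 sampling multiplier as the original script
const WINDOW_SECS = 300;   // the 5-minute window being reported on

// Constructed sample in the flow-export -f2 layout (assumed field names, reduced
// to the columns needed here). Export time is 1000000900, router uptime 50000000 ms;
// first/last are SysUpTime values in ms, as in NetFlow v5.
$sample_csv = <<<'CSV'
#:unix_secs,sysuptime,first,last,doctets,dstaddr
1000000900,50000000,49940000,49990000,1500000,10.0.0.1
1000000900,50000000,48800000,49990000,3000000,10.0.0.2
1000000900,50000000,49950000,49950000,40,10.0.0.3
CSV;

// Parse CSV with a "#:" header line naming the columns; other '#' lines are comments.
function parse_flow_export_csv(string $csv): array {
    $rows = [];
    $fields = null;
    foreach (preg_split('/\R/', trim($csv)) as $line) {
        if ($line === '') {
            continue;
        }
        if (strpos($line, '#:') === 0) {
            $fields = explode(',', substr($line, 2));
            continue;
        }
        if ($line[0] === '#') {
            continue;
        }
        if ($fields === null) {
            throw new RuntimeException('no #: header line before data');
        }
        $vals = explode(',', $line);
        if (count($vals) !== count($fields)) {
            continue; // malformed record, skip it
        }
        $rows[] = array_combine($fields, $vals);
    }
    return $rows;
}

// Convert v5 SysUpTime-relative first/last (ms) into epoch seconds using the
// export time and the router uptime at export.
function flow_interval(array $r): array {
    $export = (int)$r['unix_secs'];
    $uptime = (int)$r['sysuptime'];
    $start  = $export - ($uptime - (int)$r['first']) / 1000;
    $end    = $export - ($uptime - (int)$r['last']) / 1000;
    return [$start, $end];
}

// Octets of one flow attributable to [win_start, win_end).
function octets_in_window(array $r, float $win_start, float $win_end): float {
    [$start, $end] = flow_interval($r);
    $octets   = (float)$r['doctets'];
    $duration = $end - $start;
    if ($duration <= 0) {
        // single-packet flow (first == last): all or nothing, by when it was seen
        return ($start >= $win_start && $start < $win_end) ? $octets : 0.0;
    }
    $overlap = min($end, $win_end) - max($start, $win_start);
    if ($overlap <= 0) {
        return 0.0;
    }
    return $octets * $overlap / $duration;
}

// Per-destination Mbps two ways: 'naive' charges every record's octets to the
// window (what flow-stat over the window's file gives), 'prorated' uses overlap.
function rates_by_dst(string $csv, float $win_start, float $win_end, int $sample_rate = SAMPLE_RATE): array {
    $sums = [];
    foreach (parse_flow_export_csv($csv) as $r) {
        $dst = $r['dstaddr'];
        $sums[$dst]['naive']    = ($sums[$dst]['naive'] ?? 0.0) + (float)$r['doctets'];
        $sums[$dst]['prorated'] = ($sums[$dst]['prorated'] ?? 0.0) + octets_in_window($r, $win_start, $win_end);
    }
    $to_mbps = function (float $octets) use ($sample_rate, $win_start, $win_end): float {
        return $octets * $sample_rate * 8 / ($win_end - $win_start) / 1e6;
    };
    $rates = [];
    foreach ($sums as $dst => $s) {
        $rates[$dst] = ['naive' => $to_mbps($s['naive']), 'prorated' => $to_mbps($s['prorated'])];
    }
    return $rates;
}

$win_end   = 1000000900;
$win_start = $win_end - WINDOW_SECS;
foreach (rates_by_dst($sample_csv, $win_start, $win_end) as $dst => $mbps) {
    printf("%-12s naive %8.2f Mbps  prorated %8.2f Mbps\n", $dst, $mbps['naive'], $mbps['prorated']);
}
```

On the constructed sample, 10.0.0.1 (a 50-second flow entirely inside the window) reads the same either way, while 10.0.0.2 (a flow that began about 20 minutes before the window closed) drops from 40 Mbps naive to under 10 Mbps pro-rated, which is the skew the post describes. Two caveats: the exporter only cuts long-lived flows at its active timeout, so one record can legitimately span several windows, and a flow whose traffic was bursty rather than uniform is still spread evenly across its lifetime by this method, so it is an estimate, not a per-interval measurement.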