Drew, 'flow-print -f1' gives you flow-times including flow length (and source, destination, octets, etc.)
Joe

From: Drew Weaver <[email protected]>
To: "[email protected]" <[email protected]>
Date: 04/12/2011 08:08 AM
Subject: [Flow-tools] Incorporating flow length (time) into scripting...

Hey all,

I use the below very simple PHP script to look for high bandwidth usage inbound on the network.

$command = "/var/netflow/bin/flow-cat /var/netflow/current | /var/netflow/bin/flow-filter -Dnetwork -f/var/netflow/bin/flow.acl | /var/netflow/bin/flow-stat -f8 -S2 | head -n 22";
$z = trim(shell_exec($command));
$array = explode("\n", $z);
$actual_data = array();
foreach ($array as $line) {
    # look for # (flow-stat header/comment lines) and skip those lines
    $test = strpos($line, "#");
    if ($test === FALSE) {
        # split on spaces and drop the empty fields left by column padding
        $lnary = explode(" ", $line);
        $line_array = array();
        foreach ($lnary as $thedata) {
            if ($thedata != "") {
                $line_array[] = $thedata;
            }
        }
        # ignore blank or short lines that do not carry all four columns
        if (count($line_array) < 4) {
            continue;
        }
        # columns: destination IP, flows, octets, packets; x500 undoes sampling
        $dest_ip = $line_array[0];
        $flows = $line_array[1] * 500;
        $octets = $line_array[2] * 500;
        $packets = $line_array[3] * 500;
        $actual_data[$dest_ip]['octets'] = $octets;
        $actual_data[$dest_ip]['packets'] = $packets;
        # bits over a 300-second file, expressed in Mbps
        $actual_data[$dest_ip]['rate'] = $octets * 8 / 300 / 1000000;
    }
}
$y = 1;
foreach ($actual_data as $ip => $info) {
    # keep the number for comparisons; the formatted string is for display only
    # (number_format() adds thousands separators, which break numeric tests)
    $rate = $info['rate'];
    $label = number_format($rate, 2) . "Mbps";
    if ($rate > 80) {
        # default so a rate in a gap between the bands below does not reuse
        # the severity left over from the previous address
        $severity = 0;
        if ($rate < 125) {
            $severity = 0;
        } elseif ($rate > 125 && $rate < 300) {
            $severity = 1;
        } elseif ($rate > 500 && $rate < 800) {
            $severity = 2;
        } elseif ($rate > 1000) {
            $severity = 3;
        }
        alert($ip, $label, $severity);
    }
    echo "$ip - $label\n";
}

The problem I have is that this script doesn't take into account the length of the flow and so the numbers it produces are skewed higher somewhat.

Has anyone else already figured out a way to incorporate the length of flows into calculations? Or is there a better way to do what I am trying to do?

Thanks,
-Drew

_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools
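Added example, not part of the thread and not flow-tools code: one way to fold flow length into the rate is to credit each flow only with the share of its octets that overlaps the 5-minute window. The record layout (destination IP, octets, start and end in epoch seconds), the function name window_rates() and the sample records are assumptions made for illustration; turning 'flow-print -f1' output into such records is left out.

```php
<?php
// Added example. Assumed record layout (constructed, not flow-print's own
// output format): [dst_ip, octets, start_epoch_s, end_epoch_s].

const SAMPLING = 500;   // sampling multiplier used in the script above
const WINDOW_S = 300;   // length of one capture file in seconds, as above

// Per-destination Mbps inside [$winStart, $winEnd), weighting every flow by
// the fraction of its lifetime that falls inside the window.
function window_rates(array $flows, float $winStart, float $winEnd, int $sampling = SAMPLING): array
{
    $bits = [];
    foreach ($flows as [$dst, $octets, $start, $end]) {
        $duration = $end - $start;
        if ($duration <= 0) {
            // Zero-length flow (e.g. a single packet): all or nothing.
            $fraction = ($start >= $winStart && $start < $winEnd) ? 1.0 : 0.0;
        } else {
            // Seconds of the flow inside the window, as a share of its life.
            $overlap = min($end, $winEnd) - max($start, $winStart);
            $fraction = max(0.0, $overlap) / $duration;
        }
        $bits[$dst] = ($bits[$dst] ?? 0.0) + $octets * $sampling * 8 * $fraction;
    }

    $rates = [];
    foreach ($bits as $dst => $b) {
        $rates[$dst] = $b / ($winEnd - $winStart) / 1000000;
    }
    arsort($rates);   // highest rate first
    return $rates;
}

// Constructed sample: the first record is a 30-minute flow exported in this
// window, so only 300 of its 1800 seconds count toward the window's rate.
$winStart = 1302609600;
$winEnd   = $winStart + WINDOW_S;
$flows = [
    ['192.0.2.10', 6000000, $winStart - 1500, $winEnd],
    ['192.0.2.20', 6000000, $winStart,        $winEnd],
    ['192.0.2.10', 1500,    $winStart + 10,   $winStart + 10],
];

foreach (window_rates($flows, $winStart, $winEnd) as $ip => $mbps) {
    printf("%s - %.2fMbps\n", $ip, $mbps);
}
```

Both sample hosts carry the same octet count in their large flow, so dividing by 300 seconds alone would report them at the same rate; with the overlap weighting, the host whose flow ran for 30 minutes is credited with one sixth of those octets.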
