Ian McClarty wrote:
> Is there any way to filter nfdump so that a new profile could be created
> for a specific AS to be graphed? It would be nice to be able to see how
> much traffic comes from a specified AS.
Here's how I do that...
(good luck)
Not for all ASNs mind you, but the top 1000, who push over a low bandwidth
threshold of 1000 bps.
To me, that's the ones I care about.
Three perl scripts:
1. A wrapper to run every 10 minutes or so.
2. A script that runs nfdump for the top-ASN list and writes the results to RRD files.
3. An ASN-to-name lookup.
-----------------------------------------------------------------
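#!/usr/bin/perl
# Wrapper, meant to be run every 10 minutes or so: lists the capture
# directory, keeps the last four entries in sort order and hands every
# nfcapd file among them to the parseflows script.
use strict;
use warnings;

my $topdir     = "/netflow/nfsen/profiles-data/live/la0b1/";
my $parseflows = "/netflow/asn-traffic/parseflows";

# Shell equivalent of the listing built below:
#   find $topdir | grep -v current | grep -v nfstat | sort | tail -n 4
# find is started with a list-form pipe open, so no shell ever parses
# $topdir; the filtering, sorting and "tail" happen in Perl.
open my $find, '-|', 'find', $topdir
    or die "Can't open datastream : $!";
my @paths;
while (my $path = <$find>) {
    chomp $path;
    next if $path =~ /current/ or $path =~ /nfstat/;
    push @paths, $path;
}
close $find
    or warn "find $topdir did not finish cleanly (status $?)\n";

# Perl's sort is bytewise, sort(1) follows the locale; both give the same
# order for the all-ASCII nfcapd.YYYYMMDDhhmm names.
@paths = sort @paths;
splice @paths, 0, @paths - 4 if @paths > 4;

for my $line (@paths) {
    print "$line\n";
    next unless $line =~ /nfcapd/;

    # \Q...\E: the directory name is data here, not a regex pattern.
    $line =~ s/\Q$topdir\E//;
    print "Data: $line\n";
    print "$parseflows $line\n";

    # List form: the file name reaches parseflows as a single argument and
    # is never interpreted by a shell, whatever characters it contains.
    system($parseflows, $line) == 0
        or warn "$parseflows $line failed (status $?)\n";
}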
-----------------------------------------------------------------
#!/usr/bin/perl
use Time::Local;
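use strict;
use warnings;

# parseflows: asks nfdump for the top ASNs (by bps) of one capture file and
# stores each ASN's rate in its own RRD file.
# Usage: parseflows [subdir/...]nfcapd.YYYYMMDDhhmm
my $datadir      = "/netflow/nfsen/profiles-data";
# NOTE(review): "/newtflow" looks like a typo for "/netflow" (the wrapper
# script lives under /netflow/asn-traffic) - left as posted, confirm.
my $rrddir       = "/newtflow/asn-traffic";
my $nfdumpbin    = "/usr/local/bin/nfdump";
my $datadirs     = "$datadir/live/la0b0:la0b1:pa1b0";
my $numberofasns = 1000;

my $filestamp = $ARGV[0];
if (!defined $filestamp or $filestamp eq "") {
    print "No dataset given. Exit.\n";
    exit;
}

# The argument ends up on the nfdump command line and supplies the RRD
# timestamp, so accept only the expected shape: optional plain directory
# components followed by nfcapd.<12 digits>. This also rules out "..",
# leading dashes and anything a shell would treat specially.
my ($stamp) = $filestamp =~ m{\A (?:[A-Za-z0-9_-]+/)* nfcapd \. (\d{12}) \z}x
    or die "Refusing dataset name '$filestamp': "
         . "expected [dir/...]nfcapd.YYYYMMDDhhmm\n";
print "Analyzing $filestamp\n";

# Capture time from the file name; seconds are fixed at 0 (the original
# passed an unset $sec) and timelocal() wants a 0-based month.
my ($year, $mon, $mday, $hour, $min) =
    $stamp =~ /\A(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)\z/;
my $TIMESTAMP = timelocal(0, $min, $hour, $mday, $mon - 1, $year);

# The post itself asks "what is -T ?"; the flag is kept as posted.
my @nfdump_cmd = (
    $nfdumpbin, '-M', $datadirs, '-o', 'pipe', '-T',
    '-r', $filestamp, '-n', $numberofasns, '-s', 'as/bps',
);
print "@nfdump_cmd\n";

# List-form pipe open: nfdump is executed directly with these arguments,
# no shell is involved.
open my $flows, '-|', @nfdump_cmd
    or die "Can't open datastream : $!";

my $count  = 0;
my $bpssum = 0;
# Despite the names, the first 30 qualifying rows are recorded. None of the
# three is read again in the part of the script that was posted.
my (%topten, %toptenrank);

FLOW: while (my $line = <$flows>) {
    chomp $line;

    # Pipe output is '|'-separated; the script takes field 6 as the AS
    # number and field 11 as the bits-per-second figure.
    my ($asn, $bps) = (split /\|/, $line)[6, 11];
    next FLOW unless defined $asn and defined $bps;

    # Both values go into an RRD path / rrdtool argument, so only plain
    # numbers are let through.
    next FLOW unless $asn =~ /\A\d+\z/ and $bps =~ /\A\d+(?:\.\d+)?\z/;
    next FLOW if $bps < 1000;     # low-bandwidth threshold
    next FLOW if $asn == 0;

    $asn = sprintf "%05d", $asn;
    $count++;
    if ($count <= 30) {
        $bpssum += $bps;
        $topten{$asn}     = $bps;
        $toptenrank{$asn} = $count;
    }
    rrd_write("$rrddir/rrds/traffic-as$asn.rrd", $TIMESTAMP, $bps);
}
close $flows
    or warn "nfdump did not finish cleanly (status $?)\n";

# ASN -> network name table from parse-asnlist.pl, which is looked up in
# the current directory. %asnname is not used further in the posted part.
my %asnname;
open my $names, '-|', './parse-asnlist.pl'
    or die "Can't open datastream : $!";
while (my $line = <$names>) {
    chomp $line;

    # Limit 2: network names may contain commas themselves.
    my ($asn, $netname) = split /,/, $line, 2;
    next unless defined $netname and $asn =~ /\A\d+\z/;
    $asnname{ sprintf "%05d", $asn } = $netname;
}
close $names;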
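# rrd_write($rrd, $time, $data)
# Stores one sample ($data at epoch $time) in the RRD file $rrd, creating
# the file first when it does not exist. Returns the status of the
# "rrdtool update" run.
sub rrd_write {
    my ($rrd, $time, $data) = @_;

    # If the rrd doesn't exist, create it anew, starting one second before
    # the first sample so that sample is accepted.
    if (! -e $rrd) {
        create_rrd($rrd, $time - 1);
    }

    # The original ran "rrdtool update ... 2> /dev/null" through a shell.
    # List-form system() keeps file name and value away from any shell, so
    # the stderr silencing is done here by redirecting STDERR for the
    # duration of the call.
    open my $saved_stderr, '>&', \*STDERR
        or die "Can't save STDERR: $!";
    open STDERR, '>', '/dev/null'
        or die "Can't silence STDERR: $!";
    my $status = system('rrdtool', 'update', $rrd, "$time:$data");
    open STDERR, '>&', $saved_stderr
        or die "Can't restore STDERR: $!";

    return $status;
}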
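# create_rrd($rrd, $time)
# Creates the RRD file $rrd with a 300-second step, starting at epoch
# $time, holding one GAUGE data source named "data". Returns the status of
# the "rrdtool create" run.
sub create_rrd {
    my ($rrd, $time) = @_;

    # Averaged archives, given as RRA:AVERAGE:0.5:<steps>:<rows>; with the
    # 300 s step the <steps> values correspond to the intervals named here.
    my @archives = (
        "RRA:AVERAGE:0.5:1:2000",      # five minutes
        "RRA:AVERAGE:0.5:6:1500",      # thirty minutes
        "RRA:AVERAGE:0.5:24:1500",     # two hours
        "RRA:AVERAGE:0.5:72:1800",     # six hours
        "RRA:AVERAGE:0.5:288:1800",    # one day
    );

    # List form: every value is its own argument and no shell is involved.
    # As one string the command also breaks wherever the mail wrapped it,
    # because a shell ends a command at each newline.
    return system(
        'rrdtool', 'create', $rrd,
        '--start', $time,
        '--step',  300,
        'DS:data:GAUGE:600:0:U',
        @archives,
    );
}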
------------------------------------------------
And since it references parse-asnlist, here's that..
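#!/usr/bin/perl
# parse-asnlist.pl: reads a saved copy of the CIDR Report AS-name list from
# autnums.html in the current directory and prints one "asn,name" line per
# AS number on stdout.
# Source page: http://www.cidr-report.org/as2.0/autnums.html
use strict;
use warnings;

my $listfile = "autnums.html";

# Plain three-argument read; no "cat |" pipe and no shell needed.
open my $html, '<', $listfile
    or die "Can't open datastream : $!";

while (my $line = <$html>) {
    chomp $line;

    # strip html
    $line =~ s/<(([^ >]|\n)*)>//g;
    $line =~ s/<a href.*>//g;
    $line =~ s/^AS//g;

    # First token is the AS number, the rest of the line is the name. The
    # original cut the name at a fixed offset of 6, which stops lining up
    # once the number has more than five digits.
    my ($asn, $name) = $line =~ /\A(\S+)\s+(.*)\z/
        or next;

    # Plain positive integers only; this also drops the dotted and ranged
    # forms the original filtered with separate tests.
    next unless $asn =~ /\A\d+\z/ and $asn >= 1;

    print "$asn,$name\n";
}
close $html;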
Not the prettiest of code, but it does the job.