Subject: RE: Cflow/FlowScan with OSU flow-tools (was "Re: (from flow-tools list) ...")
From: Andrew Fort (afort@staff.webcentral.com.au)
Date: Mon May 28 2001 - 20:03:51 CDT
Okay, after having a Sunday night I'd rather forget (I'm type-1 diabetic, got low blood sugar, passed out behind the wheel and wrote off my car, almost killing myself and my girlfriend - fortunately everyone is okay in body if not mind..), I've gotten flowscan working with OSU flow-tools for netflow PDU v5 data (haven't tested v6, v7 data yet, I'm guessing that's a no-brainer).

You must have perl 5.6, otherwise the Cflow-1.036 extensions for OSU flow-tools will not compile correctly. This isn't (as yet) stated in the documentation. It won't compile (for me) with 5.005_03, not sure about other sub-releases. I'm compiling Cflow-1.036 w/OSU-flow-tools extensions, using perl 5.6.0, successfully.

Secondly, I've attached my modified FlowScan.pm - this lets flowscan identify the timestamps in the OSU flow-file format. I'm guessing this is functionally similar to the FlowScan.pm Dave intended to attach to his last post to this list (he posted the wrong file), and it works for me (though I ignore the flow format PDU version identified in the filename, I'm guessing this doesn't matter since Cflow.pm takes care of this). Please excuse the attachment size (I should have posted a diff, agreed :).

So Dave - yes - this works for me for version 5 PDU (thank you!), though the documentation about where to extract Cflow-1.036.tar.gz to get OSU support I found a little vague (I understood, but combined with the Perl 5.005_03 incompatibility it threw me). A quick modification to the documentation showing something like:

    cd /usr/local/src/flow-tools-0.53/perl
    tar zxvf /usr/local/src/Cflow-1.036.tar.gz

or similar, would make this clearer for the easily confused (like me :).

Anyhow, it's running for me, and if you're a flowscan regular you shouldn't find it too hard (though a thorough understanding of what each program does, how flow-tools replaces cflowdmux+cflowd, etc., will help you immensely).
And if you're wondering: "why would I use flow-tools instead of the documented method (patched cflowd)?"

1. flow-tools can read Netflow v1, v5, v6, v7 datagrams. If you have a Catalyst switch exporting from the supervisor, you can now read the v7 datagrams (cflowdmux+cflowd cannot handle this).

2. flow-tools is in active development from the looks of things.

3. flow-tools provides a wide suite of utilities to analyse your Netflow data, including powerful (cisco ACL-style) filtering capabilities that can be applied BEFORE the data arrives at flowscan. There are also statistical breakdown tools, data mirroring, archiving, DoS profile detection, etc. tools.

Additionally, the code is written in C (not C++), and the flow-stat program (which outputs tabular data) is well laid out, and easy to extend upon to produce the sorts of data many people are after (non-aggregated, true flow accounting data).

- andrew fort

>-----Original Message-----
>From: Andrew Fort
>Sent: Sunday, 27 May 2001 4:36 PM
>To: 'flowscan@net.doit.wisc.edu'
>Subject: RE: Cflow/FlowScan with OSU flow-tools (was "Re: (from
>flow-tools list) ...")
>
>
>>In case it's not clear, Andrew is doing some preliminary testing of
>>Cflow.pm with the OSU flow-tools collector called flow-capture (instead
>>of cflowd).
>
>yes, whoops, it would appear the first message of the two I
>intended to send
>didn't make it to the MTA :-)
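For readers trying to follow the FlowScan.pm change described above (identifying timestamps from OSU flow-tools file names, ignoring the PDU version in the name), here is an added illustration that is not the attached FlowScan.pm nor flow-tools' own code. It assumes flow-capture names its finished files ft-vNN.YYYY-MM-DD.HHMMSS+ZZZZ (NN = NetFlow PDU version, ZZZZ = UTC offset of the local wall-clock time shown); the function name flowfile_timestamp and the sample name are constructed.

```perl
#!/usr/bin/perl -w
# Hypothetical helper (not the post's FlowScan.pm): derive a flow file's
# UTC timestamp and PDU version from an OSU flow-tools flow-capture name.
# Assumed layout: ft-vNN.YYYY-MM-DD.HHMMSS+ZZZZ, e.g. ft-v05.2001-05-28.200351-0500
use strict;
use Time::Local qw(timegm);

sub flowfile_timestamp {
    my ($path) = @_;
    my ($name) = $path =~ m{([^/]+)$};
    return undef unless defined $name;
    # Anything not matching the finished-file pattern (e.g. a file still
    # being written, or an unrelated file) is skipped rather than guessed at.
    my ($ver, $Y, $M, $D, $h, $m, $s, $sign, $tzh, $tzm) =
        $name =~ /^ft-v(\d{2})\.(\d{4})-(\d{2})-(\d{2})\.(\d{2})(\d{2})(\d{2})([+-])(\d{2})(\d{2})$/
        or return undef;
    # Treat the digits as if they were UTC, then remove the recorded offset:
    # the name shows local time = UTC + offset, so UTC = local - offset.
    my $local_as_utc = timegm($s, $m, $h, $D, $M - 1, $Y);
    my $offset = ($tzh * 3600 + $tzm * 60) * ($sign eq '-' ? -1 : 1);
    # The PDU version is returned but, as in the post, callers may ignore it
    # because Cflow.pm handles the record format itself.
    return { version => $ver + 0, time => $local_as_utc - $offset };
}

# Stand-alone use: list a flow-capture directory oldest-first, which is the
# order a FlowScan-style reporter would want to process finished files in.
if (!caller) {
    my $dir = shift @ARGV || '.';
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @files = grep { defined flowfile_timestamp($_) } readdir($dh);
    closedir($dh);
    for my $f (sort { flowfile_timestamp($a)->{time} <=> flowfile_timestamp($b)->{time} } @files) {
        my $info = flowfile_timestamp($f);
        printf "%s  pdu-v%d  %s UTC\n", $f, $info->{version}, scalar gmtime($info->{time});
    }
}
1;
```

With the sample name above, the local time 20:03:51 at offset -0500 resolves to 01:03:51 UTC on 2001-05-29, which is the value FlowScan would key its five-minute reporting interval on.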
This archive was generated by hypermail 2b25 : Mon May 28 2001 - 20:10:34 CDT