Subject: RE: /var/netflow directory getting full
From: Robert S. Galloway (securityguy@ikano.com)
Date: Tue Sep 02 2003 - 18:00:04 CDT
Hi Paul,
I've got no ideas, so I'm going to go ahead and forward this to the list for
help.
Thanks,
Robert S. Galloway
Chief Network Security Engineer
IKANO Communications
...the Internet branding company
Official Data Networking Services Provider for the
Salt Lake Olympic Winter Games of 2002
securityguy@ikano.com
801-415-8089
-----Original Message-----
From: Paul Suela [mailto:pds@skyinet.net]
Sent: Sunday, August 31, 2003 7:18 PM
To: Robert S. Galloway
Subject: Re: /var/netflow directory getting full
Robert,
I re-read the FlowScan install guide and found how to debug flowscan's startup
(http://net.doit.wisc.edu/~plonka/FlowScan/INSTALL.html#Testing_FlowScan)...
once I did this the following error came up... something about Perl 5.004,
and I've also attached the Perl versions on my server. I once did an
up2date upgrade which included some bug in Perl.
Could the Perl upgrade have something to do with the mess? Is there a
way to make flowscan.pm use my current perl-5.8.0-55?
I've theorized the reason for the flow*.* files piling up in
/var/netflow.. (since I'm not big on Perl programming)
1. the router exports flows so that flow-capture can record it under
/var/netflow/ft
2. the processing of the ft*.* files somehow isn't able to complete
because flowscan is having trouble (with UNIVERSAL:can) hence the files
get queued.
3. since these files aren't fully processed, there is no *.rrd files
generated and no files for CUGrapher.pl to work with under the
/var/netflow/rrds.
[root@SERVER ft]# perl -d /var/netflow/bin/flowscan
Loading DB routines from perl5db.pl version 1.19
Editor support available.
Enter h or `h h' for help, or `man perldebug' for more help.
main::(/var/netflow/bin/flowscan:23):
23: require 5.004; # for UNIVERSAL::can method
---------------------------------------------------
[root@SERVER ft]# rpm -qa | grep perl
perl-5.8.0-55
perl-CPAN-1.61-55
perl-DBI-1.30-1
perl-CGI-2.81-55
perl-Filter-1.28-9
perl-URI-1.21-3
perl-DB_File-1.804-55
mod_perl-1.99_05-3
perl-DBD-MySQL-2.1017-3
Robert S. Galloway wrote:
>Hi Paul,
>
>To tell you the truth, I'm stumped. FlowScan should be deleting the file
>when it's done processing it. How much disk space are you allowing
>flow-capture to have for keeping the old flows in /var/netflow/ft? Is it
>those files that are taking too much room, or are they the exported files
in
>/var/netflow?
>
>Let me know and I will try to help you get to the bottom of this.
>
>Also, I've attached an updated version of my document. It uses a slightly
>different approach to the exporting, so it may also be a solution for you.
>
>Thanks,
>
>Robert S. Galloway
>Network Security Engineer
>IKANO Communications
>...the Internet branding company
>Official Data Networking Services Provider for the
>Salt Lake Olympic Winter Games of 2002
>securityguy@ikano.com
>801-415-8089
>
>
>-----Original Message-----
>From: owner-cuflow-users@columbia.edu
>[mailto:owner-cuflow-users@columbia.edu] On Behalf Of Paul Suela
>Sent: Wednesday, August 27, 2003 12:15 AM
>To: Robert S. Galloway
>Cc: cuflow-users@columbia.edu
>Subject: Re: /var/netflow directory getting full
>
>Robert,
>
>yes flowscan is running
>
>my setup is as follows:
>- flow-tools 0.66
>- CUFlow 1.4
>- Intel P4 1.8 GHz
>- 128 MB RAM
>
>Robert S. Galloway wrote:
>
>
>
>>Is FlowScan running? Normally FlowScan should be deleting those files...
>>
>>Robert S. Galloway
>>Chief Network Security Engineer
>>IKANO Communications
>>...the Internet branding company
>>Official Data Networking Services Provider for the
>>Salt Lake Olympic Winter Games of 2002
>>securityguy@ikano.com
>>801-415-8089
>>
>>-----Original Message-----
>>From: owner-cuflow-users@columbia.edu
>>[mailto:owner-cuflow-users@columbia.edu] On Behalf Of Paul Suela
>>Sent: Tuesday, August 26, 2003 10:28 PM
>>To: cuflow-users@columbia.edu
>>Subject: /var/netflow directory getting full
>>
>>Hello List!
>>
>>I am using flowscan + CUFlow to graph the traffic stats and used the
>>http://www.linuxgeek.org/netflow-howto.php guide to set this up... I've
>>noticed that the /var/netflow directory seems to be getting full with
>>flows.2003082*.* files and my flow-collector server seems to be very
>>sluggish.
>>
>>I deleted the flows.2003082*.* files from /var/netflow and rebooted the
>>machine and it's recovered. But now.. the flows.2003082*.* files are
>>starting to pile up again with a timestamp difference of 5 minutes.
>>
>>any clue on what is causing this?
>>
> ------------------------------------------------------------------------
>
>
> How to build detailed Network Usage Reports using RRDTool,
> flow-tools, FlowScan, and CUFlow
>
>
> Preface
>
>
> What this document covers
>
> This document is aimed at providing step by step instructions to build
> useful documentation and reports from NetFlow "flows" on Cisco
> routers. Other vendors have their own implementations of NetFlow. You
> should be able to use this document to build reports from those
> devices, but I am a Cisco expert, so this document assumes that you
> are using Cisco products.
>
> Here's a list of what you will be able to do with this application:
>
> * Build graphs showing network utilization, including break downs
> by router, protocol, service, and network/host groups.
> * Build "top talker" reports for your network
> * Impress the boss with colorful graphs! :-)
>
>
> Assumptions and Support
>
> This document assumes that you are familiar with getting around a
> Unix/Linux system and a Cisco Router. I am a RedHat Linux person, so
> this will also assume that you are using RedHat. I do not claim to be
> all-knowing when it comes to Linux. I am sure that the way I do things
> is not the only way they can be done. This is simply the way I have
> done things and it works for me. You don't need to be a CCIE or an
> RHCE to make this work, but you will be compiling packages and
> modifying configuration files from the command line, so be prepared.
> Just to warn you, you should also be prepared to spend at least a
> couple of hours to complete this. However, once it's up and running,
> you shouldn't have to touch it except to update the CUFlow configuration.
>
> These instructions come with no warranty or guarantee. If you blow
> something up and lose business because of it, that's your problem. I
> do not provide support for these packages or instructions. There are
> mailing lists for each one of the packages I use, please use them if
> you need additional help. I participate on several of them, so please
> do not e-mail me directly. I cannot promise that I will get back to
> you if you do. A list of these mailing lists is provided in the appendix.
>
> I am not aware of any commercial support offered for RRDTool,
> flow-tools, FlowScan or CUFlow. If you know of any, please let me know
> at rgalloway <mailto:rgalloway%20at%20stageman%20dot%20com> and I will
> update this document.
>
>
> Acknowledgements
>
> This document is primarily an abridgement of the documentation
> provided by the authors of the packages we will be using. It is not
> meant to replace the documentation that comes with those packages. I
> have given credit to those individuals who have contributed to this
> document. If you feel that I have not given appropriate credit to
> someone, please let me know and I will correct my error.
>
> ------------------------------------------------------------------------
>
>
> Getting Started
>
>
> Routers Support
>
> Most Cisco routers, all the way down to the 806, support NetFlow
> exporting. To see if your router and IOS version supports NetFlow,
> please visit http://www.cisco.com/go/fn and search for "NetFlow".
> Again, many other networking vendors have their own implementation of
> NetFlow. Please visit their respective sites for more information.
>
> When using FlowScan with Cisco routers, generally you will want to use
> NetFlow version 5. The flow-tools collector is capable of handling
> newer versions of NetFlow and storing them in its single unified file
> format that FlowScan can understand. This is useful, for instance,
> when collecting flows from a Cisco Catalyst 65xx. Please consult the
> FlowScan and flow-tools mailing lists listed in the appendix for more
> information. Setting up FlowScan to use versions of NetFlow other than
> version 5 is outside of the scope of this document.
>
> ------------------------------------------------------------------------
>
>
> Flow Collector
>
> The Flow Collector can be any Unix/Linux based system. I have found
> that it is best to have a dedicated server because the report
> generation can take a lot of processing time.
>
> Currently, I have two NetFlow Reporting systems setup. One is at our
> Main Network Operations Center, the other is at one of our remote
> locations that supports dialup clients. This section should give you
> some idea of how this will scale.
>
> The main NOC system produces reports for two Cisco 7513 routers and
> one 7206 router. Each router has one Internet DS-3. During peak hours
> of traffic, we push about 60-75 Mb per second total in each direction
> (to and from the Internet). This creates about xxx flows every five
> minutes for a file size of xxx. The collector is a Pentium 4 1.8 with
> 384 MB of RAM and an IDE disk drive. It takes about xxx seconds to
> process the flows and create the reports. (Note, the graphs are
> produced on the fly when someone accesses them. This is a feature of
> RRDTool.)
>
> The second location produces reports for a single Cisco 3660 router
> that has 3 independent T1 Internet backbones. During peak hours, we
> can reach up to the full 4.5 Mb per second inbound and about 2.5 Mb
> per second outbound. This creates about xxx flows every five minutes
> for a file size of xxx. The collector is a Pentium III 500 with 256 MB
> of RAM and an IDE disk drive. It takes about xxx seconds to process
> the flows and create the reports.
>
> Another example is my system at home. (Yes I know, this proves beyond
> a doubt that I am a geek.) I have a Cisco 831 connected to a Cable
> Broadband connection. Normally I see about 250 flows every five
> minutes. This creates flow files that are about 4KB. It takes a
> Pentium III 750 with a gig of RAM less than 1 second to process the
> flow file and create the reports. The largest flow files I've seen
> have been while downloading NNTP content. I can pull about 1.6 Mb per
> second and this creates flow files that are about 15KB. It still takes
> less than a second to process.
>
>
> Software Packages
>
> Here is the list of packages you will need. I suggest that you
> download them all before proceeding any further. It does not matter
> where you download them to, just don't misplace them. Also, the
> version numbers may change. Be sure to grab the latest stable versions
> when you download the packages.
>
> * *Apache* - You will need a web server to view the graphs and
> reports from this application. Any web server that supports CGI
> scripting will be fine. If you do not already have a web server
> installed, I suggest Apache. It can be downloaded from
> http://httpd.apache.org. The default install will work just
> fine. For detailed instructions, please see the documentation on
> the Apache site. If you did not install the Web Server packages
> when you installed RedHat, you can install them using the
> up2date utility. (You have to register for a RedHat Network
> account and up2date will walk you through that the first time
> you run it.) To install apache on RedHat 8.0/9.0 use:
> o up2date -i httpd
> * *Perl5* - This is installed by default in most builds of Linux.
> If you don't have it, please visit www.perl.com
> <http://www.perl.com> or www.cpan.org <http://www.cpan.org>, or
> simply rebuild the machine and make sure that you install the
> Perl packages. (Installing the packages during install is the
> preferred method.) If you don't already have Perl, or don't know
> what it is, this application is probably not for you.
> * *RRDTool* - This package can be downloaded from www.rrdtool.org
> <http://www.rrdtool.org>. It is recommended that you install
> from the source tarball. When you configure and compile the
> package be sure to use the --enable-shared option. I install it
> using these commands:
> o tar -zxvf rrdtool-1.0.45.tar.gz
> o cd rrdtool-1.0.45
> o ./configure --enable-shared --prefix=/usr/local/rrdtool
> o make install site-perl-install
> * *flow-tools* - This is the collection of programs that includes
> the collector application I prefer. It can be downloaded from:
> http://www.splintered.net/sw/flow-tools/. You can install it
> using these commands:
> o tar -zxvf flow-tools-0.66.tar.gz
> o cd flow-tools-0.66
> o ./configure
> o make
> o make install
>
> This will install flow-tools to /usr/local/netflow.
>
> * *Perl Modules* - In addition to Perl5, you will need the modules
> listed below. To install all of them, except Cflow which is
> packaged with flow-tools:
> o perl -MCPAN -e shell
> o install HTML::Table
> o install Net::Patricia
> o install Boulder::Stream (I had to do a "force install"
> last time I installed this. If you have errors, try that.)
> o If you are running RedHat 7.2 or earlier, this should
> work. install ConfigReader::DirectiveStyle
> o If this command returns errors, do the following.
> + Go to http://www.cpan.org
> + Search for ConfigReader
> + Choose ConfigReader-0.5
> + Download the tarball and unpack it (tar -zxvf
> ConfigReader-0.5.tar.gz)
> + cd ConfigReader-0.5
> + mkdir -p /usr/lib/perl5/site_perl/5.8.0/ConfigReader
> + cp * /usr/lib/perl5/site_perl/5.8.0/ConfigReader
> o Update the path to match your version of Perl. The above
> is from RedHat 8.0 with Perl 5.8.0.
>
> Notes: If you are running the CPAN shell for the first time, you
> will be asked to configure it. To Auto-Configure it (I recommend
> it) enter "no". Once it is configured it will download a
> database file. This may take several minutes. Also, take care to
> note that everything Perl is case sensitive. Lastly, you must be
> root to install the packages.
>
> CFlow is included in the current distribution of flow-tools so
> you do not need to download it separately. Please install it by
> doing the following:
>
> o cd flow-tools-0.66
> o cd contrib
> o tar -zxvf Cflow-1.051.tar.gz
> o cd Cflow-1.051
> o perl Makefile.PL
> o make
> o make install
>
> Please note that in order for this module to compile with the
> proper support, you need to run it from a directory under the
> flow-tools distribution files. The instructions above build it
> properly. Please read the README file included in the
> Cflow-1.051 for more information.
>
> * *Korn Shell* - This is required by CUFlow. pdksh works just as
> well. On a RedHat box, simply type "up2date -i pdksh" and RedHat
> will install this for you. You can also download the source from
> http://web.cs.mun.ca/~michael/pdksh/
> <http://web.cs.mun.ca/%7Emichael/pdksh/>.
> * *FlowScan* - This is the report generating application by Dave
> Plonka. It can be downloaded from:
> http://net.doit.wisc.edu/~plonka/FlowScan/
> <http://net.doit.wisc.edu/%7Eplonka/FlowScan/>.
> * *CUFlow* - This is the report module and graph generator written
> by Columbia University for FlowScan. It can be downloaded from:
> http://www.columbia.edu/acis/networks/advanced/CUFlow/.
>
> ------------------------------------------------------------------------
>
>
> Configure your routers
>
>
> *Disclaimer: Make the changes to your routers at your own
> risk. I recommend that you establish a baseline for
> processor and memory utilization before making changes to
> your routers and reexamine the baseline after making the
> changes. If you have a support contract with Cisco, I
> suggest opening a case with TAC to have them look at your
> configuration and determine if these are the best commands
> for your routers.
>
> The following commands are the commands that I used to configure my
> 7513's (and my 806 at home).
>
> * These are the global configuration mode commands:
> o ip flow-export version 5 peer-as
> o ip flow-export source-interface xxx
> + Choose the interface closest to your collector. This
> simply ensures that there is no confusion as to the
> source address that will be listed in the flows.
> o ip flow-export destination x.x.xx y
> + x.x.xx is the collector's ip address, y is the port
> you will specify in the flow-capture command line.
> You may choose any port, just remember what it is
> and avoid the obvious registered ports like 80. (The
> flow packets are UDP.)
> o ip flow-cache timeout active 1
> + This syntax is for IOS 12.2 and later. If you are
> running an 11.x or 12.0/12.1 code, the syntax would
> be: "ip flow-cache active-timeout 1". This command
> ensures the timely delivery of flows to the collector.
> * In the interface configuration mode of *each major* interface:
> (major as opposed to sub-interface)
> o ip route-cache flow
>
> I have found that if you do not run NetFlow on every major
> interface, it does strange things to the flow reports. Again,
> consult with Cisco before changing the configuration on a
> production router.
>
> A good note from Dave Plonka:
>
> "NetFlow isn't really a switching mode any more, its just a means of
> reporting traffic. CEF is used when NetFlow is configured. NetFlow is
> just configured in this way for historical reasons as it was once
> proposed and implemented to be a forwarding enhancement."
>
> ------------------------------------------------------------------------
>
>
> House Keeping Stuff
>
> You are going to need to add RRDTool to the path variable of your
> collector. Now is a good time to do it because it requires a reboot.
> (If any one knows a way to add these to the path without rebooting,
> please e-mail me.)
>
> To add RRDTool to the path on RedHat do the following: (I also add
> flow-tools to the PATH for easy access.)
>
> * Open /etc/profile with your favorite editor
> * Add the following lines below "pathmunge /usr/local/sbin"
> * pathmunge /usr/local/rrdtool/bin
> * pathmunge /usr/local/netflow/bin
> * Save and Exit
>
> So, the file should look like this when you are done. (As far as I
> know the "tabs" at the beginning of the pathmunge lines are optional,
> but it's always good to make it look nice and readable.)
>
> # Path manipulation
> if [ `id -u` = 0 ]; then
> pathmunge /sbin
> pathmunge /usr/sbin
> pathmunge /usr/local/sbin
> pathmunge /usr/local/rrdtool/bin
> pathmunge /usr/local/netflow/bin
> fi
>
> Once you have added to the path, go ahead and reboot your collector.
>
> ------------------------------------------------------------------------
>
>
> Configure flow-tools
>
> I will not try to explain all the flow-tools programs here. There is
> plenty of documentation that comes with the package and on their web
> site. The only program we are concerned with right now is
> "flow-capture". Everything you need to configure with flow-capture is
> part of the command line, that's why I like to use it over cflowd.
>
> There is one important consideration when planning your installation
> that we need to discuss before proceeding. If you are not using a
> dedicated server to collect your flows, you should strongly consider
> using a separate file system (not /var) for the NetFlow folders. If
> you are running on a shared server, the flow files could potentially
> cause issues for other packages by using too much space. Here are a
> couple of suggestions if you are running on a shared server. 1. Mount
> /var/netflow on a separate hard drive. Even though this will appear
> under the same file system in the file tree, it will limit
> /var/netflow to the amount of space on the new drive. 2. Implement a
> disk quota to keep /var/netflow from taking over the entire disk.
> Consult the documentation for your operating system for more
> information on limiting disk usage. The flow-capture tool also manages
> the size of the directory that it writes the flow files to. If you
> follow this document to the "T", you shouldn't have to worry about
> this, but it is good to keep disk space in mind anyway.
>
> Before we start flow-capture, we need to add a script that will create
> a symbolic link to the current flow file for FlowScan to process.
> Using your favorite editor, create the following file:
> /usr/local/netflow/bin/linkme
>
> Put the following script in this file:
>
> #!/usr/bin/perl
> # Called by flow-capture (-R) with the path of each completed flow file;
> # it creates a symlink in $base that FlowScan processes and then deletes.
> use strict;
> use warnings;
>
> my $base = "/var/netflow";
> my $fileName;
>
> # keep only the basename, which must be a flow-capture ft-v05 file
> if (defined $ARGV[0] && $ARGV[0] =~ /.*[\/]*(ft-v05[^\/]*$)/) {
> $fileName = $1;
> } else {
> print "Must specify file\n";
> exit 1;
> }
>
> unless ( symlink("$base/ft/$fileName","$base/$fileName") ) {
> print "Unable to create symbolic link: $base/$fileName: $!\n";
> exit 1;
> }
>
> By using this script, flow-capture can maintain the size of the
> directory /var/netflow/ft. You will need to make sure this file is
> executable. You can do with the following command:
>
> * chmod a+x /usr/local/netflow/bin/linkme
>
> Now, let's get to the install. First, you need to create a folder to
> store your flow files. I use /var/netflow for the base directory. This
> will also be the prefix when you install FlowScan. You will need to
> create the following directory tree for the raw flow-tools files, rrd
> files and the toptalkers HTML files.
>
> mkdir -p /var/netflow/
> mkdir -p /var/netflow/ft
> mkdir -p /var/netflow/rrds
> mkdir -p /var/netflow/scoreboard
>
> Here is the command to start flow-capture. I have found that it works
> best to save this command to a file and call it from an init script.
>
> /usr/local/netflow/bin/flow-capture -w /var/netflow/ft 0/0/2055 -S5 -V5 -E1G -n 287 -N 0 -R /usr/local/netflow/bin/linkme
>
> Please see the flow-capture man pages for details on what each option
> is. The main ones that you may want to change are:
>
> * -w /var/netflow/ft - This is where flow-capture will store the
> flow files. You may want to change this for several reasons that
> we have already discussed.
> * 0/0/2055 - This specifies the localip, remoteip, and port in
> that order. 0 in the local and remote IP spaces represents any
> IP. You may want to put the router's source interface IP here to
> make sure that no one can pollute the flows from somewhere else.
> * E1G - This is the expire size setting. Basically it means how
> much data you want to save. 1G represents 1 Gigabyte. 20M would
> represent 20 Megabytes.
> * The other option here that gets lots of questions is -n. What
> does the 287 mean? It means that flow-capture will rotate the
> file 287 times in 24 hours. For those that don't want to do the
> math, this is every five minutes starting at 00:00 and ending
> with 23:55. A good note to make here is that CUFlow doesn't
> currently play nice with flow files that do not represent five
> minutes of data. So use this setting unless you know exactly
> what you are doing.
>
> Once flow-capture is running there are several things you can do to
> verify that it is receiving packets from the router. First, use
> tcpdump to see the incoming packets. If you do not have tcpdump (it is
> not installed by default), you can again use up2date to install it:
>
> * up2date -i tcpdump
>
> The command to run tcpdump and see only UDP port 2055 is:
>
> tcpdump -n udp port 2055
>
> The output will look something like this:
>
> 03:30:13.928242 192.168.10.1.57218 > 192.168.5.3.2055: udp 264
> 03:30:16.392830 192.168.5.1.51892 > 192.168.5.7.2055: udp 456
> 03:30:25.920687 192.168.10.1.57218 > 192.168.5.3.2055: udp 312
> 03:30:28.393009 192.168.5.1.51892 > 192.168.5.7.2055: udp 456
>
> Then use netstat -lnp to see if flow-capture is listening to port
> 2055. If you don't see either, check /var/log/messages for errors.
>
> The last thing to verify is, look in /var/netflow/ft and see if there
> has been a tmp file created. If there is, you are good to go.
>
> To verify that the "linkme" script is working correctly, let
> flow-capture run for a few minutes then look in /var/netflow/ for a
> new symbolic link to be created. If it is there, everything is
> working. These links point to the real files. Once FlowScan has
> processed the real file, it will delete the link. Remember that
> flow-capture will manage the size of the /var/netflow/ft directory, so
> you shouldn't have to worry about using up all of your disk space.
>
> Here is the init script to start flow-capture.
>
> Go ahead and start this and let it run while we finish ("service
> flow-capture start" or "/etc/init.d/flow-capture start" will do the
> trick). This way when you get done with the install, you will have
> live data to process and verify that things are working!
>
>
>
> ------------------------------------------------------------------------
>
>
> Install FlowScan
>
> Before proceeding with installing FlowScan, be sure that you have
> downloaded and installed the needed Perl Modules listed previously. If
> you have, here are the commands to install FlowScan:
>
> As Dave Plonka notes, "A good way to avoid doing something dumb here
> is to not run FlowScan's configure nor make as root."
>
> ./configure --prefix=/var/netflow
> make
> make -n install
> make install
> cd cf
> cp flowscan.cf /var/netflow/bin
>
> The last two steps copy the FlowScan config file to /var/netflow/bin.
>
> You will need to download a patched FlowScan.pm and copy it to
> /var/netflow/bin as well. You can download the file from either of the
> following locations, then just copy it to /var/netflow/bin and replace
> the one that is there.
>
> * http://net.doit.wisc.edu/~plonka/list/flowscan/archive/att-0848/01-FlowScan.pm
> * http://www.linuxgeek.org/netflow/FlowScan.pm
>
> Also from Dave Plonka's notes, "By the way, in the above commands, all
> is OK if make says ``Nothing to be done for `target'''. As long as
> make completes without an error, all is OK." I normally see this
> message when I install FlowScan. These commands should have installed
> FlowScan to /var/netflow/bin/. This is where the application and the
> configuration files reside. You should also verify when you copy the
> new module that it is executable. The easiest way to make sure is do
> an "ll" while in /var/netflow/bin. You should see something like this:
> (Normally the file name will also be green if you have a color
> terminal setup.)
>
> total 180
> -rwxr-xr-x 1 root root 3318 Jul 31 02:51 add_ds.pl
> -rwxr-xr-x 1 root root 2520 Jul 31 02:51 add_txrx
> -rwxr-xr-x 1 root root 70096 Jul 31 02:51 CampusIO.pm
> -rw-r--r-- 1 root root 1692 Jul 31 02:56 CUFlow.cf
> -rw-r--r-- 1 root root 43533 Jul 31 02:53 CUFlow.pm
> -rwxr-xr-x 1 root root 834 Jul 31 02:51 event2vrule
> -rwxr-xr-x 1 root root 5098 Jul 31 02:51 flowscan
> -r--r--r-- 1 root root 630 Jul 31 02:54 flowscan.cf
> -rwxr-xr-x 1 root root 8695 Jul 31 02:52 FlowScan.pm
> -rwxr-xr-x 1 root root 2407 Jul 31 02:51 ip2hostname
> -rwxr-xr-x 1 root root 1442 Jul 31 02:51 locker
> -rwxr-xr-x 1 root root 9130 Jul 31 02:51 SubNetIO.pm
>
> If you do not see the "x" attribute, use "chmod a+x FlowScan.pm" to
> correct the attributes.
>
> One last thing to talk about since we have a log file here. I suggest
> you setup a logrotate process to rotate the /var/log/flowscan log
> file. Here is what you'll need to do to rotate it daily and keep 8
> days of logs (current log plus the 7 past logs).
>
> ...
>
>
>
> ------------------------------------------------------------------------
>
>
> Install CUFlow
>
> Unpack the file you downloaded previously (tar -zxvf
> CUFlow-1.4.tar.gz) and then move the files CUFlow.pm and CUFlow.cf to
> /var/netflow/bin/. Now, go to /var/netflow/bin and edit FlowScan.cf.
> You need to comment out any existing "ReportClasses" lines and add the
> following line:
>
> ReportClasses CUFlow
>
> You will also want to verify the folder listed in the "FlowFileGlob"
> variable. If you execute FlowScan from the folder that the flow files
> are stored in, you can simply use "FlowFileGlob ft-v05.*". The
> FlowScan script that I have included later in this document will do
> this for you. You may also want to specify the absolute path to the
> files. (i.e. /var/netflow/ft-v05.*)
>
> *NOTE:* You do not need to modify any of the other FlowScan files,
> such as CampusIO.cf. We are not using those reports in this setup. If
> you want to use the built in FlowScan reports, please read the
> FlowScan documentation at:
> http://net.doit.wisc.edu/~plonka/FlowScan/INSTALL.html
> <http://net.doit.wisc.edu/%7Eplonka/FlowScan/INSTALL.html> for
> instructions on installing and configuring them.
>
> ------------------------------------------------------------------------
>
>
> Configure CUFlow
>
> The most detailed documentation on CUFlow can be found at:
> http://www.columbia.edu/acis/networks/advanced/CUFlow/CUFlow.html. I
> highly suggest reading this document in its entirety. It goes into far
> greater detail than I will.
>
> There are several things that you will need to change in the CUFlow.cf
> file before running any reports. First, are your subnets. These are
> used to determine what is local and what isn't. These can be as
> general as you want, but you'll want to make sure all of your local
> subnets are configured here. Use a separate line for each block. The
> syntax is "Subnet x.x.xx/y label". x.x.xx/y represents your network
> block in CIDR format. Example:
>
> Subnet 172.16.0.0/16
>
> Second, you need to list any network groups that you want to get
> separate usage reports for. These are OPTIONAL settings. These groups
> only record the amount of traffic, not the detailed protocol and
> service breakdowns, but are useful nonetheless. A good example of
> how they can be useful can be seen here.
>
> <http://ohioflows.ikano.com/cgi-bin/CUGrapher.pl?report=bits&hours=48&imageType=png&width=640&height=320&duration=&router=all&all_network=Athens_LAN&all_network=Athens_Modem_Pool&all_network=Circleville_LAN&all_network=Circleville_Modem_Pool&all_network=Coolville_LAN&all_network=Coolville_Modem_Pool&all_network=Jackson_LAN&all_network=Jackson_Modem_Pool&all_network=Logan_DSL&all_network=Logan_LAN&all_network=Logan_Modem_Pool&all_network=McArthur_LAN&all_network=McArthur_Modem_Pool&all_network=Nelsonville_LAN&all_network=Nelsonville_Modem_Pool&all_network=Pomeroy_LAN&all_network=Pomeroy_Modem_Pool&all_total=1&router=Logan_3660&=Generate%2Bgraph>
> This graph shows how much bandwidth each of the dialup locations that
> backhaul through the local router are using.
>
> The syntax here is similar to the subnet syntax. "Network x.x.xx/y
> label". You can specify as many network blocks as needed, separated by
> commas. Examples:
>
> Network 172.16.1.0/24 routers
> Network 172.16.2.0/24,172.16.3.0/24 data_center
>
> Next, you must change the OutputDir variable. I use /var/netflow/rrds/.
>
> OutputDir /var/netflow/rrds
>
> *NOTE* - Remember this directory. You will use it again in
> CUGrapher.pl.
>
> To add the Top Talker reports, AKA Scoreboard, you'll want the
> scoreboard and aggregatescore lines to look something like this:
>
> Scoreboard 25 /var/netflow/scoreboard
> /var/netflow/scoreboard/toptalkers.html
> AggregateScore 25 /var/netflow/rrds/agg.dat
> /var/netflow/scoreboard/overall.html
>
> Then, I add a symbolic link to /var/netflow/scoreboard/ in my apache
> document root. (ln -s /var/netflow/scoreboard toptalkers). Then you
> can access the reports by going to http://yourserver/toptalkers/. (You
> may also want to add a Directory section in your apache configuration
> file for /var/netflow/scoreboard. The default options will work just
> fine. This just gives you extra control.)
>
> You can add new services, and protocols as you wish. For more
> information on these features, please consult the CUFlow documentation
> at http://www.columbia.edu/acis/networks/advanced/CUFlow/CUFlow.html
> or the file comes with the package.
>
> *Some extra notes about the config file. *
>
> 1. Be sure to capitalize the variable names. If you do not, CUFlow
> will not recognize them. (i.e. Subnet, not subnet)
> 2. You cannot have any spaces in the labels. This will cause
> FlowScan to error out.
> 3. The CUFlow.cf file that is included with the package has many
> settings that are specific to the author's network. Be sure to
> comment out or delete these lines. The latest version of the
> config file has been changed to not include information specific
> to their network, but make sure you comment out what's there
> either way.
> 4. Make sure that you do not use the same directory as the RRDs, or
> a subdirectory of RRDs, for the scoreboard reports. It causes
> strange issues with CUGrapher.
>
> ------------------------------------------------------------------------
>
>
> Starting FlowScan
>
> Now that the configuration file is complete, you should be able to
> start FlowScan. I use the following script to start it automatically
> at startup.
>
>
> #!/bin/sh
> # description: Start FlowScan
>
> case "$1" in
> 'start')
> cd /var/netflow/ ; bin/flowscan >>/var/log/flowscan 2>&1 </dev/null &
> >/dev/null
> touch /var/lock/subsys/flowscan.1
> ;;
> 'stop')
> killall -9 flowscan
> rm -f /var/lock/subsys/flowscan.1
> ;;
> *)
> echo "Usage: $0 { start | stop }"
> ;;
> esac
> exit 0
>
> This script will send all messages generated by FlowScan to
> /var/log/flowscan. If you use this script to start FlowScan, you can
> monitor whether or not it is working by tailing the log. (tail -f
> /var/log/flowscan)
>
> If everything is working correctly, you should see logs like this:
>
> sleep 30...
> sleep 30...
> 2002/06/24 03:05:09 working on file flows.20020624_03:00:00...
> 2002/06/24 03:05:53 FlowScan-1.020 CUFlow: Cflow::find took 44
> wallclock secs (43.57 usr + 0.11 sys = 43.68 CPU) for 8729930 flow
> file bytes, flow hit ratio: 156224/158726
> 2002/06/24 03:05:56 FlowScan-1.020 CUFlow: report took 3 wallclock
> secs ( 0.00 usr 0.03 sys + 1.47 cusr 1.30 csys = 2.80 CPU)
> sleep 30...
> sleep 30...
> sleep 30...
> sleep 30...
> sleep 30...
> sleep 30...
> sleep 30...
> sleep 30...
> sleep 30...
> 2002/06/24 03:10:28 working on file flows.20020624_03:05:00...
> 2002/06/24 03:11:10 FlowScan-1.020 CUFlow: Cflow::find took 42
> wallclock secs (42.72 usr + 0.08 sys = 42.80 CPU) for 8568285 flow
> file bytes, flow hit ratio: 153537/155787
> 2002/06/24 03:11:13 FlowScan-1.020 CUFlow: report took 3 wallclock
> secs ( 0.00 usr 0.03 sys + 1.64 cusr 1.26 csys = 2.93 CPU)
> sleep 30...
> sleep 30...
> sleep 30...
> sleep 30...
>
> If you see nothing, try starting FlowScan without the script. Most
> error messages that FlowScan generates are self-explanatory.
>
> ------------------------------------------------------------------------
>
>
> CUGrapher.pl
>
> Now, copy the CUGrapher.pl to your cgi-bin directory. You will need to
> change at least two things here before running it. First is the
> $rrddir variable. If you followed this document, that is
> /var/netflow/rrds. The other is $organization. This variable is shown
> at the top of each generated graph.
>
> If you installed Apache from the RPM, the cgi-bin directory is
> /var/www/cgi-bin/. If you installed Apache from the tarball, the
> default is /usr/local/apache/cgi-bin/. If your server is already up
> and running, you can see the grapher by opening
> http://yourserver/cgi-bin/CUGrapher.pl.
>
> You can use the URLs created by CUGrapher.pl in IMG SRC tags if you
> want to build any summary HTML pages. You can also link to them in a
> web page. The next version of CUGrapher will have the option to not
> have a legend. This will make the graphs fit on summary pages more
> easily.
>
> ------------------------------------------------------------------------
>
> To see an example web site and reports generated by CUFlow and
> FlowScan, please visit Dave Plonka's sample graphs at:
> http://wwwstats.net.wisc.edu. You can also look at
> http://flows.ikano.com and http://ohioflows.ikano.com to see working
> servers built with this document.
>
> ------------------------------------------------------------------------
>
>
> Mailing Lists
>
> Here are the mailing lists and instructions for subscribing to them.
>
> *FlowScan*
>
> There are two mailing lists having to do with FlowScan:
>
> * *flowscan* -- a general mailing list for FlowScan users.
> * *flowscan-announce* -- a low-volume, restricted post mailing
> list to keep FlowScan users informed of news regarding FlowScan.
>
> The lists' respective archives are available at:
> http://net.doit.wisc.edu/~plonka/list/flowscan and
> http://net.doit.wisc.edu/~plonka/list/flowscan-announce
>
> Announcements will be ``cross-posted'' to both lists, so there's no
> need to join both. These lists are hosted by the Division of
> Information Technology's Network Engineering Technology group at the
> University of Wisconsin - Madison. To subscribe to either of them,
> send email to: majordomo@net.doit.wisc.edu containing either: subscribe
> flowscan OR subscribe flowscan-announce.
>
> You should receive an automatic response that will request that you
> verify your request to become a member of the list, to which you must
> reply with the authentication information therein. Then, in response
> to your reply, you should receive a welcome message.
>
> *CUFlow*
>
> There is a mailing list having to do with CUFlow:
>
> * *cuflow-users* -- a general mailing list for CUFlow users.
>
> The list's archives are available at:
> https://www1.columbia.edu/sec/bboard/mj/cuflow-users/
>
> This list is hosted by the Academic Information Systems department at
> Columbia University. To subscribe to the list, send email to:
> majordomo@columbia.edu containing: subscribe cuflow-users.
>
> You should receive an automatic response that will request that you
> verify your request to become a member of the list, to which you must
> reply with the authentication information therein. Then, in response
> to your reply, you should receive a welcome message.
>
> *flow-tools*
>
> The flow-tools home page lists the following for the mailing list. At
> this time, I was not able to access it. I will update this again
> later. http://www.pairlist.net/mailman/listinfo/flow-tools.
>
> *RRDTool*
>
> I've never had a reason to subscribe to RRDTool's mailing lists, but
> here is the page with their information.
> http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/mailinglists.html
>
> ------------------------------------------------------------------------
>
>
> Appendix
>
> Here is a list of links that you will find useful if you need more
> information:
>
> 1. http://www.cisco.com/go/fn - This is the Cisco Feature Navigator
> 2. http://httpd.apache.org/ - This is the home page for Apache.
> This is the web server that I recommend.
> 3. http://www.rrdtool.org/ - This is the RRDTool home page.
> 4. http://www.splintered.net/sw/flow-tools/ - This is the
> flow-tools home page.
> 5. http://net.doit.wisc.edu/~plonka/FlowScan/ - This is the
> FlowScan home page.
> 6. http://www.columbia.edu/acis/networks/advanced/CUFlow/ - This is
> the CUFlow home page.
> 7. http://net.doit.wisc.edu/~plonka/list/flowscan/ - This is
> the FlowScan mailing list home page.
> 8. http://wwwstats.net.wisc.edu - Examples of FlowScan and CUFlow.
> 9. http://flows.ikano.com - Another example web site.
> 10. https://www1.columbia.edu/sec/bboard/mj/cuflow-users/ - CUFlow
> mailing list archive. The mailing list is cuflow-users@columbia.edu.
>
> ------------------------------------------------------------------------
>
>
> Change Log
>
> Version 1.3 -- July 29, 2003
>
> * Changed document to not use the "export" script to convert flow
> files. Instead, we now use the patched FlowScan.pm that can
> process the flow-tools files natively.
> * Updated version numbers
> * Added specific instructions for adding to the RedHat path.
> * Corrected error in the CUFlow configuration section. Thanks to
> Thomas Wiebe for pointing out my error.
> * Added a killall to the flowscan startup script. Thanks to
> Velimir Kalik for the suggestion.
>
> Version 1.2 -- January 16, 2003
>
> * Minor spelling/grammar corrections.
>
> Version 1.1 -- December 1, 2002
>
> * Numerous updates made to the document to correct
> spelling/grammar and update to RedHat 8.0.
> * Added instructions to add RRDTool to the path on a RedHat
> 7.x/8.x system.
> * Added instructions to get the ConfigReader::DirectiveStyle
> module installed correctly on RedHat 7.2+ with Perl 5.6.1+.
> * Added pdksh to the list of needed applications. (Needed by CUFlow.)
> * Added --prefix option to RRDTool install to make updating
> RRDTool less painful.
>
> Version 1.0 -- July 24, 2002
>
> This is a new document. No changes have been made yet.
>
> ------------------------------------------------------------------------
>
> Version 1.3 beta 1
> (C) Copyright 2003 by Robert S. Galloway <rgalloway at stageman dot com>
> All Rights Reserved. The author believes that appropriate credit has
> been given. If anyone has been missed, please alert me
> (rgalloway at stageman dot com).
>
> This document may be reproduced and distributed in its entirety
> (including this authorship, copyright, and permission notice),
> provided that no charge is made for the document itself.
>
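The guide's log excerpt is what you tail to see whether FlowScan is keeping up, and a filling /var/netflow (the problem this thread is about) shows up there first as processing that takes longer than the capture interval, or as files picked up long after they were written. As an added example that is not part of the guide or the FlowScan project, this Python check parses those "working on file" / "Cflow::find took" / "report took" lines and reports both conditions; the sample log lines are constructed from the excerpt above, and the 300-second interval and the "two intervals late" threshold are assumptions to tune for your setup.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the flowscan log excerpt quoted in the guide.
SAMPLE_LOG = """sleep 30...
2002/06/24 03:05:09 working on file flows.20020624_03:00:00...
2002/06/24 03:05:53 FlowScan-1.020 CUFlow: Cflow::find took 44 wallclock secs (43.57 usr + 0.11 sys = 43.68 CPU) for 8729930 flow file bytes, flow hit ratio: 156224/158726
2002/06/24 03:05:56 FlowScan-1.020 CUFlow: report took 3 wallclock secs ( 0.00 usr 0.03 sys + 1.47 cusr 1.30 csys = 2.80 CPU)
2002/06/24 03:10:28 working on file flows.20020624_03:05:00...
2002/06/24 03:11:10 FlowScan-1.020 CUFlow: Cflow::find took 42 wallclock secs (42.72 usr + 0.08 sys = 42.80 CPU) for 8568285 flow file bytes, flow hit ratio: 153537/155787
2002/06/24 03:11:13 FlowScan-1.020 CUFlow: report took 3 wallclock secs ( 0.00 usr 0.03 sys + 1.64 cusr 1.26 csys = 2.93 CPU)
"""

TS = r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)"
WORK = re.compile(TS + r" working on file flows\.(\d{8}_\d\d:\d\d:\d\d)")
FIND = re.compile(r"Cflow::find took (\d+) wallclock secs")
REPORT = re.compile(r"report took (\d+) wallclock secs")


def parse_runs(log_text):
    """One record per flow file: when flowscan picked it up and how long each phase took."""
    runs, cur = [], None
    for line in log_text.splitlines():
        if m := WORK.match(line):
            cur = {"file": m.group(2), "find_secs": None, "report_secs": None,
                   "file_time": datetime.strptime(m.group(2), "%Y%m%d_%H:%M:%S"),
                   "started": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")}
            runs.append(cur)
        elif cur and (m := FIND.search(line)):
            cur["find_secs"] = int(m.group(1))
        elif cur and (m := REPORT.search(line)):
            cur["report_secs"] = int(m.group(1))
    return runs


def check_health(runs, interval=300):
    """Return warnings; an empty list means FlowScan is keeping up with the capture interval (assumed 300 s)."""
    warnings = []
    for r in runs:
        if r["find_secs"] is None or r["report_secs"] is None:
            # the last record may simply be in progress when the log is tailed live
            warnings.append(f"{r['file']}: started but never finished (crash or hang?)")
            continue
        total = r["find_secs"] + r["report_secs"]
        if total >= interval:  # slower than files arrive: the unprocessed backlog only grows
            warnings.append(f"{r['file']}: {total}s to process a {interval}s file")
        lag = (r["started"] - r["file_time"]).total_seconds()
        if lag > 2 * interval:  # normal pickup is roughly one interval after the file's start time
            warnings.append(f"{r['file']}: picked up {int(lag)}s after capture, backlog present")
    return warnings
```

Run it over `tail -n 200 /var/log/flowscan` from cron; the empty list is the healthy case, and the "never finished" warning for the newest file is normal only while that file is still being processed.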
--
Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body
Unsubscribe mailto:majordomo@net.doit.wisc.edu and say
"unsubscribe flowscan" in message body
Archive http://net.doit.wisc.edu/~plonka/list/flowscan/archive/
This archive was generated by hypermail 2b25 : Tue Sep 02 2003 - 18:01:27 CDT