using flow-tools for ad hoc flow reports (was "Re: toptalkers over a longer timespan")

Dave Plonka plonka at doit.wisc.edu
Mon Feb 10 13:20:14 EST 2003 

FlowScan users,
[Argus users, please forgive the cross-post.
 I think you'll find it pertinent towards the end though.]

Over the past years, a number of you have asked for additional FlowScan
reports, such as this:

   On Wed, Jan 08, 2003 at 10:43:39AM -0500, Matthew Deatherage wrote:
   > Any suggestions on generating a TopTalkers report for a given time 
   > span?  I'd be interested in a report on the top talker for a week or month.

Such ad hoc reports can be generated fairly easily using the flow-stat
reporting utility supplied with Mark Fullmer's excellent flow-tools
package.  The flow-tools package is available here:

   http://www.splintered.net/sw/flow-tools/

For instance, to produce a "Top Talkers" report for a whole day,
sorted, descending by bytes, one can run:

   ft_flows$ flow-cat ft-v05.2003-02-10.*0 | flow-stat -f9 -S2 >/tmp/flow-stat_2003-02-10.txt

I've attached the first 22 lines of that output file as a sample which
show the "Top Ten Talkers" (anonymized IP addresses), please check it out.

flow-stat's "-f9" option selects a report by source IP address, and
"-S2" causes it to sort descending by column 2, which is bytes for this
report.  Do "man flow-stat" to see all of the reports and options.

ARGUS AND CFLOWD USERS:

You can use flow-tools' flow-stat reports *even if* you are using
cflowd or argus rather than flow-tools' flow-capture as your flow
collector.  With my flowdumper utility, supplied with the Cflow
package:

   http://net.doit.wisc.edu/~plonka/Cflow/

you can convert argus records to cflowd's v5 format, and with Mark
Fullmer's flow-import tool (included with flow-tools) can convert from
cflowd's raw file format to flow-tools, enabling you to convert amongst
the various flow file formats and even to use the utilities in a
pipeline:

   cflowd_flows$ cat flows.20030210_*0 |flow-import -V5 -f0 | flow-stat -f9 -S2 ...

   argus_flows$ flowdumper -r argus.20030210.* |flow-import -V5 -f0 | flow-stat -f9 -S2 ...

Anyway, my point is, if you're doing *anything* with flow records, its
quite useful to have flow-tools installed on the localhost.  Otherwise
it's like running a Un*x box without having installed commands such
sed, awk, and grep.

Hope this helps,
Dave

P.S. sorry for the delay Matt ;^)

-- 
plonka at doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: flow-stat-f9-S2_head-22.txt
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20030210/a652b344/attachment.txt>

More information about the argus mailing list