create monthly overview

Dave Plonka plonka at doit.wisc.edu
Tue Jun 6 11:57:24 EDT 2006


Hi Robin,

Keep in mind that I'm not even pretending to know anything about argus'
reporting tools.  My response is below.  (It might be interesting to
compare methods proposed by others as follow-ups.)

On Tue, Jun 06, 2006 at 02:52:27PM +0200, Robin Gruyters wrote:
> 
> I'm looking for a way to generate a monthly overview which contains  
> total bytes per protocol of each (sub)net range. (ragator, rmon,  
> rsort, ... ?!)
> 
> Can anyone help me with this?

I can think of a couple ways to do this:

1) You could write a perl script that uses the Cflow module to
read argus flow files and uses Net::Patricia to maintain a data
structure of subnets for fast lookups.  However, this would be more
appropriate to get the report you ask for a given flow file, or small
set.  You'd have to find some way to do the aggregation yourself,
otherwise it would take quite some time to produce the report.

   http://net.doit.wisc.edu/~plonka/Cflow/
   http://net.doit.wisc.edu/~plonka/Net-Patricia/ (also on CPAN)

There are examples of how to use Net::Patricia with Cflow in the
flowdumper documentation - which comes with the Cflow module:
   http://net.doit.wisc.edu/~plonka/Cflow/flowdumper_pod.html

2) Another way to do it would be to run FlowScan, with either its
included SubNetIO report (which reports on subnets) or CUflow, or one
of the other 3rd party FlowScan reports.

The example here doesn't use SubNetIO, but it gives you the gist:

   http://net.doit.wisc.edu/~plonka/FlowScan/new/argus/

FlowScan would continually process the argus flow data, and keep
counters in RRD files, like MRTG, allowing you to report and graph
averages or five-minute maximums for whatever time/date range you'd
like.

The configuration would be essentially the same as if you were
receiving NetFlow data directly from a router and collecting them with
flow-tools, which is a very popular configuration for network
operators.  (Whether that is a benefit or a hindrance is up to you.)

Dave

-- 
plonka at doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI
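
The aggregation described in option 1, as an added example that is not part of the original message: it totals bytes per month, subnet and protocol using a longest-prefix lookup. It is written in Python with only the standard library, standing in for Cflow and Net::Patricia; the subnet list, flow records and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed subnet list (assumption; replace with your own ranges). IPv4 only.
SUBNETS = ["10.1.0.0/16", "10.1.2.0/24", "192.0.2.0/24"]

# Constructed flow records: (month, src, dst, IP protocol number, bytes).
FLOWS = [
    ("2006-05", "10.1.2.7", "198.51.100.9", 6, 1500),
    ("2006-05", "198.51.100.9", "10.1.2.7", 6, 40000),
    ("2006-05", "10.1.9.3", "192.0.2.53", 17, 120),
    ("2006-06", "10.1.9.3", "203.0.113.5", 1, 84),
    ("2006-05", "203.0.113.5", "198.51.100.9", 6, 999),  # matches no subnet
]
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def build_table(cidrs):
    """Index networks as {prefix length: {network address as int: network}}."""
    table = defaultdict(dict)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        table[net.prefixlen][int(net.network_address)] = net
    return table

def longest_match(table, addr):
    """Return the most specific configured subnet containing addr, or None."""
    ip = int(ipaddress.ip_address(addr))
    for plen in sorted(table, reverse=True):      # try longest prefixes first
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        net = table[plen].get(ip & mask)
        if net is not None:
            return net
    return None

def monthly_overview(flows, cidrs):
    """Sum bytes keyed by (month, subnet, protocol name)."""
    table = build_table(cidrs)
    totals = defaultdict(int)
    for month, src, dst, proto, nbytes in flows:
        # Credit each endpoint's subnet; the set prevents double counting
        # when both endpoints fall in the same subnet.
        nets = {longest_match(table, src), longest_match(table, dst)} - {None}
        for net in nets:
            totals[(month, str(net), PROTO_NAMES.get(proto, str(proto)))] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for key, total in sorted(monthly_overview(FLOWS, SUBNETS).items()):
        print(*key, total)
```

Flows whose endpoints match no configured subnet are dropped from the report; add a 0.0.0.0/0 entry to the subnet list to count them under a catch-all.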


