[flow-tools] Re: flow-tools digest, Vol 1 #99 - 14 msgs
Heiko Brey
cico@nbd-net.de
Mon, 13 Jan 2003 14:04:42 +0100 (MET)
unsubscribe wzun8laf cico@pin-net.de
unsubscribe wzun8laf cico@nbd-net.de
end
On Mon, 13 Jan 2003 flow-tools-request@splintered.net wrote:
> Date: Mon, 13 Jan 2003 07:38:16 -0500 (EST)
> From: flow-tools-request@splintered.net
> Reply-To: flow-tools@splintered.net
> To: flow-tools@splintered.net
> Subject: flow-tools digest, Vol 1 #99 - 14 msgs
>
> Send flow-tools mailing list submissions to
>     flow-tools@splintered.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://www.pairlist.net/mailman/listinfo/flow-tools
> or, via email, send a message with subject or body 'help' to
>     flow-tools-request@splintered.net
>
> You can reach the person managing the list at
>     flow-tools-admin@splintered.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of flow-tools digest..."
>
>
> Today's Topics:
>
> 1. Re: reports considerations with NAT (Horatio B. Bogbindero)
> 2. Re: reports considerations with NAT (Systems Administrator)
> 3. flow-tools and netflow v9 again ... (Frederic.Loui@equant.com)
> 4. Re: reports considerations with NAT (Systems Administrator)
> 5. flow-report ip-destination-address-source-count broken? (Russell Dwarshuis)
> 6. Re: flow-tools and netflow v9 (Bill Fumerola)
> 7. Flow-report output formatting (stefano.belpoliti@katamail.com)
> 8. reporting (Jürgen Hoffmann)
> 9. Re: reporting (Clayton Fiske)
> 10. New User Getting Started on Solaris (Jeffrey G. Fitzwater)
> 11. Filter flows (Mike Hyde)
> 12. Re: Flow-report output formatting (Systems Administrator)
> 13. Re: Flow-report output formatting (Bill Fumerola)
> 14. Re: Flow-report output formatting (Nitzan Tzelniker)
>
> --__--__--
>
> Message: 1
> Date: Wed, 8 Jan 2003 08:16:25 +0800
> From: "Horatio B. Bogbindero" <wyu@ateneo.edu>
> To: ctc <corban@wirednation.com>
> Cc: flow tools list <flow-tools@splintered.net>
> Subject: Re: [flow-tools] reports considerations with NAT
>
> Quoting ctc <corban@wirednation.com>:
>
> > Is there anything I need to be wary of if I decide to run NAT on the same
> > router I'm collecting flows on? I'm running a cisco 2651. IOS
> > 12.0(something).
> > I want to generate reports with the pre-nat address.
> > Anyone have experience with this?
> >
> just make sure you use either the filter option of flow-report/flow-nfilter or
> flow-filter to filter the interfaces you would like to listen to. that would
> mean filtering out the interface with NAT attached.
>
>
> -----------------------------------------------
> William Emmanuel S. Yu
> Ateneo Campus Network Group (AteneoCNG)
> email : wyu at ateneo dot edu
> web : http://CNG.ateneo.net/cng/wyu/
> phone : +63(2)4266001-4186
> GPG : http://CNG.ateneo.net/cng/wyu/wyy.pgp
>
>
>
> --__--__--
>
> Message: 2
> From: "Systems Administrator" <sysadmin@sunet.com.au>
> To: "Horatio B. Bogbindero" <wyu@ateneo.edu>,
>     <flow-tools@splintered.net>
> Subject: Re: [flow-tools] reports considerations with NAT
> Date: Wed, 8 Jan 2003 16:27:25 +1100
>
> Not quite as easy as you make it sound. I've just spent 2 weeks banging
> my head against this, and I think I've finally got it licked, but not sure
> yet.
>
> Anyway, NAT happens before Netflow, so it will only record the global
> addresses. What I did to get around this was this:
>
> Netflow on ATM1/0.2
>
> NAT inside on Loopback0
>
> NAT outside on other interfaces
>
> route-map nat-loop permit 10
>  match ip address 152
>  set interface Loopback0
>
> And on ATM1/0.2:
> ip policy route-map nat-loop
>
> Anyway, it seems to be doing the NAT correctly and recording some flow
> info. But we'll see how it continues.
>
> :)
>
> Tim Nelson
> Systems Administrator
> Sunet Internet
> Tel: +61 3 5241 1155
> Fax: +61 3 5241 6187
> Web: http://www.sunet.com.au/
> Email: sysadmin@sunet.com.au
>
> --__--__--
>
> Message: 3
> To: flow-tools@splintered.net
> From: Frederic.Loui@equant.com
> Date: Wed, 8 Jan 2003 10:55:58 +0100
> Subject: [flow-tools] flow-tools and netflow v9 again ...
>
> First of all...
> Happy new year and my best wishes for 2003!
>
> Actually I downloaded the netflow v9 spec from www.cisco.com and asked cisco
> for more information related to the v9 implementation.
>
> The interesting thing (apart from being template based) about the new netflow
> implementation is that it is "MPLS AWARE".
> Pragmatically, it means that netflow will export:
> - MPLS labels (up to 3 levels of stacked labels and their respective type:
>   FRR, VPN labels etc...)
> - positions of the above labels in the stack
> - type of the label
> - IP address associated with the top label
>
> These are interesting fields in an MPLS VPN environment,
> especially when you want to build a Traffic MATRIX per PE (Provider Edge
> router) and VPN (in the MPLS terminology) for example.
>
> I'll try to adapt the code (your code) of flow-tools
> in order to suit the cisco v9 spec (if you don't mind of course ...).
>
> If I can successfully understand and adapt the code of flow-tools,
> I'll test it in our lab and I'll revert to you and provide you the code
> using cvs if you want.
> (It will take some time for me to take over your code,
> hence you'll probably be a quicker and better developer than me ;-) !!)
>
> If you have any idea or if you've already begun to study v9 and IPFIX,
> please let me know to what extent I can help you in developing
> flow-tools related to the v9 protocol (if you feel that you need help of
> course ...).
>
> By the way, do you have other documentation related to flow-tools except
> the man page and the source code? (detailed spec, global spec, diagram
> etc ...)
>
> Thanks in advance for your involvement
> in such a good product as flow-tools.
>
> Bgrds/Frederic
>
> ---------------------------------------------------------
> maf@eng.oar.net wrote,
>
> NetFlow V9 and/or IPFIX support will be added when the protocols are
> ready...
>
> Are there any specific features of V9 you're looking for?
>
> mark
>
> On Tue, Dec 31, 2002 at 10:48:12AM +0100, Frederic.Loui@equant.com wrote:
> > Hello all,
> >
> > Congratulations on the flow-tools suite!
> > I've just 1 question: will flow-tools support the v9 version?
> > I've heard that cisco is currently releasing a new (beta ?) IOS version.
> >
> > Bgrds/Frederic
> >
> >
> >
> > _______________________________________________
> > flow-tools@splintered.net
> > http://www.splintered.net/sw/flow-to
>
>
>
> --__--__--
>
> Message: 4
> From: "Systems Administrator" <sysadmin@sunet.com.au>
> To: "Systems Administrator" <sysadmin@sunet.com.au>,
>     "Horatio B. Bogbindero" <wyu@ateneo.edu>, <flow-tools@splintered.net>
> Subject: Re: [flow-tools] reports considerations with NAT
> Date: Thu, 9 Jan 2003 14:58:48 +1100
>
> Looks like I was wrong -- this didn't fix the problem. I've found about
> 15-20 people asking the same question somewhere on the 'Net or in Google
> Groups, but there were no useful answers. Let us know if you get anything.
>
> Thanks,
>
> Tim Nelson
> Systems Administrator
> Sunet Internet
> Tel: +61 3 5241 1155
> Fax: +61 3 5241 6187
> Web: http://www.sunet.com.au/
> Email: sysadmin@sunet.com.au
>
> --__--__--
>
> Message: 5
> Date: Thu, 9 Jan 2003 11:50:51 -0500 (EST)
> From: Russell Dwarshuis <rjd@merit.edu>
> To: flow-tools@splintered.net
> Subject: [flow-tools] flow-report ip-destination-address-source-count broken?
>
> I'm not getting anything useful out of ip-destination-address-source-count
> from flow-report. With similar configurations (in the same config file) I
> get valid reports for all other reports I've tried, including
> ip-source-address-destination-count and ip-destination-address.
>
> I'm using version 0.63 with the patch at
> http://www.pairlist.net/pipermail/flow-tools/2002-December/000928.html
>
> When fed previously tagged flows,
> flow-cat ft-v1005.2003-01-08.* | flow-report -s /tmp/stat.conf -S report0
> gives:
> # recn: ip-destination-address,flows,octets,packets,duration
> 0.0.0.31,939407,895335817,2628906,7736751156
>
> /tmp/stat.conf:
> include-filter /tmp/filter.conf
>
> stat-report SUBNET-BB_ip-destination-address-source-count
>  filter SUBNET-BB_dst
>  type ip-destination-address-source-count
>  output
>   path /private2/raw_reports/%Y/%m/%d/SUBNET-BB_ip-destination-address-source-count
>
> stat-definition report0
>  report SUBNET-BB_ip-destination-address-source-count
>
> /tmp/filter.conf:
> filter-primitive SUBNET-BB
>  type tag
>  permit 0x100F
>
> filter-definition SUBNET-BB_src
>  match src-tag SUBNET-BB
> filter-definition SUBNET-BB_dst
>  match dst-tag SUBNET-BB
> filter-definition SUBNET-BB
>  match src-tag SUBNET-BB
>  or
>  match dst-tag SUBNET-BB
>
>
> -----------
> Thanks in advance,
>
> -Russell Dwarshuis
>
>
> --__--__--
>
> Message: 6
> Date: Thu, 9 Jan 2003 21:14:23 -0800
> From: Bill Fumerola <billf@mu.org>
> To: Mark Fullmer <maf@eng.oar.net>
> Cc: flow-tools@splintered.net
> Subject: Re: [flow-tools] flow-tools and netflow v9
> Reply-To: Bill Fumerola <billf@mu.org>
>
> On Sun, Jan 05, 2003 at 12:46:01PM -0500, Mark Fullmer wrote:
> > NetFlow V9 and/or IPFIX support will be added when the protocols are ready...
>
> speaking of which, does anyone have traffic capture files (libpcap, etc.)
> of netflow v9 traffic? i'd like to extend the ethereal dissector to read
> v9 but would like some reference packets..
>
> thanks,
> -- 
> - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
>
>
> --__--__--
>
> Message: 7
> From: "stefano.belpoliti@katamail.com" <stefano.belpoliti@katamail.com>
> To: flow-tools@splintered.net
> Date: Fri, 10 Jan 2003 14:48:12 NFT
> Subject: [flow-tools] Flow-report output formatting
>
> Hi everyone in the mailing list,
> It's the first time I write here and I'm just studying flow-tools to have
> good statistics from Cisco Routers.
> Flow-tools is quite simple but really very efficient. I like it. It's a great tool!
>
> Maybe I'm going to ask something stupid, but I'd like to know if it's possible
> to have the output produced by flow-report formatted in a different manner:
> the values separated by TAB or spaces (just to plot these with gnuplot) instead
> of commas.
>
> Can anyone help me?
>
> Thanks in advance,
> Stefano Belpoliti
>
>
> --__--__--
>
> Message: 8
> From: Jürgen Hoffmann <jh@byteaction.de>
> To: <flow-tools@splintered.net>
> Date: Fri, 10 Jan 2003 16:01:07 +0100
> Organization: ByteAction GmbH
> Subject: [flow-tools] reporting
>
> Hi All,
>
> I have set up flow-capture and receive data wonderfully thanks to your
> great work. I can get the general reports, no problem. Everything is
> working fine. I have a different need for the statistics though. I have
> set up a mysql Database with my customer networks. Now I want to gather
> TCP Information and present it to my customers. So I thought I'd set up a
> filter for each customer and the traffic generated by his network on the
> standard tcp ports but cannot get the filter to work.
> After this I want to write the Data back to the DB out of which I
> present the collected data cumulatively in a browser. This is all set up
> and will work. Except for the filter =(
>
> Can anyone help me with this?
>
> Kind regards
>
> Jürgen Hoffmann
> Head of Software Development
> (cert. Java Programmer)
> (cert. Perl Programmer)
> (cert. Linux Systems Administrator)
>
> ByteAction GmbH
> Altheimerstr. 47
> 64839 Münster
> HRB33271
> mobile: +49 (0) 163 29 83 002
> phone: 0700 byteaction / 0700 29832284
> fax: 0700 29832284
> Email: jh@byteaction.de
> Internet: www.byteaction.de
> --------------------------------------------------------------------------
> This communication is intended only for the party to whom
> it is addressed, and may contain information which is privileged or
> confidential. Any other delivery, distribution, copying or disclosure is
> strictly prohibited and is not a waiver of privilege or confidentiality.
> If you have received this telecommunication in error, please notify the
> sender immediately by return electronic mail and destroy the message.
> --------------------------------------------------------------------------
>
>
> --__--__--
>
> Message: 9
> Date: Fri, 10 Jan 2003 09:47:41 -0800
> From: Clayton Fiske <clay@bloomcounty.org>
> To: flow-tools@splintered.net
> Subject: Re: [flow-tools] reporting
>
> Can you show us your current filter?
>
> What sort of TCP information do you want? Source port? Destination port?
>
> -c
>
>
> --__--__--
>
> Message: 10
> Date: Fri, 10 Jan 2003 13:53:40 -0500
> From: "Jeffrey G. Fitzwater" <jfitz@Princeton.EDU>
> To: flow-tools <flow-tools@splintered.net>
> Subject: [flow-tools] New User Getting Started on Solaris
>
> Hello all,
> I am a member of the Network group at Princeton
> University and have been looking for a product, other than costly CISCO,
> to do netflow analysis. It looks like FLOW-TOOLS is a very
> good product with lots of user support. I would like
> to give it a test drive on my UNIX Solaris box running 2.8. I am
> not sure, after looking at all the info, as to what exactly I need to download
> for this platform. Is the code platform specific or is
> it all written in Perl?
>
> I would appreciate any help in getting started.
>
> Thank you,
>
> Jeff Fitzwater
> OIT Systems & Networking
> Princeton University
>
>
> --__--__--
>
> Message: 11
> From: Mike Hyde <mhyde@escape.ca>
> To: flow-tools <flow-tools@splintered.net>
> Organization:
> Date: 10 Jan 2003 13:55:04 -0600
> Subject: [flow-tools] Filter flows
>
> Is there a way to show flows that do not match a filter list? I am
> missing some networks from my filter list and was hoping to make a list
> of everything not found with the filter list.
>
>
> Mike
>
> -- 
> Mike Hyde <mhyde@escape.ca>
>
>
> --__--__--
>
> Message: 12
> From: "Systems Administrator" <sysadmin@sunet.com.au>
> To: <stefano.belpoliti@katamail.com>, <flow-tools@splintered.net>
> Subject: Re: [flow-tools] Flow-report output formatting
> Date: Mon, 13 Jan 2003 09:08:32 +1100
>
> Without looking at the output of flow-report ( :op ), I'd suggest piping
> it to
>
> | perl -pe 's/,/\t/g'
>
> Wouldn't that work?
>
> Tim Nelson
> Systems Administrator
> Sunet Internet
> Tel: +61 3 5241 1155
> Fax: +61 3 5241 6187
> Web: http://www.sunet.com.au/
> Email: sysadmin@sunet.com.au
>
> --__--__--
>
> Message: 13
> Date: Fri, 10 Jan 2003 17:32:09 -0800
> From: Bill Fumerola <billf@mu.org>
> To: "stefano.belpoliti@katamail.com" <stefano.belpoliti@katamail.com>
> Cc: flow-tools@splintered.net
> Subject: Re: [flow-tools] Flow-report output formatting
>
> On Fri, Jan 10, 2003 at 02:48:12PM +0000, stefano.belpoliti@katamail.com wrote:
>
> > Maybe I'm going to ask something stupid, but I'd like to know if it's possible
> > to have the output produced by flow-report formatted in a different manner:
> > the values separated by TAB or spaces (just to plot these with gnuplot)
> > instead of commas.
>
> nothing struck me as immediately obvious in flow-report(1), but this is
> something that can very easily be accomplished using sed(1) (or perl,
> if that's your thing) before you pass the output to gnuplot.
>
> if you need help with the syntax, mail me privately.
>
> -- 
> - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
>
>
> --__--__--
>
> Message: 14
> From: "Nitzan Tzelniker" <nitzan@tzel.net>
> To: <flow-tools@splintered.net>
> Subject: Re: [flow-tools] Flow-report output formatting
> Date: Sat, 11 Jan 2003 19:19:46 +0200
>
> you can't change the output format
> but you can pipe it to a perl script and then make html output, rrd graphs
> or, as you want, separate the values by tab
>
> --__--__--
>
> _______________________________________________
> flow-tools mailing list
> flow-tools@splintered.net
> http://www.pairlist.net/mailman/listinfo/flow-tools
>
>
> End of flow-tools Digest
>
----
(I categorically refuse the storage of my personal data for advertising
purposes as well as its forwarding to third parties! § 14 para. 2 sentence 2,
§ 4 para. 2, § 28 para. 3 BDSG)
Under § 823 BGB, the sending of unsolicited advertising e-mail or fax
advertising is an infringement of personality rights and furthermore, under
§ 1004 BGB, a violation of property rights.
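The flow-report output format quoted in messages 5, 7 and 12 of the digest above (a `# recn:` comment header naming the columns, then one comma-separated record per line) can be turned into the whitespace-separated form gnuplot reads while keeping the column names and catching records with the wrong number of fields. This is an added example, not flow-tools code; the sample input is constructed from the record Russell Dwarshuis quoted, with a second made-up row.

```python
"""Convert flow-report (flow-tools) output from comma- to tab-separated text.

flow-report prints a comment header naming the columns, e.g.
    # recn: ip-destination-address,flows,octets,packets,duration
followed by one comma-separated record per line. gnuplot reads
whitespace-separated columns and ignores '#' lines, so the header is
kept as a '#' comment and every record becomes one TSV row.
"""
import sys
from typing import Iterable, List, Tuple

RECN_PREFIX = "# recn:"


def parse_flow_report(lines: Iterable[str]) -> Tuple[List[str], List[List[str]]]:
    """Return (column names, records) parsed from flow-report output.

    Other '#' comment lines and blank lines are skipped. A record whose
    field count differs from the header is rejected rather than emitted
    as a misaligned row that gnuplot would silently misplot.
    """
    columns: List[str] = []
    records: List[List[str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith(RECN_PREFIX):
            columns = [c.strip() for c in line[len(RECN_PREFIX):].split(",")]
            continue
        if line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if columns and len(fields) != len(columns):
            raise ValueError(
                f"expected {len(columns)} fields, got {len(fields)}: {line!r}")
        records.append(fields)
    return columns, records


def to_tsv(columns: List[str], records: List[List[str]]) -> str:
    """Render the parsed report as TSV, header first as a '#' comment."""
    out: List[str] = []
    if columns:
        out.append("# " + "\t".join(columns))
    out.extend("\t".join(rec) for rec in records)
    return "\n".join(out) + "\n"


# Constructed sample input, modelled on the record quoted in the digest;
# the second line is made up to show a multi-record report.
SAMPLE = """# recn: ip-destination-address,flows,octets,packets,duration
0.0.0.31,939407,895335817,2628906,7736751156
192.0.2.10,12,3400,40,1500
"""

if __name__ == "__main__":
    # Read a real report from stdin when piped, otherwise use the sample:
    #   flow-cat ft-* | flow-report -s stat.conf -S report0 | python3 this.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    cols, recs = parse_flow_report(text.splitlines())
    sys.stdout.write(to_tsv(cols, recs))
```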