Posted on Monday, 29th December 2008 by sean
The last article used flow-nfilter and some variable substitution to pull out all flows to a particular address.
The next useful thing would be to pull out all flows to or from a particular network. To do so, we'll define a new primitive whose value is a variable network prefix, and then a filter that matches traffic with either its source or its destination in that prefix.
flow-nfilter provides two primitives, the ip-address-mask and ip-address-prefix. The mask expects a traditional netmask (255.255.255.0), while the prefix expects CIDR notation (/24). I like the latter.
The primitive follows the same pattern as the earlier ones, with the value supplied by variable substitution:
  filter-primitive VAR_PREFIX
    type ip-address-prefix
    permit @{ADDR}
The filter is then
  filter-definition ip-addr
    match ip-destination-address VAR_PREFIX
    or
    match ip-source-address VAR_PREFIX
The "or" keyword joins the two match lines so that a flow passes if either condition holds; consecutive match lines without it must all hold, which here would only match flows whose source and destination are both inside the prefix.
This filter will let you
The flow-report tool reads its report definitions from /etc/flow-tools/cfg/stat.cfg and prints a summary of the flows it is given on stdin. It can also bucket the summary by time. Here's a report of all the conversations per 10 minute interval, sorted by number of octets:
  stat-report talkers
    type ip-source/destination-address
    output
      sort +octets
      fields +other
      path /tmp/talkers
  stat-definition talkers
    time-series 600
    report talkers
The command line is then (-F selects the filter definition, -v binds the ADDR variable, and -S selects the stat definition):
flow-cat /var/flow-tools/ft-v05.2008-12-28.* | flow-nfilter -F ip-addr -v ADDR=172.16.128.0/17 | flow-report -S talkers
This will summarize the conversations for traffic to or from the 172.16.128.0/17 network into /tmp/talkers. Because the filter matches on source or destination and the report key is the ordered (source, destination) pair, each conversation shows up as two lines, one per direction. A report like this can be fed into another script to generate data for graphing, or read by hand to find out who was talking during the period of interest.
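To check what the filter and the time-series report above actually do, here is a small Python re-implementation of both, run over a handful of constructed flow records. This is an added example, not flow-tools code and not flow-report's output format; it assumes a flow is (start time, source, destination, octets), that a flow lands in the 600-second bucket of its start time, and that "sorted by octets" means largest first.

```python
# Added example (not flow-tools code): Python re-implementation of the
# "to or from prefix" filter and the talkers time-series report, so their
# semantics can be checked without running flow-nfilter/flow-report.
# Assumptions: a flow is (start_time, src, dst, octets); a flow is placed
# in the bucket of its start time; "sorted by octets" means largest first.
import ipaddress
from collections import defaultdict

# Constructed sample flows (not captured data). 172.16.128.0/17 spans
# 172.16.128.0 - 172.16.255.255, so 172.16.1.1 is deliberately outside it.
SAMPLE_FLOWS = [
    (1230422400, "172.16.130.5", "10.0.0.9", 1500),
    (1230422410, "10.0.0.9", "172.16.130.5", 300000),
    (1230422450, "192.168.1.2", "8.8.8.8", 800),        # neither side in prefix
    (1230422500, "172.16.130.5", "10.0.0.9", 2500),     # same key as first flow
    (1230423100, "172.16.200.7", "10.0.0.9", 45000),
    (1230423200, "172.16.1.1", "10.0.0.9", 99999),      # 172.16.0.0/17, not ours
    (1230423300, "10.0.0.9", "172.16.255.250", 7000),
]


def normalize_network(spec):
    """Accept either the netmask form (written here as address/netmask for
    Python's ipaddress module; ip-address-mask takes a netmask) or the CIDR
    form (172.16.128.0/17, what ip-address-prefix takes) and return one
    canonical network object, so both spellings compare equal."""
    return ipaddress.ip_network(spec, strict=True)


def to_or_from_prefix(flows, prefix):
    """Equivalent of the ip-addr filter: keep a flow if its source OR its
    destination address falls inside the prefix bound to ADDR."""
    net = normalize_network(prefix)
    return [f for f in flows
            if ipaddress.ip_address(f[1]) in net
            or ipaddress.ip_address(f[2]) in net]


def talkers_report(flows, interval=600):
    """Equivalent of the talkers stat-definition: time-series <interval>
    buckets, keyed on the ordered (source, destination) pair as with
    type ip-source/destination-address, octets summed per key, each bucket
    sorted largest first. Returns {bucket_start: [((src, dst), octets), ...]}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for start, src, dst, octets in flows:
        bucket = start - (start % interval)
        buckets[bucket][(src, dst)] += octets
    return {b: sorted(keys.items(), key=lambda kv: kv[1], reverse=True)
            for b, keys in buckets.items()}


def format_report(report):
    """Plain-text rendering: a header line per bucket, then one line per
    conversation. The layout is this example's own, not flow-report's."""
    lines = []
    for bucket in sorted(report):
        lines.append("# bucket starting %d" % bucket)
        for (src, dst), octets in report[bucket]:
            lines.append("%-16s %-16s %d" % (src, dst, octets))
    return lines


if __name__ == "__main__":
    matched = to_or_from_prefix(SAMPLE_FLOWS, "172.16.128.0/17")
    print("\n".join(format_report(talkers_report(matched))))
```

Running it shows the two directions of the 172.16.130.5 / 10.0.0.9 conversation as separate lines in the first bucket, and the 172.16.1.1 flow dropped because 172.16.1.1 is in 172.16.0.0/17, not 172.16.128.0/17.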
Posted in Network Management
