Posted on Thursday, 19th February 2009 by sean
As I dig into flow-tools a bit more, I’m finding easier ways of doing things. For example, the same command line variable substitution that I’ve used to filter IP addresses with flow-nfilter can be used to generate different reports with flow-report.
In /etc/flow-tools/cfg/stat.cfg the default report is:
stat-report default
  type @{TYPE:-summary-detail}
  output
    format ascii
    sort @{SORT:-+}
    fields @{FIELDS:-+}
    options @{OPTIONS:-+header,+xheader,+totals}
    path |flow-rptfmt @{RPTOPT:--f ascii}

stat-definition default
  report default
This is a fairly generic report. But notice that many of the options can be overridden. For example, type @{TYPE:-summary-detail} means that the report type defaults to “summary-detail”, but it can be overridden on the command line with -v TYPE=...
The following will produce a report of all the hosts a particular IP talked to:
flow-cat ft* | flow-nfilter -F ip-src-addr -v ADDR=x.x.x.x | flow-report -v TYPE=ip-source/destination-address
- flow-cat ft* – concatenates all the netflow files in the directory and writes them to the pipe
- flow-nfilter -F ip-src-addr -v ADDR=x.x.x.x – filter out everything except the source x.x.x.x
- flow-report -v TYPE=ip-source/destination-address – generates an ip-source/destination-address report (since we’ve only got one IP as an input to this, an ip-destination-address report might have worked just as well)
Another one which I’ve just used:
flow-cat ft* | flow-nfilter -F ip-src-net -v ADDR=x.x.x.0/24 | flow-report -v TYPE=ip-source-address -v SORT=+octets
- flow-cat ft* – concatenates all the netflow files in the directory and writes them to the pipe
- flow-nfilter -F ip-src-net -v ADDR=x.x.x.0/24 – filter out everything except stuff coming from x.x.x.0/24 (this filter was created in the previous post)
- flow-report -v TYPE=ip-source-address -v SORT=+octets – summarize on source address, and sort by octets to give the top talkers in the subnet
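To check what the default report turns into for a given set of -v arguments, the following added example (not from the original post and not flow-tools code) expands the @{NAME:-default} placeholders in the stat.cfg quoted above. It assumes a variable not passed with -v takes the text after ":-"; the function names are made up for this illustration.

```python
import re

# Default report from /etc/flow-tools/cfg/stat.cfg, as quoted in the post.
STAT_CFG = """\
stat-report default
  type @{TYPE:-summary-detail}
  output
    format ascii
    sort @{SORT:-+}
    fields @{FIELDS:-+}
    options @{OPTIONS:-+header,+xheader,+totals}
    path |flow-rptfmt @{RPTOPT:--f ascii}
"""

# Matches only the @{NAME:-default} form that appears in the post.
_VAR = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*):-([^}]*)\}")

def parse_v_args(argv):
    """Collect NAME=value pairs from '-v NAME=value' arguments."""
    overrides = {}
    args = iter(argv)
    for arg in args:
        if arg == "-v":
            pair = next(args, "")
            if "=" not in pair:
                raise ValueError("-v expects NAME=value")
            name, value = pair.split("=", 1)
            overrides[name] = value
    return overrides

def resolve(cfg, overrides):
    """Replace each @{NAME:-default} with the override or, if unset, the default."""
    # Assumption: a variable not passed with -v takes the text after ':-'.
    return _VAR.sub(lambda m: overrides.get(m.group(1), m.group(2)), cfg)

def effective_settings(cfg, overrides):
    """Map each directive that uses a variable to its resolved argument."""
    settings = {}
    for raw, done in zip(cfg.splitlines(), resolve(cfg, overrides).splitlines()):
        if _VAR.search(raw):
            key, _, value = done.strip().partition(" ")
            settings[key] = value
    return settings

if __name__ == "__main__":
    cli = ["-v", "TYPE=ip-source-address", "-v", "SORT=+octets"]
    for key, value in effective_settings(STAT_CFG, parse_v_args(cli)).items():
        print(f"{key:8} {value}")
```

Note that the default for RPTOPT is "-f ascii": the first "-" after the colon belongs to the ":-" operator, the second to the flow-rptfmt option.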

June 8th, 2009 at 1:04 am
your blog is awesome.