Extracted from flow-tools-0.68/debian/control:
==============================================
flow-tools - collects and processes NetFlow data
Flow-tools is library and a collection of programs used to collect,
send, process, and generate reports from NetFlow data. The tools can be
used together on a single server or distributed to multiple servers for
large deployments. The flow-toools library provides an API for
development of custom applications for NetFlow export versions 1,5,6 and
the 14 currently defined version 8 subversions. A Perl and Python
interface have been contributed and are included in the package.
A NetFlow is network traffic information exported (via UDP) to an external
machine. The external machine processes such information to produce network
traffic accounting, network billing, network monitoring, etc.
Homepage http://www.splintered.net/sw/flow-tools/
flow-tools-dev - development files for flow-tools
Flow-tools is library and a collection of programs used to collect,
send, process, and generate reports from NetFlow data. The tools can be
used together on a single server or distributed to multiple servers for
large deployments. The flow-toools library provides an API for
development of custom applications for NetFlow export versions 1,5,6 and
the 14 currently defined version 8 subversions. A Perl and Python
interface have been contributed and are included in the package.
This package contains the flow-tools libraries and headers.
Homepage http://www.splintered.net/sw/flow-tools/
libcflow-perl - perl module for analyzing raw IP flow files written by cflowd
This Perl module implements an API for analyzing flows in raw IP flow files
written by cflowd, a package used to collect Cisco NetFlow data.
Homepage: http://net.doit.wisc.edu/~plonka/Cflow/
Extracted from flow-tools-0.68/debian/changelog:
================================================
flow-tools (1:0.68-8.1) unstable; urgency=low
* NMU
* Backported to sarge, changed libpq-dev to postgresql-dev
-- Russell Stuart <russell-debian@NOSPAM> Tue, 20 Dec 2005 17:58:43 +1000
flow-tools (1:0.68-8) unstable; urgency=low
* Postgresql fixes in flow-export
* Clarifies the -m argument in the flow-export manpage
and fixes an example given for it (closes: #340493)
* New maintainers address
-- Radu Spineanu <radu@NOSPAM> Mon, 28 Nov 2005 23:07:55 +0200
flow-tools-0.68/debian/copyright:
=================================
Debian package created by Anibal Monsalve Salazar <anibal@NOSPAM>
It was downloaded from:
ftp://ftp.eng.oar.net/pub/flow-tools/
Web page on 19 December 2003:
http://www.splintered.net/sw/flow-tools/
Upstream Author:
Mark Fullmer <maf@NOSPAM>
Copyright (c) 2001 Mark Fullmer and The Ohio State University
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
Upstream Author of Cflow:
Dave Plonka <plonka@NOSPAM>
Copyright (C) 1998-2002 Dave Plonka
You are free to distribute this software under the terms of the GNU General
Public License. On Debian systems, the complete text of the GNU General
Public License can be found in /usr/share/common-licenses/GPL file.
flow-tools-0.68/debian/README.Debian:
=====================================
README
======
flow-tools is a set of programs for processing and managing NetFlow exports
from Cisco and Juniper routers. The software was originally written by
Mark Fullmer while working at Ohio State University. Steve Romig and the
OSU network security group have added documentation, functionality, and
provided feedback. OARnet and the Ohio ITEC have recently funded my
time to add version 8 PDU support and various other features.
If you are using flow-tools please subscribe to the mailing list by
sending a message to flow-tools-request@NOSPAM
flow-tools is currently available at http://www.splintered.net/sw/flow-tools
Mark Fullmer
maf@NOSPAM
Flow-capture configuration
--------------------------
The flow capturing utility of flow-tools, flow-capture, needs some
configuration in /etc/flow-tools/flow-capture.conf. I cannot at this moment
guess what you want in there, so you will have to edit that file manually.
Comments in the file will help you on your way.
After editing /etc/flow-tools/flow-capture.conf you can start
receiving flows by running '/etc/init.d/flow-capture start'.
You may also need to edit the files in /etc/flow-tools/{cfg,sym}.
CONFIGURING THE ROUTER
----------------------------
! enable cef
ip cef
ip cef distributed
!Turn on flow accounting for each input interface with the interface command
interface Fddi3/0
ip route-cache flow
interface atm3/0/0
ip route-cache flow
...
Verify the router is generating flow stats with the command
'show ip cache flow'. Note that for routers with distributed switching
(GSR's, 75XX's) the RP cli will only show flows that made it up to the RP.
To see flows on the individual linecards use the 'attach' or 'if-con' command
and issue the 'sh ip ca fl' on each LC.
IP packet size distribution (36242M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.002 .340 .084 .021 .020 .012 .009 .009 .008 .007 .006 .007 .004 .003 .004
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.002 .004 .035 .077 .338 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
4139 active, 61397 inactive, 712344771 added
871670181 ager polls, 0 flow alloc failures
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 1572735 0.3 58 127 21.4 27.0 14.8
TCP-FTP 6193502 1.4 24 746 35.3 3.6 9.0
TCP-FTPD 1458042 0.3 1534 833 520.9 42.4 4.2
TCP-WWW 93403998 21.7 19 633 432.9 4.9 6.3
TCP-SMTP 16123540 3.7 15 431 59.1 3.4 6.4
TCP-X 687228 0.1 238 276 38.1 20.8 14.3
TCP-BGP 1116819 0.2 3 45 0.7 5.3 16.0
TCP-NNTP 1455156 0.3 1102 176 373.4 106.1 11.9
TCP-Frag 3244 0.0 4 636 0.0 2.8 16.3
TCP-other 188162587 43.8 118 733 5204.5 11.1 6.9
UDP-DNS 38042100 8.8 3 84 27.3 3.8 16.4
UDP-NTP 18760129 4.3 1 76 5.3 1.3 16.3
UDP-TFTP 665 0.0 4 76 0.0 7.9 16.4
UDP-Frag 13111 0.0 2121 1108 6.4 366.8 13.5
UDP-other 195556237 45.5 35 343 1632.5 5.8 16.3
ICMP 149285440 34.7 2 64 72.9 0.9 16.5
IGMP 15315 0.0 167 32 0.5 1660.6 3.9
IPINIP 15112 0.0 35 52 0.1 275.3 14.2
GRE 127489 0.0 3 109 0.1 16.9 16.1
IP-other 348604 0.0 56 447 4.5 21.5 16.2
Total: 712341053 165.8 50 620 8436.8 6.2 12.2
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
AT4/0.1 128.146.225.194 AT1/0.2 128.194.203.23 06 0019 2CAF 15
AT2/0.10 129.22.250.148 AT1/0.2 129.2.226.43 06 04BA 1A20 1266
AT2/0.11 130.108.110.48 AT1/0.2 170.140.89.100 06 0923 10A3 436
AT1/0.2 170.140.89.100 AT2/0.11 130.108.110.48 06 10A3 0923 462
! Enable the exports of flows with the global commands
ip flow-export version 5 origin-as
ip flow-export 10.0.0.1 9990
! Enable the AS aggregation cache and export the aggregated flows to
! 10.0.0.1 port 9991
ip flow-aggregation cache as
export destination 10.0.0.1 9991
enabled
! Create a loopback interface if one does not exist
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
! Configure NetFlow export source address
!
ip flow-export source Loopback0
If you have tcpdump installed on or near the host you're using to capture
flows, the exports can be verified.
shattered:~% tcpdump -n udp port 9991
tcpdump: listening on le0
12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.962551 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.975115 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.984444 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.993956 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.003252 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.015483 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.024852 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.034182 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.043545 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.053239 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
flow-receive can be used to verify your host is receiving flows:
./flow-receive 0/0/9990 | ./flow-print
or
./flow-receive 0/0/9991 | ./flow-print
% ./flow-receive 0/0/9990 | ./flow-print | head -10
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets
60 206.204.84.9 00 10.0.135.63 06 15 5f0 2 88
00 10.0.135.63 60 206.204.84.9 06 5f0 15 16 787
60 206.204.84.9 00 10.0.135.63 06 15 5f0 13 1742
00 10.0.155.25 60 204.62.245.167 06 50 bae5 15 948
60 204.62.245.167 00 10.0.155.25 06 bae5 50 13 681
60 206.204.84.20 00 10.0.135.63 06 50 5ed 7 3494
60 206.204.84.20 00 10.0.135.63 06 50 5ef 6 401
60 206.204.84.20 00 10.0.135.63 06 50 5eb 11 9413
00 10.0.135.63 60 206.204.84.20 06 5ed 50 9 637
To store the flow exports on disk, use flow capture. The following will
store 15 minute compressed exports in /netflow/oar/krc3.v5 and begin
removing the oldest files after 3Gig of storage has been used.
mkdir -p /var/netflow/oar/krc3.v5
./flow-capture -w /var/netflow/oar/krc3.v5 -E3G 0/10.1.1.1/9990
The completed exports will begin with 'ft'. The current export file will
begin with 'tmp'. The 'ft' files can now be used with the other tools, ie
./flow-print < /var/netflow/oar/krc3.v8.1/ft-v08m01.2001-02-09.111502
flow-cat, flow-stat, and flow-filter can be combined to produce various
reports such as total bytes in the export period, source/destination
matrixes, per interface totals, etc.
flow-tools-0.68/README:
=======================
flow-tools is a set of programs for processing and managing NetFlow exports
from Cisco and Juniper routers. The software was originally written by
Mark Fullmer while working at Ohio State University. Steve Romig and the
OSU network security group have added documentation, functionality, and
provided feedback. OARnet and the Ohio ITEC have recently funded my
time to add version 8 PDU support and various other features.
For installation notes and a quick start please see INSTALL.
If you are using flow-tools please subscribe to the mailing list by
sending a message to flow-tools-request@NOSPAM
flow-tools is currently available at http://www.splintered.net/sw/flow-tools
Mark Fullmer
maf@NOSPAM
Name Last modified Size
![[DIR]](/icons/back.gif)
Parent Directory -
![[ ]](/icons/unknown.gif)
Contents-i386 09-Oct-2008 07:08 6.6K
Contents-i386.bz2 09-Oct-2008 07:08 771
![[ ]](/icons/compressed.gif)
Contents-i386.gz 09-Oct-2008 07:08 719
flow-tools-dev_0.68-8.1_i386.deb 22-Dec-2005 00:26 200K
flow-tools_0.68-8.1.diff.gz 22-Dec-2005 00:25 15K
flow-tools_0.68-8.1.dsc 22-Dec-2005 00:26 815
flow-tools_0.68-8.1_i386.changes 22-Dec-2005 00:26 1.3K
flow-tools_0.68-8.1_i386.deb 22-Dec-2005 00:26 1.1M
flow-tools_0.68.orig.tar.gz 25-May-2005 21:02 964K
libcflow-perl_0.68-8.1_i386.deb 22-Dec-2005 00:26 78K
override 22-Dec-2005 00:26 85
Packages 09-Oct-2008 07:08 2.7K
Packages.bz2 09-Oct-2008 07:08 1.2K
Packages.gz 09-Oct-2008 07:08 1.0K
Release 09-Oct-2008 07:08 847
Release.gpg 09-Oct-2008 18:41 189
Sources 09-Oct-2008 07:08 654
Sources.bz2 09-Oct-2008 07:08 478
Sources.gz 09-Oct-2008 07:08 441