Diferencia entre revisiones de «Análisis de tráfico»

De gacq wiki
Saltar a: navegación, buscar
(NetFlow)
(Analisis de trafico)
 
(No se muestran 8 ediciones intermedias de 2 usuarios)
Línea 1: Línea 1:
 +
=Herramientas=
 +
*[[Flowscan]]
 +
 +
 
=Analisis de trafico=
 
=Analisis de trafico=
==NetFlow==
+
Guias
Informacion
+
*http://www.gulag.org.mx/doc_netflow.php
*http://net.doit.wisc.edu/~plonka/lisa/FlowScan/
+
*http://www.dynamicnetworks.us/netflow/
*http://www.switch.ch/tf-tant/floma/software.html
+
 
 +
==ntop==
 +
ntop --set-admin-password
 +
*http://www.ntop.org
 +
http://localhost:3000/
 +
 
  
==flowscan==
 
http://www.caida.org/tools/utilities/flowscan/
 
Reportes de ejemplo:
 
*http://mrtg.uv.es/flowscan/
 
*http://wwwstats.net.wisc.edu/
 
*http://flowscan.frgp.net/
 
  
 
==flow-tools vs cflowd==
 
==flow-tools vs cflowd==
Línea 18: Línea 21:
 
*flow-tools is actively maintained, and supports newer NetFlow versions, including those from the popular Cisco Cat6K series platforms
 
*flow-tools is actively maintained, and supports newer NetFlow versions, including those from the popular Cisco Cat6K series platforms
  
== Analisis del trafico por una interface ethernet en un servidor debian ==
 
Fuente: http://www.prolixium.com/sitenews.php?id=482
 
 
<pre><nowiki>
 
apt-get install fprobe-ng flow-tools flowscan flowscan-cuflow flowscan-cugrapher rrdtool
 
mkdir -p /var/lib/netflow/ft
 
mkdir /var/lib/netflow/rrds
 
mkdir /var/lib/netflow/scoreboard
 
</nowiki></pre>
 
 
====/etc/flow-tools/flow-capture.conf====
 
<pre><nowiki>
 
-w /var/lib/netflow/ft -E 1G -N 0 -n 287 -S 60 -V 5 -z 9 0/0/555
 
</nowiki></pre>
 
 
====/etc/flowscan/flowscan.cf====
 
<pre><nowiki>
 
FlowFileGlob /var/lib/netflow/ft/ft-v05.*
 
ReportClasses CUFlow
 
WaitSeconds 30
 
Verbose 1
 
</nowiki></pre>
 
 
====/etc/flowscan/CUFlow.cf====
 
<pre><nowiki>
 
Subnet 192.168.0.0/24
 
Network 200.114.249.74/24 Internet
 
OutputDir /var/lib/netflow/rrds
 
Multicast
 
Scoreboard 10 /var/lib/netflow/scoreboard /var/lib/netflow/topten.html
 
AggregateScore 10 /var/lib/netflow/scoreboard/agg.dat /var/lib/netflow/scoreboard/overall.html
 
Router 127.0.0.1 geacequ
 
Service 20-21/tcp ftp
 
Service 22/tcp ssh
 
Service 23/tcp telnet
 
Service 25/tcp smtp
 
Service 53/udp,53/tcp dns
 
Service 80/tcp http
 
Service 110/tcp pop3
 
Service 119/tcp nntp
 
Service 143/tcp imap
 
Service 412/tcp,412/udp dc
 
Service 443/tcp https
 
Service 1214/tcp kazaa
 
Service 4661-4662/tcp,4665/udp edonkey
 
Service 5190/tcp aim
 
Service 6346-6347/tcp gnutella
 
Service 6665-6669/tcp irc
 
Service 54320/tcp bo2k
 
Service 7070/tcp,554/tcp,6970-7170/udp real
 
Protocol 1 icmp
 
Protocol 4 ipinip
 
Protocol 6 tcp
 
Protocol 17 udp
 
Protocol 47 gre
 
Protocol 50 esp
 
Protocol 51 ah
 
Protocol 57 skip
 
Protocol 88 eigrp
 
Protocol 169
 
Protocol 255
 
TOS 0 normal
 
TOS 1-255 other
 
ASNumber 1 Genuity
 
</nowiki></pre>
 
Se puede ver la sintaxis aca: http://www.columbia.edu/acis/networks/advanced/CUFlow/CUFlow.html
 
 
====/etc/flowscan/CUGrapher.cf====
 
<pre><nowiki>
 
OutputDir /var/lib/netflow/rrds
 
DefaultGraph report=bits;hours=48;imageType=png;width=640;height=320;duration=;router=all;all_all_services=1;legend=1;title=My%20Graph
 
AggregateScore /var/lib/netflow/scoreboard/overall.html
 
Scoreboard /var/lib/netflow/topten.html
 
</nowiki></pre>
 
 
====/etc/init.d/fprobe-ng====
 
<pre><nowiki>
 
INTERFACE="eth0"
 
FLOW_COLLECTOR="localhost:555"
 
OTHER_ARGS="-p -a 127.0.0.1"
 
</nowiki></pre>
 
 
====Configurar para el el flowscan inicie automaticamente ====
 
<pre><nowiki>
 
zcat /usr/share/doc/flowscan/examples/rc/flowscan.gz > /etc/init.d/flowscan
 
chmod 755 /etc/init.d/flowscan
 
chown root.root /etc/init.d/flowscan
 
ln -s /etc/init.d/flowscan /etc/rc2.d/S98flowscan
 
</nowiki></pre>
 
 
 
====Reiniciar servicios====
 
<pre><nowiki>
 
/etc/init.d/flow-capture restart
 
/etc/init.d/fprobe-ng restart
 
/etc/init.d/flowscan start
 
</nowiki></pre>
 
 
Abrir: http://localhost/cgi-bin/CUGrapher.cgi
 
  
===Errores===
 
  
 
== Otros ==
 
== Otros ==
 
* potion
 
* potion
 
* [http://www.cyberciti.biz/tips/howto-performance-benchmarks-a-web-server.html Howto: Performance Benchmarks a Web server]
 
* [http://www.cyberciti.biz/tips/howto-performance-benchmarks-a-web-server.html Howto: Performance Benchmarks a Web server]

Revisión actual del 11:57 24 ago 2006

Herramientas


Analisis de trafico

Guias

ntop

ntop --set-admin-password

http://localhost:3000/


flow-tools vs cflowd

Why use flow-tools instead of cflowd?

  • flow-capture preserves the sub-second portion of the NetFlow timestamps that cflowd discards
  • flow-tools is easier to build because it is written in portable C. Problems with building cflowd may occur because it requires cutting edge C++ features
  • flow-tools is actively maintained, and supports newer NetFlow versions, including those from the popular Cisco Cat6K series platforms


Otros

Obtenido de «https://wiki.gacq.com/index.php?title=Análisis_de_tráfico&oldid=1875»