Revisión del 23:32 26 jul 2006

Analisis de trafico

NetFlow

Informacion

• http://www.switch.ch/tf-tant/floma/software.html

flowscan

http://www.caida.org/tools/utilities/flowscan/ Reportes de ejemplo:

• http://mrtg.uv.es/flowscan/
• http://wwwstats.net.wisc.edu/
• http://flowscan.frgp.net/

flow-tools vs cflowd

Why use flow-tools instead of cflowd?

• flow-capture preserves the sub-second portion of the NetFlow timestamps that cflowd discards
• flow-tools is easier to build because it is written in portable C. Problems with building cflowd may occur because it requires cutting edge C++ features
• flow-tools is actively maintained, and supports newer NetFlow versions, including those from the popular Cisco Cat6K series platforms

Analisis del trafico por una interface ethernet en un servidor debian

Fuente: http://www.prolixium.com/sitenews.php?id=482

apt-get install fprobe-ng flow-tools flowscan flowscan-cuflow flowscan-cugrapher rrdtool
mkdir -p /var/lib/netflow/ft
mkdir /var/lib/netflow/rrds
mkdir /var/lib/netflow/scoreboard

Dejar /etc/flow-tools/flow-capture.conf solo con:

-w /var/lib/netflow/ft -E 1G -N 0 -n 287 -S 60 -V 5 -z 9 0/0/555

dejar /etc/flowscan/flowscan.cf con

FlowFileGlob /var/lib/netflow/ft/ft-v05.*
ReportClasses CUFlow
WaitSeconds 30
Verbose 1

/etc/flowscan/CUFlow.cf

Subnet 192.168.0.0/24
Network 200.114.249.74/24 Internet
OutputDir /var/lib/netflow/rrds
Multicast
Scoreboard 10 /var/lib/netflow/scoreboard /var/lib/netflow/topten.html
AggregateScore 10 /var/lib/netflow/scoreboard/agg.dat /var/lib/netflow/scoreboard/overall.html
Router 127.0.0.1 geacequ
Service 20-21/tcp ftp
Service 22/tcp ssh
Service 23/tcp telnet
Service 25/tcp smtp
Service 53/udp,53/tcp dns
Service 80/tcp http
Service 110/tcp pop3
Service 119/tcp nntp
Service 143/tcp imap
Service 412/tcp,412/udp dc
Service 443/tcp https
Service 1214/tcp kazaa
Service 4661-4662/tcp,4665/udp edonkey
Service 5190/tcp aim
Service 6346-6347/tcp gnutella
Service 6665-6669/tcp irc
Service 54320/tcp bo2k
Service 7070/tcp,554/tcp,6970-7170/udp real
Protocol 1 icmp
Protocol 4 ipinip
Protocol 6 tcp
Protocol 17 udp
Protocol 47 gre
Protocol 50 esp
Protocol 51 ah
Protocol 57 skip
Protocol 88 eigrp
Protocol 169
Protocol 255
TOS 0 normal
TOS 1-255 other
ASNumber 1 Genuity

Se puede ver la sintaxis aca: http://www.columbia.edu/acis/networks/advanced/CUFlow/CUFlow.html

/etc/flowscan/CUGrapher.cf

OutputDir /var/lib/netflow/rrds
DefaultGraph report=bits;hours=48;imageType=png;width=640;height=320;duration=;router=all;all_all_services=1;legend=1;title=My%20Graph
AggregateScore /var/lib/netflow/scoreboard/overall.html
Scoreboard /var/lib/netflow/topten.html
<pre><nowiki>

/etc/init.d/fprobe-ng
<pre><nowiki>
INTERFACE="eth0"
FLOW_COLLECTOR="localhost:555"
OTHER_ARGS="-p -a 127.0.0.1"

Reiniciar servicios

/etc/init.d/flow-capture restart
/etc/init.d/fprobe-ng restart

Abrir: http://localhost/cgi-bin/CUGrapher.cgi

Errores

Errores al correr flowscan

2006/07/26 18:12:22 working on file /var/lib/netflow/ft/ft-v05.2006-07-26.174716-0300...
/var/lib/netflow/ft/ft-v05.2006-07-26.174716-0300: Invalid index in cflowd flow file: 0xCF100103! Version 5 flow-export is required with *all* fields being saved.

Pasa con la version 0.67-8 - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327367 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=163227;msg=72

Otros

• potion
• Howto: Performance Benchmarks a Web server