Re: [Nfsen-discuss] AS-AS traffic matric - backend plugin
Netflow visualisation and investigation tool
Brought to you by:
phaag
From: Peter H. <ha...@sw...> - 2006-10-30 07:51:57
Hi Chelo,

-------- Original Message --------
From: Chelo Malagon <che...@re...>
To: ha...@sw...
Subject: Re:[Nfsen-discuss] AS-AS traffic matric - backend plugin
Date: Fri Oct 27 2006 13:13:21 GMT+0200 (CEST)

> Hello Peter,
> Which version of nfdump are you using? In nfdump 1.5 the srcas and dstas
> aggregated fields are unknown :-(

That's correct. You need at least a snapshot > 200606xx. If you want to use this feature, upgrade to the latest available snapshot 20060809.

- Peter

>
> Cheers,
> Chelo
>
> Peter Haag wrote:
>
>> Hi Maurizio,
>>
>> An AS-AS matrix can be created more easily as follows:
>>
>> ./nfdump -M <source_list> -R nfcapd.$tart_tslot:nfcapd.$end_tslot
>> -s record/bytes -A srcas,dstas -n 0 -o "fmt:%sas %das %byt"
>>
>> This generates you a list of all AS to AS relations, with a custom
>> output format. You may of course add any additional field in the
>> custom output format, you may need for your purpose. This output can
>> be easily parsed and used for further processing.
>>
>> Therefore a single run gives all required information, no need for
>> filtering either, and therefore no need for parallel filters, which
>> btw. is the way nfprofile handles multiple channels :)
>>
>> Hope this helps
>>
>> - Peter
>>
>> -------- Original Message --------
>> From: Maurizio Molina <mau...@da...>
>> To: nfsen-discuss ML <nfs...@li...>
>> Subject: [Nfsen-discuss] AS-AS traffic matric - backend plugin
>> Date: Tue Oct 24 2006 18:05:16 GMT+0200 (CEST)
>>
>>> Hi,
>>> I'm writing a backend plugin to obtain a daily AS-AS traffic matrix in
>>> my network, with 38 ASs and 21 sources.
>>> The only way I found so far is to get the information with nfdump (1.5)
>>> running
>>> #nfdump -M <source_list> -R nfcapd.$tart_tslot:nfcapd.$end_tslot -n 50
>>> -s srcas/bytes -o long "src as $src_as and dst as $dst_as"
>>> as many times as all the possible AS-AS pairs (38X38), and then parse
>>> the output.
>>> Note that I use -n 50 but I could well have used -n 1 (because of the
>>> filtering, I always get that there is only one contributing src_as).
>>> The problem is that given the number of flows (roughly: 300 k flows per
>>> source and per hour, with each AS connected to one, or two, or three
>>> sources at most), the processing time is high.
>>> I probably won't be able to run the processing every day over all the
>>> past 24 hours, but I'll be forced to focus on a limited time slice.
>>> Questions:
>>> 1) is there another easy way to do?
>>> 2) if not, how difficult would it be (and what module should be
>>> modified) to let nfdump have parallel filters? The processing bottleneck
>>> is clearly the disk access bandwidth (the cpu stays at about 4-5%).
>>> Regards,
>>> Maurizio
>>
>>> _______________________________________________
>>> Nfsen-discuss mailing list
>>> Nfs...@li...
>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>>
>> --
>> _______ SWITCH - The Swiss Education and Research Network ______
>> Peter Haag, Security Engineer, Member of SWITCH CERT
>> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
>> SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
>> E-mail: pet...@sw... Web: http://www.switch.ch/security

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/security
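
Added example, not part of the original thread and not nfdump or NfSen code: a Python parser that turns the "fmt:%sas %das %byt" output of the single-run command quoted above into an AS-AS byte matrix. It assumes one record per line, a byte column that is either a plain integer or a scaled value with a K/M/G/T suffix (the scaling base is a parameter, 1000 assumed), and it sets aside any line that is not a record; the sample input is constructed and uses documentation AS numbers.

```python
import re
from collections import defaultdict

# One record per line: "<srcas> <dstas> <bytes>". <bytes> is a plain integer
# or a scaled value such as "2.5 M" (assumption about how %byt is rendered).
_RECORD = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s*([KMGT])?\s*$")
_EXPONENT = {"K": 1, "M": 2, "G": 3, "T": 4}


def parse_as_matrix(text, unit_base=1000):
    """Return ({(srcas, dstas): bytes}, skipped_lines) for fmt output text."""
    matrix = defaultdict(int)
    skipped = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _RECORD.match(line)
        if match is None:
            # Header, summary or otherwise unexpected line: keep it for review
            # instead of silently dropping or mis-parsing it.
            skipped.append(line)
            continue
        src, dst, value, unit = match.groups()
        if unit is None and "." not in value:
            nbytes = int(value)  # exact, no float rounding on large counters
        else:
            nbytes = round(float(value) * unit_base ** _EXPONENT.get(unit, 0))
        # Sum in case the same pair shows up more than once in the input.
        matrix[(int(src), int(dst))] += nbytes
    return dict(matrix), skipped


def totals_by_src(matrix):
    """Row totals: bytes sent per source AS across all destination ASs."""
    totals = defaultdict(int)
    for (src, _dst), nbytes in matrix.items():
        totals[src] += nbytes
    return dict(totals)


# Constructed sample; the first and last lines stand in for any non-record text.
SAMPLE = """\
constructed header line
64496 64497 1500000
64496 64498    2.5 M
64497 64496 4096
constructed trailer line
"""

if __name__ == "__main__":
    as_matrix, ignored = parse_as_matrix(SAMPLE)
    for (src_as, dst_as), count in sorted(as_matrix.items()):
        print(f"AS{src_as} -> AS{dst_as}: {count} bytes")
    print(f"{len(ignored)} non-record line(s) set aside")
```

Scaled values lose precision, so per-pair totals computed from them are approximate; a non-empty skipped list is worth checking before trusting the matrix.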