Read Me

Contents:
---------
  1. Introduction
  2. Perfomance
  3. Other tools


1. Introduction
---------------

nfcount: Network flows ruled counters

  nfcount is tool for count network traffic by using
rules. Rule can be defined by source or destenation IP
address, timeranges. Accounting result may be simple
counter or hystogram. Key features:
  - In rule definition file You can use variables for
    addresses and timeranges.
  - Many rules can update one counter/hystogram.
  - Many formats of data file: argus files, IP Accounting text.
  - Many formats of output result (perl, binary).
  - In rule You can use list of addresses/networks.
  - State files for incremental counting.
  - "Wizard" for first time configuration.

  nfcounthyst is tool for plotting hystograms in graphics
form.

  nfcountcgi is a set of cgi scripts for show result,
generated by nfcount in form of html reports with graphs
(by using nfcounthyst).


2. Perfomance
---------------

  On my Pentium III 700 MHz, in DEBUG variant it parse
1500 flows/sec for text flow files. For bzip2-ed argus
flow files it process more than 3500 flows/sec.
  In Release variant for uncompressed argus flow files
speed is approximately 220000 flows/sec. Monthly traffic
of my network (approx 70 hosts) it parses in 10 seconds.
Bz2 compressed argus output is parsed at speed 26000
flows/sec but it is more time of uncompress than parsing.


3. Other tools
----------------

http://www.auckland.ac.nz/net/NeTraMet/
NeTraMet++ is a new, high-performance version of NeTraMet.
It uses stream caching, i.e. each packet is matched with a stream
before being matched with a flow.  The stream data structure
remembers the flows corresponding to each stream, so that flow
matches are cached in the streams.  Rulesets that only test
or save `5-tuple' attributes (SourcePeerType, SourcePeerAddress,
SourceTransAddress, DestPeerAddress or DestTransAddress) can be
cached; production tests show a cache hit rate of 85% or more.


http://www.rpd.univ.kiev.ua/~roman/soft/flowc/
   The flowc package intend for gathering, storing and analyzing traffic
accounting for CISCO routers with NetFlow (version 5) enabled switching.
The author express gratitude to Sergey Korsak (skif@1plus1.net) and
Alexand Sudakov (saa@mail.univ.kiev.ua) for valuable ideas and remarks.
Questions, notes, wishes, beer please send to roman@uninet.kiev.ua.

http://glade.nmd.msu.ru/~pooh/netfltools/

http://www.caida.org/tools/measurement/cflowd/
cflowd - flow analysis tool currently used for analyzing Cisco's
NetFlow enabled switching method.
Анализатор потоков для Cisco's NetFlow. Состоит из трех
модулей: сбора данных, хранения и анализа накопленной статистики.

http://ipa-system.sourceforge.net/
IPA is a highly configurable IP accounting software.  It allows to
make IP accounting (network accounting) based on FreeBSD IPv4/v6 Firewall
(IPFW2 as well) rules, OpenBSD Packet Filter and/or IP Filter accounting
rules on FreeBSD, NetBSD and OpenBSD.

http://www.netams.com
NeTAMS collects traffic information, for instance, by capturing packets
going via network interface (libpcap), divert socket (ipfw divert),
NetFlow flow or any other module. After data processing and summarizing
information is stored in database from which statistics might be
retrieved by direct query or web interface. At the same time access
control, quotas, user rights can be accomplished. The program controlled
by telnet connection to given TCP server port or command line utility.
Statistics can be displayed by web interface or e-mail reports.

http://bpft.by.ru
TCP and UDP traffic logging system.