Re: [Nfdump-discuss] nfdump and AS data
From: Peter H. <ha...@sw...> - 2006-03-16 13:33:43
Hi Brian,
--On March 15, 2006 15:56:58 -0800 Brian Jones <wor...@gm...> wrote:
| Hello Folks,
|
|
| I'm new to nfdump but love it coupled with nfsen so far.
|
| I've managed to collect a fair amount of data in the last 4 days. My primary
| goal is to be able to bill for specific outbound traffic.
|
| That being said, I thought it would also be nice to be able to determine
| "where" most of our traffic is going from an AS point of view.
|
| When I tried to run some reports on destination AS I realized that we don't
| seem to be capturing that data.
|
| Specifically a command like this:
First make sure you have nfdump-1.5. Up to and including nfdump-1.4.1, there is a bug
in AS aggregation, which may result in '0' AS.
|
| nfdump -n 50 -s dstas -o extended -t -300 -R
| /var/nfsen/profiles/live/sanfrancisco
Maybe for most traffic based on dst AS '-s dstas/bytes -n 0' would be more suitable;
otherwise your AS list is sorted according to the number of flows to that AS. '-n 0'
gives you not only the first 50 but all ASes found in your traffic.
|
| Returns data with all "Dst AS" column always 0.
|
| Initially we were running our Cisco routers with V5 exports. We have since
| changed to V9, but still aren't able to report on AS.
Make sure your netflow data contains AS information at all. You can check this by simply
listing your flows using '-o raw'. Depending on your routing setup the AS information
may not be available to your router exporting the flows - another source for AS '0'.
As far as I know - but I'm not a Cisco expert - there is no difference in exporting
AS information between v5 or v9. If you feel lucky with what you had using v5 - use v5.
|
| Is this possible without using the AS aggregation features, as I think we
| need the detail level data for our billing?
There is another approach by filtering according to your output interface, where
traffic is leaving your network:
nfdump -s record/bytes -o extended 'out if x'
which results in a detailed list of your talkers causing your outgoing traffic.
If AS information is vital in the list consider using a user defined output format such as:
-o "fmt:%ts %td %pr %sap -> %dap %flg %tos %sas %das %pkt %byt %pps %bps %bpp %fl"
which is format 'extended' plus AS information included.
Hope this helps
- Peter
|
| Regards,
|
| Brian
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/
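As an added example (not from the thread and not part of nfdump), a small Python script that reads the output of the user defined format suggested above, sums bytes per destination AS the way '-s dstas/bytes -n 0' does, and measures how much traffic carries dst AS 0, the symptom of missing AS information. The sample lines are constructed and assume plain numeric counters without 'M'/'G' scaling.

```python
"""Aggregate nfdump custom-format output by destination AS (added example)."""
from collections import defaultdict

# Constructed sample of what the user defined fmt string prints: one
# header line, four flow records, one summary line. Counters are assumed
# to be plain numbers, not scaled with 'M'/'G' suffixes.
SAMPLE_OUTPUT = """\
Date flow start          Duration Proto   Src IP Addr:Port -> Dst IP Addr:Port   Flags Tos Src AS Dst AS Packets  Bytes    pps     bps   Bpp Flows
2006-03-15 15:56:58.123    0.512 TCP      10.1.2.3:443 ->   192.0.2.10:51000   .AP.SF   0    559   3303      12   9000     23  140625   750     1
2006-03-15 15:57:01.004    1.250 TCP       10.1.2.4:80 -> 198.51.100.7:40022   .AP.SF   0    559   3303     200 260000    160 1664000  1300     1
2006-03-15 15:57:02.700    0.010 UDP       10.1.2.5:53 ->   203.0.113.9:3330   ......   0    559      0       1    120    100   96000   120     1
2006-03-15 15:57:05.000    3.000 TCP       10.1.2.6:22 ->    192.0.2.44:2201   .AP.SF   0    559  13030      40  48000     13  128000  1200     1
Summary: total flows: 4, total bytes: 317120, total packets: 253
"""

def parse_records(text):
    """Return one dict per flow record; header and summary lines are skipped.
    %ts contains a space, so fields are taken from the right-hand end,
    where the layout of the fmt string is fixed."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 16 or "->" not in f:
            continue
        try:
            records.append({
                "src_as": int(f[-8]), "dst_as": int(f[-7]),
                "packets": int(f[-6]), "bytes": int(f[-5]),
                "flows": int(f[-1]),
            })
        except ValueError:  # header line: "Dst", "AS", ... are not integers
            continue
    return records

def bytes_per_dst_as(records):
    """Same view as '-s dstas/bytes -n 0': every dst AS, sorted by bytes."""
    totals = defaultdict(int)
    for r in records:
        totals[r["dst_as"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def as_zero_share(records):
    """Fraction of bytes whose dst AS is 0, i.e. carrying no AS information."""
    total = sum(r["bytes"] for r in records)
    zero = sum(r["bytes"] for r in records if r["dst_as"] == 0)
    return zero / total if total else 0.0
```

Feed it the stdout of nfdump run with the fmt string above instead of SAMPLE_OUTPUT; a large share of bytes with dst AS 0 points at the router not exporting AS information or at the pre-1.5 aggregation bug.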