Re: [Nfsen-discuss] AS-AS traffic matric - backend plugin
Netflow visualisation and investigation tool
From: Peter H. <ha...@sw...> - 2006-10-27 09:29:24
Hi Maurizio,

An AS-AS matrix can be created more easily as follows:

    ./nfdump -M <source_list> -R nfcapd.$tart_tslot:nfcapd.$end_tslot -s record/bytes -A srcas,dstas -n 0 -o "fmt:%sas %das %byt"

This generates a list of all AS to AS relations, with a custom output format. You may of course add any additional fields you need for your purpose to the custom output format. This output can be easily parsed and used for further processing.

Therefore a single run gives all the required information, with no need for filtering either, and therefore no need for parallel filters, which btw. is the way nfprofile handles multiple channels :)

Hope this helps

- Peter

-------- Original Message --------
From: Maurizio Molina <mau...@da...>
To: nfsen-discuss ML <nfs...@li...>
Subject: [Nfsen-discuss] AS-AS traffic matric - backend plugin
Date: Tue Oct 24 2006 18:05:16 GMT+0200 (CEST)

> Hi,
> I'm writing a backend plugin to obtain a daily AS-AS traffic matrix in
> my network, with 38 ASs and 21 sources.
> The only way I found so far is to get the information with nfdump (1.5)
> running
>
> #nfdump -M <source_list> -R nfcapd.$tart_tslot:nfcapd.$end_tslot -n 50
> -s srcas/bytes -o long "src as $src_as and dst as $dst_as"
>
> as many times as all the possible AS-AS pairs (38X38), and then parse
> the output.
> Note that I use -n 50 but I could well have used -n 1 (because of the
> filtering, I always get that there is only one contributing src_as).
> The problem is that given the number of flows (roughly: 300 k flows per
> source and per hour, with each AS connected to one, or two, or three
> sources at most), the processing time is high.
> I probably won't be able to run the processing every day over all the
> past 24 hours, but I'll be forced to focus on a limited time slice.
> Questions:
> 1) is there another easy way to do it?
> 2) if not, how difficult would it be (and what module should be
> modified) to let nfdump have parallel filters? The processing bottleneck
> is clearly the disk access bandwidth (the cpu stays at about 4-5%).
>
> Regards,
> Maurizio

-- 
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/security
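
Added example, not part of the original thread or of nfdump/NfSen: one way to parse the "fmt:%sas %das %byt" output of the single run described above into an AS-AS byte matrix. The sample lines are constructed, the function names are hypothetical, and it is an assumption that byte counts may appear either as plain integers or with a decimal scale suffix such as "1.5 M".

```python
import re
from collections import defaultdict

# Constructed sample of `-o "fmt:%sas %das %byt"` output (not real traffic).
# The non-data lines stand in for whatever header/summary text surrounds the rows.
SAMPLE = """\
Aggregated flows 4
  559   20965  1.5 M
  559    1299   734003
20965     559  2.0 G
  559   20965      500
Summary: total flows: 4
"""

# Assumption: scale suffixes are decimal (1 M = 10**6 bytes).
SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
# A data row is: src AS, dst AS, byte count with optional scale suffix.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s*([KMGT]?)\s*$")

def parse_as_matrix(text):
    """Return {(src_as, dst_as): bytes}. Repeated pairs are summed, so the
    output of several runs (e.g. one per time slice) can be concatenated."""
    matrix = defaultdict(int)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header, summary or blank line: not a data row
            continue
        src, dst, num, unit = m.groups()
        if num.isdigit() and not unit:
            value = int(num)  # plain integer: keep exact
        else:
            value = round(float(num) * SCALE[unit])
        matrix[(int(src), int(dst))] += value
    return dict(matrix)

def render(matrix):
    """Tab-separated table: one row per source AS, one column per destination AS."""
    ases = sorted({a for pair in matrix for a in pair})
    lines = ["src\\dst\t" + "\t".join(map(str, ases))]
    for s in ases:
        cells = (str(matrix.get((s, d), 0)) for d in ases)
        lines.append(str(s) + "\t" + "\t".join(cells))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(parse_as_matrix(SAMPLE)))
```

Scaled values such as "1.5 M" are already rounded by the time they are printed, so totals built from them are approximate.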