Thread: [Nfsen-discuss] egress traffic
Netflow visualisation and investigation tool
From: Alban D. <alb...@gm...> - 2008-04-10 22:44:20
I have a router that connects to two ISP providers and am interested only in
the traffic going out to them

I configured "ip flow egress" on the two physical interfaces connected to
them.
No flow related config in any other interface.

otherwise the rest of the config is:

    mls netflow interface
    mls flow ip interface-full
    no mls flow ipv6
    mls nde sender version 5
    mls sampling packet-based 4096 16000

Nfsen is still reporting a lot of flows with Dst AS 0.

This is a cisco ME-C6524GT-8S - Version 12.2(33)SXH1 and I have not found
any netflow related bug for it ( so far ).

thank you,

Alban

From: Peter H. <pet...@sw...> - 2008-04-14 07:23:11
AS 0 is a question whether you have full routing and BGP information at all
in the router. Apart from that, there are some IOS versions having problems
with AS 0 but not sure which versions ..

- Peter

-- 
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/

From: Alban D. <alb...@gm...> - 2008-04-15 20:56:46
Peter, thank you.

I figured that out after looking at the routing tables too.

I am in a bit of a bind right now because many of the routers do not have
the capacity to get the full routing table
and on the other hand I really need these AS numbers.
Is there any tool (i.e. a script) that would work in conjunction with nfdump
to get the AS number based on the IP addresses
and then feed the data back in?

thank you again,

Alban

From: Lambert H. <lam...@cl...> - 2008-04-16 08:52:10
Hi Alban,
There's a website "http://asn.cymru.com/cgi-bin/whois.cgi" that looks up AS numbers for given IP addresses.
Obviously this is just for one-off queries, but perhaps you can contact
them if they can provide the script or more advanced tools.
Hope this is of (some) help.

Lambert

From: Adrian P. <adr...@gm...> - 2008-04-16 10:43:59
Or you can do it yourself:

    adrianp@frost:~$ whois -h whois.radb.net 92.80.0.0/24 | grep 'origin:' | head -1 | awk '{print $2; }' | sed -s 's/AS//g'
    9050

You can write bash/perl/php/python wrappers that process your netflow
output and convert ip classes to AS-es. Note that this is done by querying
RADB (and it will be slow for large amounts of data).

From: Alban D. <alb...@gm...> - 2008-04-16 13:56:15
Thank you all.

We are using cymru.com at the moment to get AS numbers through some other
web access logs.
I thought that there was already something written to work in conjunction
with nfdump.
I guess we will have to write something ourselves.

The idea I had was to go through the nfdump files, find the AS number where
0, replace it and rewrite back the file in nfdump format.
Will see what turns out.

thanks again,

Alban

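The idea discussed in this thread (find flows whose Dst AS is 0, derive the AS from the destination IP, write it back), as an added example that is not part of the original posts or of nfdump: it resolves addresses against a local prefix table with longest-prefix match, which avoids one whois query per address. The prefix table (documentation prefixes and ASNs), the CSV layout and its column names are constructed for illustration; a real table would be loaded once from a bulk routing-table or IRR dump.

```python
import csv
import io
import ipaddress

# Constructed prefix -> origin AS table (documentation prefixes and ASNs).
PREFIX_TABLE = [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/24", 64500),
    ("198.51.100.128/25", 64501),   # more specific route, must win
    ("203.0.113.0/24", 64511),
]

# Constructed flow export; the column names are hypothetical.
FLOWS_CSV = """src_ip,dst_ip,src_as,dst_as,bytes
10.1.1.5,192.0.2.10,0,0,4096
10.1.1.5,198.51.100.7,0,0,1500
10.1.1.9,198.51.100.200,0,0,800
10.1.1.9,203.0.113.4,0,64511,120
10.1.1.9,172.16.3.3,0,0,64
"""


def build_index(table):
    """Index prefixes by length: {prefixlen: {network_address_int: asn}}."""
    index = {}
    for cidr, asn in table:
        net = ipaddress.ip_network(cidr)
        index.setdefault(net.prefixlen, {})[int(net.network_address)] = asn
    return index


def lookup_as(index, ip):
    """Longest-prefix match for an IPv4 address; 0 when no prefix covers it."""
    addr = int(ipaddress.IPv4Address(ip))
    for plen in sorted(index, reverse=True):
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        asn = index[plen].get(addr & mask)
        if asn is not None:
            return asn
    return 0


def fill_dst_as(csv_text, table):
    """Return flow rows with dst_as filled in wherever the exporter sent 0."""
    index = build_index(table)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        if int(row["dst_as"]) == 0:
            row["dst_as"] = str(lookup_as(index, row["dst_ip"]))
    return rows


if __name__ == "__main__":
    print(*fill_dst_as(FLOWS_CSV, PREFIX_TABLE), sep="\n")
```

Rows that already carry a non-zero Dst AS are left as exported, and addresses not covered by any prefix keep AS 0 so they remain visible as unresolved.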