-
Notifications
You must be signed in to change notification settings - Fork 0
/
INSTALL
154 lines (121 loc) · 6.47 KB
/
INSTALL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
COMPILING THE TOOLKIT
---------------------------
To compile the toolkit, you'll first need to install zlib1.0.4 or greater
tcp_wrappers 7.6, and gnu make
zlib - ftp://ftp.freesoftware.com/pub/infozip/zlib/
tcp_wrappers ftp://ftp.win.tue.nl pub/security/tcp_wrappers_7.6.tar.gz
gnu_make ftp://ftp.gnu.org/pub/gnu/make/make-3.79.1.tar.gz
Then
./configure
gmake
gmake install
CONFIGURING THE ROUTER
----------------------------
! enable cef
ip cef
ip cef distributed
!Turn on flow accounting for each input interface with the interface command
interface Fddi3/0
ip route-cache flow
interface atm3/0/0
ip route-cache flow
...
Verify the router is generating flow stats with the command
'show ip cache flow'. Note that for routers with distributed switching
(GSR's, 75XX's) the RP cli will only show flows that made it up to the RP.
To see flows on the individual linecards use the 'attach' or 'if-con' command
and issue the 'sh ip ca fl' on each LC.
IP packet size distribution (36242M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.002 .340 .084 .021 .020 .012 .009 .009 .008 .007 .006 .007 .004 .003 .004
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.002 .004 .035 .077 .338 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
4139 active, 61397 inactive, 712344771 added
871670181 ager polls, 0 flow alloc failures
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 1572735 0.3 58 127 21.4 27.0 14.8
TCP-FTP 6193502 1.4 24 746 35.3 3.6 9.0
TCP-FTPD 1458042 0.3 1534 833 520.9 42.4 4.2
TCP-WWW 93403998 21.7 19 633 432.9 4.9 6.3
TCP-SMTP 16123540 3.7 15 431 59.1 3.4 6.4
TCP-X 687228 0.1 238 276 38.1 20.8 14.3
TCP-BGP 1116819 0.2 3 45 0.7 5.3 16.0
TCP-NNTP 1455156 0.3 1102 176 373.4 106.1 11.9
TCP-Frag 3244 0.0 4 636 0.0 2.8 16.3
TCP-other 188162587 43.8 118 733 5204.5 11.1 6.9
UDP-DNS 38042100 8.8 3 84 27.3 3.8 16.4
UDP-NTP 18760129 4.3 1 76 5.3 1.3 16.3
UDP-TFTP 665 0.0 4 76 0.0 7.9 16.4
UDP-Frag 13111 0.0 2121 1108 6.4 366.8 13.5
UDP-other 195556237 45.5 35 343 1632.5 5.8 16.3
ICMP 149285440 34.7 2 64 72.9 0.9 16.5
IGMP 15315 0.0 167 32 0.5 1660.6 3.9
IPINIP 15112 0.0 35 52 0.1 275.3 14.2
GRE 127489 0.0 3 109 0.1 16.9 16.1
IP-other 348604 0.0 56 447 4.5 21.5 16.2
Total: 712341053 165.8 50 620 8436.8 6.2 12.2
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
AT4/0.1 128.146.225.194 AT1/0.2 128.194.203.23 06 0019 2CAF 15
AT2/0.10 129.22.250.148 AT1/0.2 129.2.226.43 06 04BA 1A20 1266
AT2/0.11 130.108.110.48 AT1/0.2 170.140.89.100 06 0923 10A3 436
AT1/0.2 170.140.89.100 AT2/0.11 130.108.110.48 06 10A3 0923 462
! Enable the exports of flows with the global commands
ip flow-export version 5 origin-as
ip flow-export 10.0.0.1 9990
! Enable the AS aggregation cache and export the aggregated flows to
! 10.0.0.1 port 9991
ip flow-aggregation cache as
export destination 10.0.0.1 9991
enabled
! Create a loopback interface if one does not exist
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
! Configure NetFlow export source address
!
ip flow-export source Loopback0
If you have tcpdump installed on or near the host you're using to capture
flows, the exports can be verified.
shattered:~% /usr/local/etc/tcpdump -n udp port 9991
/usr/local/etc/tcpdump: listening on le0
12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.962551 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.975115 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.984444 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.993956 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.003252 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.015483 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.024852 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.034182 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.043545 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.053239 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
flow-receive can be used to verify your host is receiving flows:
./flow-receive 0/0/9990 | ./flow-print
or
./flow-receive 0/0/9991 | ./flow-print
% ./flow-receive 0/0/9990 | ./flow-print | head -10
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets
60 206.204.84.9 00 10.0.135.63 06 15 5f0 2 88
00 10.0.135.63 60 206.204.84.9 06 5f0 15 16 787
60 206.204.84.9 00 10.0.135.63 06 15 5f0 13 1742
00 10.0.155.25 60 204.62.245.167 06 50 bae5 15 948
60 204.62.245.167 00 10.0.155.25 06 bae5 50 13 681
60 206.204.84.20 00 10.0.135.63 06 50 5ed 7 3494
60 206.204.84.20 00 10.0.135.63 06 50 5ef 6 401
60 206.204.84.20 00 10.0.135.63 06 50 5eb 11 9413
00 10.0.135.63 60 206.204.84.20 06 5ed 50 9 637
To store the flow exports on disk, use flow capture. The following will
store 15 minute compressed exports in /netflow/oar/krc3.v5 and begin
removing the oldest files after 3Gig of storage has been used.
mkdir -p /netflow/oar/krc3.v5
./flow-capture -w /netflow/oar/krc3.v5 -E3G 0/10.1.1.1/9990
The completed exports will begin with 'ft'. The current export file will
begin with 'tmp'. The 'ft' files can now be used with the other tools, ie
./flow-print < /netflow/oar/krc3.v8.1/ft-v08m01.2001-02-09.111502
flow-cat, flow-stat, and flow-filter can be combined to produce various
reports such as total bytes in the export period, source/destination
matrixes, per interface totals, etc.