Tree @debian/1.5.7-4
- debian
- AUTHORS
- bookkeeper.c
- bookkeeper.h
- BSD-license.txt
- ChangeLog
- config.h.in
- configure
- configure.in
- CreateSubHierarchy.pl
- expire.c
- expire.h
- flist.c
- flist.h
- ft2nfdump.1
- ft2nfdump.c
- fts_compat.c
- fts_compat.h
- grammar.y
- inline.c
- INSTALL
- install-sh
- ipconv.c
- ipconv.h
- launch.c
- launch.h
- lzoconf.h
- lzodefs.h
- Makefile.in
- minilzo.c
- minilzo.h
- netflow_v5_v7.c
- netflow_v5_v7.h
- netflow_v9.c
- netflow_v9.h
- nf_common.c
- nf_common.h
- nfcapd.1
- nfcapd.c
- nfdump.1
- nfdump.c
- nfdump.h
- nfdump.test.out
- nfexpire.1
- nfexpire.c
- nffile.c
- nffile.h
- nfgen.c
- nfnet.c
- nfnet.h
- nfprof.c
- nfprof.h
- nfprofile.1
- nfprofile.c
- nfreplay.1
- nfreplay.c
- nfstat.c
- nfstat.h
- nfstatfile.c
- nfstatfile.h
- nftest.c
- nftree.c
- nftree.h
- panonymizer.c
- panonymizer.h
- profile.c
- profile.h
- rbtree.h
- README
- rijndael.c
- rijndael.h
- scanner.l
- sfcapd.1
- sfcapd.c
- sflow.c
- sflow.h
- sflow_proto.h
- test.sh
- ToDo
- util.c
- util.h
- version.h
This is a small description of what the nfdump tools do and how they work.

Nfdump is distributed under the BSD license - see BSD-license.txt

The nfdump tools collect and process netflow data on the command line.
They are part of the NFSEN project, which is explained in more detail at
http://www.terena.nl/tech/task-forces/tf-csirt/meeting12/nfsen-Haag.pdf

The Web interface mentioned there is not part of nfdump and is available at
http://nfsen.sourceforge.net

*NOTE* This version no longer builds nfprofile by default!

nfdump tools overview:
----------------------

nfcapd - netflow collector daemon.
         Reads the netflow data from the network and stores the data into
         files. Automatically rotates files every n minutes (typically
         every 5 min). nfcapd reads netflow v5, v7 and v9 flows
         transparently. You need one nfcapd process for each netflow
         stream.

nfdump - netflow dump.
         Reads the netflow data from the files stored by nfcapd. Its
         syntax is similar to tcpdump. If you like tcpdump you will like
         nfdump. Displays netflow data and creates top N statistics of
         flows, bytes, packets and IP addresses.

nfreplay - netflow replay.
         Reads the netflow data from the files stored by nfcapd and sends
         it over the network to another host.

nfexpire - expire old netflow data.
         Manages data expiration. Sets appropriate limits.
Optional binaries:

nfprofile - netflow profiler. Required by NfSen.
         Reads the netflow data from the files stored by nfcapd. Filters
         the netflow data according to the specified filter sets
         (profiles) and stores the filtered data into files for later
         use.

ft2nfdump - read flow-tools format - optional tool.
         ft2nfdump acts as a pipe converter for flow-tools data. It
         allows you to read any flow-tools data and process and save it
         in nfdump format.

sfcapd - sflow collector daemon.
         sfcapd collects sflow data and stores it into nfcapd compatible
         files. "sfcapd includes sFlow(TM), freely available from
         http://www.inmon.com/".

Note for sflow users:
sfcapd and nfcapd can be used concurrently to collect netflow and sflow
data at the same time. Generic command line options apply to both
collectors likewise. Due to lack of availability of sflow devices, I
could not test the correct output of IPv6 records. Users are requested to
send feedback to the list or directly to me. As of this first version,
sfcapd supports the same fields as nfcapd does for netflow v9, which is a
subset of all available sflow fields in an sflow record. More fields will
be integrated in future versions of sfcapd.

Converting the current nfcapd flat directory layout to a sub hierarchy
layout:
If you switch from the flat directory layout to any sub directory
hierarchy, the helper script CreateSubHierarchy.pl supports you in
creating the desired sub directory structure and moves already existing
nfcapd files into the new layout. Use the same -S option for
CreateSubHierarchy.pl as you will use with nfcapd.

Compression
-----------
As of nfdump 1.5.6, the binary data files can optionally be compressed
using the fast LZO1X-1 compression. For more details on this algorithm
see http://www.oberhumer.com/opensource/lzo. LZO1X-1 is very fast, so
compression can be used in real time by the collector. LZO1X-1 reduces
the file size by around 50%.
You can check the compression speed for your system by running
./nftest <path/to/an/existing/netflow/file>.

Principle of Operation:
-----------------------
The goal of the design is to be able to analyze netflow data from the
past as well as to track interesting traffic patterns continuously. How
far back in the past you can go is limited only by the disk storage
available for all the netflow data.

The tools are optimized for speed for efficient filtering. The filter
rules should look familiar to the syntax of tcpdump (pcap compatible).

All data is stored to disk before it gets analyzed. This separates the
process of storing and analyzing the data.

The data is organized in a time based fashion. Every n minutes -
typically 5 min - nfcapd rotates and renames the output file with the
timestamp nfcapd.YYYYMMddhhmm of the interval, e.g. nfcapd.200407110845
contains data from July 11th 2004 08:45 onward. Based on a 5 min time
interval, this results in 288 files per day.

Analyzing the data can be done for a single file, or by concatenating
several files for a single output. The output is either ASCII text or
binary data; when saved into a file, it is ready to be processed again
with the same tools.

You may have several netflow sources - let's say 'router1', 'router2'
and so on. The data is organized as follows:

/flow_base_dir/router1
/flow_base_dir/router2

which means router1 and router2 are subdirs of the flow_base_dir.

For each of the netflow sources you have to start an nfcapd process:

nfcapd -w -D -l /flow_base_dir/router1 -p 23456
nfcapd -w -D -l /flow_base_dir/router2 -p 23457

Security:
None of the tools requires root privileges, unless you listen on a port
< 1024. However, there is no access control mechanism in nfcapd: it
accepts flow records from any sender that can reach its UDP port. It is
assumed that host level security (a packet filter on the collector host)
is in place to restrict which source IP addresses may send to that port.
Such a filter only checks the source address of a UDP datagram, which
can be spoofed, so treat it as a minimum, not as proof that the records
come from your exporters.

See the manual pages or use the -h switch for details on using each of
the programs.

For any questions send email to haag@switch.ch

Configure your router to export netflow.
See the relevant documentation for your model. A generic Cisco sample
configuration enabling NetFlow on an interface:

interface fastethernet 0/0
ip route-cache flow

To tell the router where to send the NetFlow data, enter the following
global configuration commands:

ip flow-export <ip-address> <udp-port>
ip flow-export version 5
ip flow-cache timeout active 5

This breaks up long-lived flows into 5-minute segments. You can choose
any number of minutes between 1 and 60. See the relevant documentation
for a full description of netflow commands.

Note: Netflow versions v5 and v7 have 32 bit counter values. The number
of packets or bytes of a single flow may overflow this value within the
flow-cache timeout on very busy routers. To prevent overflow, you may
consider reducing the flow-cache timeout to lower values. All nfdump
tools use 64 bit counters internally, which means all aggregated values
are correctly reported. Note that the wrap happens in the record the
router exports: nfdump's 64 bit counters keep sums over many records from
overflowing, but cannot restore bits already lost in an exported record.

The binary format of the data files is netflow version independent. For
speed reasons the binary format is machine architecture dependent, and as
such can not be exchanged between little and big endian systems.

Internally nfdump does all processing IP protocol independent, which
means everything works for IPv4 as well as IPv6 addresses. See the
nfdump(1) man page for details.

netflow version 9:
Even though netflow v9 is supported, not all elements defined in netflow
v9 are stored in the data files. As of version 1.5 nfdump supports the
following fields:

NF9_LAST_SWITCHED
NF9_FIRST_SWITCHED
NF9_IN_BYTES
NF9_IN_PACKETS
NF9_FLOWS
NF9_IN_PROTOCOL
NF9_SRC_TOS
NF9_TCP_FLAGS
NF9_IPV4_SRC_ADDR
NF9_IPV6_SRC_ADDR
NF9_IPV4_DST_ADDR
NF9_IPV6_DST_ADDR
NF9_L4_SRC_PORT
NF9_L4_DST_PORT
NF9_INPUT_SNMP
NF9_OUTPUT_SNMP
NF9_SRC_AS
NF9_DST_AS

32 and 64 bit counters are supported for Bytes and Packets. More fields
may be supported in future.

nfcapd can listen on IPv6 or IPv4. Furthermore multicast is supported.
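The 32 bit counter note above leaves the sizing to the reader. The following is an added example, not code from nfdump or its author: it computes how long a single flow filling a link needs to wrap a 32 bit byte counter, the largest "ip flow-cache timeout active" value (the README's 1..60 minute range) that stays below that, a plausibility check that catches some wrapped records (it assumes NetFlow counts layer 3 bytes, so a genuine IPv4 record can never carry fewer than 20 bytes per packet), and the 64 bit summation that nfdump's "aggregated values are correctly reported" refers to. All inputs are constructed.

```python
# Added example (not part of nfdump): 32-bit NetFlow v5/v7 counter wrap
# arithmetic and the active-timeout sizing the README recommends.

COUNTER_BITS = 32
COUNTER_MAX = (1 << COUNTER_BITS) - 1   # 4294967295 bytes or packets per record

# Assumption: NetFlow byte counters are layer 3 bytes, so an IPv4 packet
# contributes at least its 20-byte header. Used only by the plausibility check.
MIN_L3_BYTES_PER_PACKET = 20


def seconds_to_wrap(link_bits_per_second, counter_max=COUNTER_MAX):
    """Seconds until the byte counter of one flow saturating the whole link
    reaches counter_max. This is the worst case for a single exported record."""
    if link_bits_per_second <= 0:
        raise ValueError("link rate must be positive")
    return counter_max / (link_bits_per_second / 8.0)


def max_safe_active_timeout_minutes(link_bits_per_second, lowest=1, highest=60):
    """Largest 'ip flow-cache timeout active' value (minutes, IOS accepts 1..60)
    for which one flow's byte counter cannot wrap before the record is exported.
    Returns 0 when not even the shortest timeout is safe at this link rate;
    at 1 Gbit/s that is already the case (wrap in about 34 seconds)."""
    minutes = int(seconds_to_wrap(link_bits_per_second) // 60)
    if minutes < lowest:
        return 0
    return min(minutes, highest)


def byte_counter_impossible(record):
    """True when an exported record cannot be genuine because it reports fewer
    than MIN_L3_BYTES_PER_PACKET bytes per packet. The byte counter grows at
    least 20x faster than the packet counter, so it wraps first; after a wrap
    the ratio can drop below the physical minimum. A wrap is not always visible
    this way (the ratio may still exceed 20 after wrapping), so this catches
    some wrapped records, never all of them, and never flags a genuine one."""
    packets = record["packets"]
    if packets == 0:
        return False
    return record["bytes"] < packets * MIN_L3_BYTES_PER_PACKET


def total_bytes(records):
    """Sum 32-bit byte counters over many exported records in a wide integer,
    as nfdump does with its 64-bit internal counters. Each input counter must
    itself fit 32 bits; the sum is checked to stay below 2**64."""
    total = 0
    for r in records:
        b = r["bytes"]
        if not 0 <= b <= COUNTER_MAX:
            raise ValueError("record counter does not fit 32 bits: %r" % b)
        total += b
    if total >= (1 << 64):
        raise OverflowError("sum exceeds 64 bits")
    return total


if __name__ == "__main__":
    # Constructed link rates: the safe timeout shrinks quickly with bandwidth.
    for bps in (10_000_000, 100_000_000, 1_000_000_000):
        print("%11d bit/s: wrap after %8.1f s, max safe active timeout %2d min"
              % (bps, seconds_to_wrap(bps), max_safe_active_timeout_minutes(bps)))
    # Constructed record: 4 GB wrapped to a small byte count with 3 M packets.
    print(byte_counter_impossible({"bytes": 5_000_000, "packets": 3_000_000}))
```

On a 100 Mbit/s link the README's "timeout active 5" is the largest safe value; on a 1 Gbit/s link no value in the 1..60 range prevents a wrap for a flow that fills the link, which is when switching the exporter to v9 with 64 bit counters is the only fix.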
Flow-tools compatibility
------------------------
When building with the configure option --enable-ftconv, the flow-tools
converter is included. Using this converter, any flow-tools created data
can be read, processed and stored by nfdump.

Example:
flow-cat [options] | ft2nfdump | nfdump [options]

See the INSTALL file for installation details.
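The "Principle of Operation" section above describes the time based layout (one nfcapd.YYYYMMddhhmm file per n-minute interval under /flow_base_dir/<source>) but leaves the mapping from a query window to files to the operator. The following is an added example, not code from nfdump or NfSen: it floors timestamps to the rotation grid, generates and parses the file names, lists the files that overlap a time window, and rejects names that a collector on this interval could not have written. The 5 minute interval is an assumption matching the README's typical value and must be changed to whatever the collector is configured with; the directory and timestamps are the README's own samples.

```python
# Added example (not part of nfdump): mapping a time window onto the files
# nfcapd rotates every n minutes, and checking that a data directory only
# contains names a collector on that interval would produce.
import posixpath
import re
from datetime import datetime, timedelta

# Rotation interval in minutes. The README calls 5 min typical; it is an
# assumption here and must match the interval the collector rotates on.
INTERVAL_MINUTES = 5

_NAME_RE = re.compile(r"^nfcapd\.(\d{12})$")


def parse_time(text):
    """Parse the YYYYMMddhhmm timestamp format used in nfcapd file names."""
    return datetime.strptime(text, "%Y%m%d%H%M")


def interval_start(ts, interval=INTERVAL_MINUTES):
    """Floor a timestamp to the rotation boundary nfcapd would have used."""
    return ts.replace(minute=ts.minute - ts.minute % interval,
                      second=0, microsecond=0)


def file_name(ts):
    """Name nfcapd gives the file for the interval starting at ts."""
    return "nfcapd." + ts.strftime("%Y%m%d%H%M")


def parse_file_name(name, interval=INTERVAL_MINUTES):
    """Interval start encoded in a rotated file name, or None when the name is
    not nfcapd.YYYYMMddhhmm, not a valid date, or not on the rotation grid.
    A None in a data directory deserves a look: it was not written by a
    collector rotating on this interval."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    try:
        ts = parse_time(m.group(1))
    except ValueError:
        return None
    if ts.minute % interval:
        return None
    return ts


def files_for_window(base_dir, source, start, end, interval=INTERVAL_MINUTES):
    """Paths under base_dir/source whose intervals overlap [start, end).

    nfcapd.200407110845 holds flows from 08:45 up to the next rotation, so a
    window starting at 08:47 still needs the 08:45 file; end is exclusive."""
    if end <= start:
        raise ValueError("end must be after start")
    paths = []
    ts = interval_start(start, interval)
    while ts < end:
        paths.append(posixpath.join(base_dir, source, file_name(ts)))
        ts += timedelta(minutes=interval)
    return paths


def files_per_day(interval=INTERVAL_MINUTES):
    """Rotated files one source produces per day (288 at 5 min)."""
    return (24 * 60) // interval


if __name__ == "__main__":
    # Constructed query using the README's sample layout and timestamp.
    for p in files_for_window("/flow_base_dir", "router1",
                              parse_time("200407110847"),
                              parse_time("200407110900")):
        print(p)
```

The returned paths are what you hand to nfdump when concatenating several files for one output (see nfdump(1) for its multi-file options); parse_file_name doubles as a quick audit of a data directory, since anything it rejects was not produced by the collector's rotation.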
Commit History @debian/1.5.7-4
- Created debian/changelog for release (1.5.7-4) Erik Wenzel 15 years ago
- git-active-patches: removed testing patch names Erik Wenzel 15 years ago
- debian.source: added. As documentation on building the packages Erik Wenzel 15 years ago
- removed patch target Erik Wenzel 15 years ago
- added feature "refresh patches" which creates patches from git feature branches activated in debian/git-active-patches Erik Wenzel 15 years ago
- remove uninteresting file .hgtags Erik Wenzel 15 years ago
- Created debian/changelog for release (1.5.7-3) Erik Wenzel 15 years ago
- bumped Standards-Version Erik Wenzel 15 years ago
- Revert "Release" ... committed too early Erik Wenzel 15 years ago
- Release Erik Wenzel 15 years ago
- Closes: #484519 Erik Wenzel 15 years ago
- Imported Debian patch 1.5.7-2 Erik Wenzel 15 years ago
- Imported Debian patch 1.5.7-1 Erik Wenzel 15 years ago
- Imported Debian patch 1.5.6-1 Erik Wenzel 15 years ago
- Imported Debian patch 1.5.2-3 Erik Wenzel 15 years ago
- Imported Debian patch 1.5.2-2 Erik Wenzel 15 years ago
- Imported Debian patch 1.5.2-1 Erik Wenzel 15 years ago
- Imported Debian patch 1.4.1-1 Erik Wenzel 15 years ago
- Imported Upstream version 1.4.1 Erik Wenzel 15 years ago