Hi, I am trying to make all kinds of scripts for our company to measure the backbone traffic. Before I start, I must first understand NetFlow and the way it measures. I've attached a PNG file with our network and the places where I put the 'ip route-cache flow' command. Green dots are interfaces to measure outbound and red dots are interfaces to measure inbound.
First I made 2 scripts to determine the incoming/outgoing, because I
want to be sure that the scripts and filters I make are correct, I check
those against all data.
all data:
flow-cat /data/2005-02-09/ft-v05.2005-02-09.123722+0100 | flow-stat -f15
# Octets Packets MBytes
#
20934728442 39051555 20934.728
incoming-data:
flow-cat /data/2005-02-09/ft-v05.2005-02-09.123722+0100 | flow-nfilter -f nfilter-file -F all-incoming-traffic | flow-stat -f15
# Octets Packets MBytes
#
12443827147 20067449 12443.827
outgoing-data:
flow-cat /data/2005-02-09/ft-v05.2005-02-09.123722+0100 | flow-nfilter -f nfilter-file -F all-outgoing-traffic | flow-stat -f15
# Octets Packets MBytes
#
7216875959 16302298 7216.876
The total of 12443.827 + 7216.876 = 19660.703 MB
But the 'real' total from the flow-stat without filter was 20934.728, so I
am short 1274.025 MB in 5 minutes!!!
So I thought the total also included 'inter-core' (traffic between
core routers). That's why I made the inter-backbone filter.
flow-cat /data/2005-02-09/ft-v05.2005-02-09.123722+0100 | flow-nfilter -f nfilter-file -F inter-backbone | flow-stat -f15
# Octets Packets MBytes
#
3071929966 4910315 3071.930
This is way too much......so I'm desperate now....I can't find where the
difference is coming from and it stops me from going on with
making a nice application for my company.
Please can somebody think with me on this!! That would be great!!
Greetz,
Jeroen Wolff
Netherlands
nfilter-file:
filter-primitive asd7ro1
  type ip-address
  permit 195.7.128.252

filter-primitive asd7ro3
  type ip-address
  permit 195.7.128.251

filter-primitive asd10ro1
  type ip-address
  permit 195.7.128.250

filter-primitive telia-if-asd7ro3
  type ifindex
  permit 4

filter-primitive amsix-if-asd7ro3
  type ifindex
  permit 3

filter-primitive carrier1-if-asd7ro1
  type ifindex
  permit 5

filter-primitive tsystems-if-asd7ro1
  type ifindex
  permit 2

filter-primitive amsix-if-asd10ro1
  type ifindex
  permit 9

filter-primitive carrier1-if-asd10ro1
  type ifindex
  permit 1

filter-primitive globalx-if-asd10ro1
  type ifindex
  permit 6

filter-primitive po1-0-asd7ro3
  type ifindex
  permit 1

filter-primitive fa2-0-asd7ro3
  type ifindex
  permit 5

filter-primitive po10-1-0-asd10ro1
  type ifindex
  permit 1

filter-primitive fa5-0-0-asd7ro1
  type ifindex
  permit 4

filter-definition all-outgoing-traffic
  match ip-exporter-address asd7ro3
  match output-interface telia-if-asd7ro3
  or
  match ip-exporter-address asd7ro3
  match output-interface amsix-if-asd7ro3
  or
  match ip-exporter-address asd10ro1
  match output-interface carrier1-if-asd10ro1
  or
  match ip-exporter-address asd10ro1
  match output-interface globalx-if-asd10ro1
  or
  match ip-exporter-address asd7ro1
  match output-interface tsystems-if-asd7ro1
  or
  match ip-exporter-address asd7ro1
  match output-interface carrier1-if-asd7ro1

filter-definition all-incoming-traffic
  match ip-exporter-address asd7ro3
  match input-interface telia-if-asd7ro3
  or
  match ip-exporter-address asd7ro3
  match input-interface amsix-if-asd7ro3
  or
  match ip-exporter-address asd10ro1
  match input-interface carrier1-if-asd10ro1
  or
  match ip-exporter-address asd10ro1
  match input-interface globalx-if-asd10ro1
  or
  match ip-exporter-address asd7ro1
  match input-interface tsystems-if-asd7ro1
  or
  match ip-exporter-address asd7ro1
  match input-interface carrier1-if-asd7ro1

filter-definition inter-backbone
  match ip-exporter-address asd7ro1
  match output-interface fa5-0-0-asd7ro1
  or
  match ip-exporter-address asd7ro3
  match output-interface fa2-0-asd7ro3
  or
  match ip-exporter-address asd7ro3
  match output-interface po1-0-asd7ro3
  or
  match ip-exporter-address asd10ro1
  match output-interface po10-1-0-asd10ro1
<<flow-export.png>>
_______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
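
One way to check whether the three filter-definitions in the message above split the flows into non-overlapping groups, as an added example that is not part of the original post. The exporter addresses and ifIndex values are copied from the posted nfilter-file; the flow records, their field names and ifIndex 7 and 8 are constructed for illustration.

```python
from collections import defaultdict

# Exporter -> ifIndex sets, copied from the primitives the post's filters use.
BORDER = {"195.7.128.251": {4, 3},   # asd7ro3: telia, amsix
          "195.7.128.250": {1, 6},   # asd10ro1: carrier1, globalx
          "195.7.128.252": {2, 5}}   # asd7ro1: tsystems, carrier1
CORE = {"195.7.128.252": {4},        # asd7ro1: fa5-0-0
        "195.7.128.251": {5, 1},     # asd7ro3: fa2-0, po1-0
        "195.7.128.250": {1}}        # asd10ro1: po10-1-0
# (filter name, flow field it tests, interface table), mirroring the definitions
RULES = [("all-incoming-traffic", "input", BORDER),
         ("all-outgoing-traffic", "output", BORDER),
         ("inter-backbone", "output", CORE)]

# Constructed sample flow records; ifIndex 7 and 8 are made up.
FLOWS = [
    {"exporter": "195.7.128.251", "input": 4, "output": 5, "octets": 1000},
    {"exporter": "195.7.128.251", "input": 4, "output": 3, "octets": 200},
    {"exporter": "195.7.128.252", "input": 4, "output": 2, "octets": 300},
    {"exporter": "195.7.128.252", "input": 7, "output": 8, "octets": 50},
    {"exporter": "195.7.128.250", "input": 9, "output": 1, "octets": 400},
]

def classify(flow):
    """Names of every filter-definition this flow record would pass."""
    return {name for name, field, table in RULES
            if flow[field] in table.get(flow["exporter"], ())}

def per_filter(flows):
    """Octets each filter reports on its own (flow-nfilter -F ... | flow-stat)."""
    sums = defaultdict(int)
    for f in flows:
        for name in classify(f):
            sums[name] += f["octets"]
    return dict(sums)

def reconcile(flows):
    """Octets per exact combination of matched filters; buckets never overlap."""
    totals = defaultdict(int)
    for f in flows:
        totals["+".join(sorted(classify(f))) or "unmatched"] += f["octets"]
    return dict(totals)

def shared_ifindexes():
    """ifIndex values one exporter has in both the border and the core table."""
    return {e: BORDER[e] & CORE[e] for e in BORDER if BORDER[e] & CORE.get(e, set())}

if __name__ == "__main__":
    print(per_filter(FLOWS), reconcile(FLOWS), shared_ifindexes(), sep="\n")
```

Unlike the per-filter sums, the buckets returned by `reconcile` always add up to the unfiltered total, so they show which filter combinations and unmatched flows account for a difference.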
