Jeremy Saunders wrote:
> Has anyone ported this, or got some form of Netflow 
> application running on a Windows 2000/2003 server?
> 
> I'm not clever enough to port it myself, and I'm not very 
> good with Linux.
> 
> Any advice would be greatly appreciated.

I don't run flow-tools on Windows/Cygwin any more. Flow-tools is now
running on a grunty AIX box, as my post-collection perl scripts were
getting a little too CPU intensive. However, I just retested on my
WinXP/Cygwin box and it seems to work fine. You don't say what went
wrong, so I presume it means you can't compile. The only other gotcha I
am aware of is that you must use the -m flag when running flow-cat.

Here's a tidied up version of the installation I just performed on
WinXP SP1 with "CYGWIN_NT-5.1 D0034111 1.5.12(0.116/4/2) 2004-11-10
08:34 i686".

Follow the installation instructions as for a normal install:

        tar -zxf flow-tools-0.66.tar.gz 
        cd flow-tools-0.66
        ./configure 
  
We can't run make yet. First edit the file lib/ftlib.h and insert the
following structure at line 473 (before the struct ftnet declaration). 

        struct cmsghdr {
                u_int32         cmsg_len;       /* data byte count, including hdr */
                int             cmsg_level;     /* originating protocol */
                int             cmsg_type;      /* protocol-specific type */
        };

This tweak came from a similar error discussed in this email:
http://www.pairlist.net/pipermail/flow-tools/2002-February/000150.html

Return to the normal installation process. There are several warnings
about deprecated syntax, but it compiled happily from this point:

        make
        make install

All the binaries are now in /usr/local/netflow/bin. You can either add
that to your path or, as I prefer, just make an environment variable:

        export NF=/usr/local/netflow/bin  

Choose somewhere to put your flow files and turn on collection (I use
UDP 9996 for my flows and use the V7 structure):

        mkdir -p /flow/v7
        cd /flow/v7
        $NF/flow-capture -N0 -z0 -V7 -n 288 -w /flow/v7 0/0/9996

Check that the process is running:
        ps --all | grep flow
I got:
     800       1     800        800    ?  500 19:17:17 /usr/local/netflow/bin/flow-capture

Then check for the existence of tmp* files in the capture directory:
        ls -l /flow/v7

Generate some noise flow data in the /flow/v7 directory:
        $NF/flow-gen.exe -V7 | $NF/flow-send 0/127.0.0.1/9996

Wait 5 minutes for tmp* to turn into ft*, then export the flow files to
CSV:

$ $NF/flow-cat -m /flow/v7/f* | $NF/flow-export -f2 | more
#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as,router_sc
0,0,0,127.0.0.1,1,1,0,4294901760,0,0,0.0.0.0,255.255.0.0,0.0.0.0,0,65280,0,65280,17,0,0,0,0,0,65280,0.0.0.0
0,0,0,127.0.0.1,2,2,1,4294901761,0,0,0.0.0.1,255.255.0.1,0.0.0.0,1,65281,1,65281,17,0,0,0,0,1,65281,0.0.0.1

Flow-filter et al are left as an exercise to the reader. :-)


HTH,

Alistair
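As an added example (not part of Alistair's post or of flow-tools itself), here is a small Python parser for the flow-export -f2 CSV format shown above, with the header and the two flow-gen rows from the post embedded as sample input; it then tallies octets per source, destination and protocol, which is the usual first step once collection is confirmed working.

```python
from collections import defaultdict

# Sample flow-export -f2 output, taken from the post above (header plus the
# two rows produced by flow-gen), with the e-mail line wrapping removed.
SAMPLE = """#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as,router_sc
0,0,0,127.0.0.1,1,1,0,4294901760,0,0,0.0.0.0,255.255.0.0,0.0.0.0,0,65280,0,65280,17,0,0,0,0,0,65280,0.0.0.0
0,0,0,127.0.0.1,2,2,1,4294901761,0,0,0.0.0.1,255.255.0.1,0.0.0.0,1,65281,1,65281,17,0,0,0,0,1,65281,0.0.0.1
"""

# Fields that hold dotted-quad addresses; every other field is an integer.
ADDR_FIELDS = {"exaddr", "srcaddr", "dstaddr", "nexthop", "router_sc"}


def parse_flow_export(text):
    """Parse flow-export -f2 (CSV) output into a list of dicts.

    The first line is the field list, prefixed with "#:"; any other line
    starting with "#" is treated as a comment. Integer fields become int.
    """
    header = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#:"):
            header = line[2:].split(",")
            continue
        if line.startswith("#"):
            continue
        if header is None:
            raise ValueError("data row before the #: header line")
        values = line.split(",")
        if len(values) != len(header):
            raise ValueError("field count mismatch in row: %r" % line)
        rec = {}
        for name, val in zip(header, values):
            rec[name] = val if name in ADDR_FIELDS else int(val)
        records.append(rec)
    return records


def octets_by_pair(records):
    """Sum doctets per (srcaddr, dstaddr, prot) key."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["srcaddr"], r["dstaddr"], r["prot"])] += r["doctets"]
    return dict(totals)


if __name__ == "__main__":
    for key, octets in sorted(octets_by_pair(parse_flow_export(SAMPLE)).items()):
        print(key, octets)
```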





_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools