On Thursday 19 May 2005 16:56, Robert S. Galloway wrote:
> Here are some graphs. Everything was good until Tuesday morning then it
> just all blew up.
>

Unfortunately, the graphs only tell part of the story. SMTP, HTTP, and "other services" seem to be the bulk of the flows, but where are they coming from and going to? Have you tried flow-print or flow-stat to find out source and destination addresses and ports? They will be far more useful in tracking down the actual cause.

For example:

  flow-stat -f9 -S1 < ft-v05.2005-05-19.172500-0400

would give you the source of the most flows for that period.

  flow-stat -f5 -S1 < ft-v05xxxxxxx
  flow-stat -f6 -S1 < ft-v05xxxxxxx

would list the destination and source ports. See the man page for other options. You can also use flow-cat for a longer time span.

Once you've identified the IPs and ports involved you can do a flow-print -f5 on the file(s) and awk or grep for the particulars. Or better yet, use flow-nfilter and/or flow-report. They require a little more work to set up.

Zoltan
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
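The same triage that the reply describes (top sources, top ports, then the individual flows behind them), as an added shell example that is not from the original thread or from the flow-tools project. It works on a constructed sample in a flow-print-like one-line-per-flow layout; the column positions are an assumption, so adjust the awk field numbers to the flow-print format you actually export.

```shell
#!/bin/sh
# Constructed sample, one flow per line (NOT real flow-print output; the
# column order below is an assumption): srcIP srcPort dstIP dstPort proto pkts octets
SAMPLE_FLOWS='10.0.0.5 43211 192.0.2.10 25 6 12 9800
10.0.0.5 43212 192.0.2.11 25 6 10 8100
10.0.0.5 43213 192.0.2.12 25 6 11 8900
10.0.0.7 51000 192.0.2.20 80 6 40 61000
10.0.0.9 51001 192.0.2.20 80 6 35 52000
10.0.0.5 43214 192.0.2.13 25 6 9 7000'

# top_by FIELD N: count flows and sum octets per key (column FIELD) and
# print the N keys with the most flows as "key flows octets".
top_by() {
    awk -v f="$1" '
        { flows[$f]++; octets[$f] += $7 }
        END { for (k in flows) print k, flows[k], octets[k] }
    ' | sort -k2,2nr -k1,1 | head -n "$2"
}

# Wrappers that mirror flow-stat -f9 (source address), -f5 (destination
# port) and -f6 (source port) over the sample; argument is how many to show.
top_sources()   { printf '%s\n' "$SAMPLE_FLOWS" | top_by 1 "$1"; }
top_dst_ports() { printf '%s\n' "$SAMPLE_FLOWS" | top_by 4 "$1"; }
top_src_ports() { printf '%s\n' "$SAMPLE_FLOWS" | top_by 2 "$1"; }

# flows_for SRC DSTPORT: pull out the individual flows behind a top entry,
# the equivalent of grepping flow-print output for the particulars.
flows_for() {
    printf '%s\n' "$SAMPLE_FLOWS" | awk -v s="$1" -v p="$2" '$1 == s && $4 == p'
}
```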
