hi Sebastian, any special requirements on Cflow or gnuplot version? for png output I get only:
$ ./flow-histogram -network x.x.x.0/24 \
    -read ft-v05.2006-02-15.221539+0100 -write histogram.png
Illegal division by zero at ./flow-histogram line 729.

csv output works apparently correctly, though.

cheers,
Kresimir

On Wed, Feb 15, 2006 at 11:08:34PM +0100, Sebastian Krieger wrote:
> Hi,
>
> here is my revenge for all the great support I got from the list in the
> past ;-) Maybe it is useful for someone.
>
> I wrote a little perl script to create histograms for netflow data.
> Either you can plot the data to a png or you write it in csv format. It
> is possible to define several networks as local for a graph. E.g. for
> representing the traffic of a whole country even if the subnets are
> completely different. The graphs look similar to the output from
> Flowscan module JKFlow, because I was really impressed by it. But you do
> not need to pre-define sites and services etc. and you also do not need
> to store tons of data in rrd files or a database after scanning incoming
> netflow logs in realtime. If you notice you need a special histogram at
> any time you only filter the logs you want and process it by this
> script. Also you can set the interval between checkpoints to adjust the
> sampling for your graph at execution time. Unfortunately it is not
> possible to read flow data from stdin, because it is needed to read the
> data twice to prevent the script from being a memory eater. At first it
> makes service detection and collects top statistics. After that it
> evaluates the flow data based on this.
>
> The script is still dirty code but for me it works fine. Please get in
> contact with me for update issues if someone will use this script.
>
> I temporarily placed the script on...
> http://www.freewebs.com/skrieger/
>
> There you can also find a sample graph with the inbound/outbound traffic
> on a 2 Mbit line with several subnets behind by remoteips-services. I
> placed black boxes on the areas where local networks and the remoteips
> are shown to protect privacy.
>
> Bye
> Sebastian
>
>
> <<< Perl Modules: >>>
>
> The following perl modules are used:
>
> use Cflow;
> use Net::Patricia;
> use Getopt::Long;
> use POSIX qw(ceil);
> use Date::Manip;
>
>
> <<< Gnuplot Version: >>>
>
> In my environment it works great to generate the graphs in png format
> with gnuplot version 4.0 patchlevel 0.
> In lower versions of gnuplot the syntax is different and this may result
> in an error.
> It's not needed to use a higher version of gnuplot than 4.0 p0 with the
> known stacking options, because the stacking/cumulation is calculated
> within the perl script.
>
>
> <<< Filtering Netflow Data: >>>
>
> You should better pre-filter your netflow logs with e.g. flow-nfilter
> because it's faster than matching only by Net::Patricia perl module.
>
>
> <<< Usage for flow-histogram: >>>
>
> Usage: flow-histogram -network <IP/MASK[,IP/MASK]> -read <FILE> -write
> <FILE> [ -options ]
>
> -network <IP/MASK> = Local network(s) with in/out (e.g.
> 192.168.1.0/24[,10.1.1.0/24])
> -read <FILE> = Input file with flows (binary flow-tools format)
> -write <FILE> = Output file for graph
> -interval <SECONDS> = Stat interval for graph in seconds (default: 300)
> -top <COUNT> = Show only top rows in graph with others (default: 10)
> -unit <UNIT> = Calc values into special unit (default: Kbits/s)
> -show <FIELD> = [protocols|services|remoteips|localips] (default:
> services)
> or combination [remoteips-services|localips-services]
> -output <TYPE> = Type of output [plot|csv] (default: plot)
> -version = This help
> -help = This help
>
> flow-histogram 1.5, 12.02.2006 by skr
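The two-pass approach described in the quoted announcement (top statistics first, then per-interval evaluation with the rest folded into "others"), as an added Python sketch that is not part of the thread and not Sebastian's script. It assumes a service is identified by destination port and that 1 Kbit is 1000 bits; the flow records and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample flows: (unix_time, dst_port, octets). Not real traffic.
FLOWS = [
    (1000, 80, 30000), (1010, 25, 4000), (1100, 80, 60000),
    (1290, 53, 500), (1310, 80, 15000), (1400, 22, 9000),
    (1599, 25, 6000),
]

def read_flows():
    """Stand-in for re-opening the flow file; each call is one full pass."""
    return iter(FLOWS)

def top_services(top):
    """Pass 1: sum octets per service (assumed: dst port), keep the top N."""
    totals = Counter()
    for _, port, octets in read_flows():
        totals[port] += octets
    return [port for port, _ in totals.most_common(top)]

def histogram(top=2, interval=300):
    """Pass 2: bucket octets per interval and convert to Kbits/s.

    Only the top-N keys plus 'others' are kept per bucket, so memory use
    does not grow with the number of distinct services in the input.
    """
    if interval <= 0:
        raise ValueError("interval must be a positive number of seconds")
    keep = set(top_services(top))
    buckets = defaultdict(Counter)
    for ts, port, octets in read_flows():
        start = ts - ts % interval          # checkpoint this flow falls into
        key = port if port in keep else "others"
        buckets[start][key] += octets
    return {
        start: {k: v * 8 / 1000 / interval for k, v in row.items()}
        for start, row in sorted(buckets.items())
    }

if __name__ == "__main__":
    for start, row in histogram().items():
        print(start, row)
```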
