Damien Miller's flowd collector (http://www.mindrot.org/projects/flowd)
can collect Netflow v1/v5/v7/v9 and export in a form compatible with
flow-tools' flow-import. 

It's a quick way to get V9 collection working with all your existing
flow-tools reports, tagging, filters, etc. Naturally it only supports
V5 fields (use 'record netflow-original' when setting up Cisco flexible
netflow). Below is a crontab script to automate the flowd->flow-tools
move.

As a side note, Cisco IOS 12.4(22)T finally supports native V5 export
from flexible netflow.

As another side note, flowd also supports multicast listening.

-Craig



#!/usr/bin/perl
# "flowd2ft" crontab script to move flowd capture files into flow-tools
use strict;
use warnings;

# -- flow-tools variables
our $ftImport = "/usr/local/netflow/bin/flow-import";   # where ft's flow-import is
our $ftDir    = "/var/log/flow-tools-capture";          # where ft's capture files go
our $ftTZ     = "-0500";                                # timezone for ft capture files
our $ftPeriod = 300;                                    # seconds per ft capture file and cron interval

# -- flowd variables
our $flowdReader = "/usr/local/bin/flowd-reader";       # where flowd-reader is
our $flowdConf   = "/usr/local/etc/flowd.conf";         # where flowd.conf is
our $flowdSig    = "USR1";                              # SIGUSR1 tells flowd to reopen its logfile
our ($flowdPid, $flowdLog);

# name the ft file after the start of the period that just finished
our ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time - $ftPeriod);
our $ftFile = sprintf("ft-v05.%04d-%02d-%02d.%02d%02d%02d$ftTZ", $year + 1900, $mon + 1, $mday, $hour, $min, $sec);

# pull the logfile and pidfile paths (quoted or bare) out of flowd.conf
open(IN, '<', $flowdConf) || die "Could not read $flowdConf: $!";
while ( <IN> ) {
        if (/^\s*logfile\s+"?([^"\s]+)/) { $flowdLog = $1; }
        if (/^\s*pidfile\s+"?([^"\s]+)/) { $flowdPid = $1; }
}
close(IN);

die "no logfile directive in $flowdConf" unless defined $flowdLog;
die "no pidfile directive in $flowdConf" unless defined $flowdPid;

exit if (! -f $flowdLog); # exit silently if flowd has not written a logfile yet

die "$flowdPid does not exist: $!" if (! -f $flowdPid);
open(PID, '<', $flowdPid) || die "Could not read $flowdPid: $!";
my $pid = <PID>;
close(PID);
chomp $pid;
die "$flowdPid contains no pid" unless defined $pid && $pid =~ /^\d+$/;

# rotate: move the log aside, then signal flowd so it reopens a fresh one
rename($flowdLog, "$flowdLog.tmp") || die "Could not rename $flowdLog: $!";
die "$flowdPid ($pid) invalid: $!" if (! kill $flowdSig, $pid);
sleep 1;   # let flowd finish any in-flight write to the old file before reading it

# convert: flowd-reader CSV (-c) -> flow-import CSV (-f 2), emit a compressed v5 ft file
my $cmd = "$flowdReader -c $flowdLog.tmp | $ftImport -f 2 -V 5 -z 1 > $ftDir/$ftFile";
system($cmd) == 0 || die "conversion failed ($cmd): $?";
unlink("$flowdLog.tmp") || die "Could not unlink $flowdLog.tmp: $!";

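The configuration the post assumes at both ends, as an added example that is not part of the original post or of the flowd project: a minimal flowd.conf carrying the `logfile` and `pidfile` directives the script above parses, and an IOS Flexible NetFlow exporter using `record netflow-original` so that only V5 fields are exported. The collector address, UDP port, interface and the object names are made up for illustration.

```text
# --- flowd.conf on the collector (assumed paths; match the script's $flowdConf)
listen on 0.0.0.0:12345
logfile "/var/log/flowd.bin"
pidfile "/var/run/flowd.pid"
store ALL
accept all

# --- Cisco IOS Flexible NetFlow on the exporter (example names, example collector 192.0.2.10)
flow exporter FLOWD-EXPORTER
 destination 192.0.2.10
 transport udp 12345
 export-protocol netflow-v9
!
flow monitor FLOWD-MONITOR
 record netflow-original
 exporter FLOWD-EXPORTER
 cache timeout active 60
!
interface GigabitEthernet0/1
 ip flow monitor FLOWD-MONITOR input
```

`record netflow-original` keeps the V9 templates to the classic V5 field set, which is what lets `flowd-reader -c | flow-import -f 2 -V 5` produce files your existing flow-tools reports and filters already understand. The `logfile` and `pidfile` lines must be present (quoted or bare) or the script will die before rotating anything.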
_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools