We'll peer with one company, which will announce about 100
prefixes to us (I know the AS-set they will announce to us). I made a
"peering.acl" file, which contains lines:
ip access-list standard peer permit I.I.P.P M.A.S.K
..where I.I.P.P is a network address and M.A.S.K is a wildcard mask.
"peering.acl" will end with:
ip access-list standard peer deny any
Once the ACL is ready, I'm able to find the amount of octets
sent/received from the networks in "peering.acl":
$ sum=0; for num in `flow-cat /usr/local/netflow/dat/ft/router/2011/2011-11/2011-11-14/ft-v05.2011-11-14.100001+0200 |
    flow-filter -f peering.acl -Dpeer | flow-print | awk '{print $6}' |
    egrep "[0-9]{1,}"`; do sum=$(($sum + $num)); done; echo $sum
17436720
$
This one-liner will open the "ft-v05.2011-11-14.100001+0200" file, filter
out only those prefixes which are present in the "peering.acl" file, print
out the octets column (awk '{print $6}') and finally sum all the
numbers and print out the total summary.
As a next step I executed a similar one-liner, but now I didn't filter
out those networks in the "peering.acl" file, but instead summarised all
the octets in the "ft-v05.2011-11-14.100001+0200" file:
$ sum=0; for num in `flow-cat /usr/local/netflow/dat/ft/router/2011/2011-11/2011-11-14/ft-v05.2011-11-14.100001+0200 |
    flow-print | awk '{print $6}' | egrep "[0-9]{1,}"`; do sum=$(($sum + $num)); done; echo $sum
155329013
$
So in the ft-v05.2011-11-14.100001+0200 flowdump file the traffic from
networks in the "peering.acl" file would be 11% of total traffic. I guess
it would be smart to repeat this test with multiple flowdump files as
one flowdump file covers only 6 min.
Has anybody used a similar method for traffic analysis? Any mistakes or
comments on this? Or is there a more rational way to find out how much
traffic one can expect from an upcoming peering when the networks announced
by the peering partner are known?
regards,
martin
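
The same measurement extended to several flow files, as an added example that is not part of the original post: awk sums the octets in one pass and the share is computed directly. It assumes, as the post does, that octets are field 6 of flow-print output; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: octet share of ACL-matched traffic across several flow files.
# Assumption (taken from the post): octets are field 6 of flow-print output.

# Sum field 6 of flow-print text on stdin. Header and blank lines are
# skipped because their field 6 is not purely numeric.
sum_octets() {
    awk '$6 ~ /^[0-9]+$/ { s += $6 } END { printf "%.0f\n", s }'
}

# Percentage of peer octets in total octets, one decimal place.
share_pct() {
    awk -v p="$1" -v t="$2" 'BEGIN {
        if (t == 0) { print "0.0"; exit }
        printf "%.1f\n", 100 * p / t
    }'
}

# Usage: peer_share ACL_FILE FLOW_FILE...
# flow-cat concatenates every file given, so the result covers all the
# capture windows passed in rather than a single one. -Dpeer applies the
# "peer" ACL to destination addresses, exactly as in the post.
peer_share() {
    acl=$1; shift
    peer=$(flow-cat "$@" | flow-filter -f "$acl" -Dpeer | flow-print | sum_octets)
    total=$(flow-cat "$@" | flow-print | sum_octets)
    echo "peer=$peer total=$total share=$(share_pct "$peer" "$total")%"
}

# Constructed sample in the post's column layout (not real capture data).
sample_flows() {
    cat <<'EOF'
srcIP dstIP prot srcPort dstPort octets packets
192.0.2.10 198.51.100.5 6 51000 80 1500 3
192.0.2.11 198.51.100.6 17 53 4000 300 1
EOF
}

# With an ACL and flow files as arguments, measure them; otherwise run
# the summing step on the constructed sample.
if [ "$#" -ge 2 ]; then
    peer_share "$@"
else
    sample_flows | sum_octets
fi
```

Passing a whole day's directory of flow files as the FLOW_FILE arguments gives one share figure for the day instead of one per capture window.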