I have done something similar, however I used a different approach. Using flowcat, flowfilter etc. I generated the output I needed. From the analysis of this data, I created a list of the most frequently used ports (ssh, telnet, ftp, rdp etc.).

Make sure you have a totaldata variable somewhere, to have a reference on the data found. Create a job to update these specific ports. Add an rrd db for tcp, udp and icmp. Create a graph where the data of all ports is stacked using different colors. On top, the line with totaldata, and color the difference. In the same graph, multiplied by -1, create a graph for tcp, udp and icmp.

For me, this has given great insight into traffic patterns and analysis of whether things were different than normal. Additionally, I created a small job to display the top50 from netflow in a table on a webserver - combined with the rrd graph, the tooling to defend.

hth
paul

On Thu, 19 May 2005 15:41:54 -0500 "Vial, Sylvain" <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm actually working on a perl script to provide the top ten for source
> ip addresses and destination ports for the tcp/udp protocols.
> I use the netflow tools (flow-cat, flow-report) to generate the top ten and
> I've created rrd files to generate graphs as you can find on the honeynet
> brazilian project
> (http://www.honeypots-alliance.org.br/stats/flows/tcp-udp/).
> My problem is that I generate an rrd for each ip address and each port I
> detect in my ft files (flow capture).
> Each file takes 3MB of hard disk space, so in the end it takes a huge amount of space
> on my pc.
> I'm like a rookie with rrdtool and perl, so if someone could explain to me
> why it takes so much space and if there exists a better way to realize the
> same thing as brazilian.br, it would be great.
> Thanks for your help.
>
> Sylvain VIAL
> --
> Unsubscribe mailto:[EMAIL PROTECTED]
> Help mailto:[EMAIL PROTECTED]
> Archive http://lists.ee.ethz.ch/rrd-users
> WebAdmin http://lists.ee.ethz.ch/lsg2.cgi
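The layout Paul describes (a single RRD holding one data source per frequent port plus totaldata and tcp/udp/icmp, the ports stacked in different colours with the difference to totaldata on top, and the protocol split mirrored below the axis via a multiply by -1), written out as the rrdtool command lines it needs. This is an added example, not code from either poster; the port list, colours, 5-minute step and GAUGE data-source type are assumptions, and the script only executes rrdtool if it is installed, otherwise it prints the commands.

```python
import shutil
import subprocess

# Assumed "most frequently used ports"; Paul derived his list from flow analysis.
PORTS = {"ssh": 22, "telnet": 23, "ftp": 21, "rdp": 3389}
PROTOS = ["tcp", "udp", "icmp"]
COLORS = ["#1f77b4", "#ff7f0e", "#2ca02c", "#d62728"]
STEP = 300  # assumed 5-minute flow-capture interval
SERIES = list(PORTS) + ["totaldata"] + PROTOS

def create_args(rrd="netflow.rrd"):
    """One RRD for all series, instead of one 3MB file per IP address and port."""
    args = ["rrdtool", "create", rrd, "--step", str(STEP)]
    # Bytes per interval are stored as absolute values, hence GAUGE (assumption).
    args += [f"DS:{n}:GAUGE:{2 * STEP}:0:U" for n in SERIES]
    # 7 days at 5 min, then 60 days at 1 h.
    args += ["RRA:AVERAGE:0.5:1:2016", "RRA:AVERAGE:0.5:12:1440"]
    return args

def update_args(counts, rrd="netflow.rrd", ts="N"):
    """counts maps every series name to the bytes seen in the last interval."""
    missing = [n for n in SERIES if n not in counts]
    if missing:
        raise ValueError(f"missing series: {missing}")
    values = ":".join(str(counts[n]) for n in SERIES)
    return ["rrdtool", "update", rrd, "--template", ":".join(SERIES), f"{ts}:{values}"]

def graph_args(rrd="netflow.rrd", png="netflow.png"):
    """Ports stacked, 'other' and total on top, protocols mirrored below zero."""
    args = ["rrdtool", "graph", png, "--start", "-1d", "--vertical-label", "bytes"]
    args += [f"DEF:{n}={rrd}:{n}:AVERAGE" for n in SERIES]
    for i, (name, color) in enumerate(zip(PORTS, COLORS)):
        args.append(f"AREA:{name}{color}:{name}/{PORTS[name]}" + (":STACK" if i else ""))
    # The difference between totaldata and the known ports, coloured on top of the stack.
    args.append("CDEF:other=" + ",".join(["totaldata"] + [f"{n},-" for n in PORTS]))
    args += ["AREA:other#cccccc:other ports:STACK", "LINE2:totaldata#000000:total"]
    for i, (proto, color) in enumerate(zip(PROTOS, COLORS)):
        args.append(f"CDEF:neg_{proto}={proto},-1,*")  # multiplied by -1
        args.append(f"AREA:neg_{proto}{color}:{proto}" + (":STACK" if i else ""))
    return args

if __name__ == "__main__":
    # Constructed sample interval: 20 bytes in total, split by port and protocol.
    sample = {"ssh": 6, "telnet": 2, "ftp": 3, "rdp": 4, "totaldata": 20,
              "tcp": 15, "udp": 4, "icmp": 1}
    cmds = [create_args(), update_args(sample), graph_args()]
    if shutil.which("rrdtool"):
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    else:
        print("\n".join(" ".join(c) for c in cmds))
```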
