閱讀文章 - 精華區 FreeBSD

看板FreeBSD

標題[doc] fprobe+flow-tools+nctu_netflow

發信站台大電機 Maxwell BBS (Wed Aug 20 00:44:31 2003)

轉信站ptt!ctu-reader!ctu-peer!news.nctu!freebsd.ntu!bbs.ee.ntu!Maxwell

[前言] 一直在找好用的網路流量分析工具。 mrtg 雖然好用，可是如果不自己寫 snmp mibs 或是 scripts，只能抓total的流量。 ntop 又太肥，又不能限制存取，還有安全上的問題。就在有一天問 Google 的時候，找到了下面的軟體: fprobe 還有 flow-tools。 [說明] 其實 flow-tools 原本是設計來抓 netflow 的資料用的。 netflow 是 Cisco Router 7 系列的一個功能。現在 fprobe 就是讓 FreeBSD box 也可以送出 netflow data 給 collector。 [安裝] # cd /usr/ports/net/fprobe; make install clean # cd /usr/ports/net/flow-tools; make install clean 裝好之後，先啟動 flow-capture: # flow-capture -z 6 -n 143 -e 1500 -w /netflow 127.0.0.1/127.0.0.1/9991 -z 壓縮比例 -n 每日留存幾份 -e 總共留存幾份在硬碟 -w 存在哪裡 localip/remoteip/port 再啟動 fprobe: # fprobe localhost:9991 這樣就完成了擷取流量的程式建置。用 flow-print 可以印出蒐集到的資料。接下來剩下的就是如何分析它了。這裡我們用的是交大寫的 script: http://netflow.nctu.edu.tw/public/isp.tgz 下載回來後，用 tar 解開，按照 http://netflow.nctu.edu.tw/netflow.html 修改需要修改的內容。不過要注意的是，因為這個 script 是為舊版本的 flow-capture 設計的，所以在檔案名稱還有紀錄格式上稍有不同，要記得改程式碼。 --- isp-daily.pl.old Sun Oct 11 03:02:30 1998 +++ isp-daily.pl Wed Aug 20 00:35:17 2003 @@ -1,10 +1,11 @@ -#!/usr/local/bin/perl5 +#!/usr/bin/perl # # 86400 was decreased because we are calculating yesterday's data. # ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) ocaltime(time-86400); $mon++; +$year+00; # # 1. check in-interface and out-interface to make sure if we need this flow @@ -25,15 +26,15 @@ # $outputdir is where the output files should be # $rawdir /home/netflow/raw"; -$flowprint /home/netflow/bin/flow-print"; +$flowprint /usr/local/bin/flow-print"; $outputdir /usr/local/www/data/netflow/daily"; -$htmldir printf ("%s/html/%02d%02d%02d", $outputdir, $year, $mon, $mday); +$htmldir printf ("%s/html/%04d%02d%02d", $outputdir, $year, $mon, $mday); $textdir printf ("%s/text", $outputdir); $rawoutput printf ("%s/raw", $outputdir); $TopN 0; $protfile $dir/protocols"; $servfile $dir/services"; @@ -49,14 +50,23 @@ &init_serv( $servfile ); &init_InNet( $intranet ); -$file printf ("%02d-%02d-%02d", $mon, $mday, $year); +# modified by [email protected], 2003/07/13 -for ($i $i<144; $i++) { -# print "now: $file.$i\n"; - open FLOWDATA, "$flowprint -f0 < $rawdir/$file.$i |" || die $!; +$dir printf ("%04d/%04d-%02d/%04d-%02d-%02d", + $year, $year, $mon, $year, $mon, $mday); + +opendir DIRREF, "$rawdir/$dir" || die $!; + +@flowfiles rep /^ft/, readdir DIRREF; + +closedir DIRREF; + + +#for ($i $i<24; $i++) { +foreach (@flowfiles) { + open FLOWDATA, "$flowprint -f0 < $rawdir/$dir/$_ |" || die $!; while (<FLOWDATA>) { -#while (<STDIN>) { chomp; # @@ -72,16 +82,11 @@ # The reason we use substr and index instead of split is due to the # consideration of efficiency. # + ($sif, $src, $dif, $dst, $proto, $sp, $dp, $pkts, $size) plit /\s+/ , $_; - $sif ubstr($_, 0, index($_, ' ', 0)); - $src ubstr($_, 4, index($_, ' ', 4) - 4); - $dif ubstr($_, 21, index($_, ' ', 21) - 21); - $dst ubstr($_, 25, index($_, ' ', 25) - 25); - $proto ubstr($_, 41, index($_, ' ', 41) - 41); - $sp ubstr($_, 44, index($_, ' ', 44) - 44); - $dp ubstr($_, 51, index($_, ' ', 51) - 51); - $pkts ubstr($_, 58, index($_, ' ', 58) - 58); - $size ubstr($_, 69, index($_, ' ', 69) - 69); + $proto媖($proto); + $sp媖($sp); + $dp媖($dp); # # the unit of $pkts is Kilo @@ -172,7 +177,7 @@ # Such as the summation of each kind of traffic. # sub daily_summary { - my($net) ISP"; + my($net) ericlin.cabin.idv.tw"; my($io, $sd, $port, $ip); foreach $io ("IN", "OUT") { foreach $sd ("SRC", "DST") { @@ -267,19 +272,19 @@ } sub daily_summary_html { - my($net) ISP"; + my($net) ericlin.cabin.idv.tw"; open FILE, ">$htmldir/summary.html" or die $!; printf FILE ("<html>\n<body bgcolor#ffffff\">\n"); - printf FILE ("<title>%02d-%02d-%02d Statistics </title>\n", $year, $mon, $mday); + printf FILE ("<title>%04d-%02d-%02d Statistics </title>\n", $year, $mon, $mday); print FILE "<center>\n"; - printf FILE ("%02d-%02d-%02d Traffic Statistics\n", $year, $mon, $mday); + printf FILE ("%04d-%02d-%02d Traffic Statistics\n", $year, $mon, $mday); printf FILE ("<br>\n"); print FILE "<table>\n"; print FILE "<table borderwidth耥>\n"; - print FILE "<tr bgcoloroletred><td alignght>Direction<td alignght>Flows<td alignght>KPackets<td alignght>MBytes</tr>\n"; + print FILE "<tr bgcolorghtskyblue><td alignght>Direction<td alignght>Flows<td alignght>KPackets<td alignght>MBytes</tr>\n"; foreach $io ("IN", "OUT") { @@ -310,7 +315,7 @@ print FILE "<table>\n"; print FILE "<table borderwidth耥>\n"; print FILE "<caption>$description Traffic</caption>\n"; - print FILE "<tr bgcoloroletred><td alignght>Application<td alignght>F lows<td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; + print FILE "<tr bgcolorghtskyblue><td alignght>Application<td aligngh t>Flows<td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; for ($i $i<20; $i++) { if (${$net.$io.SUM.$sorted[$i].SIZE}) { printf FILE ("<tr><td alignght bgcolorghtyellow>%s<td alignght> %11d<td alignght>%7.3f%%<td alignght> %11.3f<td alignght>%7.3f%%<td alignght> %11.3f<td alignght>%7.3f%%</tr>\n", @@ -348,16 +353,16 @@ $iosd OUTSRC"; $description Outgoing"; } - my($file) printf ("%02d%02d%02d-%s", $year, $mon, $mday, $io); - my($raw) printf ("%02d%02d%02d-%s", $year, $mon, $mday, $io); + my($file) printf ("%04d%02d%02d-%s", $year, $mon, $mday, $io); + my($raw) printf ("%04d%02d%02d-%s", $year, $mon, $mday, $io); my($html) printf ("classc-%s.html", $io); open FILE, ">$textdir/$file" or die $!; open RAW, ">$rawoutput/$raw" or die $!; open HTML, ">$htmldir/$html" or die $!; printf HTML ("<html>\n<body bgcolor#ffffff\">\n", $year, $mon, $mday); - printf HTML ("<title>%02d-%02d-%02d Statistics of CLASSC Traffic</title>\n", $year, $mon, $mday); + printf HTML ("<title>%04d-%02d-%02d Statistics of CLASSC Traffic</title>\n", $year, $mon, $mday); print HTML "<center>\n"; - printf HTML ("%02d-%02d-%02d Statistics of <font color笹>CLASSC %s</font> Traffic\n", $year, $mon, $mday, $io); + printf HTML ("%04d-%02d-%02d Statistics of <font color笹>CLASSC %s</font> Traffic\n", $year, $mon, $mday, $io); printf HTML ("<br>\n"); print HTML "<table>\n"; print HTML "<table borderwidth耥>\n"; @@ -397,7 +402,7 @@ ${$iosd.SUM}{$port}{$ip} {$net.$iosd.$port.SIZEC}{$ip}; if (${$iosd.SUM}{total}{$ip}) { if ($port eq "total") { - $perc ${$iosd.SUM}{total}{$ip}/${ISP.$io.SUM.total.SIZE})*100; + $perc ${$iosd.SUM}{total}{$ip}/${$net.$io.SUM.total.SIZE})*100; printf FILE ("%12s %8.2f %6.2f ", $ip, ${$iosd.SUM}{total}{$ip}, $perc); printf HTML ("<tr bgcolorghtblue><td bgcolornk>%12s <td>%8.2f <td>%6.2f ", $ip, ${$iosd.SUM}{total}{$ip}, $perc); } @@ -425,7 +430,7 @@ sub daily_classc_fps_text_output { my($i,$j); - my($file) printf ("%02d%02d%02d", $year, $mon, $mday); + my($file) printf ("%04d%02d%02d", $year, $mon, $mday); open FILE, ">$textdir/$file" or die $!; print FILE " Subnet InFlow InKPkts InMBytes OutFlow OutKPkts OutMBytes\n"; foreach $i (@output_network) { @@ -477,20 +482,20 @@ open FILE, ">$file" or die $!; printf FILE ("<html>\n<body bgcolor#ffffff\">\n", $year, $mon, $mday, $port); - printf FILE ("<title>%02d-%02d-%02d Statistics of %s Traffic</title>\n", $year, $mon, $mday, $service{$port}); + printf FILE ("<title>%04d-%02d-%02d Statistics of %s Traffic</title>\n", $year, $mon, $mday, $service{$port}); print FILE "<center>\n"; - printf FILE ("%02d-%02d-%02d Statistics of <font color笹>%s</font> Traffic\n", $year, $mon, $mday, $service{$port}); + printf FILE ("%04d-%02d-%02d Statistics of <font color笹>%s</font> Traffic\n", $year, $mon, $mday, $service{$port}); printf FILE ("<br>\n"); print FILE "<table>\n"; print FILE "<table borderwidth耥>\n"; if ($sd eq "SRC") { - print FILE "<tr bgcoloroletred><td alignght>Source<td alignght>Flows<td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; + print FILE "<tr bgcolorghtskyblue><td alignght>Source<td alignght>Flows< td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; } else { - print FILE "<tr bgcoloroletred><td alignght>Destination<td alignght>Flow s<td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; + print FILE "<tr bgcolorghtskyblue><td alignght>Destination<td alignght>F lows<td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; } # first, print the "type" to "total" ratio @@ -537,20 +542,20 @@ my($file) printf ("%s/%s-%s-%s-%s-CLASSC.html", $htmldir, $net, $service{$port}, $io, $sd); open FILE, ">$file" or die $!; printf FILE ("<html>\n<body bgcolor#ffffff\">\n", $year, $mon, $mday, $port); - printf FILE ("<title>%02d-%02d-%02d Statistics of %s Traffic</title>\n", $year, $mon, $mday, $service{$port}); + printf FILE ("<title>%04d-%02d-%02d Statistics of %s Traffic</title>\n", $year, $mon, $mday, $service{$port}); print FILE "<center>\n"; - printf FILE ("%02d-%02d-%02d Statistics of <font color笹>%s</font> Traffic\n", $year, $mon, $mday, $service{$port}); + printf FILE ("%04d-%02d-%02d Statistics of <font color笹>%s</font> Traffic\n", $year, $mon, $mday, $service{$port}); printf FILE ("<br>\n"); print FILE "<table>\n"; print FILE "<table borderwidth耥>\n"; if ($sd eq "SRC") { - print FILE "<tr bgcoloroletred><td alignght>Source<td alignght>Flows<td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; + print FILE "<tr bgcolorghtskyblue><td alignght>Source<td alignght>Flows< td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; } else { - print FILE "<tr bgcoloroletred><td alignght>Destination<td alignght>Flow s<td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; + print FILE "<tr bgcolorghtskyblue><td alignght>Destination<td alignght>F lows<td alignght>%<td alignght>KPackets<td alignght>%<td alignght>MBytes<td alignght>%</tr>\n"; } # first, print the "type" to "total" ratio 改完之後放到 /etc/daily.local 跑就可以了。 -- ※ Origin: 臺大電機 Maxwell 站 ◆ From: u109-82.u61-71.giga.net.tw