[Flow-tools] Filtering flows by packet rate
Chris Foote
chris at inetd.com.au
Mon Feb 25 00:11:10 EST 2008
Every couple of months I get bad netflow packets thrown at my flow-capture
process which put my data totals through the roof - e.g.:
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0425.00:00:16.1389 0414.08:47:58.1018 239 217.73.99.162 60667 255 203.28.113.2 27020 6 3 153 1145004070
0414.11:13:21.796 0414.11:13:24.888 240 217.73.19.225 47327 255 203.28.113.2 80 17 0 153 1410591446
I thought it might be possible to get rid of these junk flows by looking
for flows with an extremely high packet rate, but I can't work out the
filter-primitive syntax needed - I tried:
filter-primitive allowable-packet-rate
  type counter
  permit lt 10000

filter-definition mycustomer-in
  match ip-destination-address CUSTOMER-HOSTS
  match pps allowable-packet-rate
i.e. limit output to flows which have a packet-per-second rate of less
than 10000.
But my guess at the config syntax is invalid:
flow-nfilter: Primitive "pps" incompatible with match in filter-definition "mycustomer-in".
flow-nfilter: resolve_primitives(): failed
The flow-nfilter docs list 'double' as the accepted filter-primitive
for the 'pps' match type, but that doesn't make sense to me (a double
isn't listed as a filter primitive).
Can anyone suggest a config that will do what I need?
Best regards,
Chris
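The script below is an added example, not part of the original post or of flow-tools. It does by hand what the wanted pps filter would do over the two records quoted in the post (packets divided by flow duration, dropped when above 10000 pps) and adds a second sanity check, bytes per packet, which catches the second record even though its packet rate is modest. Assumptions: the year 2008 for the MMDD timestamps (the flow-print format carries no year), and the third, plausible record, which is constructed to show a flow that passes both checks.

```python
"""Flag junk netflow records by packet rate and by bytes per packet.

Added example, not flow-tools code. Timestamps are flow-print's
MMDD.HH:MM:SS.mmm format; the year is assumed (2008).
"""
from datetime import datetime, timedelta

ASSUMED_YEAR = 2008
MAX_BYTES_PER_PACKET = 65535  # largest possible IP datagram

# Constructed input: the header and the two junk records quoted in the
# post, plus a constructed plausible record (192.0.2.10 is a documentation
# address) so the filter has something to keep.
SAMPLE = """\
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0425.00:00:16.1389 0414.08:47:58.1018 239 217.73.99.162 60667 255 203.28.113.2 27020 6 3 153 1145004070
0414.11:13:21.796 0414.11:13:24.888 240 217.73.19.225 47327 255 203.28.113.2 80 17 0 153 1410591446
0414.12:00:00.000 0414.12:00:05.000 240 192.0.2.10 40000 255 203.28.113.2 80 6 0 50 60000
"""


def parse_ts(text, year=ASSUMED_YEAR):
    """Parse 'MMDD.HH:MM:SS.mmm'. The fractional field is taken as
    milliseconds even when the exporter sends a value above 999 (as in
    the first junk record), so a broken stamp still parses."""
    mmdd, hms, frac = text.split(".")
    base = datetime.strptime(f"{year}{mmdd} {hms}", "%Y%m%d %H:%M:%S")
    return base + timedelta(milliseconds=int(frac))


def parse_records(text):
    """Turn flow-print style text into a list of dicts keyed by header."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split()))
        for key in ("SrcP", "DstP", "P", "Fl", "Pkts", "Octets"):
            rec[key] = int(rec[key])
        rec["Start"] = parse_ts(rec["Start"])
        rec["End"] = parse_ts(rec["End"])
        records.append(rec)
    return records


def classify(rec, max_pps=10000.0):
    """Return (pps, reasons). pps is None when it cannot be computed;
    an empty reasons list means the flow looks plausible."""
    reasons = []
    duration = (rec["End"] - rec["Start"]).total_seconds()
    pps = None
    if duration < 0:
        # End before start: the counters cannot be trusted at all.
        reasons.append("end-before-start")
    elif duration > 0:
        pps = rec["Pkts"] / duration
        if pps > max_pps:
            reasons.append("pps-too-high")
    # duration == 0 (single-packet flows) leaves pps undefined; skip the test.
    if rec["Pkts"] == 0 or rec["Octets"] / rec["Pkts"] > MAX_BYTES_PER_PACKET:
        reasons.append("bytes-per-packet-impossible")
    return pps, reasons


def keep_plausible(records, max_pps=10000.0):
    """Filter step: keep only records with no junk indicators."""
    return [r for r in records if not classify(r, max_pps)[1]]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        pps, why = classify(rec)
        print(rec["SrcIPaddress"], "pps=%s" % (None if pps is None else round(pps, 1)),
              "junk" if why else "ok", ",".join(why))
```

Note that the second quoted record runs for about 3 seconds with 153 packets, so a pure pps threshold of 10000 would keep it; it is the octet count (over nine million bytes per packet) that gives it away, which is why the bytes-per-packet check is worth having alongside the rate test.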