[Flow-tools] ipflowsearch, a quick way to grab flow data by IP address

Ed Ravin eravin at panix.com
Mon Feb 1 12:19:29 EST 2010


Attached is the shell script "ipflowsearch", which lets you pull out
flow data from your flow-tools tree by IP address or subnet with a
minimum of intellectual effort.

Feel free to toss this into the contrib section of the current flow-tools
distribution, or anywhere else it might be useful.

	-- Ed
-------------- next part --------------
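#!/bin/sh

# ipflowsearch - run flow-cat and flow-filter on a flow-tools data
# tree, filtering out traffic for the requested IP address(es).
#
# Usage: ipflowsearch flowdir-top ip-address[/mask] [...]
# Environment:
#   TMPDIR  directory used for the temporary ACL file and the output
#           file (falls back to the compiled-in default below)
#   DEBUG   set to YES to trace every command with set -x
#
# ipflowsearch was written by Ed Ravin <eravin at panix.com>, and is
# made available to the public by courtesy of PANIX Public Access Networks
# ( http://www.panix.com ).  License is GPL.

set -u
set -e

USAGE="Usage: $0 flowdir-top ip-address[/mask] [...]"

# EDIT THIS LINE - use a default dir with lots of free space
export flowtemp=${TMPDIR:-/logs/tmp}

export TMPDIR=$flowtemp # so mktemp will work properly

# Quoted so a directory name containing blanks cannot split the test.
if [ ! -d "$flowtemp" ]
then
	# Diagnostics go to stderr; stdout is reserved for the result line.
	echo "$0: no such directory: $flowtemp" 1>&2
	exit 23
fi

if [ "${DEBUG:-no}" = YES ]
then
	set -x
fi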

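#######################################
# Turn "addr[/prefixlen]" into the "addr [wildcard]" form used on a
# flow-filter "ip access-list standard ... permit" line.
# Arguments: $1 - IPv4 address, optionally followed by /0 .. /32
# Outputs:   "addr" for a bare address or a /32, otherwise
#            "addr wildcard" (e.g. 10.0.0.0/24 -> "10.0.0.0 0.0.0.255")
# Returns:   exits 1 with a message on stderr when the prefix length is
#            not a plain decimal number in 0..32, or the address part
#            in front of the "/" is empty
# Note:      variables are deliberately not declared "local" - this file
#            runs under /bin/sh, where "local" is not guaranteed.
#######################################
convert_ip_slash() {
	case $1 in
	*/*)
		ippart=${1%%/*}
		slashpart=${1##*/}
		;;
	*)
		# No prefix length given: pass the address through untouched.
		printf '%s\n' "$1"
		return 0
		;;
	esac

	# Validate before any arithmetic: $(( )) evaluates its operand as an
	# expression, so only a plain decimal string (no leading zeros, which
	# would be read as octal) may reach it.
	case $slashpart in
	''|*[!0-9]*|0[0-9]*)
		echo "Unrecognized/unsupported mask: $slashpart" 1>&2
		exit 1
		;;
	esac
	if [ "$slashpart" -gt 32 ]
	then
		echo "Unrecognized/unsupported mask: $slashpart" 1>&2
		exit 1
	fi
	if [ -z "$ippart" ]
	then
		echo "Missing address in front of /: $1" 1>&2
		exit 1
	fi

	if [ "$slashpart" -eq 32 ]
	then
		# Host route: flow-filter takes the bare address, no wildcard.
		printf '%s\n' "$ippart"
		return 0
	fi

	if [ "$slashpart" -eq 0 ]
	then
		# Spelled out rather than computed so 1<<32 is never evaluated
		# on a shell with 32-bit arithmetic.
		wildcard=255.255.255.255
	else
		# Wildcard (inverse) mask = 2^(32 - prefixlen) - 1, as octets.
		wildval=$(( (1 << (32 - slashpart)) - 1 ))
		wildcard=$(( (wildval >> 24) & 255 )).$(( (wildval >> 16) & 255 )).$(( (wildval >> 8) & 255 )).$(( wildval & 255 ))
	fi
	printf '%s %s\n' "$ippart" "$wildcard"
}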



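# search flow logs for all traffic from specified IP address(es)

flowdirtop=${1:?$USAGE}
shift
# At least one address is required; every remaining argument is one
# ip-address[/mask].
: "${*:?$USAGE}"

# create the flow-filter ACL in a private temp file.  The template
# carries its own X's so both GNU and BSD mktemp accept it ("mktemp -t
# name" without X's is BSD-only).  The "|| tempacl=" keeps set -e from
# aborting before the diagnostic below can be printed.
tempacl=$(mktemp "$TMPDIR/ipsearch.acl.XXXXXXXX") || tempacl=

if [ -z "$tempacl" ] || [ ! -f "$tempacl" ]
then
	echo "$0: cannot create temp ACL file $tempacl" 1>&2
	exit 24
fi

trap 'rm -f -- "$tempacl"' 0

# datestamp for output file
now=$(date +%Y%m%d-%H%M%S)

# Name fragment built from the addresses: anything outside a conservative
# filename alphabet (including ' ' and '/') becomes '_', so argument text
# can never add path components to the output file name.
filestr=$(printf '%s' "$*" | sed -e 's,[^A-Za-z0-9._-],_,g')

# "$@" keeps each argument intact and never expands it as a glob.
for ip in "$@"
do
	ipacl=$(convert_ip_slash "$ip")
	echo "ip access-list standard ipwanted permit $ipacl"
done > "$tempacl"

outputfile=$flowtemp/ipsearch-$filestr-$now.flow

# /bin/sh has no pipefail: set -e only sees flow-filter's status, so a
# failing flow-cat shows up as an empty or short output file.
flow-cat "$flowdirtop" |
	flow-filter -f "$tempacl" -S ipwanted -o -D ipwanted \
		> "$outputfile"

echo "$0: output file is $outputfile"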

