[Flow-tools] Finding useful information from collected data

Craig Weinhold craig.weinhold at cdw.com
Tue Feb 23 14:28:00 EST 2010


My favorite, rarely-used flow-report is a "peer" report. The report shows each IP and a count of how many other IPs it has communicated with.

  ip-destination-address-source-count     finds hosts that are very popular. E.g., DNS, SNMP, web proxy, etc

  ip-source-address-destination-count     finds the same hosts, but also includes those that are unsuccessfully attempting to talk to lots of other hosts. E.g., worms attempting to spread, people doing IP scans, torrent users, etc.

The top IPs from these reports should never be surprising to a network admin (but they often are!)

-Craig
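The two peer counts described above, computed over a handful of constructed flow records so the difference between them is visible. This is an added example, not code from the post or from flow-tools: the CSV layout and the addresses are assumptions, and a real run would feed flow-tools output into `parse_flows` instead of the embedded string.

```python
from collections import defaultdict

# Constructed flow records (not real capture data), one flow per line,
# fields: srcaddr,dstaddr,dstport,packets. Four clients query a DNS
# server, which answers them; one host probes six others and gets no reply.
FLOWS = """\
10.0.0.11,10.0.0.53,53,2
10.0.0.12,10.0.0.53,53,2
10.0.0.13,10.0.0.53,53,1
10.0.0.14,10.0.0.53,53,3
10.0.0.53,10.0.0.11,40001,2
10.0.0.53,10.0.0.12,40002,2
10.0.0.53,10.0.0.13,40003,1
10.0.0.53,10.0.0.14,40004,3
10.0.0.99,10.0.1.1,445,1
10.0.0.99,10.0.1.2,445,1
10.0.0.99,10.0.1.3,445,1
10.0.0.99,10.0.1.4,445,1
10.0.0.99,10.0.1.5,445,1
10.0.0.99,10.0.1.6,445,1
"""

def parse_flows(text):
    """Yield (src, dst) pairs from CSV flow lines; blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, _port, _pkts = line.split(",")
        yield src, dst

def peer_counts(flows, group_by="dst"):
    """Distinct peers per IP.
    group_by="dst": ip-destination-address-source-count (distinct sources per destination)
    group_by="src": ip-source-address-destination-count (distinct destinations per source)
    """
    if group_by not in ("src", "dst"):
        raise ValueError("group_by must be 'src' or 'dst'")
    peers = defaultdict(set)
    for src, dst in flows:
        if group_by == "dst":
            peers[dst].add(src)
        else:
            peers[src].add(dst)
    return {ip: len(s) for ip, s in peers.items()}

def top_n(counts, n=10):
    """Highest peer count first; ties broken by IP so output is stable."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    for mode, name in (("dst", "ip-destination-address-source-count"),
                       ("src", "ip-source-address-destination-count")):
        print(name)
        for ip, n in top_n(peer_counts(parse_flows(FLOWS), mode), 3):
            print(f"  {ip:<12} {n}")
```

The DNS server tops the destination report (4 distinct sources), while the probing host appears only in the source report (6 distinct destinations) because nothing ever answered it.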


On Tue, 23 Feb 2010, Ed Ravin wrote:

> On Tue, Feb 23, 2010 at 08:15:29AM -0500, Drew Weaver wrote:
> >    Does anyone have any scripts or advice for getting useful data out of
> >    flow-cat/flow-print, etc?
> > 
> > 
> >    I am just looking for examples for simple things like finding the top
> >    10 IPs doing SMTP, or SSH, or FTP, etc nothing too fancy..
> 
> Here's a template you can use to sort by top 10 source IP:
> 
> flow-cat $NETFLOW_FILES | 
>   flow-filter -I $OUTGOING_INTERFACE_OID | 
>         flow-stat -f9 -S2 | 
>           head -20
> 
> You can skip the line for filtering on interface if it's not needed in
> your environment.
> 
> The "old style" tools, flow-filter and flow-stat, can be used for
> quick and dirty reports like the one above. The "new style" tools,
> flow-nfilter and flow-report, are much harder to use but have more
> functionality.
> 
> For immediate views with graphing, you should use flow-viewer as Joe
> suggests.

