From hardik_indya at rediffmail.com Thu Jun 3 08:40:51 2010
From: hardik_indya at rediffmail.com (hardik thakar)
Date: Thu Jun 3 08:46:44 2010
Subject: [Flow-tools] error while installing flowtool-0.68
Message-ID: <20100603124051.37678.qmail@f4mail-234-236.rediffmail.com>

[root@cdma flow-tools-0.68]# make
Making all in lib
make[1]: Entering directory `/home/cdma/flow-tools-0.68/lib'
make  all-am
make[2]: Entering directory `/home/cdma/flow-tools-0.68/lib'
source='ftio.c' object='ftio.o' libtool=no \
depfile='.deps/ftio.Po' tmpdepfile='.deps/ftio.TPo' \
depmode=gcc3 /bin/sh ../depcomp \
gcc -I. -I./lib -I. -I. -I. -g -Wall -g -Wall -c `test -f 'ftio.c' || echo './'`ftio.c
ftio.c: In function 'readn':
ftio.c:2270: error: invalid lvalue in assignment
ftio.c: In function 'writen':
ftio.c:2295: error: invalid lvalue in assignment
make[2]: *** [ftio.o] Error 1
make[2]: Leaving directory `/home/cdma/flow-tools-0.68/lib'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/cdma/flow-tools-0.68/lib'
make: *** [all-recursive] Error 1

From eravin at panix.com Thu Jun 3 15:30:20 2010
From: eravin at panix.com (Ed Ravin)
Date: Thu Jun 3 15:30:23 2010
Subject: [Flow-tools] error while installing flowtool-0.68
In-Reply-To: <20100603124051.37678.qmail@f4mail-234-236.rediffmail.com>
References: <20100603124051.37678.qmail@f4mail-234-236.rediffmail.com>
Message-ID: <20100603193019.GA17158@panix.com>

On Thu, Jun 03, 2010 at 12:40:51PM -0000, hardik thakar wrote:
> r/s
> pl guide me for the attached file error when installing on linux
> platform
> regards
> hardik

Hardik, try the most recent fork of flow-tools at:

http://code.google.com/p/flow-tools/

This version has several bug fixes and improvements, including portability fixes. The 0.68 version at splintered.net is no longer current.
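The two "invalid lvalue in assignment" errors above are what GCC 4 emits for a cast used as the target of an assignment (the old `(char *) ptr += n;` idiom), an extension that compiler generation dropped; ftio.c is not shown in the thread, so treating that as the cause of lines 2270 and 2295 is an assumption. The following readn()/writen() pair is an added example written for this page, not flow-tools code: it advances a separate `char *` cursor instead of casting the buffer pointer, and it handles partial reads, EINTR and EOF, which is what a collector reading fixed-size flow records off a descriptor needs.

```c
/* Added example, not flow-tools code: portable readn()/writen() that avoid
 * the cast-as-lvalue construct (assumed cause of the ftio.c errors). */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Read exactly n bytes unless EOF or a hard error intervenes.
 * Returns the number of bytes read (less than n only at EOF), or -1. */
ssize_t readn(int fd, void *buf, size_t n)
{
    char *p = buf;              /* cursor advanced instead of "(char *)buf += r" */
    size_t left = n;
    while (left > 0) {
        ssize_t r = read(fd, p, left);
        if (r < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: retry */
            return -1;
        }
        if (r == 0)
            break;              /* EOF: short read */
        p += r;
        left -= (size_t)r;
    }
    return (ssize_t)(n - left);
}

/* Write all n bytes, retrying on EINTR and partial writes. Returns n or -1. */
ssize_t writen(int fd, const void *buf, size_t n)
{
    const char *p = buf;
    size_t left = n;
    while (left > 0) {
        ssize_t w = write(fd, p, left);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += w;
        left -= (size_t)w;
    }
    return (ssize_t)n;
}

/* Self-check over a pipe with a constructed 64-byte record: returns 1 when
 * the bytes round-trip intact and a further read reports EOF (0), else 0. */
int readn_selftest(void)
{
    int fds[2];
    char out[64], in[64];
    if (pipe(fds) != 0)
        return 0;
    memset(out, 0x5a, sizeof out);
    memcpy(out, "flow-tools", 10);
    if (writen(fds[1], out, sizeof out) != (ssize_t)sizeof out)
        return 0;
    close(fds[1]);
    if (readn(fds[0], in, sizeof in) != (ssize_t)sizeof in)
        return 0;
    if (readn(fds[0], in, 8) != 0)   /* writer closed: must see EOF, not block */
        return 0;
    close(fds[0]);
    return memcmp(in, out, sizeof out) == 0;
}
```

The EOF case matters for a collector: a short read on a record boundary must be distinguished from an error, otherwise a truncated file or a peer that closes mid-record can be mistaken for valid data.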
From matejuh at gmail.com Thu Jun 17 12:19:07 2010
From: matejuh at gmail.com (Matěj Plch)
Date: Thu Jun 17 12:19:15 2010
Subject: [Flow-tools] layer 4 src port or equivalent
Message-ID: <4C1A4AFB.2020206@gmail.com>

Hi,

we are using flow-tools for capturing and monitoring our traffic. I would like to know what "equivalent" means in the Cisco Netflow port specification. I am asking because we captured some flows which were detected as attacks, and the src port there was 5, protocol 1. According to my knowledge, in Netflow protocol 1, src port can be only 0. Attackers probably modified the header, and flow-capture does not strictly say that when protocol is ICMP, then src port is 0? How is it with protocols like ESP etc. (not UDP and TCP)? Where can I find some information?

Thanks
Matěj.

From drew.weaver at thenap.com Fri Jun 18 12:49:35 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri Jun 18 12:49:39 2010
Subject: [Flow-tools] My ASN shows up as 0 in flows
Message-ID:

Is it normal for your own ASN to show up as 0?

#   src AS    dst AS            flows      octets        packets
#
0   RIPE-ASNBLOCK5   1301227    1118182071    12903148

thanks,
-Drew

From simon.leinen at switch.ch Fri Jun 18 12:52:47 2010
From: simon.leinen at switch.ch (Simon Leinen)
Date: Fri Jun 18 12:52:50 2010
Subject: [Flow-tools] My ASN shows up as 0 in flows
In-Reply-To:
References:
Message-ID: <19483.42079.466622.475098@macsl.switch.ch>

> Is it normal for your own ASN to show up as 0?

Yes, that's the AS value that Netflow exports for addresses whose routes are resolved not through external BGP, but through IGPs etc.
--
Simon.

> #   src AS    dst AS            flows      octets        packets
> #
> 0   RIPE-ASNBLOCK5   1301227    1118182071    12903148
> thanks,
> -Drew

From sokol at zavolga.net Sat Jun 19 18:39:13 2010
From: sokol at zavolga.net (Sergey V. Sokolov)
Date: Sat Jun 19 18:39:17 2010
Subject: [Flow-tools] Min & max time in report
Message-ID: <2e93efe72eb49b53084d2367971061c1@zavolga.net>

Hi all!
I have this report:

stat-report srcdst_haggr
  type ip-source/destination-address
  output
    format ascii
    sort +octets
    fields +first,+octets,-packets,-duration,-flows

stat-definition srcdst_haggr
  time-series 3600
  report srcdst_haggr

And I get this table:

# first,ip-source-address*,ip-destination-address*,octets
...

How can I get MIN(UNIX_SECS) and MAX(UNIX_SECS) for the "ip-source/destination-address" group? In SQL it would look like this:

SELECT src_ip, dst_ip,
       MIN(usecs) AS min_usecs,
       MAX(usecs) AS max_usecs,
       SUM(octets) AS octets,
       SUM(packets) AS packets,
       COUNT(*) AS flows
FROM flows_table
GROUP BY src_ip, dst_ip

I need to know the start time of the first and the start time of the last flow in the grouping. How?

--
Sergey V. Sokolov
nic-hdl: SVS141-RIPE
X-NCC-RegID: ru.gorizont

From drew.weaver at thenap.com Mon Jun 21 10:00:49 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon Jun 21 10:00:53 2010
Subject: [Flow-tools] Does flow-tools compensate for sampling?
Message-ID:

When you're using a command such as:

./flow-cat /var/netflow/current | ./flow-filter -Sfilter | ./flow-stat -S3 -n -f10 | more

does flow-tools automatically correct for the sampling rate? If not, how are people doing this?

thanks,
-Drew

From eravin at panix.com Mon Jun 21 10:17:10 2010
From: eravin at panix.com (Ed Ravin)
Date: Mon Jun 21 10:17:12 2010
Subject: [Flow-tools] Min & max time in report
In-Reply-To: <2e93efe72eb49b53084d2367971061c1@zavolga.net>
References: <2e93efe72eb49b53084d2367971061c1@zavolga.net>
Message-ID: <20100621141710.GB13149@panix.com>

On Sun, Jun 20, 2010 at 02:39:13AM +0400, Sergey V. Sokolov wrote:
> Hi all!
>
> I have this report:
...
> I need to know start time of the first and
> start time of the last flow in the grouping.
> How?
Not exactly what you're looking for, but you can run the "flow-header" command on your input flow stream, which will report that information among other things.

From mwlucas at blackhelicopters.org Mon Jun 21 10:18:08 2010
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Mon Jun 21 10:18:11 2010
Subject: [Flow-tools] Does flow-tools compensate for sampling?
In-Reply-To:
References:
Message-ID: <20100621141808.GA1925@bewilderbeast.blackhelicopters.org>

On Mon, Jun 21, 2010 at 10:00:49AM -0400, Drew Weaver wrote:
> When you're using a command such as:
>
> ./flow-cat /var/netflow/current | ./flow-filter -Sfilter| ./flow-stat -S3 -n -f10 | more
>
> does Flow-tools automatically correct for the sampling rate if not how are people doing this?

You must multiply your results yourself. If you're using a graphic tool such as FlowViewer or CUFlow, you can enter a sampling value to make those tools multiply for you.

==ml

--
Michael W. Lucas
mwlucas@BlackHelicopters.org
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
New book: Network Flow Analysis pre-order now! http://www.networkflowanalysis.com/

From drew.weaver at thenap.com Thu Jun 24 11:43:13 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu Jun 24 11:43:17 2010
Subject: [Flow-tools] AS numbers not the 'name'
Message-ID:

./flow-cat /var/netflow/ft/ft-v05.2010-06-24* | ./flow-filter -Straff | ./flow-stat -S3 -n -f20 | more

Is there any way to get this output to show the ASN and not the 'name' of the AS?

# dst AS       flows      octets        packets
#
IANA-RSVD      431696     622251299     9965826
IANA-RSVD      631956     540639019     7704045
INFLOW-CO      651084     705932254     7593618
RIPE-ASNBL     737192     660245516     6971603
IANA-RSVD      426068     398393027     6276625

It's somewhat useless when several AS numbers have the exact same name...

-Drew
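Matěj's "layer 4 src port or equivalent" question earlier in the thread is about how Cisco NetFlow v5 fills the port fields for protocols that have no ports: for ICMP (protocol 1) the exporter places the ICMP type and code in the dstport field as (type << 8) | code and leaves srcport at 0, and for protocols such as ESP or GRE both fields are 0. The check below is an added example written for this page, not flow-tools code; it decodes the type and code from dstport and flags records whose port fields disagree with their protocol, the way a collector-side sanity check would. The records are constructed, and treating a nonzero ICMP srcport as an anomaly is an assumed policy, not something the thread says flow-capture enforces.

```c
/* Added example, not flow-tools code: decode ICMP type/code from the NetFlow
 * v5 dstport field and flag port values that a portless protocol should not
 * carry. The sample records below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol numbers spelled out to avoid depending on <netinet/in.h>. */
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

struct v5_ports { uint8_t prot; uint16_t srcport, dstport; };

int icmp_type_from_port(uint16_t dstport) { return dstport >> 8; }
int icmp_code_from_port(uint16_t dstport) { return dstport & 0xff; }

/* Returns 1 when the port fields are inconsistent with the protocol:
 * ICMP with a nonzero srcport (the case reported in the thread), or any
 * other portless protocol with a nonzero port; 0 otherwise. */
int port_fields_anomalous(const struct v5_ports *r)
{
    if (r->prot == PROTO_TCP || r->prot == PROTO_UDP)
        return 0;                       /* real ports, nothing to check */
    if (r->prot == PROTO_ICMP)
        return r->srcport != 0;         /* dstport legitimately holds type/code */
    return r->srcport != 0 || r->dstport != 0;
}

/* Constructed sample records. */
static const struct v5_ports samples[] = {
    { PROTO_ICMP,   0, 0x0800 },  /* echo request: type 8, code 0, srcport 0 */
    { PROTO_ICMP,   5, 0x0303 },  /* srcport 5 on ICMP, as seen by Matěj   */
    { 50,           0, 0      },  /* ESP: no ports, both fields 0           */
    { 47,           0, 1234   },  /* GRE carrying a port value: anomalous   */
    { PROTO_TCP,  443, 51512  },  /* TCP: ports are real                    */
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Number of constructed records the check flags. */
int count_anomalous_samples(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        n += port_fields_anomalous(&samples[i]);
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++) {
        const struct v5_ports *r = &samples[i];
        if (r->prot == PROTO_ICMP)
            printf("proto 1 srcport %u type %d code %d%s\n", r->srcport,
                   icmp_type_from_port(r->dstport),
                   icmp_code_from_port(r->dstport),
                   port_fields_anomalous(r) ? "  <-- srcport should be 0" : "");
        else
            printf("proto %u ports %u/%u%s\n", r->prot, r->srcport, r->dstport,
                   port_fields_anomalous(r) ? "  <-- unexpected port value" : "");
    }
    return 0;
}
```

One caveat when turning this into a detection rule: the (type << 8) | code placement is Cisco's convention for v5, and not every exporter follows it, so verify how your own exporter fills the fields before alerting on them.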
From drew.weaver at thenap.com Thu Jun 24 11:58:20 2010
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu Jun 24 11:58:24 2010
Subject: [Flow-tools] RE: AS numbers not the 'name'
In-Reply-To:
References:
Message-ID:

Duh, never mind, figured it out =)

From: flow-tools-bounces@list.splintered.net [mailto:flow-tools-bounces@list.splintered.net] On Behalf Of Drew Weaver
Sent: Thursday, June 24, 2010 11:43 AM
To: flow-tools@list.splintered.net
Subject: [Flow-tools] AS numbers not the 'name'

./flow-cat /var/netflow/ft/ft-v05.2010-06-24* | ./flow-filter -Straff | ./flow-stat -S3 -n -f20 | more

Is there any way to get this output to show the ASN and not the 'name' of the AS?

# dst AS       flows      octets        packets
#
IANA-RSVD      431696     622251299     9965826
IANA-RSVD      631956     540639019     7704045
INFLOW-CO      651084     705932254     7593618
RIPE-ASNBL     737192     660245516     6971603
IANA-RSVD      426068     398393027     6276625

It's somewhat useless when several AS numbers have the exact same name...

-Drew
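Sergey's "Min & max time in report" question earlier in the thread asks for the first and last flow start time per source/destination pair, which he sketches in SQL and which the stat-report above does not produce. The following is an added example written for this page, not flow-tools code: it performs that GROUP BY over constructed flow records (field names follow Sergey's SQL, with usecs as the flow's unix_secs start time) and prints the result in the same column layout his report header uses, with first and last columns added.

```c
/* Added example, not flow-tools code: per-(src_ip,dst_ip) MIN/MAX of the
 * flow start time plus SUM(octets), SUM(packets) and COUNT(*), i.e. the SQL
 * from the question, over constructed records. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct flow  { uint32_t src_ip, dst_ip, usecs, octets, packets; };
struct group {
    uint32_t src_ip, dst_ip, min_usecs, max_usecs;
    uint64_t octets, packets, flows;
};

/* Fold n flows into at most cap groups (linear scan; fine for a worked
 * example, a hash table is the right structure for real volumes).
 * Returns the number of groups, or -1 if cap would be exceeded. */
int aggregate(const struct flow *f, size_t n, struct group *g, size_t cap)
{
    size_t ng = 0;
    for (size_t i = 0; i < n; i++) {
        size_t k;
        for (k = 0; k < ng; k++)
            if (g[k].src_ip == f[i].src_ip && g[k].dst_ip == f[i].dst_ip)
                break;
        if (k == ng) {                      /* new (src,dst) pair */
            if (ng == cap)
                return -1;
            g[k] = (struct group){ f[i].src_ip, f[i].dst_ip,
                                   f[i].usecs, f[i].usecs, 0, 0, 0 };
            ng++;
        }
        if (f[i].usecs < g[k].min_usecs) g[k].min_usecs = f[i].usecs;
        if (f[i].usecs > g[k].max_usecs) g[k].max_usecs = f[i].usecs;
        g[k].octets  += f[i].octets;
        g[k].packets += f[i].packets;
        g[k].flows++;
    }
    return (int)ng;
}

#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | \
                         (uint32_t)(c) << 8 | (uint32_t)(d))

/* Constructed sample: three flows 10.0.0.1 -> 192.0.2.10 spread over an
 * hour (deliberately out of time order), one flow 10.0.0.2 -> 192.0.2.10. */
static const struct flow sample_flows[] = {
    { IP4(10, 0, 0, 1), IP4(192, 0, 2, 10), 1276963200, 1500, 3 },
    { IP4(10, 0, 0, 2), IP4(192, 0, 2, 10), 1276963260,  600, 2 },
    { IP4(10, 0, 0, 1), IP4(192, 0, 2, 10), 1276966800, 9000, 9 },
    { IP4(10, 0, 0, 1), IP4(192, 0, 2, 10), 1276965000,  300, 1 },
};
#define NSAMPLES (sizeof sample_flows / sizeof sample_flows[0])

/* Aggregate the sample once into a static table; group count goes to *count. */
const struct group *sample_groups(int *count)
{
    static struct group g[8];
    *count = aggregate(sample_flows, NSAMPLES, g, 8);
    return g;
}

static void print_ip(uint32_t ip)
{
    printf("%u.%u.%u.%u", ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
}

int main(void)
{
    int n;
    const struct group *g = sample_groups(&n);
    printf("# first,last,ip-source-address*,ip-destination-address*,octets,packets,flows\n");
    for (int i = 0; i < n; i++) {
        printf("%u,%u,", g[i].min_usecs, g[i].max_usecs);
        print_ip(g[i].src_ip); printf(",");
        print_ip(g[i].dst_ip);
        printf(",%llu,%llu,%llu\n", (unsigned long long)g[i].octets,
               (unsigned long long)g[i].packets, (unsigned long long)g[i].flows);
    }
    return n < 0;
}
```

Feeding real data into this is a matter of exporting the fields with flow-export or flow-print and parsing them into struct flow; the grouping logic itself is independent of where the records come from.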