

Visualizing Network Traffic with Netflow and FlowScan
Pages: 1, 2, 3

Configuring CUFlow

Grab CUFlow, extract the tarball, and copy the Perl module and its configuration file to /usr/local/var/db/flows/bin. You can leave the Perl module unchanged, but you must edit the configuration file to fit your environment.

The Subnet statement lists the networks that belong to you. CUFlow checks each flow's source and destination addresses against this list to decide whether the traffic is inbound or outbound, so any address range you leave out is treated as if it lay outside your network.

Subnet 192.168.2/23

Network statements group addresses that you want to report on separately. You can have any number of Network statements, and each one appears as an option in the CUFlow CGI script's drop-down menu. As you see from the example here, Network statements can overlap.

Network,,      webservers
Network,                   mailservers
Network                            infrastructure
Network              dmz
Network                            administration
Network              development

Tell CUFlow where to store its records with the OutputDir directive. Do not store your records in a web-accessible location or in your flow-capture log directory; the records show who talks to whom on your network and should never be served to anonymous web clients.

OutputDir /var/log/cuflow

CUFlow also computes the most active sites and presents a "scoreboard" of the IP addresses that have passed the most traffic in the previous five minutes. Control this with the Scoreboard option. Scoreboard takes three arguments: the number of IPs in your "most active" list, a directory to store old "most active" lists, and the filename of the current list. The following line tells CUFlow to make a Top 10 list, storing the records under /usr/local/www/data/scoreboard, and that /usr/local/www/data/scoreboard/topten.html should always contain the current list.

Scoreboard 10 /usr/local/www/data/scoreboard /usr/local/www/data/scoreboard/topten.html

While a list of the biggest talkers in a given five-minute period is useful for troubleshooting, it's also nice to be able to grant an award for Most Busy Host Overall. The AggregateScore option lets you do that. AggregateScore also takes three arguments: the number of hosts in your list, a log file in which to store the accumulated data, and the location where the overall Top Talker list is posted.

AggregateScore 10 /var/log/cuflow/agg.dat /usr/local/www/data/overall.html

If you have a complicated network, you might have multiple Netflow sensors. CUFlow can keep data from different sensors apart so that you can see where different sorts of traffic are going. Each router listed becomes a separate drop-down item in the CUFlow CGI.

Router    fred
Router    barney

Use Service statements to define the TCP and UDP ports that you wish to track separately. The Service statement lets you make definitive statements such as "80 percent of our Internet traffic is outbound web browsing." CUFlow has to match every flow against every service you list, so each additional Service statement costs processing time. Don't just copy /etc/services here! I always eliminate unnecessary protocols; for example, nobody on my hosting network can use Gnutella, so I don't bother trying to track it. Here are some example Service statements:

Service 20-21/tcp ftp
Service 22/tcp ssh
Service 23/tcp telnet

The Protocol statement is very similar to Service, except that it keys on the IP protocol number (Layer 3) rather than on Layer 4 ports. I recommend tracking Protocol 1 (ICMP), Protocol 6 (TCP), and Protocol 17 (UDP) at a bare minimum. If you have lots of VPN users, you might wish to track IPsec (ESP, protocol 50, and AH, protocol 51) and GRE (protocol 47) as well.

Protocol 1 icmp
Protocol 6 tcp
Protocol 17 udp

As Netflow originated with Cisco, it's not surprising that many Netflow sensors include BGP information. CUFlow can report on traffic to and from various AS numbers using the ASNumber option, but softflowd doesn't provide that information, and most readers have only a single Internet feed anyway. Comment out the ASNumber option when using softflowd.
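The directives above add up to one small configuration file, and the quickest way to see what CUFlow will do with them is to run a few flows through the same rules. The script below is an added example, not code from the article or from CUFlow itself: it parses a constructed CUFlow-style configuration covering only the directive forms shown on this page (Router, ASNumber and AggregateScore are skipped), classifies constructed flow records as inbound, outbound, internal or transit using the Subnet list, labels them by Service and Protocol, builds a Scoreboard-style top-talker list, and lints the two mistakes this page warns about: a Protocol number given the wrong name, and an OutputDir under the web root or the flow-capture tree. The web_root and flow_dir defaults, the comma-separated port lists, and all sample addresses are assumptions of the example.

```python
"""Parse, lint, and exercise a CUFlow-style configuration against sample flows."""
import ipaddress
from collections import Counter

# Constructed config using the directives discussed above (abbreviated Subnet kept on purpose).
SAMPLE_CONFIG = """
Subnet 192.168.2/23
Network 192.168.2.0/24,192.168.3.0/25 webservers
OutputDir /var/log/cuflow
Scoreboard 10 /usr/local/www/data/scoreboard /usr/local/www/data/scoreboard/topten.html
Service 20-21/tcp ftp
Service 22/tcp ssh
Service 53/udp dns
Service 80/tcp http
Protocol 1 icmp
Protocol 6 tcp
Protocol 17 udp
"""
# Constructed flow records: (src, dst, IP protocol number, sport, dport, bytes).
SAMPLE_FLOWS = [
    ("192.168.2.10", "203.0.113.5", 6, 51515, 80, 120000),
    ("203.0.113.9", "192.168.2.10", 6, 40000, 22, 3000),
    ("198.51.100.7", "192.168.3.40", 17, 53000, 53, 500),
    ("192.168.3.40", "198.51.100.7", 17, 53, 53000, 800),
    ("192.168.2.11", "192.168.3.12", 6, 33000, 21, 2000),
    ("10.9.9.9", "203.0.113.5", 1, 0, 0, 64),
]
IANA_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}

def to_network(spec):
    """Accept CUFlow's abbreviated CIDR ("192.168.2/23") as well as the full form."""
    addr, _, plen = spec.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)

def parse_ports(spec):
    """'20-21/tcp' -> (frozenset({20, 21}), 'tcp'); comma lists are an assumed extension."""
    ports, _, proto = spec.partition("/")
    result = set()
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        result.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(result), proto.lower()

def parse_config(text):
    """Directives not modelled here (Router, ASNumber, AggregateScore) are skipped."""
    cfg = {"subnets": [], "networks": [], "services": [], "protocols": {},
           "output_dir": None, "scoreboard": None}
    for raw in text.splitlines():
        key, *args = raw.split("#", 1)[0].split() or [None]  # blank/comment line -> key None
        if key == "Subnet":
            cfg["subnets"].append(to_network(args[0]))
        elif key == "Network":
            cfg["networks"].append(([to_network(a) for a in args[0].split(",")], args[1]))
        elif key == "Service":
            cfg["services"].append(parse_ports(args[0]) + (args[1],))
        elif key == "Protocol":
            cfg["protocols"][int(args[0])] = args[1].lower()
        elif key == "OutputDir":
            cfg["output_dir"] = args[0]
        elif key == "Scoreboard":
            cfg["scoreboard"] = (int(args[0]), args[1], args[2])
    return cfg

def lint(cfg, web_root="/usr/local/www", flow_dir="/usr/local/var/db/flows"):
    """Pre-deployment checks; web_root and flow_dir are assumed local paths."""
    problems = [f"Protocol {n} is {IANA_PROTOCOLS[n]}, not {name}" for n, name
                in cfg["protocols"].items() if IANA_PROTOCOLS.get(n, name) != name]
    out = cfg["output_dir"] or ""
    if any(out == r or out.startswith(r + "/") for r in (web_root, flow_dir)):
        problems.append(f"OutputDir {out} is web-accessible or inside the flow-capture tree")
    return problems

def classify(cfg, src, dst):
    # Direction is decided by the Subnet list alone, as the article describes.
    local = lambda ip: any(ipaddress.ip_address(ip) in n for n in cfg["subnets"])
    return {(True, False): "outbound", (False, True): "inbound",
            (True, True): "internal"}.get((local(src), local(dst)), "transit")

def service_for(cfg, proto_number, sport, dport):
    proto = cfg["protocols"].get(proto_number)
    for ports, sproto, label in cfg["services"]:
        if sproto == proto and (dport in ports or sport in ports):
            return label
    return "other"

def summarize(cfg, flows):
    """Bytes per (direction, service) plus a Scoreboard-style top-N talker list."""
    by_service, talkers = Counter(), Counter()
    for src, dst, proto, sport, dport, nbytes in flows:
        by_service[(classify(cfg, src, dst), service_for(cfg, proto, sport, dport))] += nbytes
        talkers.update({src: nbytes, dst: nbytes})
    top_n = cfg["scoreboard"][0] if cfg["scoreboard"] else 10
    return {"by_service": dict(by_service), "top_talkers": talkers.most_common(top_n)}

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(lint(cfg) or "config looks sane", summarize(cfg, SAMPLE_FLOWS), sep="\n")
```

Run it directly to print the lint result and the per-service and top-talker summary for the embedded flows. Feed `lint()` a fragment such as `Protocol 6 udp` or an OutputDir under /usr/local/www to watch the cross-checks fire; the ICMP flow with no matching Service lands in an "other" bucket, which is what happens in CUFlow when you trim your Service list too aggressively.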
