CUFlow, extract the tarball, and copy CUFlow.pm and CUFlow.cf to /usr/local/var/db/flows/bin. You can leave the Perl module unchanged, but you must edit cuflow.cf to fit your environment.
The Subnet statement indicates which networks belong to you. CUFlow uses this setting to decide whether traffic is inbound or outbound.
Network statements include things that you want to process separately. You can have any number of Network statements. Each Network statement will show up as an option in the CGI script's drop-down menu. As you see from the example here, Network statements can overlap.

Network 192.168.2.3,192.168.2.5,192.168.3.80 webservers
Network 192.168.2.9,192.168.3.1 mailservers
Network 192.168.2.0/25 infrastructure
Network 192.168.2.128/25 dmz
Network 192.168.3.0/25 administration
Network 192.168.3.128/25 development
Tell CUFlow where to store its records with the OutputDir directive. Do not store your records in a web-accessible location or in your flow-capture log directory.
CUFlow also computes the most active sites and presents a "scoreboard" of the IP addresses that have passed the most traffic in the previous five minutes. Control this with the Scoreboard option. Scoreboard takes three arguments: the number of IPs in your "most active" list, a directory to store old "most active" lists, and the filename of the current list. The following line tells CUFlow to make a Top 10 list, storing the records under /usr/local/www/data/scoreboard, and that /usr/local/www/data/scoreboard/topten.html should always contain the current list.

Scoreboard 10 /usr/local/www/data/scoreboard \
    /usr/local/www/data/scoreboard/topten.html
While a list of the biggest talkers in a given five-minute period is useful for troubleshooting, it's also nice to be able to grant an award for Most Busy Host Overall. The AggregateScore option allows you to do that. AggregateScore also takes three arguments: the number of hosts in your list, a log file to store the accumulated data, and a location to post the overall Top Talker list.

AggregateScore 10 /var/log/cuflow/agg.dat /usr/local/www/data/overall.html
If you have a complicated network, you might have multiple Netflow sensors. CUFlow can separate data from separate sensors so that you can get a handle on where different sorts of traffic are going. Each router listed becomes a separate item in the CGI script's drop-down menu.

Router 192.168.2.1 fred
Router 192.168.3.1 barney
Use Services statements to define TCP/IP ports that you wish to track separately. The Services statement allows you to make definitive statements such as "80 percent of our internet traffic is outbound web browsing." As Netflow tracks each service, increasing the number of services increases the amount of processing power Netflow requires. Don't just copy /etc/services here! I always eliminate unnecessary protocols; for example, nobody on my hosting network can use Gnutella, so I don't bother trying to track it. Here are some example Service statements:

Service 20-21/tcp ftp
Service 22/tcp ssh
Service 23/tcp telnet
The Protocol statement is very similar to Services, except that it works at Layer 3 instead of Layer 4. I recommend tracking Protocol 1 (ICMP), Protocol 6 (TCP), and Protocol 17 (UDP) at a bare minimum. If you have lots of VPN users, you might wish to track IPSec and GRE as well.

Protocol 1 icmp
Protocol 6 tcp
Protocol 17 udp
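To make the Subnet, Network, Service, and Protocol semantics concrete, here is an added Python example (not part of CUFlow, which is written in Perl) that parses a constructed cuflow.cf fragment and classifies sample flows the way the text describes: direction from the Subnet statement, every overlapping Network label, and the Service matching the destination port. The Subnet value 192.168.2.0/23 and the flow addresses are assumptions for the example.

```python
import ipaddress

# Constructed cuflow.cf fragment for this example; the Subnet value is hypothetical.
CONFIG = """
Subnet 192.168.2.0/23
Network 192.168.2.3,192.168.2.5,192.168.3.80 webservers
Network 192.168.2.0/25 infrastructure
Network 192.168.2.128/25 dmz
Service 20-21/tcp ftp
Service 80/tcp http
Protocol 6 tcp
Protocol 17 udp
"""

def parse_config(text):
    # Build lookup tables from the Subnet/Network/Service/Protocol directives.
    cfg = {"subnets": [], "networks": [], "services": [], "protocols": {}}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        key, args = fields[0], fields[1:]
        if key == "Subnet":
            cfg["subnets"].append(ipaddress.ip_network(args[0], strict=False))
        elif key == "Network":  # comma-separated hosts and/or CIDR blocks, then a label
            nets = [ipaddress.ip_network(a, strict=False) for a in args[0].split(",")]
            cfg["networks"].append((args[1], nets))
        elif key == "Service":  # "20-21/tcp ftp": port or port range, protocol, label
            ports, proto = args[0].split("/")
            lo, _, hi = ports.partition("-")
            cfg["services"].append((proto, int(lo), int(hi or lo), args[1]))
        elif key == "Protocol":  # IP protocol number -> name
            cfg["protocols"][int(args[0])] = args[1]
    return cfg

def classify_flow(cfg, src, dst, proto_num, dport):
    # Returns (direction, matching Network labels, service label) for one flow.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    is_local = lambda ip: any(ip in n for n in cfg["subnets"])
    if is_local(src) and not is_local(dst):
        direction = "outbound"
    elif is_local(dst) and not is_local(src):
        direction = "inbound"
    else:
        direction = "internal" if is_local(src) else "transit"
    # Network statements may overlap, so collect every label that matches either end.
    labels = [name for name, nets in cfg["networks"]
              if any(src in n or dst in n for n in nets)]
    proto = cfg["protocols"].get(proto_num, str(proto_num))
    service = next((name for p, lo, hi, name in cfg["services"]
                    if p == proto and lo <= dport <= hi), "other")
    return direction, labels, service
```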
As Netflow originated with Cisco, it's not surprising that many Netflow sensors include BGP information. CUFlow can report on traffic to and from various AS numbers using the ASNumber option, but softflowd doesn't provide that information, and most of the readers out there have only a single internet feed. Comment out the ASNumber option when using