Re: AW: Traffic monitoring



On Tue, 2003-03-18 at 16:04, debian-security wrote:
> >
> >check out flowscan
> >
> >http://www.caida.org/tools/utilities/flowscan/
> >
> >it gets close to what you want, assuming all the traffic is 
> >passing through a cisco router. 

A better choice (IMHO) would be flow-tools at

 http://www.splintered.net/sw/flow-tools/

there is no debian package yet... but working on it :)

Description:

Flow-tools is a library and a collection of programs used to collect,
send, process, and generate reports from NetFlow data. The tools can be
used together on a single server or distributed to multiple servers for
large deployments. The flow-tools library provides an API for
development of custom applications for NetFlow export versions 1, 5, 6 and
the 14 currently defined version 8 subversions. Perl and Python
interfaces have been contributed and are included in the distribution.

Flow data is collected and stored by default in host byte order, yet the
files are portable across big and little endian architectures.

Commands that utilize the network use a localip/remoteip/port
designation for communication. "localip" is the IP address the host will
use as a source for sending or bind to when receiving NetFlow PDUs (i.e.
the destination address of the exporter). Configuring the "localip" to 0
will force the kernel to decide what IP address to use for sending and
listen on all IP addresses for receiving. "remoteip" is the destination
IP address used for sending or the expected address of the source when
receiving. If the "remoteip" is 0 then the application will accept flows
from any source address. The "port" is the UDP port number used for
sending or receiving. When using multicast addresses the
localip/remoteip/port is used to represent the source, group, and port
respectively.

-- 
JJ van Gorkum                             Knowledge Zone
If UNIX isn't the solution, you've got the wrong problem.
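As an added illustration of the receive side described in the flow-tools description above (this is example code written for this page, not flow-tools' own code): a small NetFlow v5 collector step in Python that applies the "remoteip" rule (0 accepts any exporter, otherwise the datagram source must match), validates the PDU header before trusting its record count, and aggregates octets per address pair. The sample PDU, the exporter address 192.0.2.1 and the helper names (accept_source, parse_v5, octets_by_pair, build_v5, collect) are all constructed for this example; the v5 wire layout is the standard 24-byte header followed by 48-byte records.

```python
"""Minimal NetFlow v5 PDU parser with a remoteip-style source check.
Added example for this thread, not code from flow-tools."""
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire layout (network byte order): 24-byte header, then up to 30
# 48-byte records.  flow-tools stores flows in host byte order on disk; the
# export format on the wire is always big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def accept_source(remoteip, src):
    """Mirror the "remoteip" rule: 0 accepts any exporter, otherwise the
    datagram source must match exactly.  Since export is plain UDP, this
    check is the collector's only guard against packets from unexpected
    senders, so leaving remoteip at 0 is a deliberate trade-off."""
    if remoteip in ("0", "0.0.0.0"):
        return True
    return ipaddress.ip_address(remoteip) == ipaddress.ip_address(src)


def parse_v5(pdu):
    """Decode one NetFlow v5 export PDU into a list of flow dicts.
    Raises ValueError on anything that is not a well-formed v5 PDU, so a
    truncated or mislabelled datagram is never mistaken for real records."""
    if len(pdu) < V5_HEADER.size:
        raise ValueError("PDU shorter than v5 header")
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(pdu, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 PDU: version %d" % version)
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError("bad record count %d" % count)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(pdu) != expected:
        raise ValueError("length %d does not match count %d" % (len(pdu), count))
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(pdu, off)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "tcp_flags": flags, "packets": pkts, "octets": octets,
            "export_time": secs, "sequence": seq + i,
        })
    return flows


def octets_by_pair(flows):
    """Aggregate bytes per (src, dst) pair, the simplest kind of report
    flow-tools produces from collected flow files."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["octets"]
    return dict(totals)


def build_v5(records, seq=0):
    """Build a v5 PDU from (src, dst, sport, dport, proto, pkts, octets)
    tuples.  Exists only to construct sample input for this example."""
    header = V5_HEADER.pack(5, len(records), 1000, 1048000000, 0, seq, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, pkts, octets in records:
        body += V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            b"\0\0\0\0", 1, 2, pkts, octets, 900, 990, sport, dport,
            0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return header + body


# Constructed sample: two flows as an exporter at 192.0.2.1 would send them.
SAMPLE_EXPORTER = "192.0.2.1"
SAMPLE_PDU = build_v5([
    ("192.0.2.10", "198.51.100.5", 41000, 80, 6, 12, 9000),
    ("192.0.2.10", "198.51.100.5", 41001, 443, 6, 3, 600),
])


def collect(pdu, src_addr, remoteip):
    """One receive step: apply the remoteip check, then decode the PDU."""
    if not accept_source(remoteip, src_addr):
        return []
    return parse_v5(pdu)


if __name__ == "__main__":
    flows = collect(SAMPLE_PDU, SAMPLE_EXPORTER, remoteip="192.0.2.1")
    for pair, total in octets_by_pair(flows).items():
        print("%s -> %s: %d octets" % (pair[0], pair[1], total))
```

In a real deployment the `pdu` and `src_addr` arguments come from a UDP socket bound to the localip/port pair; the example keeps those out so it runs offline. The length check against `count` matters because the record count is attacker-controlled input on an unauthenticated UDP stream, and a parser that trusts it will read past the datagram.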
