ANNOUNCE: FlowScan-1.006 released

From: Dave Plonka (
Date: Wed Feb 28 2001 - 14:04:15 PST

    cflowd users,

        I'm pleased to announce the release of `FlowScan-1.006'.
        `FlowScan' is a tool to monitor and graph flow information from
        Cisco and Riverstone routers in near real-time.

        Amongst many other things, `FlowScan' can measure and graph
        traffic for applications such as Napster. A sample of what
        FlowScan can do is at:


    Changes in FlowScan-1.006 (since FlowScan-1.005)
        * The CampusIO and SubNetIO reports were enhanced with a new
            optional configuration directive: `TopN'. When defined, this
            directive causes "Top Talker" reports to be produced. These
            HTML reports contain the most active (i.e. "top") source and
            destination addresses.

        * The CampusIO and SubNetIO reports were enhanced to record the
            number of local IP addresses that were active for each
            network and subnet into the RRD files. This enables users to
            estimate the number of active hosts over time, detect
            "scans" which systematically sweep across network address
            space, and to calculate the average bytes, packets, and
            flows per host.

        * The template Makefile used to produce the graphs was enhanced to
            allow the inclusion of "events" in the graphs, similarly to
            what can be done with Cricket. This allows you to label
            events such as configuration changes and outages to discover
            correlations with traffic measurement.

        * Two new utilities, suitable for stand-alone use, are included.
            `ip2hostname' converts IP addresses to their
            respective hostnames. `event2vrule' adds "events"
            to `rrdtool' graphs.

        * Added support for LFAP (Lightweight Flow Accounting Protocol)
            used by Riverstone and Enterasys (formerly Cabletron)
            routers. This currently requires `slate' (from
            `') and `lfapd' by Steven Premeau
            <>. `lfapd' produces time-stamped raw flow
            files in the same cflowd-defined format that is processed by

        * Added the ability for the `CampusIO' report to identify outbound
            flows based solely on the flow's destination IP address.
            While this is less trustworthy than using `NextHops' or
            `OutputIfIndexes', it is now the default and will be useful
            for environments where the flow nexthop or output ifIndex
            values are not meaningful.

        * The `CampusIO' report contains a new experimental feature which
            reads a BGP routing table, and therefore can determine which
            Autonomous systems source, transit, or sink most of your
            institution's traffic. The `CampusIO' report was enhanced
            with new optional configuration directives: `BGPDumpFile',
            `TopN', `ReportPrefixFormat'. When properly defined, these
            directives cause `CampusIO' to create tabular HTML reports
            named `{origin|path}_{in|out}.html' under `OutputDir' after
            analyzing each raw flow file. These reports show the "top"
            Autonomous Systems with which your site exchanges traffic.

        * A `WebProxyIfIndex' directive was added to the `CampusIO'
            report. This allows one to specify the index of the
            interface to which HTTP traffic is being transparently
            redirected. This enables `FlowScan' to properly count HTTP
            flows even though NetFlow v5 does not accurately report the
            nexthop value for flows which are transparently redirected
            via a Cisco route-map.

        * `CampusIO' now contains a fix for a bug introduced in
            `FlowScan-1.005' which would sometimes cause perl to abort with this

               patricia.c:645: patricia_lookup: Assertion `prefix' failed.

            This would happen if the `NextHops' or `LocalNextHops' were
            specified by name rather than IP address. It also would
            happen if the boulder `SUBNET' values were specified

        FlowScan is licensed under the GNU General Public License, and
        is available to you at:


    Mailing Lists
            There are two mailing lists having to do with FlowScan:

        * flowscan
            a general mailing list for FlowScan users.

        * flowscan-announce
            a low-volume, restricted post mailing list to keep FlowScan
            users informed of news regarding FlowScan.

        The lists' respective archives are available at:




        Announcements will be "cross-posted" to both lists, so there's
        no need to join both.

        These lists are hosted by the Division of Information
        Technology's Network Engineering Technology group at the
        University of Wisconsin - Madison. To subscribe to either of
        them, send email to:


        containing either:

           subscribe flowscan


           subscribe flowscan-announce

        You should receive an automatic response that will request that
        you verify your request to become a member of the list, to which
        you must reply with the authentication information therein.
        Then, in response to your reply, you should receive a welcome
        message. If you have any questions about the administrative
        policies of this list's manager, please contact:




    FlowScan Resources


        Paper - "FlowScan: A Network Traffic Flow Reporting and
        Visualization Tool":



        LISA XIV (New Orleans, Dec. 2000) Presentation:


        NANOG 21 (Atlanta, Feb. 2001) Presentation:




           Alexander Kunz <>
           Kevin Gannon <>
           John Payne <>
           Michael Hare <>
           Steven Premeau <>

        I'd like to thank the participants in the FlowScan mailing list
        for their efforts and feedback.

        Also, thanks to Daniel McRobb, Tobi Oetiker, and CAIDA for
        providing the main tools upon which FlowScan is built, namely
        "cflowd" and "RRDTOOL".

    Copyright and Disclaimer
            Note that this document is provided `as is'. The information
            in it is not warranted to be correct. Use it at your own

               Copyright (c) 2000-2001 Dave Plonka <>.
               All rights reserved.

            This document may be reproduced and distributed in its
            entirety (including this authorship, copyright, and
            permission notice), provided that no charge is made for the
            document itself.

    --  ARS:N9HZF  Madison, WI
    cflowd mailing list

    This archive was generated by hypermail 2b29 : Wed Feb 28 2001 - 14:24:52 PST
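
An added example, not part of the original announcement and not FlowScan's own code: a sketch of the per-subnet active-address count described in the changes list, showing how a jump in that count points to a sweep across address space and how bytes per host falls out of the same data. The subnets, flow tuples, `factor` threshold and all function names are assumptions constructed for illustration, as is the choice to count a local address as active when it appears as either endpoint of a flow.

```python
import ipaddress
from collections import defaultdict

# Assumed local subnets (documentation address space, constructed).
SUBNETS = [ipaddress.ip_network("192.0.2.0/25"),
           ipaddress.ip_network("192.0.2.128/25")]

def local_subnet(addr):
    """Return the local subnet containing addr, or None if it is remote."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in SUBNETS if ip in n), None)

def summarize(flows):
    """Per subnet: distinct active local addresses, bytes, bytes per host."""
    hosts, octets = defaultdict(set), defaultdict(int)
    for src, dst, nbytes in flows:
        touched = set()
        for addr in (src, dst):
            net = local_subnet(addr)
            if net is not None:
                hosts[net].add(addr)
                touched.add(net)
        for net in touched:          # count each flow once per subnet
            octets[net] += nbytes
    return {str(n): {"active": len(hosts[n]), "bytes": octets[n],
                     "bytes_per_host": octets[n] / len(hosts[n])}
            for n in hosts}

def sweep_suspects(history, current, factor=3.0):
    """Subnets whose active count exceeds factor x the mean of past intervals."""
    out = []
    for net, stats in current.items():
        past = [h[net]["active"] for h in history if net in h]
        if past and stats["active"] > factor * (sum(past) / len(past)):
            out.append(net)
    return sorted(out)

# Constructed sample intervals: (source, destination, bytes).
NORMAL = [("192.0.2.10", "198.51.100.7", 4000),
          ("198.51.100.7", "192.0.2.10", 90000),
          ("192.0.2.11", "203.0.113.5", 1500),
          ("192.0.2.130", "203.0.113.5", 2500)]
# One remote source sends a small flow to each of 40 addresses in the first /25.
SWEEP = NORMAL + [("203.0.113.99", f"192.0.2.{i}", 40) for i in range(20, 60)]

if __name__ == "__main__":
    baseline = [summarize(NORMAL), summarize(NORMAL)]
    now = summarize(SWEEP)
    print(now)
    print("possible sweep:", sweep_suspects(baseline, now))
```

During the constructed sweep the active count for the first subnet rises sharply while bytes per host collapses, since most of the newly "active" addresses only received one small probe flow.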