Hi!
Devon wrote (Thu 2001-May-17 17:19:36 -0400):
> When I run "artsnets <filename>", I get the SrcAdr as a /24 or smaller (e.g.
> /23, /22, etc). Is there any way to get specific hosts (i.e. /32)? If not,
> anyone have any suggestions? We are trying to track down an IP address that
> is sending a lot of traffic.
Within the flow information sent out by a Cisco, netmasks are
included. These netmasks match an entry in the current routing
table.
If you have a specific route in the table (be careful with route
aggregation, e.g. eigrp auto-summary), the mask should never be
shorter than the routing entry.
I have seen Ciscos being more detailed than expected. We had a
single host-route into a network for which we also had a route
with a shorter mask. However, all flows coming from or destined
to a host within this network were given 32-bit masks.
For you, Devon, it might be sufficient to include a host route
into the network the traffic is coming from. In any case, you
should be able to do a "binary search" by adding two routes
which are each 1 bit longer, then take the one with all the
traffic, split that one, ...
Cheers, Marcus
--
Condat AG
Alt-Moabit 91d | 10559 Berlin | Germany
Tel: +49.30.39094-167 | Fax: +49.30.39094-555-167
<mcg@condat.de> | http://www.condat.de
--
cflowd mailing list
cflowd@caida.org
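The "binary search" over routes described in the reply above, as an added sketch that is not part of the original message or of cflowd. It assumes the exported source mask follows the longest matching route; the function names, addresses and byte counts are constructed for illustration.

```python
import ipaddress

# Constructed sample: bytes sent per source host, as seen by the router.
SAMPLE_TRAFFIC = {
    "192.0.2.17": 9_500_000,
    "192.0.2.130": 40_000,
    "192.0.2.201": 12_000,
}


def export_flows(traffic, routes):
    """Model the export (assumption): each source is reported under the
    longest route that contains it, so hosts collapse into that prefix."""
    totals = {}
    for host, nbytes in traffic.items():
        addr = ipaddress.ip_address(host)
        matches = [r for r in routes if addr in r]
        if not matches:
            continue  # no route covers this source, nothing reported
        best = max(matches, key=lambda r: r.prefixlen)
        totals[best] = totals.get(best, 0) + nbytes
    return totals


def find_top_talker(traffic, start):
    """Add two routes one bit longer than the current prefix, keep the
    half that carries the most bytes, and repeat until it is a host route."""
    current = ipaddress.ip_network(start)
    steps = [current]
    while current.prefixlen < current.max_prefixlen:
        halves = list(current.subnets(prefixlen_diff=1))
        totals = export_flows(traffic, [current] + halves)
        current = max(halves, key=lambda h: totals.get(h, 0))
        steps.append(current)
    return current, steps


if __name__ == "__main__":
    host, steps = find_top_talker(SAMPLE_TRAFFIC, "192.0.2.0/24")
    for prefix in steps:
        print(prefix)
    print("top talker:", host)
```

Starting from a /24 this takes eight splits, one per remaining mask bit, before the busiest source is isolated as a /32.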
This archive was generated by hypermail 2b29 : Fri May 18 2001 - 02:53:33 PDT