Re: [Cflowd] AS-Matrix for outgoing traffic

From: Kevin Nicastro (kevin@epoch.net)
Date: Wed Nov 13 2002 - 05:00:55 PST

  • Next message: Wanja Jansson: "[Cflowd] ifindex in arts++ viewers"

    I had to solve this problem years ago when we first started using cflowd. We were trying to use the tool on a nationwide backbone with multiple peering points, both public and private, across the country. The problem was that, although I could tell the packet was to be forwarded to any given peer ASN, I could not tell at which egress point it was. So I hacked the code.

    It does not matter that flow packets are only counted on input interfaces. Each flow packet contains both a source interface and a destination interface. However, cflowd only builds arts tables based on the source interface. So I modified the code to build arts information on both the source interface AND the destination interface thereby counting each packet twice. To distinquish between an AS-matrix table which was collected based on destination interface, I did something arbitrary like added 1000 to the ifIndex value. For example:

    ifIndex: 1 (Serial1/1/0 source interface)
    ifIndex: 1001 (Serial1/1/0 destination interface)

    The only function that needed modifying was

    int CflowdCisco::AddFlow(const CflowdRawFlow & flow)

    in file CflowdCisco.cc

    Note, I don't know how your graphing/reporting program (like flowscan) would handle this change. This was before flowscan was released and I wrote my own code to parse the arts files and graphs them based on the java grapher that caida was using way back when (which we bought for about $300).

    We do not used cflowd anymore.

    Here is a copy of the modified function that we used. Note, it is from a very old version (2.1.a3). We eventually upgraded to 2.1.a9 but I cannot find the source code for that anymore. The first half is the original function, the second half is a repeat of the code changing inputIfIndex to outputIfIndex and adding 1000. Very simple.

    -Kevin
    =========================================================

    int CflowdCisco::AddFlow(const CflowdRawFlow & flow)
    {
      uint16_t inputIfIndex;
      uint16_t outputIfIndex;

      if (! (flow.Index() & CflowdRawFlow::k_inputIfIndexMask)) {
        inputIfIndex = 0;
      }
      else {
        inputIfIndex = flow.InputIfIndex();
      }

      if (this->_tableIndex & k_cflowdProtocolTableMask) {
        this->Interfaces()[inputIfIndex].ProtocolTable().AddFlow(flow);
      }

      if (this->_tableIndex & k_cflowdPortTableMask) {
        cerr << "port table not yet implemented! {"
             << __FILE__ << ":" << __LINE__ << "}"
             << endl;
      }

      // update the net matrix
      if (this->_tableIndex & k_cflowdNetMatrixMask) {
        this->Interfaces()[inputIfIndex].NetMatrix().AddFlow(flow);
      }

      // update the AS matrix
      if (this->_tableIndex & k_cflowdAsMatrixMask) {
        this->Interfaces()[inputIfIndex].AsMatrix().AddFlow(flow);
      }

      if (this->_tableIndex & k_cflowdRawFlowMask) {
        this->_flowLogger->AddFlow(flow);
      }

      // update the port matrix
      if (this->_tableIndex & k_cflowdPortMatrixMask) {
        this->Interfaces()[inputIfIndex].PortMatrix().AddFlow(flow);
      }

      // update the interface matrix
      if (this->_tableIndex & k_cflowdInterfaceMatrixMask) {
        this->Interfaces()[inputIfIndex].InterfaceMatrix().AddFlow(flow);
      }

      // update the nextHop table
      if (this->_tableIndex & k_cflowdNextHopTableMask) {
        this->Interfaces()[inputIfIndex].NextHopTable().AddFlow(flow);
      }

      // update the TOS table
      if (this->_tableIndex & k_cflowdTosTableMask) {
        this->Interfaces()[inputIfIndex].TosTable().AddFlow(flow);
      }

      this->_lastUpdated = time((time_t *)NULL);

      /// Repeat the process this time recording the flow in Arts
      /// under the ifIndex of the output interface + 1000. This
      /// way you will know which direction the flow is travelling
      /// Modified by Kevin Nicastro

      if (! (flow.Index() & CflowdRawFlow::k_outputIfIndexMask)) {
        outputIfIndex = 0;
      }
      else {
        outputIfIndex = flow.OutputIfIndex();
      }

      outputIfIndex = (uint16_t) outputIfIndex + 1000;

      if (this->_tableIndex & k_cflowdProtocolTableMask) {
        this->Interfaces()[outputIfIndex].ProtocolTable().AddFlow(flow);
      }

      if (this->_tableIndex & k_cflowdPortTableMask) {
        cerr << "port table not yet implemented! {"
             << __FILE__ << ":" << __LINE__ << "}"
             << endl;
      }

      // update the net matrix
      if (this->_tableIndex & k_cflowdNetMatrixMask) {
        this->Interfaces()[outputIfIndex].NetMatrix().AddFlow(flow);
      }

      // update the AS matrix
      if (this->_tableIndex & k_cflowdAsMatrixMask) {
        this->Interfaces()[outputIfIndex].AsMatrix().AddFlow(flow);
      }

      if (this->_tableIndex & k_cflowdRawFlowMask) {
        this->_flowLogger->AddFlow(flow);
      }

      // update the port matrix
      if (this->_tableIndex & k_cflowdPortMatrixMask) {
        this->Interfaces()[outputIfIndex].PortMatrix().AddFlow(flow);
      }

      // update the interface matrix
      if (this->_tableIndex & k_cflowdInterfaceMatrixMask) {
        this->Interfaces()[outputIfIndex].InterfaceMatrix().AddFlow(flow);
      }

      // update the nextHop table
      if (this->_tableIndex & k_cflowdNextHopTableMask) {
        this->Interfaces()[outputIfIndex].NextHopTable().AddFlow(flow);
      }

      // update the TOS table
      if (this->_tableIndex & k_cflowdTosTableMask) {
        this->Interfaces()[outputIfIndex].TosTable().AddFlow(flow);
      }

      this->_lastUpdated = time((time_t *)NULL);

      return(0);
    }

    "Strahler, Carsten" wrote:

    > Hi,
    >
    > we use cflow and arts and everything is fine so far.
    > But now I have to solve a special problem. We've a router with two
    > eBGP-Peers.
    > I'd like to sample both peers and get an AS-Matrix for in- and outgoing
    > traffic for both peers.
    > But the problem is that the tool 'artsases' generate only the matrix for the
    > source interface.
    > Therefore I'm not able to distinguish the outgoing traffic of both peers.
    > Does anyone know a solution for this problem or an other tool ?
    >
    > regards
    >
    > ------------------------------------------------------------
    > Carsten Strahler
    >
    > IP Planning
    >
    > Lambdanet Communications GmbH (AS 13237)
    > Guenther-Wagner-Allee 13
    > D-30177 Hannover (Germany)
    >
    > Phone +49 (0)511 / 84 88 12 86
    > Mobile +49 (0)178 / 362 1286
    > Fax +49 (0)511 / 84 88 12 59
    > mailto:carsten.strahler@lambdanet.net
    >
    > web: www.lambdanet.net
    > -----------------------------------------------------------
    >
    > _______________________________________________
    > Cflowd mailing list
    > Cflowd@caida.org
    > http://login.caida.org/mailman/listinfo/cflowd

    _______________________________________________
    Cflowd mailing list
    Cflowd@caida.org
    http://login.caida.org/mailman/listinfo/cflowd

    This archive was generated by hypermail 2.1.4 : Wed Nov 13 2002 - 05:20:05 PST