From: Systems Administrator (firstname.lastname@example.org)
Date: Thu Nov 28 2002 - 15:28:32 PST
Hmm. I've just seen the netmask element of the netflows, and it does
seem to be chopping them off at that point in the aggregate data.
Anyway, I'll probably just go with flow-tools, since this seems to do
what I want :).
Incidentally, does anyone know why Dave Plonka's cflowd patches
(necessary for flow-tools, I understand) haven't been integrated into
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
----- Original Message -----
From: "Martin van den Nieuwelaar" <email@example.com>
To: "Systems Administrator" <firstname.lastname@example.org>
Sent: Friday, November 29, 2002 7:11 AM
Subject: Re: [Cflowd] Question
> Systems Administrator wrote:
> > ----- Original Message -----
> > From: "Martin van den Nieuwelaar" <email@example.com>
> > To: "Systems Administrator" <firstname.lastname@example.org>
> > Sent: Wednesday, November 27, 2002 8:23 PM
> > Subject: Re: [Cflowd] Question
> >>Systems Administrator wrote:
> >>> Just so that I understand, does this mean that 220.127.116.11 in a Class
> >>> C network will be registered as 18.104.22.168 ?
> >>Um, maybe :-)
> >>The granularity you get I think is directly related to the BGP routing
> >>table in your router. Have a look at the BGP table and you will see
> >>what sort of granularity you can expect. In some cases a class C
> >>network may have an entry for itself in the BGP table. This however
> >>is wasteful and in most cases many class C networks will be aggregated
> >>into one block. Typically you will see /16 (class B), /19, /20 etc.
> >>rather than /24 (class C).
> >>Any more questions, just ask away.
> > Hmm. We're not using BGP :). But I meant that as an example -- I
> > actually have a /26 and a /24 going through a certain pipe, and I want
> > to know how much data *each client* from there is sending, but it's not our
> > network, so I can't install stuff any closer to the client.
> > :)
> Hmm, I'm really not sure how the Cisco will work out the netmask for
> the Netflow Exports then. Maybe it will find it in the 202 range and
> just call it a class C etc.
> One way to find out would be to look at some raw Netflow Exports. A
> quick and easy way to do that would be to run BBNFC (Bare Bones
> Netflow Collector). It's a freeware program I wrote, available on
> www.gadgets.co.nz. It will dump the contents of the Netflow Export to
> stdout so you can see immediately what values are being assigned to
> the netmask etc. Your requirements might be simple enough that you
> could hack the output of BBNFC with some Perl script even... (BBNFC
> will display individual source/destination IP addresses)
> Expert carrier network traffic analysis and visualisation
> xenaphobia: The fear of being beaten to a
> pulp by a leather-clad, New Zealand woman
Cflowd mailing list
This archive was generated by hypermail 2.1.4 : Thu Nov 28 2002 - 15:50:13 PST
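The check suggested in the thread (look at the raw export and see what lands in the netmask fields) can be sketched as follows. This is an added example, not code from the thread, BBNFC, cflowd or flow-tools. It assumes the exports are NetFlow version 5 (the thread does not name a version); the function names and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header (assumed version)
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Yield (src_ip, src_mask, dst_ip, dst_mask, octets) for each flow record."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0]=srcaddr f[1]=dstaddr f[6]=dOctets f[17]=src_mask f[18]=dst_mask
        yield (ipaddress.IPv4Address(f[0]), f[17],
               ipaddress.IPv4Address(f[1]), f[18], f[6])

def bytes_per_host(datagram):
    """Per-client totals: key on the full source address in the raw record."""
    totals = Counter()
    for src, _, _, _, octets in parse_v5(datagram):
        totals[str(src)] += octets
    return dict(totals)

def bytes_per_prefix(datagram):
    """Rollup keyed on srcaddr masked by src_mask; the host part is lost here."""
    totals = Counter()
    for src, mask, _, _, octets in parse_v5(datagram):
        totals[str(ipaddress.ip_network(f"{src}/{mask}", strict=False))] += octets
    return dict(totals)

def _record(src, octets, src_mask, dst="203.0.113.1"):
    a = lambda s: ipaddress.IPv4Address(s).packed
    return RECORD.pack(a(src), a(dst), a("0.0.0.0"), 1, 2, 1, octets,
                       0, 0, 1024, 80, 0, 0, 6, 0, 0, 0, src_mask, 0, 0)

# Constructed sample: two clients in a /26 and one in a /24 (documentation ranges).
SAMPLE = HEADER.pack(5, 4, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    _record("192.0.2.10", 1500, 26), _record("192.0.2.20", 500, 26),
    _record("192.0.2.10", 250, 26), _record("198.51.100.7", 4000, 24)])

if __name__ == "__main__":
    print(bytes_per_host(SAMPLE))
    print(bytes_per_prefix(SAMPLE))
```
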