Re: [Cflowd] Question

From: Systems Administrator (sysadmin@sunet.com.au)
Date: Thu Nov 28 2002 - 15:28:32 PST

        Hmm. I've just seen the netmask element of the netflows, and it does
    seem to be chopping them off at that point in the aggregate data.

        Anyway, I'll probably just go with flow-tools, since this seems to do
    what I want :).

        Incidentally, does anyone know why Dave Plonka's cflowd patches
    (necessary for flow-tools, I understand) haven't been integrated into
    cflowd?

        Thanks,

    Tim Nelson
    Systems Administrator
    Sunet Internet
    Tel: +61 3 5241 1155
    Fax: +61 3 5241 6187
    Web: http://www.sunet.com.au/
    Email: sysadmin@sunet.com.au
    ----- Original Message -----
    From: "Martin van den Nieuwelaar" <martin@gadgets.co.nz>
    To: "Systems Administrator" <sysadmin@sunet.com.au>
    Sent: Friday, November 29, 2002 7:11 AM
    Subject: Re: [Cflowd] Question

    > Systems Administrator wrote:
    > > ----- Original Message -----
    > > From: "Martin van den Nieuwelaar" <martin@gadgets.co.nz>
    > > To: "Systems Administrator" <sysadmin@sunet.com.au>
    > > Sent: Wednesday, November 27, 2002 8:23 PM
    > > Subject: Re: [Cflowd] Question
    > >
    > >
    > >
    > >>Systems Administrator wrote:
    > >>
    > >>> Just so that I understand, does this mean that 210.80.157.200 in a
    > >>> Class C network will be registered as 210.80.157.0 ?
    > >>
    > >>Um, maybe :-)
    > >>
    > >>The granularity you get I think is directly related to the BGP routing
    > >>table in your router. Have a look at the BGP table and you will see
    > >>what sort of granularity you can expect. In some cases a class C
    > >>network may have an entry for itself in the BGP table. This however
    > >>is wasteful and in most cases many class C networks will be aggregated
    > >>into one block. Typically you will see /16 (class B), /19, /20 etc.
    > >>rather than /24 (class C).
    > >>
    > >>Any more questions, just ask away.
    > >
    > >
    > >
    > > Hmm. We're not using BGP :). But I meant that as an example -- I
    > > actually have a /26 and a /24 going through a certain pipe, and I want to
    > > know how much data *each client* from there is sending, but it's not our
    > > network, so I can't install stuff any closer to the client.
    > >
    > > :)
    >
    > Hmm, I'm really not sure how the Cisco will work out the netmask for
    > the Netflow Exports then. Maybe it will find it in the 202 range and
    > just call it a class C etc.
    >
    > One way to find out would be to look at some raw Netflow Exports. A
    > quick and easy way to do that would be to run BBNFC (Bare Bones
    > Netflow Collector). It's a freeware program I wrote, available on
    > www.gadgets.co.nz. It will dump the contents of the Netflow Export to
    > stdout so you can see immediately what values are being assigned to
    > the netmask etc. Your requirements might be simple enough that you
    > could hack the output of BBNFC with some Perl script even... (BBNFC
    > will display individual source/destination IP addresses)
    >
    > Cheers,
    >
    > -Martin
    >
    > --
    > Expert carrier network traffic analysis and visualisation
    > http://www.networkintelligence.biz
    > xenaphobia: The fear of being beaten to a
    > pulp by a leather-clad, New Zealand woman
    >

    _______________________________________________
    Cflowd mailing list
    Cflowd@caida.org
    http://login.caida.org/mailman/listinfo/cflowd
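
The netmask question in this thread, as an added example that is not part of the original messages and is not code from cflowd, flow-tools or BBNFC: it decodes raw export records and totals bytes both per source host and per masked network, showing where 210.80.157.200 collapses to 210.80.157.0. It assumes NetFlow version 5 (the thread does not name a version); the datagram and every address other than 210.80.157.200 are constructed sample data.

```python
import ipaddress
import struct
from collections import Counter

# NetFlow v5 layout (assumed version): 24-byte header, then 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Yield (src_ip, src_mask, octets) for each flow record in one export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0] = srcaddr, f[6] = dOctets, f[17] = src_mask (prefix length)
        yield ipaddress.IPv4Address(f[0]), f[17], f[6]

def bytes_per_host(datagram):
    """Per-client totals: uses the full source address and ignores the mask."""
    totals = Counter()
    for src, _mask, octets in parse_v5(datagram):
        totals[str(src)] += octets
    return totals

def bytes_per_network(datagram):
    """Aggregated totals: the source address is chopped at the exported mask."""
    totals = Counter()
    for src, mask, octets in parse_v5(datagram):
        net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
        totals[str(net)] += octets
    return totals

def sample_datagram():
    """Constructed export: two hosts in a /24 and one host in a /26."""
    flows = [("210.80.157.200", 24, 1500), ("210.80.157.201", 24, 500),
             ("210.80.158.10", 26, 900)]
    body = b"".join(
        RECORD.pack(ipaddress.IPv4Address(ip).packed, bytes(4), bytes(4), 0, 0, 1,
                    octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, mask, 0, 0)
        for ip, mask, octets in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    print(dict(bytes_per_host(sample_datagram())))
    print(dict(bytes_per_network(sample_datagram())))
```

The raw records still carry each client's address, so per-client accounting depends on summing before the mask is applied.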



    This archive was generated by hypermail 2.1.4 : Thu Nov 28 2002 - 15:50:13 PST