COMPILING THE TOOLKIT
---------------------

To compile the toolkit, you'll first need to install zlib 1.0.4 or greater,
tcp_wrappers 7.6, and GNU make.

  zlib          ftp://ftp.freesoftware.com/pub/infozip/zlib/
  tcp_wrappers  ftp://ftp.win.tue.nl pub/security/tcp_wrappers_7.6.tar.gz
  gnu_make      ftp://ftp.gnu.org/pub/gnu/make/make-3.79.1.tar.gz

Then

  ./configure
  gmake
  gmake install

CONFIGURING THE ROUTER
----------------------

! enable cef
ip cef
ip cef distributed
!

Turn on flow accounting for each input interface with the interface command

interface Fddi3/0
 ip route-cache flow
interface atm3/0/0
 ip route-cache flow
...

Verify the router is generating flow stats with the command
'show ip cache flow'. Note that for routers with distributed switching
(GSR's, 75XX's) the RP CLI will only show flows that made it up to the RP.
To see flows on the individual linecards use the 'attach' or 'if-con' command
and issue 'sh ip ca fl' on each LC.

IP packet size distribution (36242M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .002 .340 .084 .021 .020 .012 .009 .009 .008 .007 .006 .007 .004 .003 .004

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .004 .035 .077 .338 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  4139 active, 61397 inactive, 712344771 added
  871670181 ager polls, 0 flow alloc failures
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet     1572735      0.3        58   127     21.4      27.0      14.8
TCP-FTP        6193502      1.4        24   746     35.3       3.6       9.0
TCP-FTPD       1458042      0.3      1534   833    520.9      42.4       4.2
TCP-WWW       93403998     21.7        19   633    432.9       4.9       6.3
TCP-SMTP      16123540      3.7        15   431     59.1       3.4       6.4
TCP-X           687228      0.1       238   276     38.1      20.8      14.3
TCP-BGP        1116819      0.2         3    45      0.7       5.3      16.0
TCP-NNTP       1455156      0.3      1102   176    373.4     106.1      11.9
TCP-Frag          3244      0.0         4   636      0.0       2.8      16.3
TCP-other    188162587     43.8       118   733   5204.5      11.1       6.9
UDP-DNS       38042100      8.8         3    84     27.3       3.8      16.4
UDP-NTP       18760129      4.3         1    76      5.3       1.3      16.3
UDP-TFTP           665      0.0         4    76      0.0       7.9      16.4
UDP-Frag         13111      0.0      2121  1108      6.4     366.8      13.5
UDP-other    195556237     45.5        35   343   1632.5       5.8      16.3
ICMP         149285440     34.7         2    64     72.9       0.9      16.5
IGMP             15315      0.0       167    32      0.5    1660.6       3.9
IPINIP           15112      0.0        35    52      0.1     275.3      14.2
GRE             127489      0.0         3   109      0.1      16.9      16.1
IP-other        348604      0.0        56   447      4.5      21.5      16.2
Total:       712341053    165.8        50   620   8436.8       6.2      12.2

SrcIf     SrcIPaddress     DstIf     DstIPaddress     Pr SrcP DstP  Pkts
AT4/0.1   128.146.225.194  AT1/0.2   128.194.203.23   06 0019 2CAF    15
AT2/0.10  129.22.250.148   AT1/0.2   129.2.226.43     06 04BA 1A20  1266
AT2/0.11  130.108.110.48   AT1/0.2   170.140.89.100   06 0923 10A3   436
AT1/0.2   170.140.89.100   AT2/0.11  130.108.110.48   06 10A3 0923   462

! Enable the exports of flows with the global commands
ip flow-export version 5 origin-as
ip flow-export 10.0.0.1 9990
! Enable the AS aggregation cache and export the aggregated flows to
! 10.0.0.1 port 9991
ip flow-aggregation cache as
 export destination 10.0.0.1 9991
 enabled
! Create a loopback interface if one does not exist
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
! Configure NetFlow export source address
!
ip flow-export source Loopback0

If you have tcpdump installed on or near the host you're using to capture
flows, the exports can be verified.

shattered:~% /usr/local/etc/tcpdump -n udp port 9991
/usr/local/etc/tcpdump: listening on le0
12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.962551 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.975115 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.984444 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.993956 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.003252 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.015483 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.024852 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.034182 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.043545 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.053239 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168

flow-receive can be used to verify your host is receiving flows:

  ./flow-receive 0/0/9990 | ./flow-print
or
  ./flow-receive 0/0/9991 | ./flow-print

% ./flow-receive 0/0/9990 | ./flow-print | head -10
Sif SrcIPaddress     Dif DstIPaddress     Pr SrcP DstP Pkts  Octets
60  206.204.84.9     00  10.0.135.63      06 15   5f0  2     88
00  10.0.135.63      60  206.204.84.9     06 5f0  15   16    787
60  206.204.84.9     00  10.0.135.63      06 15   5f0  13    1742
00  10.0.155.25      60  204.62.245.167   06 50   bae5 15    948
60  204.62.245.167   00  10.0.155.25      06 bae5 50   13    681
60  206.204.84.20    00  10.0.135.63      06 50   5ed  7     3494
60  206.204.84.20    00  10.0.135.63      06 50   5ef  6     401
60  206.204.84.20    00  10.0.135.63      06 50   5eb  11    9413
00  10.0.135.63      60  206.204.84.20    06 5ed  50   9     637

To store the flow exports on disk, use flow-capture. The following will
store 15 minute compressed exports in /netflow/oar/krc3.v5 and begin
removing the oldest files after 3Gig of storage has been used.

  mkdir -p /netflow/oar/krc3.v5
  ./flow-capture -w /netflow/oar/krc3.v5 -E3G 0/10.1.1.1/9990

The completed exports will begin with 'ft'. The current export file will
begin with 'tmp'.

The 'ft' files can now be used with the other tools, e.g.

  ./flow-print < /netflow/oar/krc3.v8.1/ft-v08m01.2001-02-09.111502

flow-cat, flow-stat, and flow-filter can be combined to produce various
reports such as total bytes in the export period, source/destination
matrices, per interface totals, etc.
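As an added example (not part of flow-tools or this document), the following is a small decoder for the NetFlow v5 datagrams that 'ip flow-export version 5' sends to the collector, using the standard v5 header and record layout; it also uses the header's flow_sequence counter to detect export datagrams lost between router and collector, which flow-print output alone will not reveal. The sample datagrams are constructed here, with addresses, ports and counters taken from the flow-print output above; the timestamp and interface indexes are assumed.

```python
import socket
import struct
# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte flow records.
# Header: version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
HDR = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Decode one export datagram into (header, records); malformed v5 input raises ValueError."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, secs, _ns, seq, etype, eid, _samp = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > 30 or len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        records.append({"sif": f[3], "src": socket.inet_ntoa(f[0]), "dif": f[4], "dst": socket.inet_ntoa(f[1]),
                        "prot": f[13], "sport": f[9], "dport": f[10], "pkts": f[5], "octets": f[6]})
    return {"count": count, "seq": seq, "time": secs, "engine": (etype, eid)}, records

def sequence_gap(expected_seq, header):
    """flow_sequence counts records exported so far; a positive gap = records lost since the previous datagram."""
    return 0 if expected_seq is None else header["seq"] - expected_seq

def build_v5(seq, flows):
    """Constructed datagram for offline testing; flows = (src, dst, prot, sport, dport,
    pkts, octets). Input ifIndex 0x60 and output 0 mirror the flow-print sample above."""
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 0x60, 0,
                 pk, oc, 0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pr, sp, dp, pk, oc in flows)
    return HDR.pack(5, len(flows), 0, 981717302, 0, seq, 0, 0, 0) + body  # assumed timestamp

if __name__ == "__main__":
    # Two constructed exports; the second one's sequence number implies 3 lost records.
    d1 = build_v5(0, [("206.204.84.9", "10.0.135.63", 6, 0x15, 0x5f0, 2, 88),
                      ("10.0.135.63", "206.204.84.9", 6, 0x5f0, 0x15, 16, 787)])
    d2 = build_v5(5, [("10.0.155.25", "204.62.245.167", 6, 0x50, 0xbae5, 15, 948)])
    expected = None
    for hdr, recs in map(parse_v5, (d1, d2)):
        print("seq %d count %d lost %d" % (hdr["seq"], hdr["count"], sequence_gap(expected, hdr)))
        for r in recs:
            print("%(sif)02x %(src)-15s %(dif)02x %(dst)-15s %(prot)02x %(sport)x %(dport)x %(pkts)d %(octets)d" % r)
        expected = hdr["seq"] + hdr["count"]
```

A collector that logs a non-zero gap tells you flows are being dropped on the export path, and a version mismatch on the first datagram is the quickest way to spot a router still exporting a different NetFlow version than the one configured.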