fix paths in log2rrd, flow-rptfmt, flow-rpt2rrd
script to generate flow-xlate cryptopan key
flow-send is not working on big endian machines
set source port on flow-send/fanout
strip off blank lines on strftime
flow-report should have a cur_report variable name.
flow-report should have a max memory allowed per report option.
-S state_interval with flow-capture may not be working correctly if set to 1 hour.
flow-tag example uses old version of flow-xlate
report definitions need terms so filter/mask/tags can be applied to groups
of reports.
flow-fanout is not working on a Mac
-o option to flow-cat may have issues with large files
update man pages so that tag/filter/mask must be explicitly set
-- JohnWong@crimsonlogic.com
document somewhere what raw flow fields are
flow-gen random support
top 10 flows in flow-report.
mmap() problems on AIX
xlate todo
  add to flow-report?
  flow-report man page?
  add to flow-fanout?
  flow-fanout man page?
ftstat does not OR in the filter xfields.
The "XXX references a field not in the flow" error message should display
the offending field.
flow-print format 24 is still missing from the flow-print man page.
Christian.Bauer@NEFkom.de
FT_RECGET -> FTIO_RECGET - use ftio offsets.
fts3rec_compute_offsets() could be done automatically on ftio_open(4READ)
-- update everything to use ftio->fo.
flow-split, flow-report timing problem when a period passes with no clock.
source spoofing in flow-fanout is not going to work properly with multiple
sources - need per source sequence numbers on output side.
source spoofing - in flow-send use the exporter IP from the flow record.
SCTP support
NetFlow v9 support
flow-rptfmt
Sparc/Linux portability
http://www.debian.org/ports/sparc/ has a little more as does
http://www.ultralinux.org/
http://www.auroralinux.org/
Matt.Foster@Unilever.com
> stat-report report1
> input
> time yesterday
> path /data/%Y/%Y-%m/%Y-%m-%d/
(dynamic path)
flow-capture - use ftfil ACL for accepting flows.
flow-split should fail more gracefully when splitting on time with old
flow files without clocking information.
flow-cat -> ftlib so flow-xxx /flows/data/2002 will work without using flow-cat
flow-probe
flow-capture / flow-expire not removing empty directories.
flow-report per src/dst tag src/dst host count
reference ip2hostname utility on web page
flow-report, flow-nfilter, flow-tag - config file from command line string.
flow-print strftime style processing.
flow-cat mmap causes crash problem on Solaris
cisco magic filters
total_flows should always be a u_int64, not u_int32
DEC portability
  - check for snprintf
Robin's libcap/flow-import patch
flow-capture/flow-receive finish the locip/remip/port code to accept multiple
exporters
the AS substitution can be smarter, i.e. don't do substitution for multicast
traffic or output ifIndex 0, or possibly if the mask bits are 0.
mmap should be turned off for large files since it won't work.
directio
md5 checksums
ftio_write could use write() instead of writen() to better utilize d_buf
when write() returns 0 -- ie on a TCP connection.
flow-xlate - split overflow scaled flows
flow-bidir
flow-import/export - argus files
flow-import/export - OCxmon files
flow-import/export - netramet files
flow-import/export - cabletron files
bgp integration - community (xxx:yyy) -> tag yyy
packet sampling rate need to be stored in the flow file. flow-stat would
need to use this to estimate total # of flows
--with-cflow - automagically build Dave's Cflow module
flow-cat
  -R ifalias    Reset ifalias
  -R ifmap      Reset ifmap
  -L ifalias    Load ifalias
  -L ifmap      Load ifmap
  -S <path>     where to look for symbol names
  -I <iplist>   only load for IP's
flow-capture
  -M <path>     where to look for symbol names
symbol file:
  ifmap exporter=1.2.3.4 ifIndex=99 name=FastEthernet0/0 encap=60 sample_rate=100
  ifalias exporter=1.2.3.4 name=outside ifIndex_list=5,1,2,3,4,5
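A parser for the symbol file sketched above, added here as an example; it is not code from flow-tools. The record layout follows the two sample lines (a record type followed by key=value pairs), but the comment syntax, the required-key rule per record type, the de-duplication of ifIndex_list, the sample_rate check and the helper names (parse_symbol_file, interface_name, aliases_for, scale_counters) are assumptions of this example. The sample records are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample in the symbol-file format sketched above; these are
# illustrative records, not a file shipped with flow-tools.
SAMPLE_SYMBOL_FILE = """\
# exporter interface table: name, encapsulation and sampling per ifIndex
ifmap exporter=1.2.3.4 ifIndex=99 name=FastEthernet0/0 encap=60 sample_rate=100
ifmap exporter=1.2.3.4 ifIndex=5 name=Serial0/1 encap=60 sample_rate=1
# aliases group several ifIndex values under one name
ifalias exporter=1.2.3.4 name=outside ifIndex_list=5,1,2,3,4,5
ifalias exporter=1.2.3.4 name=inside ifIndex_list=99
"""

# Keys that must be present per record type (assumed rule, so that a
# malformed line fails loudly instead of producing a half-filled table).
REQUIRED = {
    "ifmap": {"exporter", "ifIndex", "name"},
    "ifalias": {"exporter", "name", "ifIndex_list"},
}
INT_FIELDS = {"ifIndex", "encap", "sample_rate"}


@dataclass
class SymbolTable:
    # (exporter, ifIndex) -> {"name": ..., "encap": ..., "sample_rate": ...}
    ifmap: dict = field(default_factory=dict)
    # (exporter, alias) -> ordered, de-duplicated list of ifIndex values
    ifalias: dict = field(default_factory=dict)


def _parse_pairs(pairs, lineno):
    attrs = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"line {lineno}: expected key=value, got {pair!r}")
        if key in attrs:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        attrs[key] = value
    return attrs


def parse_symbol_file(text):
    """Parse ifmap/ifalias records into a SymbolTable, validating as it goes."""
    table = SymbolTable()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment (assumed)
        if not line:
            continue
        kind, *pairs = line.split()
        if kind not in REQUIRED:
            raise ValueError(f"line {lineno}: unknown record type {kind!r}")
        attrs = _parse_pairs(pairs, lineno)
        missing = REQUIRED[kind] - set(attrs)
        if missing:
            raise ValueError(f"line {lineno}: {kind} missing {sorted(missing)}")
        try:
            exporter = str(ipaddress.ip_address(attrs["exporter"]))
        except ValueError:
            raise ValueError(f"line {lineno}: bad exporter {attrs['exporter']!r}") from None
        if kind == "ifmap":
            rec = {k: (int(v) if k in INT_FIELDS else v)
                   for k, v in attrs.items() if k != "exporter"}
            if rec.get("sample_rate", 1) < 1:
                raise ValueError(f"line {lineno}: sample_rate must be >= 1")
            table.ifmap[(exporter, rec.pop("ifIndex"))] = rec
        else:
            seen = []                          # keep order, drop repeats
            for item in attrs["ifIndex_list"].split(","):
                idx = int(item)
                if idx not in seen:
                    seen.append(idx)
            table.ifalias[(exporter, attrs["name"])] = seen
    return table


def interface_name(table, exporter, ifindex):
    """Name for an (exporter, ifIndex) pair, or the bare number if unmapped."""
    rec = table.ifmap.get((exporter, ifindex))
    return rec["name"] if rec else str(ifindex)


def aliases_for(table, exporter, ifindex):
    """All alias names that cover ifIndex on this exporter."""
    return [alias for (exp, alias), idxs in table.ifalias.items()
            if exp == exporter and ifindex in idxs]


def scale_counters(table, exporter, ifindex, packets, octets):
    """Multiply by the interface's sample_rate to estimate unsampled totals."""
    rate = table.ifmap.get((exporter, ifindex), {}).get("sample_rate", 1)
    return packets * rate, octets * rate


if __name__ == "__main__":
    t = parse_symbol_file(SAMPLE_SYMBOL_FILE)
    print(interface_name(t, "1.2.3.4", 99), aliases_for(t, "1.2.3.4", 5))
    print(scale_counters(t, "1.2.3.4", 99, 10, 1500))
```

scale_counters is where a stored sample_rate pays off: the flow-stat estimate mentioned further down in this list needs exactly that per-interface multiplier rather than a single global constant.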
flow-top
flow-capture ager is running on all errors
incorporate flow-sort
  AC_ARG_WITH(libwrap,
      [  --with-libwrap          use the libwrap library],
      [AC_DEFINE(HAVE_LIBWRAP)])
  (the first argument must be libwrap, not socks, or the option defined
  will be --with-socks while the help text advertises --with-libwrap)
instrument read/write for compression stats by using total_in and total_out
flow-5to8 - convert v5 to v8 flows
flow-active
  maintains active src or destination IP address first/last seen on disk
    first_time
    last_time
    flows
    octets
    packets
regression tests
flow-dns
  -l level (hierarchy level, 0 is infinity)
    - level 1 would only be top level domains (.com, .edu, .net)
    - level 2 would be second level (ohio-state.edu, psu.edu, cic.net)
    - level 0 would be any level, i.e. FQDN's (shattered.net.ohio-state.edu)
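The level rule above, worked through as an added Python example (not flow-dns code, which does not exist yet at this point in the list). It collapses a resolved hostname to its last N labels and aggregates constructed flow records by the result; keeping a bare IP literal whole when the reverse lookup failed, tolerating a trailing dot, and the function names (domain_at_level, aggregate_by_domain, top_domains) are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed (hostname, octets) pairs standing in for resolved flow
# records; the names follow the examples in the flow-dns note above.
SAMPLE_RECORDS = [
    ("shattered.net.ohio-state.edu", 1000),
    ("www.ohio-state.edu", 500),
    ("psu.edu", 200),
    ("mail.cic.net.", 300),     # trailing dot, as a resolver may return it
    ("10.1.2.3", 50),           # reverse lookup failed: bare address
]


def domain_at_level(hostname, level):
    """Collapse hostname to its last `level` labels.

    level 1 -> top-level domain, level 2 -> second level, level 0 -> the
    full name.  Bare IP literals are returned unchanged (assumed rule) so
    an unresolved address is never split on its dots and counted as a
    domain called "3".
    """
    name = hostname.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(name)
        return name
    except ValueError:
        pass
    labels = [lab for lab in name.split(".") if lab]
    if not labels:
        return ""
    if level <= 0 or level >= len(labels):
        return ".".join(labels)
    return ".".join(labels[-level:])


def aggregate_by_domain(records, level):
    """Sum flows and octets per domain at the requested hierarchy level."""
    totals = defaultdict(lambda: {"flows": 0, "octets": 0})
    for hostname, octets in records:
        key = domain_at_level(hostname, level)
        totals[key]["flows"] += 1
        totals[key]["octets"] += octets
    return dict(totals)


def top_domains(records, level, n=3):
    """Domains ordered by octets, the kind of table flow-dns would print."""
    agg = aggregate_by_domain(records, level)
    return sorted(agg.items(), key=lambda kv: kv[1]["octets"], reverse=True)[:n]


if __name__ == "__main__":
    for level in (1, 2, 0):
        print(f"level {level}:")
        for dom, t in top_domains(SAMPLE_RECORDS, level):
            print(f"  {dom:32} flows={t['flows']} octets={t['octets']}")
```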
flow-reduce
  various data reductions
    glue together TCP connections
    keep state when there's an ftp control connection, then use that
    to give hints about ftp data connections