File: flow-rpt2rrd.html.in

package info (click to toggle)
flow-tools 1%3A0.68-12.1
links: PTS
area: main
in suites: jessie, jessie-kfreebsd, wheezy
size: 5,136 kB
ctags: 5,259
sloc: ansic: 43,197; sh: 1,674; perl: 661; python: 629; yacc: 303; makefile: 208; lex: 49
file content (344 lines) | stat: -rw-r--r-- 5,574 bytes
parent folder | download | duplicates (4)
<HTML
><HEAD
><TITLE
>flow-rpt2rrd</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>flow-rpt2rrd</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>flow-rpt2rrd</SPAN
>&nbsp;--&nbsp;Convert flow-report CSV output to RRDtool format.</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>flow-rpt2rrd</B
>  [-nv] [-d<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
>] [-k<TT
CLASS="REPLACEABLE"
><I
> keys</I
></TT
>] [-K<TT
CLASS="REPLACEABLE"
><I
> keys_file</I
></TT
>] [-f<TT
CLASS="REPLACEABLE"
><I
> fields</I
></TT
>] [-p<TT
CLASS="REPLACEABLE"
><I
> rrd_path</I
></TT
>] [-P<TT
CLASS="REPLACEABLE"
><I
> rrd_postfix</I
></TT
>] [-r<TT
CLASS="REPLACEABLE"
><I
> rrd_storage</I
></TT
>]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN28"
></A
><H2
>DESCRIPTION</H2
><P
>The <B
CLASS="COMMAND"
>flow-rpt2rrd</B
> utility processes the CSV output of
flow-report into RRDtool format.  The aggregates for a key are each
stored as a DS in RRD filename {rrd_path,"/",key,rrd_postfix,".rrd"}.
By default a DS is created for flows, octets, and packets.  The key
must be specified, for example an ip-port report could use smtp,nntp,ssh,telnet
as the keys which would create a separate RRD for each key.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN32"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-d<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
></DT
><DD
><P
>Set debug level to debug_level (debugging code)</P
></DD
><DT
>-h</DT
><DD
><P
>Help.</P
></DD
><DT
>-k<TT
CLASS="REPLACEABLE"
><I
> keys</I
></TT
>|<TT
CLASS="REPLACEABLE"
><I
>html</I
></TT
></DT
><DD
><P
>Comma separated list of key values.  If the report has symbols
then the key must be the symbol, ie smtp not 25.  The totals_* lines
may be used if they are enabled in the report.  There is no default, 
keys must be specified with -k or -K.</P
></DD
><DT
>-K<TT
CLASS="REPLACEABLE"
><I
> keys_file</I
></TT
></DT
><DD
><P
>Load keys from <TT
CLASS="REPLACEABLE"
><I
>keys_file</I
></TT
>.  See -k.</P
></DD
><DT
>-f</DT
><DD
><P
>Comma separated list of columns to store.  Each column maps to a DS in the
RRD.  Defaults to flows,octets,packets</P
></DD
><DT
>-n</DT
><DD
><P
>Enable symbol table lookups.  For example TCP port 25 = smtp.  This will
result in RRD file names with the symbolic names if symbol lookups were
not enabled in the report.</P
></DD
><DT
>-p<TT
CLASS="REPLACEABLE"
><I
> rrd_path</I
></TT
></DT
><DD
><P
>Set path to RRD files.  Defaults to ".".</P
></DD
><DT
>-P<TT
CLASS="REPLACEABLE"
><I
> rrd_postfix</I
></TT
></DT
><DD
><P
>Set RRD file name postfix.  Defaults to "".</P
></DD
><DT
>-r<TT
CLASS="REPLACEABLE"
><I
> rrd_storage</I
></TT
></DT
><DD
><P
>Set RRD storage for 5 minute, 30 minute, 2 hour, and 1 day databases.  List
items are : seperated.  Defaults to 600:600:600:732.</P
></DD
><DT
>-v</DT
><DD
><P
>Enable verbose output.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN83"
></A
><H2
>EXAMPLES</H2
><DIV
CLASS="INFORMALEXAMPLE"
><A
NAME="AEN85"
></A
><P
></P
><PRE
CLASS="SCREEN"
>The following example shows the combined use of flow-nfilter (inline), 
flow-report, and flow-rpt2rrd to create an RRD depicting traffic 
from clmbo-r4 to AS 10796 and 6478 for 2004-11-08.  rrdtool graph is
then used to create a .png.

#!/bin/sh

cat &lt;&lt; EOF&#62;report.cfg

include-filter nfilter.cfg

stat-report CLMBO-R4-TO-INTERNET-BY-DESTINATION-AS
  type destination-as
  filter CLMBO-R4-INTERNET-OUT
  scale 100
  output   
    options +header,+xheader
    fields -duration

stat-definition 5min-summaries
  report CLMBO-R4-TO-INTERNET-BY-DESTINATION-AS
EOF

cat &lt;&lt; EOF&#62;nfilter.cfg
# ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName.46 = so-0/0/0.0
filter-primitive CLMBO-R4-INTERNET
  type ifindex
  permit 46

# Match on traffic to the Internet
filter-definition CLMBO-R4-INTERNET-OUT
  match output-interface CLMBO-R4-INTERNET
EOF

mkdir rrds

# 5 minute flow files from flow-capture are here
FLOW_DATA=/flows/clmbo-r4/2004-11-08/

# for each 5 minute flow,aggregate with flow-report then store to RRD
for name in $FLOW_DATA/*; do
  echo working...$name
  flow-report -s report.cfg -S5min-summaries &#60; $name | flow-rpt2rrd -k10796,6478  -p rrds
done

# first flow - 0:1:23 11/8/2004
START=1099890083
# last flow - 0:1:25 11/9/2004
END=1099976485

rrdtool graph CLMBO-R4-TO-INTERNET.png --start $START --end $END \
        --vertical-label "Bits/Second" --title="CLMBO-R4 TO INTERNET BY AS" \
        DEF:AS10796in=rrds/10796.rrd:octets:AVERAGE \
        DEF:AS6478in=rrds/6478.rrd:octets:AVERAGE \
        CDEF:b_AS10796in=AS10796in,8,* \
        CDEF:b_AS6478in=AS6478in,8,* \
        LINE1:b_AS10796in#FF0000:AS10796-in \
        LINE1:b_AS6478in#555555:AS6478-in \&#13;</PRE
><P
></P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN87"
></A
><H2
>BUGS</H2
><P
>Hard coded to expect 5 minute flow file intervals.  Does not properly parse
flow-report time-series output.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN90"
></A
><H2
>AUTHOR</H2
><P
>Mark Fullmer
<TT
CLASS="EMAIL"
>&#60;<A
HREF="mailto:maf@splintered.net"
>maf@splintered.net</A
>&#62;</TT
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN97"
></A
><H2
>SEE ALSO</H2
><P
><SPAN
CLASS="APPLICATION"
>flow-tools</SPAN
>(1)</P
></DIV
></BODY
></HTML
>