Catchup 
fprobe
Source
The .srpm attached was created by building the fprobe 1.1 software and then generating a SPEC file with checkinstall. That SPEC file was then modified slightly to clean a few things up and to explicitly specify the dependence on the libpcap library. This is very ugly but it got things installed.
Collect data from eth2 then generate flows to the listener on localhost:999
# fprobe -fip -i eth2 localhost:999
Flow Tools
Source
Listen on port 999 and write the resultant flow trees into /var/spool/flows:
# flow-capture -w /var/spool/flows -S5 0/0/999
Next you want to build the Cflow perl library that is in contrib/Cflow-1.051. I had to mess around to get it to build properly (see the README -- it says that the perl Makefile.PL step will tell you that it is going to build flow-tools-aware libraries; if it doesn't, you can't read the flows you are capturing).
Interpreting the flows
The example provided didn't work out of the box.
Creating a Database
# su - postgres
$ createdb flowdb
$ psql flowdb
flowdb=# create user flowdb password 'mypassword';
flowdb=# grant all on database flowdb to flowdb;
We are going to have two tables. The LocalIP table will have the time period identifier, the IP address, and the bytes this IP received or passed during this time interval. The Conversation table will have the time period, the local IP address, the remote IP address, and the bytes passed between these systems during this time period.
flowdb=# create table LocalIP ( timeslot int, ip varchar(16), bytes int );
CREATE TABLE
flowdb=# create table Conversation ( timeslot int, local varchar(16), remote varchar(16), bytes int );
CREATE TABLE
Turns out there are 14 characters in the longest ipv4 address, not 12. Oops.
Also I had to explicitly grant permission to modify the table so that the insert would work:
flowdb=# grant all on table LocalIP to flowdb;
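The aggregation the two tables are meant to hold, written out as an added example (this is not the Cflow script from the notes, and it is not flow-tools code). It feeds constructed flow records into the exact DDL from above, using an in-memory SQLite database instead of PostgreSQL so it runs offline; the LOCAL_NET prefix, the 5-minute timeslot width, the SAMPLE_FLOWS records and the function names are all assumptions of this example.

```python
"""Aggregate flow records into the LocalIP and Conversation tables.

Added example, not part of the original notes. Assumptions: the "local"
end of a flow is whichever address falls inside LOCAL_NET, and a timeslot
is the flow start time rounded down to SLOT_SECONDS.
"""
import ipaddress
import sqlite3
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed local range
SLOT_SECONDS = 300                                    # assumed 5-minute slots

# Constructed sample flows: (unix start time, src ip, dst ip, bytes).
SAMPLE_FLOWS = [
    (1_000_000_010, "192.168.1.10", "10.9.8.7", 1500),
    (1_000_000_020, "10.9.8.7", "192.168.1.10", 60000),
    (1_000_000_100, "192.168.1.20", "10.9.8.7", 400),
    (1_000_000_400, "192.168.1.10", "172.16.0.5", 2500),   # lands in the next slot
    (1_000_000_450, "10.1.1.1", "10.2.2.2", 999),          # neither side is local
]

# The DDL from the notes, unchanged; SQLite accepts it as written.
SCHEMA = [
    "create table LocalIP ( timeslot int, ip varchar(16), bytes int )",
    "create table Conversation ( timeslot int, local varchar(16), remote varchar(16), bytes int )",
]


def timeslot(start):
    """Round a flow start time down to the beginning of its slot."""
    return start - (start % SLOT_SECONDS)


def classify(src, dst):
    """Return (local, remote) or None when neither end is in LOCAL_NET."""
    if ipaddress.ip_address(src) in LOCAL_NET:
        return src, dst
    if ipaddress.ip_address(dst) in LOCAL_NET:
        return dst, src
    return None


def aggregate(flows):
    """Sum bytes per (slot, ip) and per (slot, local, remote)."""
    local_bytes = defaultdict(int)
    conv_bytes = defaultdict(int)
    for start, src, dst, nbytes in flows:
        sides = classify(src, dst)
        if sides is None:
            continue          # transit traffic: none of our hosts, skip it
        local, remote = sides
        slot = timeslot(start)
        local_bytes[(slot, local)] += nbytes
        conv_bytes[(slot, local, remote)] += nbytes
    return local_bytes, conv_bytes


def build_db(flows):
    """Create both tables in an in-memory database and load the aggregates.

    Addresses come straight off the wire, so they are bound as parameters
    rather than interpolated into the SQL text."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    for ddl in SCHEMA:
        cur.execute(ddl)
    local_bytes, conv_bytes = aggregate(flows)
    cur.executemany("insert into LocalIP values (?, ?, ?)",
                    [(s, ip, b) for (s, ip), b in local_bytes.items()])
    cur.executemany("insert into Conversation values (?, ?, ?, ?)",
                    [(s, l, r, b) for (s, l, r), b in conv_bytes.items()])
    conn.commit()
    return conn


def top_talkers(conn, slot):
    """Local hosts in one slot, busiest first, as (ip, bytes) tuples."""
    cur = conn.execute(
        "select ip, bytes from LocalIP where timeslot = ? order by bytes desc",
        (slot,))
    return cur.fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_FLOWS)
    for ip, b in top_talkers(db, timeslot(SAMPLE_FLOWS[0][0])):
        print(f"{ip:16} {b}")
```

Swapping `sqlite3.connect(":memory:")` for a PostgreSQL connection and `?` for that driver's placeholder is all that changes when pointing this at the flowdb database created above; the "grant all on table" step from the notes still has to be done first or the inserts will fail the same way.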