NAME
README - information about `FlowScan'
DESCRIPTION
`FlowScan' is a network analysis and reporting tool. It
processes IP flows recorded in `cflowd'-format raw flow files and
reports on what it finds.
This document is the `FlowScan' `README' $Revision: 1.10 $,
$Date: 2001/02/28 21:50:17 $.
Announcement
I'm pleased to announce the release of `FlowScan-1.006'.
`FlowScan' is a tool to monitor and graph flow information from
Cisco and Riverstone routers in near real-time.
Amongst many other things, `FlowScan' can measure and graph
traffic for applications such as Napster. A sample of what
FlowScan can do is at:
http://wwwstats.net.wisc.edu
Changes in FlowScan-1.006 (since FlowScan-1.005)
* The CampusIO and SubNetIO reports were enhanced with a new
optional configuration directive: `TopN'. When defined, this
directive causes "Top Talker" reports to be produced. These
HTML reports contain the most active (i.e. "top") source and
destination addresses.
* The CampusIO and SubNetIO reports were enhanced to record the
number of local IP addresses that were active for each
network and subnet into the RRD files. This enables users to
estimate the number of active hosts over time, detect
"scans" which systematically sweep across network address
space, and to calculate the average bytes, packets, and
flows per host.
* The template Makefile used to produce the graphs was enhanced to
allow the inclusion of "events" in the graphs, similarly to
what can be done with Cricket. This allows you to label
events such as configuration changes and outages to discover
correlations with traffic measurement.
* Two new utilities, suitable for stand-alone use, are included.
ip2hostname converts IP addresses to their
respective hostnames. event2vrule adds "events"
to `rrdtool' graphs.
* Added support for LFAP (Lightweight Flow Accounting Protocol)
used by Riverstone and Enterasys (formerly Cabletron)
routers. This currently requires `slate' (from
`http://www.nmops.org') and `lfapd' by Steven Premeau.
`lfapd' produces time-stamped raw flow
files in the same cflowd-defined format that is processed by
FlowScan.
* Added the ability for the `CampusIO' report to identify outbound
flows based solely on the flow's destination IP address.
While this is less trustworthy than using `NextHops' or
`OutputIfIndexes', it is now the default and will be useful
for environments where the flow nexthop or output ifIndex
values are not meaningful.
* The `CampusIO' report contains a new experimental feature which
reads a BGP routing table, and therefore can determine which
Autonomous Systems source, transit, or sink most of your
institution's traffic. The `CampusIO' report was enhanced
with new optional configuration directives: `BGPDumpFile',
`TopN', `ReportPrefixFormat'. When properly defined, these
directives cause `CampusIO' to create tabular HTML reports
named `{origin|path}_{in|out}.html' under `OutputDir' after
analyzing each raw flow file. These reports show the "top"
Autonomous Systems with which your site exchanges traffic.
* A `WebProxyIfIndex' directive was added to the `CampusIO'
report. This allows one to specify the index of the
interface to which HTTP traffic is being transparently
redirected. This enables `FlowScan' to properly count HTTP
flows even though NetFlow v5 does not accurately report the
nexthop value for flows which are transparently redirected
via a Cisco route-map.
* `CampusIO' now contains a fix for a bug introduced in
`FlowScan-1.005' which would sometimes cause perl to abort with
this message:
patricia.c:645: patricia_lookup: Assertion `prefix' failed.
This would happen if the `NextHops' or `LocalNextHops' were
specified by name rather than IP address. It also would
happen if the boulder `SUBNET' values were specified
incorrectly.
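The active-address counting and the destination-address direction test described in the changes above can be illustrated with the following added example. It is written in Python for this page and is not FlowScan's own (Perl) code; the subnets, flow tuples, function names and the 3x threshold are all assumptions constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed local subnets (documentation address space, constructed for this example).
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "192.0.2.128/25")]

def local_subnet(addr):
    """Return the local subnet containing addr, or None if addr is not local."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in LOCAL_SUBNETS if ip in net), None)

def summarize(flows):
    """Per-subnet totals for one interval of (src, dst, bytes, packets) flows."""
    stats = defaultdict(lambda: {"hosts": set(), "bytes": 0, "packets": 0, "flows": 0})
    for src, dst, nbytes, pkts in flows:
        # Direction from the destination address alone: a non-local destination
        # means outbound, so the local host is the source; otherwise inbound.
        host = dst if local_subnet(dst) else src
        net = local_subnet(host)
        if net is None:
            continue  # neither end is local: not counted
        s = stats[str(net)]
        s["hosts"].add(host)
        s["bytes"] += nbytes
        s["packets"] += pkts
        s["flows"] += 1
    return {net: {"hosts": len(s["hosts"]), "bytes": s["bytes"], "packets": s["packets"],
                  "flows": s["flows"], "bytes_per_host": s["bytes"] / len(s["hosts"])}
            for net, s in stats.items()}

def sweep_suspects(baseline, current, factor=3.0):
    """Subnets whose active-host count exceeds factor x the mean of earlier intervals."""
    suspects = []
    for net, cur in current.items():
        past = [b[net]["hosts"] for b in baseline if net in b]
        if past and cur["hosts"] > factor * (sum(past) / len(past)):
            suspects.append(net)
    return sorted(suspects)

# Constructed flow records: two quiet intervals, then one in which a single
# outside address sends one small flow to each of 100 addresses in 192.0.2.0/25.
QUIET_1 = [("192.0.2.10", "203.0.113.5", 48000, 40), ("203.0.113.5", "192.0.2.10", 900000, 700),
           ("192.0.2.200", "203.0.113.9", 1500, 3)]
QUIET_2 = [("192.0.2.11", "203.0.113.5", 52000, 45), ("203.0.113.8", "192.0.2.10", 610000, 500),
           ("192.0.2.201", "203.0.113.9", 1500, 3)]
SWEEP = QUIET_1 + [("198.51.100.7", f"192.0.2.{i}", 40, 1) for i in range(1, 101)]

if __name__ == "__main__":
    history = [summarize(QUIET_1), summarize(QUIET_2)]
    now = summarize(SWEEP)
    print(now["192.0.2.0/25"], sweep_suspects(history, now))
```

In the sweep interval the active-address count jumps while bytes per host collapse, which is the signature the per-host averages make visible.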
Availability
FlowScan is licensed under the GNU General Public License, and
is available to you at:
http://net.doit.wisc.edu/~plonka/FlowScan/
Mailing Lists
There are two mailing lists having to do with FlowScan:
* flowscan
a general mailing list for FlowScan users.
* flowscan-announce
a low-volume, restricted post mailing list to keep FlowScan
users informed of news regarding FlowScan.
The lists' respective archives are available at:
http://net.doit.wisc.edu/~plonka/list/flowscan
and:
http://net.doit.wisc.edu/~plonka/list/flowscan-announce
Announcements will be "cross-posted" to both lists, so there's
no need to join both.
These lists are hosted by the Division of Information
Technology's Network Engineering Technology group at the
University of Wisconsin - Madison. To subscribe to either of
them, send email to:
majordomo@net.doit.wisc.edu
containing either:
subscribe flowscan
*or*:
subscribe flowscan-announce
You should receive an automatic response that will request that
you verify your request to become a member of the list, to which
you must reply with the authentication information therein.
Then, in response to your reply, you should receive a welcome
message. If you have any questions about the administrative
policies of this list's manager, please contact:
owner-flowscan@net.doit.wisc.edu
*or*:
owner-flowscan-announce@net.doit.wisc.edu
FlowScan Resources
Overview:
http://www.caida.org/tools/utilities/flowscan/
Paper - "FlowScan: A Network Traffic Flow Reporting and
Visualization Tool":
HTML: http://net.doit.wisc.edu/~plonka/lisa/FlowScan/
PostScript: http://net.doit.wisc.edu/~plonka/lisa/FlowScan/out.ps.gz
http://www.caida.org/tools/utilities/flowscan/
LISA XIV (New Orleans, Dec. 2000) Presentation:
http://net.doit.wisc.edu/~plonka/lisa/FlowScan/presentation/
NANOG 21 (Atlanta, Feb. 2001) Presentation:
http://www.nanog.org/mtg-0102/plonka.html
http://net.doit.wisc.edu/~plonka/nanog/
Other:
http://wwwstats.net.wisc.edu
http://net.doit.wisc.edu/data/Napster/
http://net.doit.wisc.edu/data/flow/size/
Contributors
Alexander Kunz
Kevin Gannon
John Payne
Michael Hare
Steven Premeau
Thanks
I'd like to thank the participants in the FlowScan mailing list
for their efforts and feedback.
Also, thanks to Daniel McRobb, Tobi Oetiker, and CAIDA for
providing the main tools upon which FlowScan is built, namely
"cflowd" and "RRDTOOL".
Copyright and Disclaimer
Note that this document is provided `as is'. The information
in it is not warranted to be correct. Use it at your own
risk.
Copyright (c) 2000-2001 Dave Plonka.
All rights reserved.
This document may be reproduced and distributed in its
entirety (including this authorship, copyright, and
permission notice), provided that no charge is made for the
document itself.