NAME README - information about `FlowScan' DESCRIPTION `FlowScan' is a network analysis and reporting tool. It processes IP flows recorded `cflowd'-format raw flow files and reports on what it finds. This document is the `FlowScan' `README' $Revision: 1.10 $, $Date: 2001/02/28 21:50:17 $. Announcement I'm pleased to announce the release of `FlowScan-1.006'. `FlowScan' is a tool to monitor and graph flow information from Cisco and Riverstone routers in near real-time. Amonst many other things, `FlowScan' can measure and graph traffic for applications such as Napster. A sample of what FlowScan can do is at: http://wwwstats.net.wisc.edu Changes in FlowScan-1.006 (since FlowScan-1.005) * The CampusIO and SubNetIO reports were enhanced with a new optional configuration directive: `TopN'. When defined, this directive causes "Top Talker" reports to be produced. These HTML reports contain the most active (i.e. "top") source and destination addresses. * The CampusIO and SubNetIO reports were enhanced to record the number of local IP addresses that where active for each network and subnet into the RRD files. This enables users to estimate the number of active hosts hosts over time, detect "scans" which systematically sweep across network address space, and to calculate the average bytes, packets, and flows per host. * The template Makefile used to produce the graphs was enhanced to allow the inclusion of "events" in the graphs, similarly to what can be done with Cricket. This allows you to label events such as configuration changes and outages to discover correlations with traffic measurement. * Two new utilities suitable for stand-alone use, are included. ip2hostname converts IP addresses to their respective hostnames. event2vrule adds "events" to `rrdtool' graphs. * Added support for LFAP (Lightweight Flow Accouting Protocol) used by Riverstone and Enterasys (formerly Cabletron) routers. This currently requires `slate' (from `http://www.nmops.org') and `lfapd' by Steven Premeau . `lfapd' produces time-stamped raw flow files in the same cflowd-defined format that is processed by FlowScan. * Added the ability for the `CampusIO' report to identify outbound flows based solely on the flow's destination IP address. While this is less trustworthy than using `NextHops' or `OutputIfIndexes', it is now the default and will be useful for environments where the flow nexthop or output ifIndex values are not meaningful. * The `CampusIO' report contains a new experimental feature which reads a BGP routing table, and therefore can determine which Autonomous systems source, transit, or sink most of your institution's traffic. The `CampusIO' report was enhanced with new optional configuration directives: `BGPDumpFile', `TopN', `ReportPrefixFormat'. When properly defined, these directives cause `CampusIO' to create tabular HTML reports named `{origin|path}_{in|out}.html' under `OutputDir' after analyzing each raw flow file. These reports show the "top" Autonomous Systems with which your site exchanges traffic. * A `WebProxyIfIndex' directive was added to the `CampusIO' report. This allows one to specify the index of the interface to which HTTP traffic is being transparently redirected. This enables `FlowScan' to properly count HTTP flows even though NetFlow v5 does not accurately report the nexthop value for flows which are transparently redirected via a Cisco route-map. * `CampusIO' now contains a fix for a bug introduced in `FlowScan- 1.005' which would sometimes cause perl to abort with this message: patricia.c:645: patricia_lookup: Assertion `prefix' failed. This would happen if the `NextHops' or `LocalNextHops' were specified by name rather than IP address. It also would happen if the boulder `SUBNET' values were specified incorrectly. Availability FlowScan is licensed under the GNU General Public License, and is available to you at: http://net.doit.wisc.edu/~plonka/FlowScan/ Mailing Lists There are two mailing lists having to do with FlowScan: * flowscan a general mailing list for FlowScan users. * flowscan-announce a low-volume, restricted post mailing list to keep FlowScan users informed of news regarding FlowScan. The lists' respective archives are available at: http://net.doit.wisc.edu/~plonka/list/flowscan and: http://net.doit.wisc.edu/~plonka/list/flowscan-announce Announcements will be "cross-posted" to both lists, so there's no need to join both. These lists are hosted by the Division of Information Technology's Network Engineering Technology group at the University of Wisconsin - Madison. To subscribe to either of them, send email to: majordomo@net.doit.wisc.edu containing either: subscribe flowscan *or*: subscribe flowscan-announce You should receive an automatic response that will request that you verify your request to become a member of the list, to which you must reply with the authentication information there-in. Then, in response to your reply, you should receive a welcome message. If you have any questions about the administrative policies of this list's manager, please contact: owner-flowscan@net.doit.wisc.edu *or*: owner-flowscan-announce@net.doit.wisc.edu FlowScan Resources Overview: http://www.caida.org/tools/utilities/flowscan/ Paper - "FlowScan: A Network Traffic Flow Reporting and Visualization Tool": HTML: http://net.doit.wisc.edu/~plonka/lisa/FlowScan/ PostScript: http://net.doit.wisc.edu/~plonka/lisa/FlowScan/out.ps.gz http://www.caida.org/tools/utilities/flowscan/ LISA XIV (New Orleans, Dec. 2000) Presentation: http://net.doit.wisc.edu/~plonka/lisa/FlowScan/presentation/ NANOG 21 (Atlanta, Feb. 2001) Presentation: http://www.nanog.org/mtg-0102/plonka.html http://net.doit.wisc.edu/~plonka/nanog/ Other: http://wwwstats.net.wisc.edu http://net.doit.wisc.edu/data/Napster/ http://net.doit.wisc.edu/data/flow/size/ Contributors Alexander Kunz Kevin Gannon John Payne Michael Hare Steven Premeau Thanks I'd like to thank the participants in the FlowScan mailing list for their efforts and feedback. Also, thanks to Daniel McRobb, Tobi Oetiker, and CAIDA for providing the main tools upon which FlowScan is built, namely "cflowd" and "RRDTOOL". Copyright and Disclaimer Note that this document is provided `as is'. The information in it is not warranted to be correct. Use it at your own risk. Copyright (c) 2000-2001 Dave Plonka . All rights reserved. This document may be reproduced and distributed in its entirety (including this authorship, copyright, and permission notice), provided that no charge is made for the document itself.