README for ~plonka/cflowd/
--------------------------

Below is my current patch to cflowd. cflowd is a tool for collecting and
analyzing flow data exported by Cisco routers and switches which use Cisco's
NetFlow switching method. It is available at
"http://www.caida.org/tools/measurement/cflowd/".

* cflowd-2-1-b1-djp.patch
-----------------------

This patch is identical to the previous "cflowd-2-1-a6-djp.patch" and
"cflowd-2-1-a9-djp.patch" files. It contains these changes:

1) adds a "-s seconds" option to "cflowd". If this "-s" option is specified
   when launching the daemon, cflowd will write a raw flow file named
   "flows.current" in the configured flow directory. After the specified
   number of seconds passes, that file will be renamed to
   "flows.YYYYMMDD_HH:MI:SS+TZ". In some circumstances, this is much more
   convenient than trying to read the data from the ".0", ".1", etc.
   rotating log files. (If "-s" is used it is unnecessary to specify
   "COLLECT: { flows }" in the configuration file.)

2) adds a "-O output_ifIndex" option to "cflowd". If this "-O" option is
   specified, cflowd will discard all flows with the specified output
   ifIndex, usually 0. This is useful to save disk space by not recording
   flows that you black-holed using access lists. (For campuses that deal
   with a lot of network abuse for which you've written access lists, this
   can save *lots* of space.)

3) adds a "-m" option to "cflowd". If this "-m" option is used in
   conjunction with "-O0" it will cause cflowd to retain multicast flows
   even though their output ifIndex is 0. In my experience, multicast flows
   always have an output ifIndex of 0.

4) makes a small change to "configure.in" to use the prefix value as the
   path to "arts++" rather than the hard-coded value of '/usr/local/arts'.
   This is just a convenience so that the user does not need to specify
   "--with-artspp=/my/prefix" in addition to "--prefix=/my/prefix".
   If you wish to make use of this portion of the patch, you should run
   "autoconf" (available from "ftp://ftp.gnu.org") to recreate "configure"
   before running "configure".

Installation
------------

NOTE: The patch has been prepared with "gnudiff --unified". Only GNU patch
is "guaranteed" to automatically apply diffs in this format. If
"patch --version" fails, you're not using GNU patch. GNU patch can be
found at: "ftp://ftp.gnu.org/pub/gnu/patch/".

   $ gunzip -c cflowd-2-1-b1.tar.gz |tar xf -
   $ cd cflowd-2-1-b1
   $ patch -p0 < ../cflowd-2-1-b1-djp.patch
   $ autoconf   # optional
   $ # continue with configure and make ...

Usage
-----

   $ cflowd -s300 -O0 -m

This will cause cflowd to drop a flow file every 5 minutes (300 's'econds),
and discard all flows which have an 'O'utput ifIndex of 0, unless those
flows represent 'm'ulticast traffic.

Credits
-------

Patricio Latini assisted in updating my older cflowd-2-0-b8 patch for
cflowd-2-1-a3.

Jose Dominguez notified me of mistakes in my earlier code regarding the
multicast netmask.

I reused Michael R. Elkins' code from the mutt email client to address the
timezone/Daylight-Savings-Time issues.

--
Dave Plonka, 2000/11/02
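Added example, not part of this README or of cflowd's source: a small C++ sketch of the per-flow keep/discard rule that the "-O output_ifIndex" and "-m" options describe (items 2 and 3 above), and of the "flows.YYYYMMDD_HH:MI:SS+TZ" name that "-s" rotation produces (item 1). The FlowRecord and FilterOptions types, their field names, the helper names, and the rendering of the "+TZ" suffix as "+HHMM" are assumptions; the 224.0.0.0/4 test is the standard IPv4 multicast (class D) range.

```cpp
// Added example for this README; not cflowd's own code.
// Shows the keep/discard rule behind "-O output_ifIndex" and "-m", and the
// timestamped file name produced by "-s" rotation. Type, field and function
// names are hypothetical; the "+TZ" suffix is assumed to render as "+HHMM".
#include <cstdint>
#include <cstdio>
#include <ctime>
#include <string>
#include <vector>

struct FlowRecord {            // hypothetical subset of a NetFlow v5 record
    uint32_t srcAddr;          // IPv4, host byte order
    uint32_t dstAddr;
    uint16_t inputIf;
    uint16_t outputIf;         // 0 when the router dropped the flow; the README
                               // reports multicast flows also show 0
};

struct FilterOptions {
    bool     filterOutput;     // "-O" given
    uint16_t outputIf;         // value passed to "-O", usually 0
    bool     keepMulticast;    // "-m" given
};

// IPv4 multicast is 224.0.0.0/4: the top four address bits are 1110.
static bool isMulticast(uint32_t addr) {
    return (addr & 0xF0000000u) == 0xE0000000u;
}

// True when the flow should be written to the raw flow file.
bool keepFlow(const FlowRecord &f, const FilterOptions &o) {
    if (!o.filterOutput) return true;           // no -O: record everything
    if (f.outputIf != o.outputIf) return true;  // forwarded out some other interface
    // Output ifIndex matches the discard value (e.g. black-holed by an ACL).
    // With -m, still keep it when the destination is a multicast group.
    return o.keepMulticast && isMulticast(f.dstAddr);
}

// Apply the filter to a batch and return how many records survive.
size_t countKept(const std::vector<FlowRecord> &flows, const FilterOptions &o) {
    size_t n = 0;
    for (const FlowRecord &f : flows)
        if (keepFlow(f, o)) ++n;
    return n;
}

// Name given to "flows.current" when the -s interval elapses:
// "flows.YYYYMMDD_HH:MM:SS+TZ", with TZ rendered as +HHMM (assumption).
std::string rotatedName(const struct tm &t, long utcOffsetSec) {
    char sign = utcOffsetSec < 0 ? '-' : '+';
    long off  = utcOffsetSec < 0 ? -utcOffsetSec : utcOffsetSec;
    char buf[64];
    std::snprintf(buf, sizeof buf, "flows.%04d%02d%02d_%02d:%02d:%02d%c%02ld%02ld",
                  t.tm_year + 1900, t.tm_mon + 1, t.tm_mday,
                  t.tm_hour, t.tm_min, t.tm_sec,
                  sign, off / 3600, (off % 3600) / 60);
    return buf;
}

// True once "seconds" have elapsed since the current file was opened.
bool rotationDue(time_t openedAt, time_t now, int seconds) {
    return now - openedAt >= seconds;
}

int main() {
    // Constructed sample: a unicast flow black-holed by an ACL (outputIf 0),
    // a multicast flow (outputIf 0), and an ordinary forwarded flow.
    std::vector<FlowRecord> sample = {
        {0x0A000001u, 0xC0A80001u, 1, 0},   // 10.0.0.1 -> 192.168.0.1, dropped
        {0x0A000001u, 0xE0000101u, 1, 0},   // 10.0.0.1 -> 224.0.1.1, multicast
        {0x0A000001u, 0xC0A80001u, 1, 2},   // forwarded out ifIndex 2
    };
    FilterOptions o = {true, 0, true};      // equivalent of "-O0 -m"
    std::printf("kept %zu of %zu flows\n", countKept(sample, o), sample.size());

    struct tm t = {};
    t.tm_year = 100; t.tm_mon = 10; t.tm_mday = 2;   // 2000-11-02
    t.tm_hour = 13;  t.tm_min = 5;  t.tm_sec = 9;
    std::printf("%s\n", rotatedName(t, -6 * 3600).c_str());
    std::printf("rotation due: %s\n", rotationDue(0, 300, 300) ? "yes" : "no");
    return 0;
}
```

The order of the checks in keepFlow is the point of "-m": the destination address is only consulted after the output ifIndex has already matched the discard value, so "-m" never causes a forwarded flow to be recorded twice or a non-matching flow to be dropped; it only rescues multicast records that a blanket "-O0" would otherwise lose.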