README
======

flow-tools is a set of programs for processing and managing NetFlow exports
from Cisco and Juniper routers.  The software was originally written by
Mark Fullmer while working at Ohio State University.  Steve Romig and the
OSU network security group have added documentation, functionality, and
provided feedback.  OARnet and the Ohio ITEC have recently funded my
time to add version 8 PDU support and various other features.

If you are using flow-tools please subscribe to the mailing list by
sending a message to flow-tools-request@splintered.net

flow-tools is currently available at http://www.splintered.net/sw/flow-tools

Mark Fullmer
maf@splintered.net


Flow-capture configuration
--------------------------

The flow capturing utility of flow-tools, flow-capture, needs some
configuration in /etc/flow-tools/flow-capture.conf.  I cannot at this moment
guess what you want in there, so you will have to edit that file manually.
Comments in the file will help you on your way.

After editing /etc/flow-tools/flow-capture.conf you can start
receiving flows by running '/etc/init.d/flow-capture start'.

You may also need to edit the files in /etc/flow-tools/{cfg,sym}.


CONFIGURING THE ROUTER
----------------------------

! enable cef
ip cef
ip cef distributed

!Turn on flow accounting for each input interface with the interface command

interface Fddi3/0
 ip route-cache flow

interface atm3/0/0
 ip route-cache flow

...

Verify the router is generating flow stats with the command
'show ip cache flow'.  Note that for routers with distributed switching
(GSR's, 75XX's) the RP cli will only show flows that made it up to the RP.
To see flows on the individual linecards use the 'attach' or 'if-con' command
and issue the 'sh ip ca fl' on each LC.

IP packet size distribution (36242M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .002 .340 .084 .021 .020 .012 .009 .009 .008 .007 .006 .007 .004 .003 .004

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .004 .035 .077 .338 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  4139 active, 61397 inactive, 712344771 added
  871670181 ager polls, 0 flow alloc failures
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet     1572735      0.3        58   127     21.4      27.0      14.8
TCP-FTP        6193502      1.4        24   746     35.3       3.6       9.0
TCP-FTPD       1458042      0.3      1534   833    520.9      42.4       4.2
TCP-WWW       93403998     21.7        19   633    432.9       4.9       6.3
TCP-SMTP      16123540      3.7        15   431     59.1       3.4       6.4
TCP-X           687228      0.1       238   276     38.1      20.8      14.3
TCP-BGP        1116819      0.2         3    45      0.7       5.3      16.0
TCP-NNTP       1455156      0.3      1102   176    373.4     106.1      11.9
TCP-Frag          3244      0.0         4   636      0.0       2.8      16.3
TCP-other    188162587     43.8       118   733   5204.5      11.1       6.9
UDP-DNS       38042100      8.8         3    84     27.3       3.8      16.4
UDP-NTP       18760129      4.3         1    76      5.3       1.3      16.3
UDP-TFTP           665      0.0         4    76      0.0       7.9      16.4
UDP-Frag         13111      0.0      2121  1108      6.4     366.8      13.5
UDP-other    195556237     45.5        35   343   1632.5       5.8      16.3
ICMP         149285440     34.7         2    64     72.9       0.9      16.5
IGMP             15315      0.0       167    32      0.5    1660.6       3.9
IPINIP           15112      0.0        35    52      0.1     275.3      14.2
GRE             127489      0.0         3   109      0.1      16.9      16.1
IP-other        348604      0.0        56   447      4.5      21.5      16.2
Total:       712341053    165.8        50   620   8436.8       6.2      12.2

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
AT4/0.1       128.146.225.194 AT1/0.2       128.194.203.23  06 0019 2CAF    15 
AT2/0.10      129.22.250.148  AT1/0.2       129.2.226.43    06 04BA 1A20  1266 
AT2/0.11      130.108.110.48  AT1/0.2       170.140.89.100  06 0923 10A3   436 
AT1/0.2       170.140.89.100  AT2/0.11      130.108.110.48  06 10A3 0923   462 


! Enable the exports of flows with the global commands
 ip flow-export version 5 origin-as
 ip flow-export 10.0.0.1 9990

! Enable the AS aggregation cache and export the aggregated flows to
! 10.0.0.1 port 9991
ip flow-aggregation cache as
 export destination 10.0.0.1 9991
 enabled

! Create a loopback interface if one does not exist
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255

!
! Configure NetFlow export source address
!
ip flow-export source Loopback0


If you have tcpdump installed on or near the host you're using to capture
flows, the exports can be verified.

shattered:~% tcpdump -n udp port 9991
tcpdump: listening on le0
12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.962551 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.975115 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.984444 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.993956 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.003252 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.015483 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.024852 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.034182 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.043545 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.053239 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168

flow-receive can be used to verify your host is receiving flows:

  ./flow-receive 0/0/9990 | ./flow-print
                 or
  ./flow-receive 0/0/9991 | ./flow-print

% ./flow-receive 0/0/9990 | ./flow-print | head -10
Sif SrcIPaddress     Dif DstIPaddress    Pr SrcP DstP Pkts       Octets
60  206.204.84.9     00  10.0.135.63     06 15   5f0  2          88        
00  10.0.135.63      60  206.204.84.9    06 5f0  15   16         787       
60  206.204.84.9     00  10.0.135.63     06 15   5f0  13         1742      
00  10.0.155.25      60  204.62.245.167  06 50   bae5 15         948       
60  204.62.245.167   00  10.0.155.25     06 bae5 50   13         681       
60  206.204.84.20    00  10.0.135.63     06 50   5ed  7          3494      
60  206.204.84.20    00  10.0.135.63     06 50   5ef  6          401       
60  206.204.84.20    00  10.0.135.63     06 50   5eb  11         9413      
00  10.0.135.63      60  206.204.84.20   06 5ed  50   9          637       

To store the flow exports on disk, use flow capture.  The following will
store 15 minute compressed exports in /netflow/oar/krc3.v5 and begin
removing the oldest files after 3Gig of storage has been used.

mkdir -p /var/netflow/oar/krc3.v5 
./flow-capture -w /var/netflow/oar/krc3.v5 -E3G 0/10.1.1.1/9990

The completed exports will begin with 'ft'.  The current export file will
begin with 'tmp'.  The 'ft' files can now be used with the other tools, ie

./flow-print < /var/netflow/oar/krc3.v8.1/ft-v08m01.2001-02-09.111502

flow-cat, flow-stat, and flow-filter can be combined to produce various
reports such as total bytes in the export period, source/destination 
matrixes, per interface totals, etc.