Using this module
=================

1. Edit /etc/flowscan/flowscan.cf and change the ReportClasses to read:

       ReportClasses CUFlow

2. Edit /etc/flowscan/CUFlow.cf to suit. There is a copy of this file as
   distributed upstream in the examples directory. There is also an example
   of a version more suited to a typical home / small office server.

3. Capture data in 5 minute intervals. (See the -N flag to flow-capture
   below.) CUFlow doesn't handle anything other than 5 minute intervals
   very well.

4. Consider installing flowscan-cugrapher so you can display pretty graphs
   of the data you collect on a web page.

Micro HOWTO on using CUFlow to monitor data on the local server
===============================================================

My guess is that 90% of people just want to use this package to track what
data is flowing through their Debian server, typically with the end goal
being to nail whatever is hogging their bandwidth. It will do this well,
but installing this package is just one step among many. Here is the
entire list:

a. Install the fprobe-ulog package to gather the raw data.

b. Use debconf (ie during installation, or later by running
   "dpkg-reconfigure fprobe-ulog") to set the FLOW_COLLECTOR variable in
   /etc/default/fprobe-ulog to:

       FLOW_COLLECTOR="127.0.0.1:555"

   The INTERFACES variable can be left blank.

c. Add some "iptables -j ULOG" entries to your firewall to direct the
   traffic you want logged to fprobe-ulog. These commands may suffice:

       iptables --insert INPUT 1 ! --source LAN/N --interface ! lo --jump ULOG
       iptables --insert FORWARD 1 --interface ! lo --jump ULOG
       iptables --insert OUTPUT 1 ! --destination LAN/N --jump ULOG

   Here "LAN/N" is the IP address range of your LAN, eg "192.168.0.0/24".
   Having it there prevents fprobe-ulog from seeing LAN traffic. Writing
   the LAN traffic to the log doesn't confuse flowscan, but fprobe-ulog
   can be overwhelmed by too much traffic, such as you might find on a
   100Mbit LAN.

d. Create these directories:

       mkdir -p /var/local/netflow/flows
       mkdir -p /var/local/netflow/rrd
       mkdir -p /var/local/netflow/cuflow/scoreboard

e. Use the flow-capture program, which is provided by the flow-tools
   package, to write the data fprobe gathers to disk. Be sure to use
   version 0.68-5 or better - versions prior to that had a bug which meant
   it didn't work with flowscan. Comment out all the existing lines in
   /etc/flow-tools/flow-capture.conf and add this line at the end:

       -E1G -N 0 -n 287 -S60 -V5 -w /var/local/netflow/flows -z9 127.0.0.1/127.0.0.1/555

   You can alter some of these settings (making compensating changes
   elsewhere), but leave "-n 287" and "-V5" strictly alone.

f. Edit /etc/flowscan/flowscan.cf and change the FlowFileGlob line to
   read:

       FlowFileGlob /var/local/netflow/flows/ft-v05.*

g. Edit /etc/flowscan/CUFlow.cf, and change the following lines:

       OutputDir /var/local/netflow/rrd
       Scoreboard 10 /var/local/netflow/cuflow/scoreboard /var/local/netflow/cuflow/top10.html
       AggregateScore 10 /var/local/netflow/cuflow/scoreboard/agg.dat /var/local/netflow/cuflow/agg10.html
       Router 127.0.0.1 localhost

   You will have to change the following configuration items to reflect
   the IP address allocation for your local LAN. For example, if
   "ifconfig eth0" says something like

       inet addr:192.168.1.10 Bcast:192.168.1.255 Netmask:255.255.255.0

   then you would set them to:

       Subnet 192.168.1.10/24
       Network 192.168.1.10/24

   You must also put all other IP addresses your machine has been
   allocated in this file. For example, if your machine is running a
   PPPoE server and has been allocated the IP address 11.12.13.14 by your
   ISP, then you need a line like this:

       Subnet 11.12.13.14/32

   Alas, adding this IP address is NOT optional. CUFlow will only gather
   statistics on packets it thinks are going from an internal IP address
   to an external IP address, or vice versa. If you don't add all IP
   addresses the machine has, then incoming packets destined for those IP
   addresses will look like external-->external, and hence be ignored.
   This is a real issue if your ISP allocated you your IP address
   dynamically. Your only recourse is to create CUFlow.cf dynamically
   every time you re-connect the link, and re-start flowscan after you
   have done so.

h. Start/restart the services you have just configured by running:

       /etc/init.d/fprobe-ulog restart
       /etc/init.d/flow-capture restart

i. Within 5 minutes files named ft-v05.* should appear in
   /var/local/netflow/flows. When they do, run "flowscan". No parameters
   are needed. The only error you should see is something like:

       illegal attempt to update using time 1135127401 when last update time is 1135127701 (minimum one second step)

   Press control+C to stop it running.

j. Install flowscan.rc to /etc/init.d. flowscan.rc can be found in the
   /usr/share/doc/flowscan-cuflow/examples directory:

       cp /usr/share/doc/flowscan-cuflow/examples/flowscan.rc /etc/init.d/flowscan
       update-rc.d flowscan defaults
       /etc/init.d/flowscan start

k. Install the flowscan-cugrapher package.

l. Edit /etc/flowscan/CUGrapher.cf and change these settings:

       OutputDir /var/local/netflow/rrd
       Scoreboard /var/local/netflow/cuflow/top10.html
       AggregateScore /var/local/netflow/cuflow/agg10.html

m. Configure your web server to run CUGrapher.pl. For Apache this line
   will achieve that for the URL "http://host.name/cuflow":

       Alias "/cuflow" "/usr/lib/cgi-bin/CUFlow.cgi"

   Restart apache. You should now be able to see pretty pictures when you
   display http://127.0.0.1/cuflow.

n. Use the web page to produce the graphs you would like to see. You can
   display those graphs when the web page is initially displayed by
   following the instructions in /etc/flowscan/CUGrapher.cf for the
   "DefaultGraph" variable. Add one "DefaultGraph" line for each graph you
   want to display.
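One way to handle the dynamically allocated address problem noted under step g, as an added example that is not part of the flowscan-cuflow package: a POSIX shell hook that rewrites a single marker-tagged Subnet line in /etc/flowscan/CUFlow.cf with the newly assigned address and then restarts flowscan. It assumes a "# dynamic-subnet" marker comment (a convention introduced here) directly above the managed line, and that the new local address arrives as the fourth argument, as it does for PPP ip-up hooks.

```shell
#!/bin/sh
# Added example, not part of the flowscan-cuflow package: keep the
# dynamically assigned address in CUFlow.cf up to date, as step g requires.
# Assumptions (hypothetical): the managed line sits directly below a
# "# dynamic-subnet" marker comment, and the hook receives the new local
# address as its fourth argument (the PPP ip-up calling convention).

CUFLOW_CF="${CUFLOW_CF:-/etc/flowscan/CUFlow.cf}"

# Accept only four dotted decimal octets in 0-255; anything else must not
# reach the config file, since flowscan parses it.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Read CUFlow.cf on stdin, write it to stdout with the marked Subnet line
# replaced by the new /32 (appended with its marker if not present yet).
update_dynamic_subnet() {
    awk -v ip="$1" '
        replace_next { print "Subnet " ip "/32"; replace_next = 0; seen = 1; next }
        /^# dynamic-subnet/ { replace_next = 1; print; next }
        { print }
        END {
            if (replace_next) print "Subnet " ip "/32"
            else if (!seen) { print "# dynamic-subnet"; print "Subnet " ip "/32" }
        }'
}

# Rewrite the file in place (via a temp file) and restart flowscan so that
# it re-reads CUFlow.cf, exactly as the README says you must.
apply_dynamic_ip() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "apply_dynamic_ip: refusing to write '$ip' to $CUFLOW_CF" >&2
        return 1
    fi
    tmp="$(mktemp)" || return 1
    update_dynamic_subnet "$ip" < "$CUFLOW_CF" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$CUFLOW_CF"    # keeps the original file's ownership and mode
    rm -f "$tmp"
    /etc/init.d/flowscan restart
}

# As an /etc/ppp/ip-up.d/ hook, $4 is the newly assigned local address.
if [ -n "${4:-}" ]; then
    apply_dynamic_ip "$4"
fi
```

Installed as /etc/ppp/ip-up.d/cuflow-subnet (a name chosen here), it runs on every reconnect; the address check keeps a malformed or hostile argument out of the parsed configuration file.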