LINUX.ORG.RU
Reply to: comment by birdie

this needs to be done automatically... to get output like IP - number of packets per second at the current moment.

BusTeR
() topic author
Reply to: comment by BusTeR

netflow?

zless /usr/share/doc/flowscan-cuflow/README.Debian.gz

Micro HOWTO on using CUFlow to monitor data on the local server
===============================================================

My guess is that 90% of people just want to use this package
to track what data is flowing through their Debian server,
typically with the end goal being to nail whatever is hogging
their bandwidth. It will do this well, but installing this
package is just one step among many. Here is the entire
list:

a. Install the fprobe-ulog package to gather the raw data.

b. Use debconf (ie during installation or later by running
dpkg-reconfigure fprobe-ulog) to set the FLOW_COLLECTOR
variable in /etc/default/fprobe-ulog to:

FLOW_COLLECTOR="127.0.0.1:555"

The INTERFACES variable can be left blank.

c. Add some "iptables -j ULOG" entries to your firewall
to direct the traffic to fprobe-ulog you want logged.
These commands should suffice:

iptables --insert INPUT 1 --interface ! lo --jump ULOG
iptables --insert FORWARD 1 --interface ! lo --jump ULOG
iptables --insert OUTPUT 1 --jump ULOG

d. Create these directories:

mkdir -p /var/local/netflow/flows
mkdir -p /var/local/netflow/rrd
mkdir -p /var/local/netflow/cuflow/scoreboard

e. Use the flow-capture program, which is provided by the
flow-tools package, to write the data fprobe gathers
to disk. Be sure to use version 0.68-5 or better -
versions prior to that had a bug which meant it didn't
work with flowscan. Comment out all the existing
lines in /etc/flow-tools/flow-capture.conf and add
this line at the end:

-E1G -N 0 -n 287 -S60 -V5 -w /var/local/netflow/flows -z9 127.0.0.1/127.0.0.1/555

You can alter some of these settings (making
compensating changes elsewhere), but leave "-n 287"
and "-V5" strictly alone.

f. Edit /etc/flowscan/flowscan.cf and change the
FlowFileGlob line to read:

FlowFileGlob /var/local/netflow/flows/ft-v05.*

g. Edit /etc/flowscan/CUFlow.cf, and change the following
lines:

OutputDir /var/local/netflow/rrd
Scoreboard 10 /var/local/netflow/cuflow/scoreboard /var/local/netflow/cuflow/top10.html
AggregateScore 10 /var/local/netflow/cuflow/scoreboard/agg.dat /var/local/netflow/cuflow/agg10.html
Router 127.0.0.1 localhost

You will also have to change the following configuration
items to reflect the IP address allocation for your local
LAN. For example, if "ifconfig eth0" says something like
"inet addr:192.168.1.10 Bcast:192.168.1.255 Netmask:255.255.255.0"
then you would set them to:

Subnet 192.168.1.10/24
Network 192.168.1.10/24

h. Start/restart the services you have just configured by
running:

/etc/init.d/fprobe-ulog restart
/etc/init.d/flow-capture restart

i. Within 5 minutes files named ft-v05.* should appear in
/var/local/netflow/flows. When they do run "flowscan".
No parameters are needed. The only error you should
see is something like:

illegal attempt to update using time 1135127401 when last update time is 1135127701 (minimum one second step)

Press control+C to stop it running.

j. Install flowscan.rc to /etc/init.d. flowscan.rc can be
found in the /usr/share/doc/flowscan-cuflow/examples
directory:

cp /usr/share/doc/flowscan-cuflow/examples/flowscan.rc /etc/init.d/flowscan
update-rc.d flowscan defaults
/etc/init.d/flowscan start

k. Install the flow-cugrapher package.

l. Edit /etc/flowscan/CUGrapher.cf and change these settings:

OutputDir /var/local/netflow/rrd
Scoreboard /var/local/netflow/cuflow/top10.html
AggregateScore /var/local/netflow/cuflow/agg10.html

m. Configure your web server to run CUGrapher.pl. For
Apache this line will achieve that for the URL
"http://host.name/cuflow":

Alias "/cuflow" "/usr/lib/cgi-bin/CUFlow.cgi"

Restart apache.

You should now be able to see pretty pictures when
you display http://127.0.0.1/cuflow.

n. Use the web page to produce the graphs you would like
to see. You can display those graphs when the web page
is initially displayed by following the instructions
in /etc/flowscan/CUGrapher.cf for the "DefaultGraph"
variable. Add one "DefaultGraph" line for each graph
you want to display.

j262 ★★
()
Reply to: comment by BusTeR

If you don't need a web interface, flow-tools provides a set of scripts that will generate practically any information.

And imho there is nothing better than netflow (as a technology).

j262 ★★
()
Reply to: comment by j262

Deploying netflow on the gateway is really problematic... I think it's easier to parse tcpdump output.

BusTeR
() topic author

1. iptables rules in FORWARD for the corresponding IPs
2. Reset the counter
3. Wait N seconds
4. Read the packet count from the rule in step 1
5. Divide the result of step 4 by N from step 3

sdio ★★★★★
()
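As an added example (not code from the thread), a POSIX shell script implementing sdio's steps: it reads the packet counters of the FORWARD rules twice and divides the difference by N, which avoids zeroing the counters (step 2) and leaves the other rules' counters untouched. The rules, the address 192.168.1.10 and the counter values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Measures packets/sec per IP from the
# counters of FORWARD rules, following sdio's steps. Assumes one target-less
# counting rule per direction and address (constructed address), e.g.:
#   iptables -I FORWARD -s 192.168.1.10
#   iptables -I FORWARD -d 192.168.1.10
# Instead of zeroing counters (step 2) it diffs two reads, leaving other rules alone.

# Step 4: turn "iptables-save -c" output (stdin) into "pkts ip src|dst" lines,
# one per FORWARD rule that carries a -s or -d address. Rules without an
# address (e.g. "-j ACCEPT") and rules in other chains are ignored.
parse_counters() {
  awk '/^\[[0-9]+:[0-9]+\] -A FORWARD / {
    pkts = substr($1, 2); sub(/:.*/, "", pkts)
    for (i = 2; i < NF; i++)
      if ($i == "-s" || $i == "-d") {
        ip = $(i + 1); sub(/\/32$/, "", ip)
        print pkts, ip, ($i == "-s" ? "src" : "dst")
      }
  }'
}

# Step 5: pps = (after - before) / N.  Arguments: before-file after-file N,
# where both files hold parse_counters output; entries are matched by ip+direction.
compute_pps() {
  awk -v n="$3" 'NR == FNR { before[$2 " " $3] = $1; next }
    { printf "%s %s %.1f\n", $2, $3, ($1 - before[$2 " " $3]) / n }' "$1" "$2"
}

# Steps 1-5 end to end (run as root): sample, wait N seconds (default 10), sample, diff.
measure() {
  n="${1:-10}"
  before=$(mktemp); after=$(mktemp)
  iptables-save -c | parse_counters > "$before"
  sleep "$n"
  iptables-save -c | parse_counters > "$after"
  compute_pps "$before" "$after" "$n"
  rm -f "$before" "$after"
}
```

Call `measure 10` as root to get one "ip direction pps" line per counting rule; wrap it in a loop or cron job for continuous output.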
You cannot add comments to this topic. The topic has been moved to the archive.