Using FlowScan on Linux

A complete guide to installing and configuring FlowScan on Linux

2015.04.30


1. Introduction to FlowScan


    FlowScan is written in Perl and is used mainly to process and present NetFlow data exported by network devices.


    FlowScan originally relied on cflowd to collect NetFlow v5 data; later flow-tools (flow-capture) took over the collection role. Note that the Cflow Perl module, which FlowScan uses to read the raw flow files, ships in the flow-tools contrib directory and has to be built there after flow-tools itself. FlowScan then scans the flows, runs its report modules and draws the graphs; it is a solid NetFlow analysis and presentation tool.


    CUFlow is an add-on report module for FlowScan. It is friendlier than the bundled CampusIO and SubNetIO modules, so this guide uses CUFlow in place of the bundled ones.



2. Check or install the dependencies


2.1. Check the Apache configuration

Suse11:~ # apache2ctl -v

Server version: Apache/2.2.12 (Linux/SUSE)

Server built:   Mar 27 2013 18:47:49

Suse11:~ # grep -v \^# /etc/sysconfig/apache2 


DOC_SERVER="no"

APACHE_CONF_INCLUDE_FILES=""

APACHE_CONF_INCLUDE_DIRS=""


APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif suexec userdir php5 reqtimeout"


APACHE_SERVER_FLAGS=""

APACHE_HTTPD_CONF=""

APACHE_MPM=""

APACHE_SERVERADMIN=""

APACHE_SERVERNAME=""

APACHE_START_TIMEOUT="2"

APACHE_SERVERSIGNATURE="on"

APACHE_LOGLEVEL="debug"

APACHE_ACCESS_LOG="/dev/null combined"

APACHE_USE_CANONICAL_NAME="off"

APACHE_SERVERTOKENS="OS"

APACHE_EXTENDED_STATUS="off"

APACHE_DISABLE_SSL_COMPRESSION="on"

Suse11:~ # 

Two settings in this file deserve a second look on anything other than a lab box: APACHE_ACCESS_LOG="/dev/null combined" throws away the access log, so there is no record of who fetched the traffic reports, and APACHE_SERVERSIGNATURE="on" together with APACHE_SERVERTOKENS="OS" announces the server version and platform on generated pages.


2.2. Check the Perl 5 installation

Suse11:~ # perl -v


This is perl, v5.10.0 built for x86_64-linux-thread-multi


Copyright 1987-2007, Larry Wall


Perl may be copied only under the terms of either the Artistic License or the

GNU General Public License, which may be found in the Perl 5 source kit.


Complete documentation for Perl, including FAQ lists, should be found on

this system using "man perl" or "perldoc perl".  If you have access to the

Internet, point your browser at http://www.perl.org/, the Perl Home Page.


Suse11:~ # 


2.3. Build and install RRDtool


# tar xvzf rrdtool-1.4.5.tar.tar
# cd rrdtool-1.4.5

Edit configure: find the line

PERL_MAKE_OPTIONS="PREFIX=$langpref INSTALL_BASE= LIB=$langpref/lib/perl/$PERL_VERSION"

and change it to (SUSE keeps its Perl libraries under lib/perl5, not lib/perl)

PERL_MAKE_OPTIONS="PREFIX=$langpref INSTALL_BASE= LIB=$langpref/lib/perl5/$PERL_VERSION"

# ./configure --prefix=/usr --sysconfdir=/etc --enable-shared
# make
# make install

or, to install the Perl bindings (RRDs, RRDp) into the site_perl tree in the same step:

# make install site-perl-install


Suse11:~ # rrdtool -v

RRDtool 1.4.9  Copyright 1997-2013 by Tobias Oetiker <[email protected]>

               Compiled Apr 30 2015 14:21:19


Usage: rrdtool [options] command command_options

Valid commands: create, update, updatev, graph, graphv,  dump, restore,

                last, lastupdate, first, info, fetch, tune,

                resize, xport, flushcached


RRDtool is distributed under the Terms of the GNU General

Public License Version 2. (www.gnu.org/copyleft/gpl.html)


For more information read the RRD manpages


Suse11:~ # 


2.4. Build and install flow-tools


2.4.1 Download and build flow-tools-0.68.5.1.tar.bz2

tar -xvjf flow-tools-0.68.5.1.tar.bz2 

cd flow-tools-0.68.5.1 

./configure --prefix=/usr --sysconfdir=/etc

make 

make install 


2.4.2 flow-capture init script, shared with the Cacti FlowView plugin (which keeps the exporter definitions in its database)

Suse11:~ # cat /etc/init.d/flow-capture 
#!/usr/bin/php
<?php
/*
# description: Start Flow-Capture
# chkconfig: 2345 95 00
*/

// Cacti install; the FlowView plugin's device table says which
// flow-capture instances to run and with which options.
$cacti_base = '/srv/www/htdocs/cacti';

include_once($cacti_base . '/include/global.php');
$tools_path = read_config_option("path_flowtools");

if (isset($_SERVER['argv'][1])) {
        switch (strtolower($_SERVER['argv'][1])) {
        case 'start':
                start();
                break;
        case 'stop':
                stop();
                break;
        case 'restart':
                restart();
                break;
        default:
                echo "Usage: /etc/init.d/flow-capture {start|stop|restart}\n";
                break;
        }
} else {
        echo "Usage: /etc/init.d/flow-capture {start|stop|restart}\n";
}

function start() {
        global $tools_path, $cacti_base;

        echo "NOTE: Starting Flow Tools\n";
        $devices = db_fetch_assoc("SELECT * FROM plugin_flowview_devices");
        if (!empty($devices)) {
                $path = db_fetch_cell("SELECT value FROM `settings` WHERE name = 'path_flows_dir'");
                if ($path == '') {
                        // a bare 'break' here is a fatal error outside a loop; leave the function instead
                        echo "WARNING: path_flows_dir is not set\n";
                        return;
                }
                if (substr($path, -1) == '/') {
                        $path = substr($path, 0, -1);
                }
                foreach ($devices as $device) {
                        $port   = $device['port'];
                        $folder = $device['folder'];
                        $nest   = $device['nesting'];
                        $v      = $device['version'];
                        $from   = $device['allowfrom'];   // exporter address; 0 accepts PDUs from anyone
                        $comp   = $device['compression'];
                        $rotate = $device['rotation'];
                        $expire = $device['expire'] * ($rotate + 1);   // days to keep * files per day
                        if (!is_dir("$path/$folder")) {
                                echo "NOTE: Making directory '$path/$folder'\n";
                                mkdir("$path/$folder");
                        }
                        if (is_dir("$path/$folder")) {
                                // -w dir  local/exporter/port  -S stats every 5 min  -V pdu version
                                // -z compression  -n rotations per day  -e files to keep  -N nesting
                                // NB: these values come straight from the Cacti database and are not
                                // shell-escaped, and this script runs as root: anyone allowed to edit
                                // FlowView devices can run arbitrary commands here.
                                $cmd = $tools_path . "/flow-capture -w $path/$folder 0/$from/$port -S5 -V$v -z $comp -n $rotate -e $expire -N $nest";
                                echo "NOTE: Launching flow-capture as '$cmd'\n";
                                shell_exec($cmd);
                        }
                }
        } else {
                echo "WARNING: No flows configured\n";
        }
}

function stop() {
        global $tools_path, $cacti_base;

        echo "NOTE: Stopping Flow Tools\n";
        $devices = db_fetch_assoc("SELECT * FROM plugin_flowview_devices");
        if (!empty($devices)) {
                // SIGKILL gives flow-capture no chance to finish the file it is writing
                shell_exec('killall -9 ' . $tools_path . '/flow-capture');
        }
}

function restart() {
        stop();
        start();
}
Suse11:~ # 


2.4.3. Start flow-capture

Suse11:~ # /etc/init.d/flow-capture start
NOTE: Starting Flow Tools
NOTE: Launching flow-capture as '/usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1'
Suse11:~ # ps -eaf |grep flow-capture |grep -v grep
root      7087     1  4 20:32 ?        00:00:00 /usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1
Suse11:~ # 

Reading the command line: -w is the output tree; 0/0/2055 is local address/exporter address/UDP port, so this instance binds every local address and accepts PDUs from any exporter; -S5 logs statistics every 5 minutes; -V5 expects NetFlow v5; -z 0 disables compression; -n 1439 rotates the output file 1439 times a day (one file per minute, which is why the day directories below hold so many files); -e 525600 keeps at most 525600 files (a year of one-minute files); -N -1 nests the files as YYYY-MM-DD/flow-file. An exporter address of 0 is convenient in a lab, but anyone who can send UDP to port 2055 can then inject fabricated flows into the graphs and the top-talker lists; on a production collector set allowfrom in the FlowView device to the router's export source address (172.16.100.254 here).



2.5. Install the Perl modules FlowScan needs

Perl modules: in addition to Perl 5 itself, you will need the modules listed below.
  Net::Patricia
  Boulder::Stream
  HTML::Table
  ConfigReader::DirectiveStyle
  Cflow


  Find and download these from http://search.cpan.org/ and build each one with the usual sequence:
# perl Makefile.PL
# make
# make install


  For ConfigReader, simply unpacking the tarball into /usr/lib/perl5/site_perl/5.10.0 is enough:

Suse11:~/bin/flow-tools-0.68.5.1 # ls -al /usr/lib/perl5/site_perl/5.10.0/ConfigReader

total 76

drwxr-xr-x 2  405    4  4096 Feb 20  1996 .

drwxr-xr-x 9 root root  4096 Apr 30 11:09 ..

-rw-r--r-- 1  405    4 25265 Feb 17  1996 COPYING.LIB

-rw-r--r-- 1  405    4  2424 Feb 14  1996 ConfigReader.pod

-rw-r--r-- 1  405    4  9084 Feb 20  1996 DirectiveStyle.pm

-rw-r--r-- 1  405    4  2152 Feb 19  1996 README

-rw-r--r-- 1  405    4  9705 Feb 20  1996 Spec.pm

-rw-r--r-- 1  405    4  7573 Feb 20  1996 Values.pm

Suse11:~/bin/flow-tools-0.68.5.1 # 


  Note that Cflow is built against the flow-tools library, so this step must come after flow-tools has been built and installed:
cd flow-tools-0.68.5.1 
cd contrib 
tar -zxvf Cflow-1.053.tar.gz 
cd Cflow-1.053 
perl Makefile.PL 
make 
make install 


Suse11:~ # perl -MExtUtils::Installed -le 'my $inst = ExtUtils::Installed->new; print $_, "-->", $inst->version($_) for $inst->modules'
Boulder-->
Cflow-->1.053
HTML::Table-->2.08a
Net::CIDR-->0.18
Net::CIDR::Lite-->0.21
Net::Patricia-->1.22
Perl-->5.10.0
RRDp-->1.4009
RRDs-->1.4009
Socket6-->0.25
Test::Simple-->1.001014
Suse11:~ # 

ConfigReader is missing from this list because it was copied in by hand and has no .packlist for ExtUtils::Installed to find; check it with perl -MConfigReader::DirectiveStyle -e1 instead (a silent exit means it loads).


2.6. Install and configure FlowScan


2.6.1. Check the FlowScan directories

Suse11:~ # ls -al /var/netflow/

total 24

drwxr-xr-x  4 root root  4096 Apr 30 19:34 .

drwxr-xr-x 16 root root 12288 Apr 26 18:13 ..

drwxr-xr-x 10 root root  4096 Apr 30 00:00 cisco3745

drwxr-xr-x  6 root root  4096 Apr 30 18:40 flowscan

Suse11:~ # ls -al /var/netflow/cisco3745/

total 656

drwxr-xr-x 10 root root  4096 Apr 30 00:00 .

drwxr-xr-x  4 root root  4096 Apr 30 19:34 ..

drwxr-xr-x  2 root root 36864 Apr 24 00:00 2015-04-23

drwxr-xr-x  2 root root 86016 Apr 25 00:00 2015-04-24

drwxr-xr-x  2 root root 81920 Apr 26 00:00 2015-04-25

drwxr-xr-x  2 root root 90112 Apr 27 00:00 2015-04-26

drwxr-xr-x  2 root root 90112 Apr 28 00:00 2015-04-27

drwxr-xr-x  2 root root 90112 Apr 29 00:00 2015-04-28

drwxr-xr-x  2 root root 86016 Apr 30 00:00 2015-04-29

drwxr-xr-x  2 root root 73728 Apr 30 19:38 2015-04-30

Suse11:~ # ls -al /var/netflow/flowscan/

total 1820

drwxr-xr-x 6 root root    4096 Apr 30 18:40 .

drwxr-xr-x 4 root root    4096 Apr 30 19:34 ..

drwxr-xr-x 2 root root    4096 Apr 30 18:40 flows

drwxr-xr-x 2 root root    4096 Apr 30 18:25 graphs

Suse11:~ # 


2.6.2. Install FlowScan

Download FlowScan-1.006.tar.gz and build it with its own configure script; the prefix becomes FlowScan's working directory:

Suse11:~/bin # tar xvzf FlowScan-1.006.tar.gz 

Suse11:~/bin # cd FlowScan-1.006/

Suse11:~/bin/FlowScan-1.006 # ./configure --prefix=/var/netflow/flowscan

Suse11:~/bin/FlowScan-1.006 # make

make: Nothing to be done for `all'.

Suse11:~/bin/FlowScan-1.006 # make -n install

test -d /var/netflow/flowscan/bin || /bin/mkdir -p /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c flowscan /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c FlowScan.pm /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c CampusIO.pm /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c SubNetIO.pm /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/locker /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/add_ds.pl /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/add_txrx /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/event2vrule /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/ip2hostname /var/netflow/flowscan/bin

Suse11:~/bin/FlowScan-1.006 # make install

test -d /var/netflow/flowscan/bin || /bin/mkdir -p /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c flowscan /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c FlowScan.pm /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c CampusIO.pm /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c SubNetIO.pm /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/locker /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/add_ds.pl /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/add_txrx /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/event2vrule /var/netflow/flowscan/bin

/root/bin/FlowScan-1.006/install-sh -c util/ip2hostname /var/netflow/flowscan/bin

Suse11:~/bin/FlowScan-1.006 # 

2.6.3. Configure FlowScan

flowscan.cf sits in the bin directory next to the flowscan script. FlowFileGlob must match the flow-tools file names (ft-v05.*, which also leaves out the tmp-v05.* files flow-capture is still writing), and ReportClasses selects the CUFlow module installed in section 2.7 instead of the bundled CampusIO.

Suse11:~ # ls -al /var/netflow/flowscan/

total 1820

drwxr-xr-x 6 root root    4096 Apr 30 18:40 .

drwxr-xr-x 4 root root    4096 Apr 30 19:34 ..

drwxr-xr-x 2 root root    4096 Apr 30 18:40 bin

drwxr-xr-x 2 root root    4096 Apr 30 18:40 flows

drwxr-xr-x 2 root root    4096 Apr 30 18:25 graphs

Suse11:~ # 


Suse11:~ # cat /var/netflow/flowscan/bin/flowscan.cf 


# flowscan Configuration Directives ############################################


# FlowFileGlob (REQUIRED)

# use this glob (file pattern match) when looking for raw flow files to be

# processed, e.g.:

# FlowFileGlob /var/local/flows/flows.*:*[0-9]

# FlowFileGlob flows.*:*[0-9]

FlowFileGlob /var/netflow/flowscan/flows/ft-v05*[0-9]


# ReportClasses (REQUIRED)

# a comma-separated list of FlowScan report classes, e.g.:

# ReportClasses CampusIO

#ReportClasses SubNetIO

ReportClasses CUFlow


# WaitSeconds (OPTIONAL)

# This should be <= the "-s" value passed on the command-line to cflowd, e.g.:

# WaitSeconds 300

WaitSeconds 30


# Verbose (OPTIONAL, non-zero = true)

Verbose 0

Suse11:~ # 

2.6.4. Patch FlowScan.pm

FlowScan takes the capture time from the flow file name. Its bundled regexes expect cflowd names (flows.YYYYMMDD_HH:MM:SS+ZZZZ), while flow-tools writes ft-v05.YYYY-MM-DD.HHMMSS+ZZZZ, so lines 96 and 108 of FlowScan.pm are changed as follows (the diff lists the new file first, so the "<" lines are the replacements):


Suse11:/var/netflow/flowscan/bin # diff FlowScan.pm FlowScan.OLD 

96c96

<     m/(\d\d\d\d)-(\d\d)-(\d\d)\.(\d\d)(\d\d)(\d\d)([+-])(\d\d)(\d\d)$/) {

---

>            m/(\d\d\d\d)(\d\d)(\d\d)_(\d\d):(\d\d):(\d\d)([+-])(\d\d)(\d\d)/) {

108c108

<    } elsif ($file =~ m/(\d\d\d\d)-(\d\d)-(\d\d)\.(\d\d)(\d\d)(\d\d)$/) {

---

>    } elsif ($file =~ m/(\d\d\d\d)(\d\d)(\d\d)_(\d\d):(\d\d):(\d\d)$/) {

Suse11:/var/netflow/flowscan/bin # 


2.6.5. Patch HTML::Table

HTML::Table compares $count against $self->{last_col} before that field has been set, which produces the "Use of uninitialized value in numeric gt (>)" warnings seen in the flowscan log in section 3.3. Change line 2685 of /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm as follows:

Suse11:~ # diff /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm /usr/lib/perl5/site_perl/5.10.0/HTML/Table.OLD 

2685c2685

<    $self->{last_col} = $count if (!defined($self->{last_col}) || ( $count > $self->{last_col}));

---

>    $self->{last_col} = $count if ($count > $self->{last_col});

Suse11:~ # 


2.6.6. FlowScan init script

Suse11:~ # cat /etc/init.d/flowscan 
#!/bin/sh
# rc script for flowscan
# D Plonka, Jan 11 1999

bindir=/var/netflow/flowscan/bin
scandir=/var/netflow/flowscan
logfile=/var/netflow/flowscan/flowscan.log
# flowscan only needs to read the flows directory and write the graphs and
# scoreboard directories; a dedicated unprivileged user is preferable to root
user=root
su=/bin/su
nohup=/usr/bin/nohup
kill=/bin/kill
ps=/bin/ps
grep=/bin/grep
awk=/usr/bin/awk
perl=/usr/bin/perl
nice=/usr/bin/nice
meanness=0

case "$1" in
'start')
        echo "starting flowscan"
        ${nice} -n ${meanness} ${su} - ${user} -c "cd ${scandir} && ${nohup} ${perl} ${bindir}/flowscan >>${logfile} 2>&1 </dev/null &" >/dev/null
        ;;

'stop')
        echo "killing flowscan"
        # the [f] keeps the grep itself out of the match
        pid=`${ps} ax |${grep} "${perl} ${bindir}/[f]lowscan" |${awk} '{print $1}'`
        if [ -n "$pid" ]
        then
           ${kill} $pid
        fi
        ;;

*)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
Suse11:~ # 



2.7. Install and configure CUFlow


2.7.1. Install CUFlow

Packages used on SLES 11 SP3:
flowscan-cuflow-1.7-1.2.x86_64.rpm
flowscan-cuflow_1.7.orig.tar.gz


Suse11:~ # rpm -Uvh flowscan-cuflow-1.7-1.2.x86_64.rpm

Suse11:/var/netflow/flowscan/bin # rpm -ql flowscan-cuflow

/etc/flowscan/CUFlow.cf

/srv/www/cflow

/srv/www/cflow/reports

/srv/www/cflow/reports/scoreboard

/srv/www/cgi-bin/CUGrapher.pl

/usr/lib/perl5/vendor_perl/5.8.6/CUFlow.pm

/usr/share/man/man3/CUFlow.3pm.gz

Suse11:~ #


2.7.2. Configure CUFlow

CUFlow reads its configuration from the path compiled into CUFlow.pm (/etc/flowscan/CUFlow.cf here); OutputDir must match $rrddir in CUGrapher.pl:

Suse11:~ # find / -name CUFlow\*

/usr/share/man/man3/CUFlow.3pm.gz

/usr/lib/perl5/vendor_perl/5.10.0/CUFlow.pm

/etc/flowscan/CUFlow.cf

Suse11:~ # grep etc /usr/lib/perl5/vendor_perl/5.10.0/CUFlow.pm 

&parseConfig("/etc/flowscan/CUFlow.cf");        # Read our config file

Suse11:~ # cat /etc/flowscan/CUFlow.cf 

# These are the subnets in our network

# These are used only to determine whether a packet is inbound or
# outbound

Subnet 172.16.100.0/24


# These are networks we are particularly interested in, and want to

# get separate rrd's for their aggregate traffic

Network 172.16.100.254/32 routers


# Where to put the rrd's

# Make sure this is the same as $rrddir in CUGrapher.pl

OutputDir /var/netflow/flowscan/graphs


# Track multicast traffic

Multicast


# Keep top N lists 
# Show the top ten talkers, storing one report per run under
# /srv/www/htdocs/reports/scoreboard and pointing topten.html at the latest one
Scoreboard 10 /srv/www/htdocs/reports/scoreboard /srv/www/htdocs/topten.html


# Same, but build an over-time average top N list

AggregateScore 10 /srv/www/htdocs/reports/scoreboard/agg.dat /srv/www/htdocs/overall.html


# Our two netflow exporters. Produce service and protocol reports for the

# total, and each of these.

#Router 172.16.100.254 router3745

#Router 10.0.1.2 router2


# Services we are interested in

Service 20-21/tcp ftp

Service 22/tcp ssh

Service 23/tcp telnet

Service 25/tcp smtp

Service 53/udp,53/tcp dns

Service 80/tcp http

Service 110/tcp pop3

#Service 119/tcp nntp

#Service 143/tcp imap

#Service 412/tcp,412/udp dc

Service 443/tcp https

#Service 1214/tcp kazaa

Service 1723/tcp pptp

Service 2119/tcp Camp2119

Service 2556/tcp Camp2556

#Service 4661-4662/tcp,4665/udp edonkey

Service 5070/tcp sip

#Service 5190/tcp aim

#Service 6346-6347/tcp gnutella

#Service 6665-6669/tcp irc

#Service 54320/tcp bo2k

Service 7070/tcp,554/tcp,6970-7170/udp real

Service 22228/tcp Camp22228


# protocols we are interested in

Protocol 1 icmp

#Protocol 4 ipinip

Protocol 6 tcp

Protocol 17 udp

Protocol 41 ipv6

Protocol 47 gre

#Protocol 50 esp

#Protocol 51 ah

#Protocol 57 skip

#Protocol 88 eigrp

#Protocol 169

Protocol 255


# ToS bit percentages to graph

TOS 0 normal

TOS 1-255 other


# Interested in traffic to/from AS 1

ASNumber 1 Genuity

Suse11:~ # 
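To make the Service and Protocol directives above concrete, here is an added Perl example written for this guide. It is not CUFlow's own code: it parses a subset of the directives in the same syntax, expands port ranges and comma lists into lookup tables, refuses a port/protocol pair claimed by two different names (which would otherwise count the same bytes twice), and names the RRD files a flow would feed using the service_<name>_src/_dst and protocol_<name> scheme visible in the graphs directory in section 3.3. The flow records are constructed; the 22228/tcp one matches the static NAT forward for port 22228 in the router configuration in section 4.2.

```perl
#!/usr/bin/perl
# Parse CUFlow-style Service/Protocol directives and show which RRD files a
# flow would feed. Added example for this guide; it is not CUFlow's own code
# and only mimics the directive syntax and the RRD naming seen above.
use strict;
use warnings;

# Constructed subset of the CUFlow.cf above
my $CONF = <<'CF';
# Services we are interested in
Service 20-21/tcp ftp
Service 22/tcp ssh
Service 53/udp,53/tcp dns
Service 80/tcp http
Service 7070/tcp,554/tcp,6970-7170/udp real
Service 22228/tcp Camp22228
# protocols we are interested in
Protocol 1 icmp
Protocol 6 tcp
Protocol 17 udp
Protocol 255
CF

# Returns (\%service, \%protocol) with $service{tcp}{22} = 'ssh' and
# $protocol{6} = 'tcp'. Dies if one port/protocol pair is claimed by two
# names, because both service RRDs would then be fed the same bytes.
sub parse_directives {
    my ($text) = @_;
    my (%service, %protocol);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        if ($line =~ /^Service\s+(\S+)\s+(\S+)/) {
            my ($spec, $name) = ($1, $2);
            for my $item (split /,/, $spec) {
                my ($lo, $hi, $proto) = $item =~ m{^(\d+)(?:-(\d+))?/(tcp|udp)$}
                    or die "bad Service item '$item' in: $line\n";
                $hi = $lo unless defined $hi;
                for my $port ($lo .. $hi) {
                    my $prev = $service{$proto}{$port};
                    die "$port/$proto claimed by both $prev and $name\n"
                        if defined $prev && $prev ne $name;
                    $service{$proto}{$port} = $name;
                }
            }
        } elsif ($line =~ /^Protocol\s+(\d+)(?:\s+(\S+))?/) {
            $protocol{$1} = defined $2 ? $2 : $1;   # "Protocol 255" is graphed under its number
        } else {
            warn "ignoring unsupported directive: $line\n";
        }
    }
    return (\%service, \%protocol);
}

# RRD files a flow record would update, following the naming in the graphs
# directory: protocol_<name>.rrd, service_<name>_src.rrd, service_<name>_dst.rrd.
# Everything also lands in total.rrd, which is left out here.
my %l4 = (6 => 'tcp', 17 => 'udp');
sub rrds_for_flow {
    my ($svc, $prot, $f) = @_;
    my @rrd;
    push @rrd, "protocol_$prot->{$f->{proto}}.rrd" if exists $prot->{$f->{proto}};
    if (my $p = $l4{$f->{proto}}) {
        my $s = $svc->{$p}{$f->{sport}};
        my $d = $svc->{$p}{$f->{dport}};
        push @rrd, "service_${s}_src.rrd" if defined $s;
        push @rrd, "service_${d}_dst.rrd" if defined $d;
    }
    return @rrd;
}

my ($svc, $prot) = parse_directives($CONF);

# Constructed flow records: protocol number, source port, destination port.
my @flows = (
    { proto => 6,  sport => 51514, dport => 22228 },   # to the port the router NATs to 172.16.100.7
    { proto => 17, sport => 53,    dport => 40231 },   # DNS answer leaving a resolver
    { proto => 17, sport => 7000,  dport => 7005 },    # real (udp 6970-7170) on both ends
    { proto => 6,  sport => 443,   dport => 52011 },   # https is not in this subset: protocol only
    { proto => 1,  sport => 0,     dport => 0 },       # icmp has no ports
    { proto => 47, sport => 0,     dport => 0 },       # gre is not in this subset: total only
);
for my $f (@flows) {
    my @rrd = rrds_for_flow($svc, $prot, $f);
    printf "proto %-3d %5d -> %-5d  %s\n", $f->{proto}, $f->{sport}, $f->{dport},
        @rrd ? join(', ', @rrd) : '(total.rrd only)';
}
```

A flow is classified by both ends, so the 7000 -> 7005 UDP record feeds service_real_src.rrd and service_real_dst.rrd at once, while the DNS answer only feeds service_dns_src.rrd; keep that in mind when reading the _src and _dst graphs, and add a Service line for every port the router forwards from the outside so that traffic to those hosts does not disappear into the unclassified remainder.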



3. Start FlowScan and watch it run

3.1 Start FlowScan

Suse11:/var/netflow/flowscan # ps -eaf |grep flow |grep -v grep

root      7087     1  0 20:32 ?        00:00:00 /usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1

Suse11:/var/netflow/flowscan # /etc/init.d/flowscan start

starting flowscan

Suse11:/var/netflow/flowscan # ps -eaf |grep flow |grep -v grep

root      7087     1  0 20:32 ?        00:00:00 /usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1

root     18736     1  0 20:44 pts/3    00:00:00 -bash -c cd /var/netflow/flowscan && /usr/bin/nohup /usr/bin/perl /var/netflow/flowscan/bin/flowscan >>/var/netflow/flowscan/flowscan.log 2>&1 </dev/null &

root     18737 18736  1 20:44 pts/3    00:00:00 /usr/bin/perl /var/netflow/flowscan/bin/flowscan

Suse11:/var/netflow/flowscan # 


3.2 Watch FlowScan run

Suse11:~ # ls -al /var/netflow/flowscan/flows

total 104

drwxr-xr-x 2 root root 98304 Apr 30 20:44 .

drwxr-xr-x 5 root root  4096 Apr 30 20:44 ..

Suse11:~ # ls -al /var/netflow/flowscan/graphs/

total 8

drwxr-xr-x 2 root root 4096 Apr 30 19:54 .

drwxr-xr-x 5 root root 4096 Apr 30 20:44 ..

Suse11:~ # cat /var/netflow/flowscan/flowscan.log 

sleep 30...

sleep 30...

sleep 30...

sleep 30...

Suse11:~ # 


3.3 Feed the flow-tools data into the FlowScan processing directory

Suse11:~ # cp /var/netflow/cisco3745/2015-04-23/* /var/netflow/flowscan/flows

Suse11:~ # head -30 /var/netflow/flowscan/flowscan.log 

sleep 30...

sleep 30...

2015/04/30 21:03:50 working on file /var/netflow/flowscan/flows/ft-v05.2015-04-23.132406+0800...

2015/04/30 21:03:50 flowscan-1.020 CUFlow: Cflow::find took  0 wallclock secs ( 0.01 usr +  0.00 sys =  0.01 CPU) for 7892 flow file bytes, flow hit ratio: 40/122

2015/04/30 21:03:50 flowscan-1.020 CUFlow: report took  0 wallclock secs ( 0.00 usr  0.01 sys +  0.00 cusr  0.02 csys =  0.03 CPU)

2015/04/30 21:03:50 working on file /var/netflow/flowscan/flows/ft-v05.2015-04-23.132501+0800...

2015/04/30 21:03:50 flowscan-1.020 CUFlow: Cflow::find took  0 wallclock secs ( 0.02 usr +  0.00 sys =  0.02 CPU) for 6292 flow file bytes, flow hit ratio: 42/97

ERROR updating /var/netflow/flowscan/graphs/service_ssh_dst.rrd: /var/netflow/flowscan/graphs/service_ssh_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)

ERROR updating /var/netflow/flowscan/graphs/service_pptp_dst.rrd: '/var/netflow/flowscan/graphs/service_pptp_dst.rrd' is not an RRD file

ERROR updating /var/netflow/flowscan/graphs/service_sip_src.rrd: /var/netflow/flowscan/graphs/service_sip_src.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)

ERROR updating /var/netflow/flowscan/graphs/service_sip_dst.rrd: /var/netflow/flowscan/graphs/service_sip_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)

ERROR updating /var/netflow/flowscan/graphs/service_sip_dst.rrd: /var/netflow/flowscan/graphs/service_sip_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)

ERROR updating /var/netflow/flowscan/graphs/service_Camp2119_src.rrd: /var/netflow/flowscan/graphs/service_Camp2119_src.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)

ERROR updating /var/netflow/flowscan/graphs/service_Camp2119_dst.rrd: /var/netflow/flowscan/graphs/service_Camp2119_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)

ERROR updating /var/netflow/flowscan/graphs/service_Camp22228_src.rrd: '/var/netflow/flowscan/graphs/service_Camp22228_src.rrd' is too small (should be 190656 bytes)

ERROR updating /var/netflow/flowscan/graphs/service_Camp22228_dst.rrd: /var/netflow/flowscan/graphs/service_Camp22228_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)

ERROR updating /var/netflow/flowscan/graphs/service_ftp_src.rrd: '/var/netflow/flowscan/graphs/service_ftp_src.rrd' is not an RRD file

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

2015/04/30 21:03:50 flowscan-1.020 CUFlow: report took  0 wallclock secs ( 0.00 usr  0.00 sys +  0.00 cusr  0.03 csys =  0.03 CPU)

2015/04/30 21:03:50 working on file /var/netflow/flowscan/flows/ft-v05.2015-04-23.132601+0800...

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

2015/04/30 21:03:50 flowscan-1.020 CUFlow: Cflow::find took  0 wallclock secs ( 0.00 usr +  0.00 sys =  0.00 CPU) for 6868 flow file bytes, flow hit ratio: 46/106

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.

Suse11:~ #  ls -al /var/netflow/flowscan/graphs/

total 7496

drwxr-xr-x 2 root root   4096 Apr 30 21:03 .

drwxr-xr-x 5 root root   4096 Apr 30 21:02 ..

-rw-r--r-- 1 root root 190656 Apr 30 21:04 as_Genuity.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 network_routers.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_255.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_gre.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_icmp.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_multicast.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_tcp.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_udp.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_dns_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_dns_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ftp_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ftp_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_http_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_http_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_https_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_https_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pop3_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pop3_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pptp_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pptp_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2119_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2119_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp22228_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp22228_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2556_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2556_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_real_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_real_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_sip_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_sip_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_smtp_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_smtp_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ssh_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ssh_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_telnet_dst.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_telnet_src.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 tos_normal.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 tos_other.rrd

-rw-r--r-- 1 root root 190656 Apr 30 21:04 total.rrd

Suse11:~ # 

Two kinds of error appear in the log. "illegal attempt to update using time X when last update time is Y" comes from RRDtool, which only accepts updates with strictly increasing timestamps: once a data point for 13:25:01 is in the RRD, a flow file from 13:24:06 can no longer be applied, so flow files must reach flowscan in chronological order and must never be fed twice. "is not an RRD file" and "is too small" mean an RRD was read while it was still being created, which normally points at two processes writing into the graphs directory at the same time; make sure exactly one flowscan is running (ps -eaf |grep flowscan), then remove the damaged .rrd files and let CUFlow recreate them. The "Use of uninitialized value" warnings are the HTML::Table line 2685 issue patched above.
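The following Perl script is an added example for this guide (it is not part of FlowScan or flow-tools). It applies the same file-name pattern as the patched line 96 of FlowScan.pm to turn flow-tools file names into UTC epoch seconds, skips the tmp-v05.* files flow-capture is still writing, and flags any file whose timestamp is not later than the one before it, which is exactly the condition RRDtool rejects in the log above. The file names are constructed; the first two correspond to the timestamps in the log (1429766646 and 1429766701), and the file with a -0400 suffix is there to show that alphabetical order is not time order once the time zone changes.

```perl
#!/usr/bin/perl
# Turn flow-tools capture file names into epoch seconds and check that a
# batch of files can be fed to flowscan in an order RRDtool will accept.
# Added example for this guide; not part of FlowScan or flow-tools.
use strict;
use warnings;
use Time::Local qw(timegm);

# Same pattern as the patched line 96 of FlowScan.pm: flow-tools writes
# ft-v05.YYYY-MM-DD.HHMMSS+ZZZZ, cflowd wrote flows.YYYYMMDD_HH:MM:SS+ZZZZ.
my $FT_NAME = qr/^ft-v05\.(\d{4})-(\d\d)-(\d\d)\.(\d\d)(\d\d)(\d\d)([+-])(\d\d)(\d\d)$/;

# UTC epoch encoded in a completed flow-tools file name, or undef for anything
# else (including the tmp-v05.* files flow-capture is still writing).
sub flow_file_epoch {
    my ($name) = @_;
    my ($y, $mo, $d, $h, $mi, $s, $sign, $tzh, $tzm) = $name =~ $FT_NAME
        or return undef;
    my $wall   = timegm($s, $mi, $h, $d, $mo - 1, $y);          # wall clock taken as UTC
    my $offset = ($tzh * 3600 + $tzm * 60) * ($sign eq '-' ? -1 : 1);
    return $wall - $offset;                                      # +0800 is 8 h ahead of UTC
}

# Files whose timestamp is not later than an earlier file in the given order:
# these are the updates RRDtool refuses with "illegal attempt to update".
sub out_of_order {
    my @names = @_;
    my ($last, @bad);
    for my $n (@names) {
        my $t = flow_file_epoch($n);
        next unless defined $t;
        push @bad, $n if defined $last && $t <= $last;
        $last = $t if !defined $last || $t > $last;
    }
    return @bad;
}

# Completed files sorted by the time they encode (not by name).
sub chronological {
    my %epoch = map { my $t = flow_file_epoch($_); defined $t ? ($_ => $t) : () } @_;
    return sort { $epoch{$a} <=> $epoch{$b} } keys %epoch;
}

# Constructed names. The first two match the timestamps in the log above
# (1429766646 and 1429766701).
my @files = (
    'ft-v05.2015-04-23.132406+0800',
    'ft-v05.2015-04-23.132501+0800',
    'tmp-v05.2015-04-23.132601+0800',   # in progress: must be skipped
    'ft-v05.2015-04-22.213000-0400',    # 2015-04-23 01:30:00 UTC
    'ft-v05.2015-04-23.030000+0800',    # 2015-04-22 19:00:00 UTC, yet sorts after the line above
);
my @glob_order = sort @files;           # what FlowFileGlob hands to flowscan

printf "%-35s %s\n", $_, flow_file_epoch($_) // 'skipped' for @glob_order;
print "rejected in glob order: @{[ out_of_order(@glob_order) ]}\n";
print "chronological order:    @{[ chronological(@glob_order) ]}\n";
```

In glob order the 2015-04-23.030000+0800 file is reported as rejected, because the 2015-04-22.213000-0400 file that sorts before it encodes a later instant; processing the chronological list instead keeps every RRD update monotonic. This is also why a backlog should be moved into the flows directory in time order rather than with a single cp of a whole day, and why a collector whose time zone changed needs its old captures fed separately.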

4. Configure the router


4.1. Key configuration

Global configuration mode (replace 10.1.0.1 with the collector address, 172.16.100.8 in the full example below):
ip cef
ip flow-export version 5 peer-as 
ip flow-export source fa0/1
ip flow-export destination 10.1.0.1  2055
ip flow-cache timeout active 1 

Interface configuration mode, on every interface whose traffic should be accounted:
ip route-cache flow 

Notes: NetFlow on IOS works on top of CEF switching, so ip cef is enabled first. The export source interface determines the exporter address the collector sees, so it must be the one flow-capture's allowfrom filter expects. ip flow-cache timeout active 1 expires long-lived flows every minute, so a large transfer shows up in the one-minute graphs while it is happening instead of as one spike when it ends. ip route-cache flow is the older interface-level form; on the 12.4 image below IOS stores it as ip flow ingress, which is what appears in the running configuration.


4.2. A complete example

Camp#sh ver

Cisco IOS Software, 3700 Software (C3745-ADVSECURITYK9-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2010 by Cisco Systems, Inc.

Compiled Wed 18-Aug-10 08:18 by prod_rel_team


ROM: System Bootstrap, Version 12.3(6r) [cmong 6r], RELEASE SOFTWARE (fc1)


Camp uptime is 9 weeks, 2 days, 5 hours, 21 minutes

System returned to ROM by reload at 00:05:50 UTC Fri Mar 1 2002

System restarted at 14:14:15 Shanghai Tue Feb 24 2015

System image file is "flash:/c3745-advsecurityk9-mz.124-25d.bin"



This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. 

Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. 

By using this product you agree to comply with applicable laws and regulations. 

If you are unable to comply with U.S. and local laws, return this product immediately.


A summary of U.S. laws governing Cisco cryptographic products may be found at: 

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html


If you require further assistance please contact us by sending email to [email protected].


Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.

Processor board ID FTX1108A1AM

R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache

2 FastEthernet interfaces

DRAM configuration is 64 bits wide with parity disabled.

151K bytes of NVRAM.

31360K bytes of ATA System CompactFlash (Read/Write)


Configuration register is 0x2102


Camp#sh run

Building configuration...


Current configuration : 2661 bytes

!

! Last configuration change at 15:23:16 Shanghai Thu Apr 30 2015 by cisco

! NVRAM config last updated at 16:05:14 Shanghai Thu Apr 30 2015 by cisco

!

version 12.4

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Camp

!

boot-start-marker

boot system flash:/c3745-advsecurityk9-mz.124-25d.bin

boot-end-marker

!

logging buffered 4194304 debugging

no logging console

no logging monitor

!

no aaa new-model

clock timezone Shanghai 8

clock save interval 8

ip cef

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

no ip domain lookup

ip sla monitor 101

 type http operation get url http://172.16.100.8:88/ source-ipaddr 172.16.100.254 cache disable

 threshold 500

 tag UNI

ip sla monitor schedule 101 life forever start-time now

!

!

!

!

username cisco privilege 15 secret 5 $1$wJN1$ufsPnRdNErXx1HGtK0kHi1

!

!

!

!

!

interface FastEthernet0/0

 description Internet

 ip address 172.16.63.247 255.255.255.0

 ip flow ingress

 ip nat outside

 ip virtual-reassembly max-fragments 64 max-reassemblies 64

 duplex auto

 speed auto

!

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 172.16.63.1

ip flow-export source FastEthernet0/1

ip flow-export version 5 peer-as

ip flow-export destination 172.16.100.8 2055

!

no ip http server

no ip http secure-server

no ip nat service sip udp port 5060

ip nat inside source list 101 interface FastEthernet0/0 overload

ip nat inside source static 172.16.100.2 interface FastEthernet0/0

ip nat inside source static tcp 172.16.100.10 22 172.16.63.245 22 extendable

ip nat inside source static tcp 172.16.100.10 80 172.16.63.245 80 extendable

ip nat inside source static tcp 172.16.100.9 7900 172.16.63.245 7900 extendable

ip nat inside source static tcp 172.16.100.8 13579 172.16.63.245 13579 extendable

ip nat inside source static tcp 172.16.100.7 22228 172.16.63.245 22228 extendable

ip nat inside source static tcp 172.16.100.7 22229 172.16.63.245 22229 extendable

ip nat inside source static 172.16.100.5 172.16.63.246 extendable

!

no logging trap

access-list 5 permit 172.16.100.5

access-list 101 permit ip 172.16.100.0 0.0.0.255 any

snmp-server community public RO

no cdp run

!

!

control-plane

!

!

!

line con 0

 login local

line aux 0

line vty 0 4

 privilege level 15

 login local

 transport input telnet

!

!

end


Camp# 

This capture shows only FastEthernet0/0; FastEthernet0/1, the inside interface used as the flow-export source, is not included. Some settings in this configuration are acceptable in a lab but not on a router that exports accounting data for a site: vty access is telnet only (transport input telnet) with a local privilege-15 account, the SNMP community is the well-known string public with no access list, and no service password-encryption leaves any line passwords in clear text. On a production exporter allow SSH only, restrict vty and SNMP access with access lists, and change the community string.


5. Web front end

5.1. Web layout


Suse11:~ # ls -al /srv/www/

total 16

drwxr-xr-x  4 root root 4096 Apr 30 11:59 .

drwxr-xr-x  4 root root 4096 Dec 31  2011 ..

drwxr-xr-x  3 root root 4096 Apr 30 19:02 cgi-bin

drwxr-xr-x 10 root root 4096 Apr 30 18:25 htdocs

Suse11:~ # ls -al /srv/www/cgi-bin/

total 92

drwxr-xr-x 3 root   root  4096 Apr 30 19:02 .

drwxr-xr-x 4 root   root  4096 Apr 30 11:59 ..

-rwxr-xr-x 1 root   root 38580 Apr 30 16:21 CUGrapher.pl

drwxr-xr-x 7 wwwrun www   4096 Apr 24 21:26 FV

-rwxr-xr-x 1 root   root 26284 Feb 24  2009 info2html

-rw-r--r-- 1 root   root  3233 Feb 24  2009 info2html.conf

-rwxr-xr-x 1 root   root  5381 Feb 24  2009 infocat

Suse11:~ # ls -al /srv/www/htdocs/

total 92

drwxr-xr-x 10 root   root 4096 Apr 30 18:25 .

drwxr-xr-x  4 root   root 4096 Apr 30 11:59 ..

drwxr-xr-x  2 wwwrun www  4096 Apr 30 09:54 FlowGrapher

drwxr-xr-x  2 wwwrun www  4096 Apr 24 18:45 FlowMonitor

drwxr-xr-x  2 wwwrun www  4096 Apr 24 21:25 FlowSaves

drwxr-xr-x  2 wwwrun www  4096 Apr 24 19:21 FlowViewer

drwxr-xr-x  2 wwwrun www  4096 Apr 24 18:46 FlowViewer_Dashboard

-rw-r--r--  1 root   root 2326 Nov 21  2004 apache_pb.gif

-rw-r--r--  1 root   root 2088 Nov 26  2008 apache_pb.png

-rw-r--r--  1 root   root 1797 Nov 26  2008 apache_pb2.gif

drwxr-xr-x 13 root   root 4096 Apr 19 17:54 cacti

-rw-r--r--  1 root   root 1406 Apr 24 21:11 favicon.ico

drwxr-xr-x  2 root   root 4096 Dec 31  2011 gif

-rw-r--r--  1 root   root   44 Nov 21  2004 index.html

-rw-r--r--  1 root   root   30 Apr 19 17:45 index.php

-rw-r--r--  1 root   root 2356 Feb 24  2009 info2html.css

-rw-r--r--  1 root   root 5116 Apr 30 18:25 overall.html

drwxr-xr-x  3 wwwrun www  4096 Apr 30 13:39 reports

-rw-r--r--  1 root   root   26 Mar 28  2013 robots.txt

lrwxrwxrwx  1 root   root   62 Apr 30 18:25 topten.html -> /srv/www/htdocs/reports/scoreboard/2015-04-30/18/18:23:01.html

Suse11:~ # ls -al /srv/www/htdocs/reports/

total 40

drwxr-xr-x   3 wwwrun www   4096 Apr 30 13:39 .

drwxr-xr-x  10 root   root  4096 Apr 30 18:25 ..

drwxr-xr-x 842 wwwrun www  32768 Apr 30 18:10 scoreboard


5.2 Web configuration

The main setting is $rrddir in CUGrapher.pl, which must point at the OutputDir from CUFlow.cf (here /var/netflow/flowscan/graphs, outside the DocumentRoot so the raw .rrd files are not downloadable):

Suse11:~ # head -30 /srv/www/cgi-bin/CUGrapher.pl 

#! /usr/bin/perl -w


# CUGrapher.pl

# $Revision: 1.53 $

# Author: Matt Selsky <[email protected]>

# Contact for help: <[email protected]>


# (c) 2002 - 2005 The Trustees of Columbia University in the City of New York

# License restrictions apply, see COPYING for details.


use strict;

use CGI::Pretty qw(-nosticky :standard);

use RRDs;

use Digest::MD5 qw(md5_hex);


### Local settings ###


# directory with rrd files

#my $rrddir = "/srv/www/htdocs/graphs";

my $rrddir = "/var/netflow/flowscan/graphs";

# default number of hours to go back

my $hours = 48;

# duration of graph, starting from $hours ago

my $duration;

# organization name

my $organization = "Camp Net";

# default graph width

my $width = 640;

# default graph height

my $height = 320;

Suse11:~ # cat -n  /srv/www/cgi-bin/CUGrapher.pl |grep hours

    21  # default number of hours to go back

    22  my $hours = 48;

    23  # duration of graph, starting from $hours ago

   143      my %hours = ( 3 => '3 hours',

   144                    6 => '6 hours',

   145                    12 => '12 hours',

   146                    24 => '24 hours',

   147                    36 => '36 hours',

   148                    48 => '48 hours',

   154                    $q->popup_menu( -name => 'hours',

   155                                    -values => [sort {$a <=> $b} keys %hours],

   156                                    -default => $hours,

   157                                    -labels => \%hours ) );

   184                                    -values => ['', sort {$a <=> $b} keys %hours],

   185                                    -labels => \%hours ) );

   324      if( param('hours') ) {

   325          if( param('hours') =~ /^\d+$/ ) { $hours = param('hours') }

   326          else { &browserDie( "Invalid hours parameter" ) }

   334      } else { $duration = $hours; }

   661                   "--start=".(time - $hours*60*60),

   662                   "--end=".(time - $hours*60*60 + $duration*60*60),

Suse11:~ # grep -v \#  /etc/apache2/default-server.conf |more


DocumentRoot "/srv/www/htdocs"


<Directory "/srv/www/htdocs">

        Options FollowSymLinks

        AllowOverride None

        Order allow,deny

        Allow from all

</Directory>


Alias /icons/ "/usr/share/apache2/icons/"


<Directory "/usr/share/apache2/icons">

        Options Indexes MultiViews

        AllowOverride None

        Order allow,deny

        Allow from all

</Directory>


ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"


<Directory "/srv/www/cgi-bin">

        AllowOverride None

        Options +ExecCGI -Includes

        Order allow,deny

        Allow from all

</Directory>


<IfModule mod_userdir.c>

        UserDir public_html

        Include /etc/apache2/mod_userdir.conf

</IfModule>


Include /etc/apache2/conf.d/*.conf

Include /etc/apache2/conf.d/apache2-manual?conf


Suse11:~ # 


5.3 Web URLs

http://172.16.100.8:88/cgi-bin/CUGrapher.pl
http://172.16.100.8:88/overall.html
http://172.16.100.8:88/topten.html

With the default-server.conf shown above (Allow from all and no authentication on /srv/www/htdocs or /srv/www/cgi-bin), these pages, which list internal addresses and their traffic, are readable by every host that can reach port 88. Restrict them to the local subnet (Allow from 172.16.100.0/24 in the Directory blocks) or add HTTP authentication before the collector becomes reachable from outside.