Complete guide to installing and configuring FlowScan on Linux
2015.04.30
1. Introduction to FlowScan
FlowScan is written in Perl and is used to process and visualise the NetFlow data exported by network devices.
Early versions of FlowScan used cflowd to collect and process NetFlow v5 data; later versions use flow-tools for the same job.
Note that the Cflow Perl module must be compiled inside the flow-tools source tree so that FlowScan can use it later; FlowScan then scans and analyses the flows and draws the graphs.
It is a fairly good NetFlow analysis and presentation tool.
CUFlow is an extension module for FlowScan that is friendlier than the bundled CampusIO and SubNetIO modules, so
this guide uses CUFlow in place of the bundled modules.
2. Check or install the dependencies
2.1. Check the Apache configuration
Suse11:~ # apache2ctl -v
Server version: Apache/2.2.12 (Linux/SUSE)
Server built: Mar 27 2013 18:47:49
Suse11:~ # grep -v \^# /etc/sysconfig/apache2
DOC_SERVER="no"
APACHE_CONF_INCLUDE_FILES=""
APACHE_CONF_INCLUDE_DIRS=""
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif suexec userdir php5 reqtimeout"
APACHE_SERVER_FLAGS=""
APACHE_HTTPD_CONF=""
APACHE_MPM=""
APACHE_SERVERADMIN=""
APACHE_SERVERNAME=""
APACHE_START_TIMEOUT="2"
APACHE_SERVERSIGNATURE="on"
APACHE_LOGLEVEL="debug"
APACHE_ACCESS_LOG="/dev/null combined"
APACHE_USE_CANONICAL_NAME="off"
APACHE_SERVERTOKENS="OS"
APACHE_EXTENDED_STATUS="off"
APACHE_DISABLE_SSL_COMPRESSION="on"
Suse11:~ #
2.2. Check the Perl 5 installation
Suse11:~ # perl -v
This is perl, v5.10.0 built for x86_64-linux-thread-multi
Copyright 1987-2007, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.
Suse11:~ #
2.3. Build and install RRDTool
# tar xvzf rrdtool-1.4.5.tar.tar
# cd rrdtool-1.4.5
Edit configure and find the line
PERL_MAKE_OPTIONS="PREFIX=$langpref INSTALL_BASE= LIB=$langpref/lib/perl/$PERL_VERSION"
and change it to
PERL_MAKE_OPTIONS="PREFIX=$langpref INSTALL_BASE= LIB=$langpref/lib/perl5/$PERL_VERSION"
# ./configure --prefix=/usr --sysconfdir=/etc --enable-shared
# make
# make install
or run: make install site-perl-install
Suse11:~ # rrdtool -v
RRDtool 1.4.9 Copyright 1997-2013 by Tobias Oetiker <[email protected]>
Compiled Apr 30 2015 14:21:19
Usage: rrdtool [options] command command_options
Valid commands: create, update, updatev, graph, graphv, dump, restore,
last, lastupdate, first, info, fetch, tune,
resize, xport, flushcached
RRDtool is distributed under the Terms of the GNU General
Public License Version 2. (www.gnu.org/copyleft/gpl.html)
For more information read the RRD manpages
Suse11:~ #
2.4. Build and install flow-tools
2.4.1 Download flow-tools-0.68.5.1.tar.bz2
tar -xvjf flow-tools-0.68.5.1.tar.bz2
cd flow-tools-0.68.5.1
./configure --prefix=/usr --sysconfdir=/etc
make
make install
2.4.2 Autostart script for flow-tools, shared with the Cacti flowview plugin
Suse11:~ # cat /etc/init.d/flow-capture
#!/usr/bin/php
<?php
/*
# description: Start Flow-Capture
# chkconfig: 2345 95 00
*/
// Cacti install path; the flowview plugin keeps its exporter table and settings in the Cacti database
$cacti_base = '/srv/www/htdocs/cacti';
include_once($cacti_base . '/include/global.php');
// Directory holding the flow-tools binaries (Cacti setting "path_flowtools")
$tools_path = read_config_option("path_flowtools");

if (isset($_SERVER['argv'][1])) {
    switch (strtolower($_SERVER['argv'][1])) {
        case 'start':
            start();
            break;
        case 'stop':
            stop();
            break;
        case 'restart':
            restart();
            break;
        default:
            echo "Usage: /etc/init.d/flow-capture {start|stop|restart}\n";
            break;
    }
}

function start() {
    global $tools_path, $cacti_base;
    echo "NOTE: Starting Flow Tools\n";
    // One flow-capture listener is started per exporter configured in the flowview plugin
    $devices = db_fetch_assoc("SELECT * FROM plugin_flowview_devices");
    if (!empty($devices)) {
        $path = db_fetch_cell("SELECT value FROM `settings` WHERE name = 'path_flows_dir'");
        if ($path == '') {
            // 'break' is not valid outside a loop or switch; leave the function instead
            return;
        }
        if (substr($path, -1) == '/') {
            $path = substr($path, 0, -1);
        }
        foreach ($devices as $device) {
            $port   = $device['port'];
            $folder = $device['folder'];
            $nest   = $device['nesting'];
            $v      = $device['version'];
            $from   = $device['allowfrom'];
            $comp   = $device['compression'];
            $rotate = $device['rotation'];
            $expire = $device['expire'] * ($rotate + 1);
            if (!is_dir("$path/$folder")) {
                echo "NOTE: Making directory '$path/$folder'\n";
                mkdir("$path/$folder");
            }
            if (is_dir("$path/$folder")) {
                // 0/$from/$port: bind any local address, accept exports from $from, listen on UDP $port
                echo "NOTE: Launching flow-capture as '$tools_path/flow-capture -w $path/$folder 0/$from/$port -S5 -V$v -z $comp -n $rotate -e $expire -N $nest'\n";
                shell_exec($tools_path . "/flow-capture -w $path/$folder 0/$from/$port -S5 -V$v -z $comp -n $rotate -e $expire -N $nest");
            }
        }
    } else {
        echo "WARNING: No flows configured\n";
    }
}

function stop() {
    global $tools_path, $cacti_base;
    echo "NOTE: Stopping Flow Tools\n";
    $devices = db_fetch_assoc("SELECT * FROM plugin_flowview_devices");
    if (!empty($devices)) {
        shell_exec('killall -9 ' . $tools_path . '/flow-capture');
    }
}

function restart() {
    stop();
    start();
}
Suse11:~ #
2.4.3. Start flow-capture
Suse11:~ # /etc/init.d/flow-capture start
NOTE: Starting Flow Tools
NOTE: Launching flow-capture as '/usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1'
Suse11:~ # ps -eaf |grep flow-capture |grep -v grep
root 7087 1 4 20:32 ? 00:00:00 /usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1
Suse11:~ #
2.5. Install the Perl modules FlowScan needs
Perl modules: in addition to Perl 5, you will need the modules listed below.
Net::Patricia
Boulder::Stream
HTML::Table
ConfigReader::DirectiveStyle
Cflow
Find and download these packages from http://search.cpan.org/, then build each one with:
# perl Makefile.PL
# make
# make install
For ConfigReader it is enough to unpack the archive into /usr/lib/perl5/site_perl/5.10.0
Suse11:~/bin/flow-tools-0.68.5.1 # ls -al /usr/lib/perl5/site_perl/5.10.0/ConfigReader
total 76
drwxr-xr-x 2 405 4 4096 Feb 20 1996 .
drwxr-xr-x 9 root root 4096 Apr 30 11:09 ..
-rw-r--r-- 1 405 4 25265 Feb 17 1996 COPYING.LIB
-rw-r--r-- 1 405 4 2424 Feb 14 1996 ConfigReader.pod
-rw-r--r-- 1 405 4 9084 Feb 20 1996 DirectiveStyle.pm
-rw-r--r-- 1 405 4 2152 Feb 19 1996 README
-rw-r--r-- 1 405 4 9705 Feb 20 1996 Spec.pm
-rw-r--r-- 1 405 4 7573 Feb 20 1996 Values.pm
Suse11:~/bin/flow-tools-0.68.5.1 #
Note: Cflow must be compiled inside the flow-tools source tree, so this step has to be done after flow-tools has been built.
cd flow-tools-0.68.5.1
cd contrib
tar -zxvf Cflow-1.053.tar.gz
cd Cflow-1.053
perl Makefile.PL
make
make install
Suse11:~ # perl -MExtUtils::Installed -le 'foreach (ExtUtils::Installed->new->modules) { print $_,"-->", ExtUtils::Installed->new->version($_)}'
Boulder-->
Cflow-->1.053
HTML::Table-->2.08a
Net::CIDR-->0.18
Net::CIDR::Lite-->0.21
Net::Patricia-->1.22
Perl-->5.10.0
RRDp-->1.4009
RRDs-->1.4009
Socket6-->0.25
Test::Simple-->1.001014
Suse11:~ #
2.6. Install and configure FlowScan
2.6.1. Check the FlowScan installation directories
Suse11:~ # ls -al /var/netflow/
total 24
drwxr-xr-x 4 root root 4096 Apr 30 19:34 .
drwxr-xr-x 16 root root 12288 Apr 26 18:13 ..
drwxr-xr-x 10 root root 4096 Apr 30 00:00 cisco3745
drwxr-xr-x 6 root root 4096 Apr 30 18:40 flowscan
Suse11:~ # ls -al /var/netflow/cisco3745/
total 656
drwxr-xr-x 10 root root 4096 Apr 30 00:00 .
drwxr-xr-x 4 root root 4096 Apr 30 19:34 ..
drwxr-xr-x 2 root root 36864 Apr 24 00:00 2015-04-23
drwxr-xr-x 2 root root 86016 Apr 25 00:00 2015-04-24
drwxr-xr-x 2 root root 81920 Apr 26 00:00 2015-04-25
drwxr-xr-x 2 root root 90112 Apr 27 00:00 2015-04-26
drwxr-xr-x 2 root root 90112 Apr 28 00:00 2015-04-27
drwxr-xr-x 2 root root 90112 Apr 29 00:00 2015-04-28
drwxr-xr-x 2 root root 86016 Apr 30 00:00 2015-04-29
drwxr-xr-x 2 root root 73728 Apr 30 19:38 2015-04-30
Suse11:~ # ls -al /var/netflow/flowscan/
total 1820
drwxr-xr-x 6 root root 4096 Apr 30 18:40 .
drwxr-xr-x 4 root root 4096 Apr 30 19:34 ..
drwxr-xr-x 2 root root 4096 Apr 30 18:40 flows
drwxr-xr-x 2 root root 4096 Apr 30 18:25 graphs
Suse11:~ #
2.6.2. Install FlowScan
Download FlowScan-1.006.tar.gz
Suse11:~/bin # tar xvzf FlowScan-1.006.tar.gz
Suse11:~/bin # cd FlowScan-1.006/
Suse11:~/bin/FlowScan-1.006 # ./configure --prefix=/var/netflow/flowscan
Suse11:~/bin/FlowScan-1.006 # make
make: Nothing to be done for `all'.
Suse11:~/bin/FlowScan-1.006 # make -n install
test -d /var/netflow/flowscan/bin || /bin/mkdir -p /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c flowscan /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c FlowScan.pm /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c CampusIO.pm /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c SubNetIO.pm /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/locker /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/add_ds.pl /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/add_txrx /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/event2vrule /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/ip2hostname /var/netflow/flowscan/bin
Suse11:~/bin/FlowScan-1.006 # make install
test -d /var/netflow/flowscan/bin || /bin/mkdir -p /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c flowscan /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c FlowScan.pm /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c CampusIO.pm /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c SubNetIO.pm /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/locker /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/add_ds.pl /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/add_txrx /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/event2vrule /var/netflow/flowscan/bin
/root/bin/FlowScan-1.006/install-sh -c util/ip2hostname /var/netflow/flowscan/bin
Suse11:~/bin/FlowScan-1.006 #
2.6.2 Configure FlowScan
Suse11:~ # ls -al /var/netflow/flowscan/
total 1820
drwxr-xr-x 6 root root 4096 Apr 30 18:40 .
drwxr-xr-x 4 root root 4096 Apr 30 19:34 ..
drwxr-xr-x 2 root root 4096 Apr 30 18:40 bin
drwxr-xr-x 2 root root 4096 Apr 30 18:40 flows
drwxr-xr-x 2 root root 4096 Apr 30 18:25 graphs
Suse11:~ #
Suse11:~ # cat /var/netflow/flowscan/bin/flowscan.cf
# flowscan Configuration Directives ############################################
# FlowFileGlob (REQUIRED)
# use this glob (file pattern match) when looking for raw flow files to be
# processed, e.g.:
# FlowFileGlob /var/local/flows/flows.*:*[0-9]
# FlowFileGlob flows.*:*[0-9]
FlowFileGlob /var/netflow/flowscan/flows/ft-v05*[0-9]
# ReportClasses (REQUIRED)
# a comma-seperated list of FlowScan report classes, e.g.:
# ReportClasses CampusIO
#ReportClasses SubNetIO
ReportClasses CUFlow
# WaitSeconds (OPTIONAL)
# This should be <= the "-s" value passed on the command-line to cflowd, e.g.:
# WaitSeconds 300
WaitSeconds 30
# Verbose (OPTIONAL, non-zero = true)
Verbose 0
Suse11:~ #
2.6.3. Edit the FlowScan.pm file
Open FlowScan.pm and change lines 96 and 108 as shown below; the diff compares the edited file against the saved original FlowScan.OLD, so the `<` lines are the new content and the `>` lines the original.
Suse11:/var/netflow/flowscan/bin # diff FlowScan.pm FlowScan.OLD
96c96
< m/(\d\d\d\d)-(\d\d)-(\d\d)\.(\d\d)(\d\d)(\d\d)([+-])(\d\d)(\d\d)$/) {
---
> m/(\d\d\d\d)(\d\d)(\d\d)_(\d\d):(\d\d):(\d\d)([+-])(\d\d)(\d\d)/) {
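Review bot: the `<` pattern at line 96 matches the flow-tools file names that flow-capture writes here (ft-v05.2015-04-23.132406+0800 in the 3.3 log: YYYY-MM-DD.HHMMSS followed by a +HHMM offset), whereas the `>` pattern matched cflowd's YYYYMMDD_HH:MM:SS+HHMM layout; the new line also adds a `$` anchor the original lacked, which is right, since it makes the offset the end of the name and matches the anchor the line-108 pattern already uses.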
108c108
< } elsif ($file =~ m/(\d\d\d\d)-(\d\d)-(\d\d)\.(\d\d)(\d\d)(\d\d)$/) {
---
> } elsif ($file =~ m/(\d\d\d\d)(\d\d)(\d\d)_(\d\d):(\d\d):(\d\d)$/) {
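Review bot: this fallback handles names without a +HHMM/-HHMM offset and is not exercised by the setup above, since every file flow-capture writes here ends in +0800 (see the file names in 3.3); it is still worth keeping in step with line 96 (same YYYY-MM-DD.HHMMSS layout) so that both patterns parse the same family of file names.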
Suse11:/var/netflow/flowscan/bin #
2.6.4. Edit the Table.pm file
Open /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm and change line 2685 as follows
Suse11:~ # diff /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm /usr/lib/perl5/site_perl/5.10.0/HTML/Table.OLD
2685c2685
< $self->{last_col} = $count if (!defined($self->{last_col}) || ( $count > $self->{last_col}));
---
> $self->{last_col} = $count if ($count > $self->{last_col});
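Review bot: the added `!defined($self->{last_col})` guard is what removes the "Use of uninitialized value in numeric gt (>) at .../HTML/Table.pm line 2685" warnings that the 3.3 log shows from this very line; if the warning still appears after the edit, restart the flowscan process (/etc/init.d/flowscan stop, then start), because Perl loads Table.pm once at startup and a running process does not see the change.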
Suse11:~ #
2.6.5. Configure the FlowScan autostart script
Suse11:~ # cat /etc/init.d/flowscan
#!/bin/sh
# rc script for flowscan
# D Plonka, Jan 11 1999
bindir=/var/netflow/flowscan/bin
scandir=/var/netflow/flowscan
logfile=/var/netflow/flowscan/flowscan.log
user=root
su=/bin/su
nohup=/usr/bin/nohup
kill=/bin/kill
ps=/bin/ps
grep=/bin/grep
awk=/usr/bin/awk
perl=/usr/bin/perl
nice=/usr/bin/nice
meanness=0

case "$1" in
    'start')
        echo "starting flowscan"
        # run flowscan in the background as ${user}, appending its output to ${logfile}
        ${nice} --${meanness} ${su} - ${user} -c "cd ${scandir} && ${nohup} ${perl} ${bindir}/flowscan >>${logfile} 2>&1 </dev/null &" >/dev/null
        ;;
    'stop')
        echo "killing flowscan"
        # the [f]lowscan spelling keeps grep from matching its own command line
        pid=`${ps} ax |${grep} "${perl} ${bindir}/[f]lowscan" |${awk} '{print $1}'`
        if [ -n "$pid" ]
        then
            ${kill} $pid
        fi
        ;;
esac
Suse11:~ #
2.7. Install and configure CUFlow
2.7.1. Install CUFlow
SLES 11 SP3 -- flowscan-cuflow-1.7-1.2.x86_64.rpm
flowscan-cuflow_1.7.orig.tar.gz
Suse11:~ # rpm -Uvh flowscan-cuflow-1.7-1.2.x86_64.rpm
Suse11:/var/netflow/flowscan/bin # rpm -ql flowscan-cuflow
/etc/flowscan/CUFlow.cf
/srv/www/cflow
/srv/www/cflow/reports
/srv/www/cflow/reports/scoreboard
/srv/www/cgi-bin/CUGrapher.pl
/usr/lib/perl5/vendor_perl/5.8.6/CUFlow.pm
/usr/share/man/man3/CUFlow.3pm.gz
Suse11:~ #
2.7.2 Configure CUFlow
Suse11:~ # find / -name CUFlow\*
/usr/share/man/man3/CUFlow.3pm.gz
/usr/lib/perl5/vendor_perl/5.10.0/CUFlow.pm
/etc/flowscan/CUFlow.cf
Suse11:~ # grep etc /usr/lib/perl5/vendor_perl/5.10.0/CUFlow.pm
&parseConfig("/etc/flowscan/CUFlow.cf"); # Read our config file
Suse11:~ # cat /etc/flowscan/CUFlow.cf
# These are the subnets in our network
# These are used only to determine whether a packet is inbound our
# outbound
Subnet 172.16.100.0/24
# These are networks we are particularly interested in, and want to
# get separate rrd's for their aggregate traffic
Network 172.16.100.254/32 routers
# Where to put the rrd's
# Make sure this is the same as $rrddir in CUGrapher.pl
OutputDir /var/netflow/flowscan/graphs
# Track multicast traffic
Multicast
# Keep top N lists
# Show the top ten talkers, storing reports in /cflow/flows/reports
# and keeping the current report in /etc/httpd/data/reports/topten.html
Scoreboard 10 /srv/www/htdocs/reports/scoreboard /srv/www/htdocs/topten.html
# Same, but build an over-time average top N list
AggregateScore 10 /srv/www/htdocs/reports/scoreboard/agg.dat /srv/www/htdocs/overall.html
# Our two netflow exporters. Produce service and protocol reports for the
# total, and each of these.
#Router 172.16.100.254 router3745
#Router 10.0.1.2 router2
# Services we are interested in
Service 20-21/tcp ftp
Service 22/tcp ssh
Service 23/tcp telnet
Service 25/tcp smtp
Service 53/udp,53/tcp dns
Service 80/tcp http
Service 110/tcp pop3
#Service 119/tcp nntp
#Service 143/tcp imap
#Service 412/tcp,412/udp dc
Service 443/tcp https
#Service 1214/tcp kazaa
Service 1723/tcp pptp
Service 2119/tcp Camp2119
Service 2556/tcp Camp2556
#Service 4661-4662/tcp,4665/udp edonkey
Service 5070/tcp sip
#Service 5190/tcp aim
#Service 6346-6347/tcp gnutella
#Service 6665-6669/tcp irc
#Service 54320/tcp bo2k
Service 7070/tcp,554/tcp,6970-7170/udp real
Service 22228/tcp Camp22228
# protocols we are interested in
Protocol 1 icmp
#Protocol 4 ipinip
Protocol 6 tcp
Protocol 17 udp
Protocol 41 ipv6
Protocol 47 gre
#Protocol 50 esp
#Protocol 51 ah
#Protocol 57 skip
#Protocol 88 eigrp
#Protocol 169
Protocol 255
# ToS bit percentages to graph
TOS 0 normal
TOS 1-255 other
# Interested in traffic to/from AS 1
ASNumber 1 Genuity
Suse11:~ #
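The Subnet, Network, Service and Protocol directives above decide which RRD each flow is counted in. The following is an added example, not code from CUFlow or FlowScan: a small reader for that directive syntax plus a classifier for constructed flow records. The function names (parse_cuflow, classify), the "src"/"dst" meaning taken from the service_<name>_src.rrd / service_<name>_dst.rrd file names, and the "local"/"transit" labels are assumptions made here, not CUFlow's own behaviour.

```python
import ipaddress
import re

# Constructed excerpt of the CUFlow.cf above (same directive syntax).
CUFLOW_CF = """
# Subnets decide inbound/outbound only
Subnet 172.16.100.0/24
Network 172.16.100.254/32 routers
Service 20-21/tcp ftp
Service 22/tcp ssh
Service 53/udp,53/tcp dns
Service 80/tcp http
Service 7070/tcp,554/tcp,6970-7170/udp real
Protocol 1 icmp
Protocol 6 tcp
Protocol 17 udp
Protocol 255
"""

PROTO_NUMBER = {"tcp": 6, "udp": 17}


def parse_cuflow(text):
    """Return the directives as Python structures; comments and blank lines are skipped."""
    cfg = {"subnets": [], "networks": {}, "services": [], "protocols": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key, args = parts[0], parts[1:]
        if key == "Subnet":
            cfg["subnets"].append(ipaddress.ip_network(args[0]))
        elif key == "Network":
            cfg["networks"][args[1]] = ipaddress.ip_network(args[0])
        elif key == "Service":
            # "20-21/tcp" or "53/udp,53/tcp": comma-separated port[-port]/proto specs
            ranges = []
            for spec in args[0].split(","):
                m = re.fullmatch(r"(\d+)(?:-(\d+))?/(tcp|udp)", spec)
                if not m:
                    raise ValueError("bad Service spec: " + spec)
                lo, hi, proto = int(m.group(1)), m.group(2), m.group(3)
                ranges.append((PROTO_NUMBER[proto], lo, int(hi) if hi else lo))
            cfg["services"].append((args[1], ranges))
        elif key == "Protocol":
            # "Protocol 255" without a name is reported by its number (cf. protocol_255.rrd)
            cfg["protocols"][int(args[0])] = args[1] if len(args) > 1 else args[0]
    return cfg


def classify(cfg, src, sport, dst, dport, proto):
    """Classify one flow: direction, protocol label, matching services and Networks.

    Assumptions made in this example: a service counts as "dst" when the destination
    port matches and "src" when the source port matches; a flow with both ends inside
    a Subnet is "local", with neither end inside it is "transit"."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s_in = any(s in n for n in cfg["subnets"])
    d_in = any(d in n for n in cfg["subnets"])
    direction = {(True, False): "outbound", (False, True): "inbound",
                 (True, True): "local", (False, False): "transit"}[(s_in, d_in)]
    services = []
    for name, ranges in cfg["services"]:
        for p, lo, hi in ranges:
            if p != proto:
                continue
            if lo <= dport <= hi:
                services.append((name, "dst"))
            elif lo <= sport <= hi:
                services.append((name, "src"))
    networks = [n for n, net in cfg["networks"].items() if s in net or d in net]
    return {"direction": direction,
            "protocol": cfg["protocols"].get(proto, str(proto)),
            "services": sorted(set(services)),
            "networks": networks}


if __name__ == "__main__":
    cfg = parse_cuflow(CUFLOW_CF)
    # Constructed flows: a DNS lookup leaving the subnet, and an SSH reply from the router
    print(classify(cfg, "172.16.100.10", 44321, "8.8.8.8", 53, 17))
    print(classify(cfg, "172.16.100.254", 22, "172.16.100.8", 51000, 6))
```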
3. Start FlowScan and observe it
3.1 Start FlowScan
Suse11:/var/netflow/flowscan # ps -eaf |grep flow |grep -v grep
root 7087 1 0 20:32 ? 00:00:00 /usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1
Suse11:/var/netflow/flowscan # /etc/init.d/flowscan start
starting flowscan
Suse11:/var/netflow/flowscan # ps -eaf |grep flow |grep -v grep
root 7087 1 0 20:32 ? 00:00:00 /usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1
root 18736 1 0 20:44 pts/3 00:00:00 -bash -c cd /var/netflow/flowscan && /usr/bin/nohup /usr/bin/perl /var/netflow/flowscan/bin/flowscan >>/var/netflow/flowscan/flowscan.log 2>&1 </dev/null &
root 18737 18736 1 20:44 pts/3 00:00:00 /usr/bin/perl /var/netflow/flowscan/bin/flowscan
Suse11:/var/netflow/flowscan #
3.2 Observe FlowScan running
Suse11:~ # ls -al /var/netflow/flowscan/flows
total 104
drwxr-xr-x 2 root root 98304 Apr 30 20:44 .
drwxr-xr-x 5 root root 4096 Apr 30 20:44 ..
Suse11:~ # ls -al /var/netflow/flowscan/graphs/
total 8
drwxr-xr-x 2 root root 4096 Apr 30 19:54 .
drwxr-xr-x 5 root root 4096 Apr 30 20:44 ..
Suse11:~ # cat /var/netflow/flowscan/flowscan.log
sleep 30...
sleep 30...
sleep 30...
sleep 30...
Suse11:~ #
3.3 Copy the data collected by flow-tools into the FlowScan processing directory
Suse11:~ # cp /var/netflow/cisco3745/2015-04-23/* /var/netflow/flowscan/flows
Suse11:~ # head -30 /var/netflow/flowscan/flowscan.log
sleep 30...
sleep 30...
2015/04/30 21:03:50 working on file /var/netflow/flowscan/flows/ft-v05.2015-04-23.132406+0800...
2015/04/30 21:03:50 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock secs ( 0.01 usr + 0.00 sys = 0.01 CPU) for 7892 flow file bytes, flow hit ratio: 40/122
2015/04/30 21:03:50 flowscan-1.020 CUFlow: report took 0 wallclock secs ( 0.00 usr 0.01 sys + 0.00 cusr 0.02 csys = 0.03 CPU)
2015/04/30 21:03:50 working on file /var/netflow/flowscan/flows/ft-v05.2015-04-23.132501+0800...
2015/04/30 21:03:50 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock secs ( 0.02 usr + 0.00 sys = 0.02 CPU) for 6292 flow file bytes, flow hit ratio: 42/97
ERROR updating /var/netflow/flowscan/graphs/service_ssh_dst.rrd: /var/netflow/flowscan/graphs/service_ssh_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
ERROR updating /var/netflow/flowscan/graphs/service_pptp_dst.rrd: '/var/netflow/flowscan/graphs/service_pptp_dst.rrd' is not an RRD file
ERROR updating /var/netflow/flowscan/graphs/service_sip_src.rrd: /var/netflow/flowscan/graphs/service_sip_src.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
ERROR updating /var/netflow/flowscan/graphs/service_sip_dst.rrd: /var/netflow/flowscan/graphs/service_sip_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
ERROR updating /var/netflow/flowscan/graphs/service_Camp2119_src.rrd: /var/netflow/flowscan/graphs/service_Camp2119_src.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
ERROR updating /var/netflow/flowscan/graphs/service_Camp2119_dst.rrd: /var/netflow/flowscan/graphs/service_Camp2119_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
ERROR updating /var/netflow/flowscan/graphs/service_Camp22228_src.rrd: '/var/netflow/flowscan/graphs/service_Camp22228_src.rrd' is too small (should be 190656 bytes)
ERROR updating /var/netflow/flowscan/graphs/service_Camp22228_dst.rrd: /var/netflow/flowscan/graphs/service_Camp22228_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
ERROR updating /var/netflow/flowscan/graphs/service_ftp_src.rrd: '/var/netflow/flowscan/graphs/service_ftp_src.rrd' is not an RRD file
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
2015/04/30 21:03:50 flowscan-1.020 CUFlow: report took 0 wallclock secs ( 0.00 usr 0.00 sys + 0.00 cusr 0.03 csys = 0.03 CPU)
2015/04/30 21:03:50 working on file /var/netflow/flowscan/flows/ft-v05.2015-04-23.132601+0800...
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
2015/04/30 21:03:50 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock secs ( 0.00 usr + 0.00 sys = 0.00 CPU) for 6868 flow file bytes, flow hit ratio: 46/106
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
Suse11:~ # ls -al /var/netflow/flowscan/graphs/
total 7496
drwxr-xr-x 2 root root 4096 Apr 30 21:03 .
drwxr-xr-x 5 root root 4096 Apr 30 21:02 ..
-rw-r--r-- 1 root root 190656 Apr 30 21:04 as_Genuity.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 network_routers.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_255.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_gre.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_icmp.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_multicast.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_tcp.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_udp.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_dns_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_dns_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ftp_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ftp_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_http_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_http_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_https_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_https_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pop3_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pop3_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pptp_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pptp_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2119_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2119_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp22228_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp22228_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2556_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2556_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_real_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_real_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_sip_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_sip_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_smtp_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_smtp_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ssh_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ssh_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_telnet_dst.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 service_telnet_src.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 tos_normal.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 tos_other.rrd
-rw-r--r-- 1 root root 190656 Apr 30 21:04 total.rrd
Suse11:~ #
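The timestamps in the "illegal attempt to update" errors above are the ones encoded in the flow-file names: 1429766646 is 2015-04-23 13:24:06 +0800 (ft-v05.2015-04-23.132406+0800) and 1429766701 is 13:25:01 +0800, and RRDtool refuses an update whose time is not later than the previous one. This added example (not FlowScan's own code) re-implements the file-name parsing of the two patterns edited in 2.6.3 and checks an update sequence against that rule; flow_file_epoch, plan_rrd_updates and in_time_order are names chosen here, and treating names without an offset as UTC is an assumption of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Same layouts as the '<' lines of the FlowScan.pm diff in 2.6.3, with the flow-tools
# "ft-v05." prefix: the first carries a +HHMM/-HHMM offset, the second does not.
WITH_TZ = re.compile(r"^ft-v05\.(\d{4})-(\d{2})-(\d{2})\.(\d{2})(\d{2})(\d{2})([+-])(\d{2})(\d{2})$")
NO_TZ = re.compile(r"^ft-v05\.(\d{4})-(\d{2})-(\d{2})\.(\d{2})(\d{2})(\d{2})$")


def flow_file_epoch(name, default_tz=timezone.utc):
    """Return the Unix time encoded in a flow-tools file name, or None if it matches neither pattern.

    Names without an offset are read in default_tz (assumption of this example)."""
    m = WITH_TZ.match(name)
    if m:
        y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
        sign = 1 if m.group(7) == "+" else -1
        tz = timezone(sign * timedelta(hours=int(m.group(8)), minutes=int(m.group(9))))
        return int(datetime(y, mo, d, h, mi, s, tzinfo=tz).timestamp())
    m = NO_TZ.match(name)
    if m:
        y, mo, d, h, mi, s = (int(x) for x in m.groups())
        return int(datetime(y, mo, d, h, mi, s, tzinfo=default_tz).timestamp())
    return None


def plan_rrd_updates(names, last_update=0):
    """Feed the files, in the given order, to an RRD whose last update time is last_update.

    RRDtool rejects any update whose time is not after the last one; returns the accepted
    (name, epoch) pairs and the rejected (name, reason) pairs with RRDtool-style reasons."""
    accepted, rejected = [], []
    for name in names:
        t = flow_file_epoch(name)
        if t is None:
            rejected.append((name, "file name matches neither pattern"))
        elif t <= last_update:
            rejected.append((name, "illegal attempt to update using time %d when last update "
                                   "time is %d (minimum one second step)" % (t, last_update)))
        else:
            accepted.append((name, t))
            last_update = t
    return accepted, rejected


def in_time_order(names):
    """Order flow files by their encoded time so that RRD updates never run backwards."""
    return sorted((n for n in names if flow_file_epoch(n) is not None), key=flow_file_epoch)


if __name__ == "__main__":
    # Constructed: the two files from the log, fed in the wrong order
    files = ["ft-v05.2015-04-23.132501+0800", "ft-v05.2015-04-23.132406+0800"]
    print(plan_rrd_updates(files))                  # second file rejected, as in the log
    print(plan_rrd_updates(in_time_order(files)))   # both accepted
```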
4. Configure the router
4.1. Key configuration
Global Mode
ip cef
ip flow-export version 5 peer-as
ip flow-export source interface fa0/1
ip flow-export destination 10.1.0.1 2055
ip flow-cache timeout active 1
Interface Configuration
ip route-cache flow
4.2. A complete example
Camp#sh ver
Cisco IOS Software, 3700 Software (C3745-ADVSECURITYK9-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 18-Aug-10 08:18 by prod_rel_team
ROM: System Bootstrap, Version 12.3(6r) [cmong 6r], RELEASE SOFTWARE (fc1)
Camp uptime is 9 weeks, 2 days, 5 hours, 21 minutes
System returned to ROM by reload at 00:05:50 UTC Fri Mar 1 2002
System restarted at 14:14:15 Shanghai Tue Feb 24 2015
System image file is "flash:/c3745-advsecurityk9-mz.124-25d.bin"
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use.
Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws.
By using this product you agree to comply with applicable laws and regulations.
If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to [email protected].
Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
Processor board ID FTX1108A1AM
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of NVRAM.
31360K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
Camp#sh run
Building configuration...
Current configuration : 2661 bytes
!
! Last configuration change at 15:23:16 Shanghai Thu Apr 30 2015 by cisco
! NVRAM config last updated at 16:05:14 Shanghai Thu Apr 30 2015 by cisco
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Camp
!
boot-start-marker
boot system flash:/c3745-advsecurityk9-mz.124-25d.bin
boot-end-marker
!
logging buffered 4194304 debugging
no logging console
no logging monitor
!
no aaa new-model
clock timezone Shanghai 8
clock save interval 8
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip sla monitor 101
type http operation get url http://172.16.100.8:88/ source-ipaddr 172.16.100.254 cache disable
threshold 500
tag UNI
ip sla monitor schedule 101 life forever start-time now
!
!
!
!
username cisco privilege 15 secret 5 $1$wJN1$ufsPnRdNErXx1HGtK0kHi1
!
!
!
!
!
!
interface FastEthernet0/0
description Internet
ip address 172.16.63.247 255.255.255.0
ip flow ingress
ip nat outside
ip virtual-reassembly max-fragments 64 max-reassemblies 64
duplex auto
speed auto
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.63.1
ip flow-export source FastEthernet0/1
ip flow-export version 5 peer-as
ip flow-export destination 172.16.100.8 2055
!
no ip http server
no ip http secure-server
no ip nat service sip udp port 5060
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static 172.16.100.2 interface FastEthernet0/0
ip nat inside source static tcp 172.16.100.10 22 172.16.63.245 22 extendable
ip nat inside source static tcp 172.16.100.10 80 172.16.63.245 80 extendable
ip nat inside source static tcp 172.16.100.9 7900 172.16.63.245 7900 extendable
ip nat inside source static tcp 172.16.100.8 13579 172.16.63.245 13579 extendable
ip nat inside source static tcp 172.16.100.7 22228 172.16.63.245 22228 extendable
ip nat inside source static tcp 172.16.100.7 22229 172.16.63.245 22229 extendable
ip nat inside source static 172.16.100.5 172.16.63.246 extendable
!
no logging trap
access-list 5 permit 172.16.100.5
access-list 101 permit ip 172.16.100.0 0.0.0.255 any
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
!
!
end
Camp#
5. Web interface
5.1. Web interface layout
Suse11:~ # ls -al /srv/www/
total 16
drwxr-xr-x 4 root root 4096 Apr 30 11:59 .
drwxr-xr-x 4 root root 4096 Dec 31 2011 ..
drwxr-xr-x 3 root root 4096 Apr 30 19:02 cgi-bin
drwxr-xr-x 10 root root 4096 Apr 30 18:25 htdocs
Suse11:~ # ls -al /srv/www/cgi-bin/
total 92
drwxr-xr-x 3 root root 4096 Apr 30 19:02 .
drwxr-xr-x 4 root root 4096 Apr 30 11:59 ..
-rwxr-xr-x 1 root root 38580 Apr 30 16:21 CUGrapher.pl
drwxr-xr-x 7 wwwrun www 4096 Apr 24 21:26 FV
-rwxr-xr-x 1 root root 26284 Feb 24 2009 info2html
-rw-r--r-- 1 root root 3233 Feb 24 2009 info2html.conf
-rwxr-xr-x 1 root root 5381 Feb 24 2009 infocat
Suse11:~ # ls -al /srv/www/htdocs/
total 92
drwxr-xr-x 10 root root 4096 Apr 30 18:25 .
drwxr-xr-x 4 root root 4096 Apr 30 11:59 ..
drwxr-xr-x 2 wwwrun www 4096 Apr 30 09:54 FlowGrapher
drwxr-xr-x 2 wwwrun www 4096 Apr 24 18:45 FlowMonitor
drwxr-xr-x 2 wwwrun www 4096 Apr 24 21:25 FlowSaves
drwxr-xr-x 2 wwwrun www 4096 Apr 24 19:21 FlowViewer
drwxr-xr-x 2 wwwrun www 4096 Apr 24 18:46 FlowViewer_Dashboard
-rw-r--r-- 1 root root 2326 Nov 21 2004 apache_pb.gif
-rw-r--r-- 1 root root 2088 Nov 26 2008 apache_pb.png
-rw-r--r-- 1 root root 1797 Nov 26 2008 apache_pb2.gif
drwxr-xr-x 13 root root 4096 Apr 19 17:54 cacti
-rw-r--r-- 1 root root 1406 Apr 24 21:11 favicon.ico
drwxr-xr-x 2 root root 4096 Dec 31 2011 gif
-rw-r--r-- 1 root root 44 Nov 21 2004 index.html
-rw-r--r-- 1 root root 30 Apr 19 17:45 index.php
-rw-r--r-- 1 root root 2356 Feb 24 2009 info2html.css
-rw-r--r-- 1 root root 5116 Apr 30 18:25 overall.html
drwxr-xr-x 3 wwwrun www 4096 Apr 30 13:39 reports
-rw-r--r-- 1 root root 26 Mar 28 2013 robots.txt
lrwxrwxrwx 1 root root 62 Apr 30 18:25 topten.html -> /srv/www/htdocs/reports/scoreboard/2015-04-30/18/18:23:01.html
Suse11:~ # ls -al /srv/www/htdocs/reports/
total 40
drwxr-xr-x 3 wwwrun www 4096 Apr 30 13:39 .
drwxr-xr-x 10 root root 4096 Apr 30 18:25 ..
drwxr-xr-x 842 wwwrun www 32768 Apr 30 18:10 scoreboard
5.2 Web interface configuration
The main setting is the $rrddir directory in CUGrapher.pl, which must be the same as the OutputDir in CUFlow.cf
Suse11:~ # head -30 /srv/www/cgi-bin/CUGrapher.pl
#! /usr/bin/perl -w
# CUGrapher.pl
# $Revision: 1.53 $
# Author: Matt Selsky <[email protected]>
# Contact for help: <[email protected]>
# (c) 2002 - 2005 The Trustees of Columbia University in the City of New York
# License restrictions apply, see COPYING for details.
use strict;
use CGI::Pretty qw(-nosticky :standard);
use RRDs;
use Digest::MD5 qw(md5_hex);
### Local settings ###
# directory with rrd files
#my $rrddir = "/srv/www/htdocs/graphs";
my $rrddir = "/var/netflow/flowscan/graphs";
# default number of hours to go back
my $hours = 48;
# duration of graph, starting from $hours ago
my $duration;
# organization name
my $organization = "Camp Net";
# default graph width
my $width = 640;
# default graph height
my $height = 320;
Suse11:~ # cat -n /srv/www/cgi-bin/CUGrapher.pl |grep hours
21 # default number of hours to go back
22 my $hours = 48;
23 # duration of graph, starting from $hours ago
143 my %hours = ( 3 => '3 hours',
144 6 => '6 hours',
145 12 => '12 hours',
146 24 => '24 hours',
147 36 => '36 hours',
148 48 => '48 hours',
154 $q->popup_menu( -name => 'hours',
155 -values => [sort {$a <=> $b} keys %hours],
156 -default => $hours,
157 -labels => \%hours ) );
184 -values => ['', sort {$a <=> $b} keys %hours],
185 -labels => \%hours ) );
324 if( param('hours') ) {
325 if( param('hours') =~ /^\d+$/ ) { $hours = param('hours') }
326 else { &browserDie( "Invalid hours parameter" ) }
334 } else { $duration = $hours; }
661 "--start=".(time - $hours*60*60),
662 "--end=".(time - $hours*60*60 + $duration*60*60),
Suse11:~ # grep -v \# /etc/apache2/default-server.conf |more
DocumentRoot "/srv/www/htdocs"
<Directory "/srv/www/htdocs">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
<IfModule mod_userdir.c>
UserDir public_html
Include /etc/apache2/mod_userdir.conf
</IfModule>
Include /etc/apache2/conf.d/*.conf
Include /etc/apache2/conf.d/apache2-manual?conf
Suse11:~ #
5.3 Web interface URLs
http://172.16.100.8:88/cgi-bin/CUGrapher.pl
http://172.16.100.8:88/overall.html
http://172.16.100.8:88/topten.html