Netflow?

bluz

22-09-2004 13:34:58

Hi, over the last day or so I've tweaked NetMRG to also collect and display Cisco Netflow data... it's a really rough implementation and isn't fully configurable yet, but wondering if anyone else has tackled this?

Any plans to add this to NetMRG?
Regards,
Rob

silfreed

22-09-2004 14:15:15

"Collect netflow" is a very large term - there's a lot of data going on. This could mean Top AS's (in and out), Top Protocols (HTTP, FTP, DNS, etc, in and out), and a couple other things.

In the past we've used argus logging to a mysql database (custom script), and then get aggregate data out of the mysql database.

We wouldn't mind hearing what you've done, though. If what you've worked on can be included in the contrib/ directory or as part of the distribution (in documentation or code), we'd love to have it.

-Doug

bluz

22-09-2004 15:03:20

Hi Doug,

Thanks for the reply.

I don't really think I'm ready to share the code... it's a bit of a mess. But I wanted to get an idea about it - I didn't want to spend 3 weeks on it and then find out it was already done.

What I've done so far is basically have a Cisco 2600 router send netflow to a listener on my netmrg server. The "listener" takes the data and imports it into a table called "netflows" in the netmrg database. Then I've just modified the view.php file and a few functions to allow a display type of "netflow" and manually added a few report types to the netmrg database. So a report type of "50" is top protocols by bandwidth, '51' is Current Top Flows, etc.

As you mentioned, there are a lot of problems with collecting netflow data. There's SO much. In 2 days I have 1.45 million records, slightly large to query on. So I'm thinking about ways to aggregate it in the database, without losing the potential all the raw data has. I would like to do something similar to what you've done with regards to aggregating using rrdtool and keeping the data in the database to a minimum.

If I did end up getting this integrated into NetMRG, how would I provide that code back to NetMRG?

BTW - great programming wrt NetMRG... I'm trying to use your example and keep the format clean.

Thanks. Rob