[flow-tools] src/dst AS list

[Mark Fullmer]

On Tue, Jun 04, 2002 at 10:19:27PM +0200, Olav Langeland wrote:
> Just getting back to flow-tools after being with some other projects,
> last time I looked into it a large chunk of src/dst AS list was 0.
> Reading the flow-capture manpage revealed that it was the router
> exporting the local AS as 0, so fixed now.

The AS can be 0 for other reasons, such as not having full routing
tables.

> But, my question is about exactly what is being exported. Does the AS
> list contain both incoming and outgoing AS numbers, both
> internet->inside and inside->internet? When I run a flow-stat -f19 for
> SRC AS is that a mix of flows from both directions? 

flow-stat alone will report on both inbound and outbound flows.  To
produce an outbound report use flow-filter inline with an interface
filter.

> What is the difference between "ip route-cache flow" and "ip route-cache
> flow sampled"? 

Packet sampling.

> I saw a post the other day where the config included: 
> > !
> > ip flow-aggregation cache as
> >  export destination a.b.c.d 9691
> >  cache timeout inactive 10
> >  cache timeout active 1
> >  enabled
> > !
> As I can understand from Cisco.com it is "The NetFlow ToS-Based Router
> Aggregation feature provides the ability to enable limited router-based
> type of service (ToS) aggregation of NetFlow Export data, which results
> in summarized NetFlow Export data to be exported to a collection device.
> The result is lower bandwidth requirements for NetFlow Export data and
> reduced platform requirements for NetFlow data collection devices." 
> So this is basically just a way for decreasing the traffic that is
> created with exporting netflow data, or is it any other reasons for
> using it?

More or less.  Most aggregated exports do not contain IP addresses
which addresses privacy concerns for some installations.

> 
> Any input appreciated
> 
> -olav
> 
> _______________________________________________
> flow-tools@splintered.net
> http://www.splintered.net/sw/flow-tools