[flow-tools] Top Talkers?

Mark Fullmer maf@eng.oar.net
Fri, 3 May 2002 10:19:00 -0400


It's better to filter on ifIndex so you can catch spoofed traffic.  Eric's
example should work for you.  To determine in vs. out, run the report
two times, the first filtering on input interface, the second on output.

You may also want to look at flow-tag which will allow reports
based on groups of addresses.

mark

On Thu, May 02, 2002 at 03:49:57PM -0600, Dave Packham wrote:
> We have 3 outbound ifIndexes... can you think of a way to use our class
> B's and a way to determine an In/Out system?
> 
> If dst is 155.1.0.0/16,155.2.0.0/16,155.3.0.0/16 then dst else src
> 
> Dave
> 
> -----Original Message-----
> From: Eric S. Johnson [mailto:esj@cs.fiu.edu] 
> Sent: Thursday, May 02, 2002 3:17 PM
> To: Dave Packham
> Cc: flow-tools@splintered.net
> Subject: Re: [flow-tools] Top Talkers?
> 
> 
> >What's an easy way to create a top talkers for our campus?
> 
> >This should be easy  :)
> 
> flow-cat $NETFLOW_FILES | \
>   flow-filter -I $OUTGOING_INTERFACE_OID | \
>   flow-stat -f9 -S2 | \
>   head -36
> 
> or source/dest
> 
> flow-cat $NETFLOW_FILES | \
>   flow-filter -I $OUTGOING_INTERFACE_OID | \
>   flow-stat -f10 -S3 
>   ....
> 
> 
> E
> 
> _______________________________________________
> flow-tools@splintered.net
> http://www.splintered.net/sw/flow-tools
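
The difference between the two approaches in this thread, as an added example that is not part of the original messages and is not flow-tools code: it runs the address rule and the two-pass ifIndex classification over the same constructed flow records and flags flows whose source address disagrees with the interface they crossed. The ifIndex values, the flow records, and all function names are assumptions; only the three campus networks come from the thread.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# From the thread: the campus class B networks.
CAMPUS = [ip_network(n) for n in ("155.1.0.0/16", "155.2.0.0/16", "155.3.0.0/16")]
UPSTREAM_IFINDEX = {1, 2, 3}  # assumed ifIndex values of the 3 outbound interfaces

# Constructed flows: (src, dst, input ifIndex, output ifIndex, octets)
FLOWS = [
    ("155.1.4.10", "198.51.100.7", 10, 1, 9000),   # normal outbound
    ("198.51.100.7", "155.1.4.10", 1, 10, 4000),   # normal inbound
    ("155.2.8.20", "203.0.113.5", 11, 2, 2500),    # normal outbound
    ("192.0.2.99", "203.0.113.5", 11, 3, 7000),    # outbound, non-campus source
    ("155.3.1.1", "155.1.4.10", 2, 10, 6000),      # inbound, claims campus source
]

def on_campus(addr):
    ip = ip_address(addr)
    return any(ip in net for net in CAMPUS)

def by_address(flows):
    """Address rule from the thread: if dst is on campus use dst, else src."""
    talkers = Counter()
    for src, dst, _in, _out, octets in flows:
        talkers[dst if on_campus(dst) else src] += octets
    return talkers

def by_ifindex(flows):
    """Two passes: input interface first, then output interface."""
    inbound, outbound, suspect = Counter(), Counter(), []
    for flow in flows:
        src, dst, in_if, out_if, octets = flow
        if in_if in UPSTREAM_IFINDEX:      # pass 1: arrived from upstream
            inbound[dst] += octets
            if on_campus(src):             # campus source arriving from outside
                suspect.append(flow)
        if out_if in UPSTREAM_IFINDEX:     # pass 2: leaving via upstream
            outbound[src] += octets
            if not on_campus(src):         # non-campus source leaving campus
                suspect.append(flow)
    return inbound, outbound, suspect

if __name__ == "__main__":
    print("address rule:", by_address(FLOWS).most_common())
    inbound, outbound, suspect = by_ifindex(FLOWS)
    print("inbound:", inbound.most_common())
    print("outbound:", outbound.most_common())
    print("suspect:", suspect)
```

The address rule folds both constructed anomalies into ordinary per-host totals, while the interface passes keep direction correct and surface the two mismatched flows.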