[netsa-tools-discuss] alernate use of rwstats --percentage

Mark Thomas mthomas at cert.org
Wed Sep 23 13:26:20 EDT 2015


The way that you set the environment variable depends on how you
are starting rwflowpack or flowcap.

1. Using the start-up scripts.

Follow these instructions if you set variables in the
rwflowpack.conf configuration file and then run the rwflowpack shell
script as

  rwflowpack start

The rwflowpack shell script is typically installed in the directory
$prefix/share/silk/etc/init.d.  In the RedHat RPMs, the start-up
script is installed in /etc/init.d/rwflowpack.

These instructions also apply for flowcap.

Find the rwflowpack start-up script or the flowcap start-up script.
Within that script, find the start() subroutine.  In that
subroutine, find the following:

  if [ X`whoami` = "X${USER}" ] ; then
    eval "${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
  else
    su - ${USER} -c "${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
  fi

Insert SILK_IPFIX_PRINT_TEMPLATES=1 after the initial double quote.
The result should read:

  if [ X`whoami` = "X${USER}" ] ; then
    eval "SILK_IPFIX_PRINT_TEMPLATES=1 ${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
  else
    su - ${USER} -c "SILK_IPFIX_PRINT_TEMPLATES=1 ${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
  fi



2. Starting from the command line.

Follow these instructions if you invoke the rwflowpack or flowcap
binary from the command line and specify its command line options as
part of the command, such as

  rwflowpack --root-directory=/data ...

These binaries are typically installed in $prefix/sbin.

In this case, you can set the SILK_IPFIX_PRINT_TEMPLATES environment
variable as you set any other environment variable in a modern
Bourne-compatible shell:

  export SILK_IPFIX_PRINT_TEMPLATES=1
  rwflowpack --root-directory=/data ...



This feature requires SiLK 3.8.2 or newer and libfixbuf-1.4.0 or
newer.

-Mark


On Wed, 23 Sep 2015 13:33:06 +0500, asad wrote:

> Thomas,
>
> Can you educate me how to set env variable "SILK_IPFIX_PRINT_TEMPLATES"?
>
> On 9/21/15, Mark Thomas <mthomas at cert.org> wrote:
>> I have a couple of PCAP files that contain data from a Cisco ASA,
>> and the NetFlow v9 templates do not include Information Element 6,
>> TCP_FLAGS.
>>
>> If you wish to confirm this for yourself, set the
>> SILK_IPFIX_PRINT_TEMPLATES environment variable to 1 prior to
>> starting rwflowpack or flowcap.  With that variable set, rwflowpack
>> or flowcap print to its log file each IPFIX/NetFlow v9 template it
>> receives.
>>
>> When the tool prints the template, it uses the IPFIX names for the
>> information elements, which you can find at
>> http://www.iana.org/assignments/ipfix/ipfix.xhtml
>>
>> The IPFIX name for TCP_FLAGS is tcpControlBits.
>>
>> -Mark
>>
>>
>> On Fri, 18 Sep 2015 10:54:56 +0500, asad wrote:
>>
>>> This is update.
>>>
>>> I have edited the cmd as told by "Angela", now I get a very useful
>>> output which shows that the %Bytes value is never greater than
>>> 0.025112, this explains why the percentage=1 was not working.
>>>
>>> But what is more strange is that now I start to question the suitability of
>>> cisco asa asel netflow logs. Here is the reason why ..
>>>
>>>
>>> changing the command and adding params e.g. --packets=4- --ack-flag=1
>>> delivers me zero output. Even more strange (please see attachment)
>>> is that the flags column is empty (it is even empty when there is no
>>> --ack-flag=1 value set).
>>>
>>>
>>>
>>> On 9/16/15, asad <a.alii85 at gmail.com> wrote:
>>>> Thanks Angela and Evgeniy. I believe I have been unfair to part I have
>>>> explained my case effectively.
>>>>
>>>> There is a critical server on the enterprise network whose traffic I want to
>>>> monitor for the following usage :-
>>>>
>>>> " to monitor connection to and from the server w.r.t to bytes "
>>>>
>>>> This is done to get some way of knowing "normal" behavior for the
>>>> traffic
>>>> i.e. # between server and client no. of bytes sent per day.
>>>>
>>>> I will try out the suggestions as soon as I get access to the office network
>>>> (currently I'm at home) and will update accordingly.
>>>>
>>>> On Wed, Sep 16, 2015 at 6:22 PM, Angela Horneman <ahorneman at cert.org>
>>>> wrote:
>>>>
>>>>> Asad,
>>>>>
>>>>> If you replace --percentage=1 with --count=10 in your first example,
>>>>> there
>>>>> will be a column "%Bytes" in the output. You can use that column to
>>>>> check
>>>>> if any of the 10 DIPs with the greatest byte volumes have a volume that
>>>>> is
>>>>> at least 1% of the total.
>>>>>
>>>>> Angela
>>>>>
>>>>> -----Original Message-----
>>>>> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org [mailto:
>>>>> netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org] On Behalf Of
>>>>> asad
>>>>> Sent: Wednesday, September 16, 2015 12:49 AM
>>>>> To: Evgeniy Sudyr <eject.in.ua at gmail.com>
>>>>> Cc: netsa-tools-discuss at cert.org
>>>>> Subject: Re: [netsa-tools-discuss] alernate use of rwstats --percentage
>>>>>
>>>>> Thanks Eugene,
>>>>>
>>>>> My output is:-
>>>>>
>>>>>             sIP       |sPort|      dIP|       dPort|     bytes|
>>>>>   10.10.13.152|    0|   10.10.4.145|    0|        78|
>>>>>   10.10.13.152|    0|   10.10.4.145|    0|        78|
>>>>>   10.10.13.152|    0|   10.10.4.145|    0|        78|
>>>>>
>>>>>
>>>>> With command
>>>>>
>>>>> rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152
>>>>> --start-date=2015/09/13:15 --end-date=2015/09/16:15 | rwsort
>>>>> --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
>>>>>
>>>>> I'm getting bytes in last column, but as a percentage of total bytes
>>>>> from
>>>>> all records I don't know how to get that.
>>>>>
>>>>> thanks.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
>>>>> > Ai,
>>>>> >
>>>>> > are you sure  that in your rwfilter results you have more than 1% of
>>>>> Bytes?
>>>>> >
>>>>> > From rwstats man page:
>>>>> >
>>>>> > *--percentage*=*N* Print the bins where the primary value is
>>>>> > greater-than (or less-than) *N* percent of the sum of the primary
>>>>> > values across all bins.
>>>>> >
>>>>> >
>>>>> > I think it will be useful to see --count --Packets
>>>>> >
>>>>> >
>>>>> > On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com> wrote:
>>>>> >
>>>>> >> Hi,
>>>>> >>
>>>>> >> I want to know what "alternate options" exists for following:-
>>>>> >>
>>>>> >> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout
>>>>> >> --start-date=2012/11/13:00 --end-date=2012/11/13:23
>>>>> >> --saddress=172.31.253.102 | rwstats --percentage=1 --bytes
>>>>> >> --fields=dip
>>>>> >>
>>>>> >> I don't know why but using the --percentage=1 flag, I get zero results,
>>>>> >> even when in records I know this IP is present. Is there any reason
>>>>> >> why such would happen?
>>>>> >>
>>>>> >> Or I can move to another rwstats switch parameters to perform same
>>>>> >> task as trying to achieve with percentage=1
>>>>> >>
>>>>> >> Thanks.
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >
>>>>> >
>>>>> > --
>>>>> > --
>>>>> > With regards,
>>>>> > Eugene Sudyr
>>>>> >
>>>>>
>>>>>
>>>>
>>
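
For anyone who wants to make the same check Mark describes without restarting rwflowpack, below is an added Python example; it is not part of this thread, nor code from SiLK or libfixbuf. It parses the template sets of one NetFlow v9 export packet and lists the Information Elements each template carries, so you can see whether tcpControlBits (IE 6) is present. It goes a step beyond the NetFlow v9 case in the thread by also accepting IPFIX (version 10) template sets, including enterprise-specific elements. The two packets, the template IDs 256/257/300, and the enterprise element 1234 under PEN 9 are constructed for illustration rather than taken from an ASA capture; the element names come from the IANA IPFIX registry linked above.

```python
"""Added example: list the Information Elements in NetFlow v9 / IPFIX template
sets, to check whether an exporter's template carries tcpControlBits (IE 6).
Handles one export packet (a UDP payload) at a time; data records are skipped."""
import struct

# Subset of IANA IPFIX information element names (ipfix.xhtml registry).
IANA_IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
                 6: "tcpControlBits", 7: "sourceTransportPort", 8: "sourceIPv4Address",
                 11: "destinationTransportPort", 12: "destinationIPv4Address",
                 21: "flowEndSysUpTime", 22: "flowStartSysUpTime"}
TCP_CONTROL_BITS = 6


def ie_name(ie_id, enterprise=0):
    if enterprise:
        return f"pen{enterprise}:ie{ie_id}"
    return IANA_IE_NAMES.get(ie_id, f"ie{ie_id}")


def parse_templates(packet):
    """Return {template_id: [(ie_id, enterprise, length), ...]} for every template
    set in one NetFlow v9 (version 9) or IPFIX (version 10) export packet.
    Raises ValueError on malformed or truncated input instead of misparsing."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    version = struct.unpack_from("!H", packet, 0)[0]
    if version == 9:        # RFC 3954: 20-byte header, template FlowSet id 0
        header_len, template_set_id, end = 20, 0, len(packet)
    elif version == 10:     # RFC 7011: 16-byte header that carries the message length
        header_len, template_set_id = 16, 2
        end = struct.unpack_from("!H", packet, 2)[0]
        if end < header_len or end > len(packet):
            raise ValueError("IPFIX message length inconsistent with packet")
    else:
        raise ValueError(f"unsupported export version {version}")
    if len(packet) < header_len:
        raise ValueError("packet shorter than export header")

    templates = {}
    off = header_len
    while off + 4 <= end:
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > end:
            raise ValueError(f"bad set length {set_len} at offset {off}")
        if set_id == template_set_id:
            _parse_template_set(packet, off + 4, off + set_len, version, templates)
        # options templates (v9 id 1 / IPFIX id 3) and data sets (id >= 256) are skipped
        off += set_len
    return templates


def _parse_template_set(packet, off, end, version, templates):
    while off + 4 <= end:
        tid, field_count = struct.unpack_from("!HH", packet, off)
        off += 4
        if tid == 0 and field_count == 0:
            break                                   # trailing padding
        fields = []
        for _ in range(field_count):
            if off + 4 > end:
                raise ValueError(f"template {tid} truncated")
            ie_id, length = struct.unpack_from("!HH", packet, off)
            off += 4
            enterprise = 0
            if version == 10 and ie_id & 0x8000:    # IPFIX enterprise-specific IE
                if off + 4 > end:
                    raise ValueError(f"template {tid} truncated in enterprise number")
                enterprise = struct.unpack_from("!I", packet, off)[0]
                off += 4
                ie_id &= 0x7FFF
            fields.append((ie_id, enterprise, length))
        templates[tid] = fields


def templates_missing_ie(templates, ie_id=TCP_CONTROL_BITS):
    """Template IDs whose field list lacks the given IANA (enterprise 0) element."""
    return sorted(tid for tid, fields in templates.items()
                  if not any(i == ie_id and e == 0 for i, e, _ in fields))


def describe(templates):
    return [f"template {tid}: " + ", ".join(f"{ie_name(i, e)}({n})" for i, e, n in fields)
            for tid, fields in sorted(templates.items())]


# --- constructed sample packets (not captured from a real exporter) --------------
def build_v9_packet(templates):
    body = b"".join(struct.pack("!HH", tid, len(f)) +
                    b"".join(struct.pack("!HH", i, n) for i, n in f) for tid, f in templates)
    header = struct.pack("!HHIIII", 9, len(templates), 12345, 1442000000, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body


def build_ipfix_packet(templates):
    body = b""
    for tid, fields in templates:
        body += struct.pack("!HH", tid, len(fields))
        for i, n, pen in fields:
            body += struct.pack("!HHI", i | 0x8000, n, pen) if pen else struct.pack("!HH", i, n)
    tset = struct.pack("!HH", 2, 4 + len(body)) + body
    return struct.pack("!HHIII", 10, 16 + len(tset), 1442000000, 1, 0) + tset


# Template 256 reproduces the symptom from the thread (no IE 6); 257 carries it.
SAMPLE_V9 = build_v9_packet([
    (256, [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]),
    (257, [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (1, 4), (2, 4)]),
])
# IPFIX template with one enterprise-specific element: id 1234 under PEN 9 (Cisco's
# IANA enterprise number) is an arbitrary placeholder, not a documented ASA field.
SAMPLE_IPFIX = build_ipfix_packet([(300, [(8, 4, 0), (12, 4, 0), (6, 1, 0), (1234, 2, 9)])])

if __name__ == "__main__":
    for label, pkt in (("NetFlow v9", SAMPLE_V9), ("IPFIX", SAMPLE_IPFIX)):
        t = parse_templates(pkt)
        print(label, *describe(t), f"missing tcpControlBits: {templates_missing_ie(t)}", sep="\n  ")
```

To use it on a capture you still have to pull the UDP payload of each export packet out of the PCAP first, and templates may arrive in a different packet than the data records they describe, so examine several packets. The SILK_IPFIX_PRINT_TEMPLATES log output remains the authoritative view, since libfixbuf tracks templates per observation domain over the whole session; this script is only a quick offline sanity check.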

