[netsa-tools-discuss] alternate use of rwstats --percentage

asad a.alii85 at gmail.com
Wed Sep 23 15:29:10 EDT 2015


Thanks Thomas, for such a comprehensive explanation. From the silk-summary.txt
file I can verify that my versions are

SILK 3.10.2
libfixbuf-1.7.0 >= 1.6.0

The command I used is

rwflowpack \
--sensor-configuration=/data/sensors.conf \
--site-config-file=/data/silk.conf \
--archive-directory=/usr/local/var/lib/rwflowpack/archive \
--output-mode=local-storage \
--root-directory=/data \
--pidfile=/var/log/rwflowpack.pid --log-level=info \
--log-directory=/var/log --log-basename=rwflowpack \

But I don't see any "information element" in the logs. I'm using the tcpreplay
tool to replay sample pcap files (since I'm home now), but in the logs I see

"Sep 24 00:24:04 Silky-flows rwflowpack[812]: 'S0': forward 0, reverse 0,
ignored 0; yaf: recs 0, pkts 0, dropped-pkts 0, ignored-pkts 0,
bad-sequence-pkts 0, expired-frags 0"

I have tested with the cmd

yaf --silk --ipfix=tcp --live=pcap  --out=127.0.0.1 \
--ipfix-port=18001 --in=eth0 --applabel --max-payload=384 &


and it works fine; logs are made as they should be.


On Wed, Sep 23, 2015 at 10:26 PM, Mark Thomas <mthomas at cert.org> wrote:

> The way that you set the environment variable depends on how you
> are starting rwflowpack or flowcap.
>
> 1. Using the start-up scripts.
>
> Follow these instructions if you set variables in the
> rwflowpack.conf configuration file and then run the rwflowpack shell
> script as
>
>   rwflowpack start
>
> The rwflowpack shell script is typically installed in the directory
> $prefix/share/silk/etc/init.d.  In the RedHat RPMs, the start-up
> script is installed in /etc/init.d/rwflowpack.
>
> These instructions also apply for flowcap.
>
> Find the rwflowpack start-up script or the flowcap start-up script.
> Within that script, find the start() subroutine.  In that
> subroutine, find the following:
>
>   if [ X`whoami` = "X${USER}" ] ; then
>     eval "${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
>   else
>     su - ${USER} -c "${PROG_PATH} ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
>   fi
>
> Insert SILK_IPFIX_PRINT_TEMPLATES=1 after the initial double quote.
> The result should read:
>
>   if [ X`whoami` = "X${USER}" ] ; then
>     eval "SILK_IPFIX_PRINT_TEMPLATES=1 ${PROG_PATH} ${PROG_OPTIONS}
> ${EXTRA_OPTIONS} &"
>   else
>     su - ${USER} -c "SILK_IPFIX_PRINT_TEMPLATES=1 ${PROG_PATH}
> ${PROG_OPTIONS} ${EXTRA_OPTIONS} &"
>   fi
>
>
>
> 2. Starting from the command line.
>
> Follow these instructions if you invoke the rwflowpack or flowcap
> binary from the command line and specify its command line options as
> part of the command, such as
>
>   rwflowpack --root-directory=/data ...
>
> These binaries are typically installed in $prefix/sbin.
>
> In this case, you can set the SILK_IPFIX_PRINT_TEMPLATES environment
> variable as you set any other environment variable in a modern
> Bourne-compatible shell:
>
>   export SILK_IPFIX_PRINT_TEMPLATES=1
>   rwflowpack --root-directory=/data ...
>
>
>
> This feature requires SiLK 3.8.2 or newer and libfixbuf-1.4.0 or
> newer.
>
> -Mark
>
>
> On Wed, 23 Sep 2015 13:33:06 +0500, asad wrote:
>
> > Thomas,
> >
> > Can you educate me how to set env variable "SILK_IPFIX_PRINT_TEMPLATES"?
> >
> > On 9/21/15, Mark Thomas <mthomas at cert.org> wrote:
> >> I have a couple of PCAP files that contain data from a Cisco ASA,
> >> and the NetFlow v9 templates do not include Information Element 6,
> >> TCP_FLAGS.
> >>
> >> If you wish to confirm this for yourself, set the
> >> SILK_IPFIX_PRINT_TEMPLATES environment variable to 1 prior to
> >> starting rwflowpack or flowcap.  With that variable set, rwflowpack
> >> or flowcap print to its log file each IPFIX/NetFlow v9 template it
> >> receives.
> >>
> >> When the tool prints the template, it uses the IPFIX names for the
> >> information elements, which you can find at
> >> http://www.iana.org/assignments/ipfix/ipfix.xhtml
> >>
> >> The IPFIX name for TCP_FLAGS is tcpControlBits.
> >>
> >> -Mark
> >>
> >>
> >> On Fri, 18 Sep 2015 10:54:56 +0500, asad wrote:
> >>
> >>> This is update.
> >>>
> >>> I have edited the cmd as told by "Angela", and now I get a very useful
> >>> output which shows that the %Bytes value is never greater than
> >>> 0.025112; this explains why the percentage=1 was not working.
> >>>
> >>> But what is more strange is that now I start to question the suitability
> >>> of Cisco ASA asel netflow logs; here is the reason why:
> >>>
> >>>
> >>> changing the command and adding params, e.g. --packets=4- --ack-flag=1,
> >>> delivers me zero output. Even more strange (please see attachment),
> >>> the flags column is empty (it is even empty when there is no
> >>> --ack-flag=1 value set).
> >>>
> >>>
> >>>
> >>> On 9/16/15, asad <a.alii85 at gmail.com> wrote:
> >>>> Thanks Angela and Evgeniy. I believe I have been unfair to part I have
> >>>> explained my case effectively.
> >>>>
> >>>> There is a critical server on the enterprise network whose traffic I want
> >>>> to monitor for the following usage:
> >>>>
> >>>> " to monitor connections to and from the server w.r.t. bytes "
> >>>>
> >>>> This is done to get some way of knowing "normal" behavior for the
> >>>> traffic,
> >>>> i.e. the number of bytes sent per day between server and client.
> >>>>
> >>>> I will try out the suggestions as soon as I get access to the office
> >>>> network (currently I'm at home) and will update accordingly.
> >>>>
> >>>> On Wed, Sep 16, 2015 at 6:22 PM, Angela Horneman <ahorneman at cert.org>
> >>>> wrote:
> >>>>
> >>>>> Asad,
> >>>>>
> >>>>> If you replace --percentage=1 with --count=10 in your first example,
> >>>>> there will be a column "%Bytes" in the output. You can use that column
> >>>>> to check if any of the 10 DIPs with the greatest byte volumes have a
> >>>>> volume that is at least 1% of the total.
> >>>>>
> >>>>> Angela
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org
> >>>>> [mailto:netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org]
> >>>>> On Behalf Of asad
> >>>>> Sent: Wednesday, September 16, 2015 12:49 AM
> >>>>> To: Evgeniy Sudyr <eject.in.ua at gmail.com>
> >>>>> Cc: netsa-tools-discuss at cert.org
> >>>>> Subject: Re: [netsa-tools-discuss] alternate use of rwstats --percentage
> >>>>>
> >>>>> Thanks Eugene,
> >>>>>
> >>>>> My output is:-
> >>>>>
> >>>>>             sIP|sPort|          dIP|dPort|     bytes|
> >>>>>    10.10.13.152|    0|  10.10.4.145|    0|        78|
> >>>>>    10.10.13.152|    0|  10.10.4.145|    0|        78|
> >>>>>    10.10.13.152|    0|  10.10.4.145|    0|        78|
> >>>>>
> >>>>>
> >>>>> With command
> >>>>>
> >>>>> rwfilter --sensor=S0 --type=all --pass=stdout --saddress=10.10.13.152
> >>>>> --start-date=2015/09/13:15 --end-date=2015/09/16:15 | rwsort
> >>>>> --fields=bytes | rwcut --fields=sip,sport,dip,dport,bytes
> >>>>>
> >>>>> I'm getting bytes in the last column, but I don't know how to get that
> >>>>> as a percentage of the total bytes from all records.
> >>>>>
> >>>>> thanks.
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 9/15/15, Evgeniy Sudyr <eject.in.ua at gmail.com> wrote:
> >>>>> > Ai,
> >>>>> >
> >>>>> > are you sure that in your rwfilter results you have more than 1%
> >>>>> > of Bytes?
> >>>>> >
> >>>>> > From the rwstats man page:
> >>>>> >
> >>>>> > --percentage=N  Print the bins where the primary value is
> >>>>> > greater-than (or less-than) N percent of the sum of the primary
> >>>>> > values across all bins.
> >>>>> >
> >>>>> >
> >>>>> > I think it will be useful to see --count --Packets
> >>>>> >
> >>>>> >
> >>>>> > On Tue, Sep 15, 2015 at 5:31 PM, asad <a.alii85 at gmail.com> wrote:
> >>>>> >
> >>>>> >> Hi,
> >>>>> >>
> >>>>> >> I want to know what "alternate options" exist for the following:
> >>>>> >>
> >>>>> >> rwfilter --sensor=Vrouter1 --type=out --sport=3306 --pass=stdout
> >>>>> >> --start-date=2012/11/13:00 --end-date=2012/11/13:23
> >>>>> >> --saddress=172.31.253.102 | rwstats --percentage=1 --bytes
> >>>>> >> --fields=dip
> >>>>> >>
> >>>>> >> I don't know why, but using the --percentage=1 flag I get zero
> >>>>> >> results, even when I know this IP is present in the records. Is
> >>>>> >> there any reason why such a thing would happen?
> >>>>> >>
> >>>>> >> Or can I move to other rwstats switch parameters to perform the same
> >>>>> >> task I am trying to achieve with --percentage=1?
> >>>>> >>
> >>>>> >> Thanks.
> >>>>> >>
> >>>>> >>
> >>>>> >>
> >>>>> >
> >>>>> >
> >>>>> > --
> >>>>> > --
> >>>>> > With regards,
> >>>>> > Eugene Sudyr
> >>>>> >
> >>>>>
> >>>>>
> >>>>
> >>
>
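The --percentage behaviour that Evgeniy and Angela describe above (bins are kept only when their value exceeds N percent of the sum over all bins, so a server that talks to thousands of peers in tiny flows can have no bin at all above 1%) can be reproduced offline. The following is an added example, not SiLK code and not part of the thread: a small Python model of `rwstats --fields=dip --bytes` with either `--percentage=N` or `--count=N`, run over constructed flow records shaped like asad's output (4000 distinct destinations at 78 bytes each, so every bin is exactly 0.025% of the total). Record layout, addresses and byte counts are all made up for the demonstration.

```python
"""Added example (not SiLK code): a model of what
`rwstats --fields=dip --bytes --percentage=N` and `--count=N` do, so the
behaviour discussed in the thread (--percentage=1 printing nothing while
--count=10 still shows a %Bytes column around 0.025) can be reproduced."""
from collections import defaultdict

# Constructed flow records (sip, dip, bytes). The layout is made up to mimic
# the thread: 4000 distinct destinations, 78 bytes each, so every bin holds
# exactly 1/4000 = 0.025% of the total and no bin exceeds 1%.
FLOWS = [("10.10.13.152", "10.10.%d.%d" % (i // 250 + 4, i % 250 + 1), 78)
         for i in range(4000)]


def bin_bytes_by_dip(flows):
    """Sum bytes per destination IP (the rwstats --fields=dip --bytes bins)."""
    bins = defaultdict(int)
    for _sip, dip, nbytes in flows:
        bins[dip] += nbytes
    return dict(bins)


def rwstats_like(flows, percentage=None, count=None, bottom=False):
    """Return [(dip, bytes, pct_of_total), ...] in the order rwstats prints.

    --percentage=N keeps bins whose value is greater than N percent of the
    sum over all bins (less than N percent with --bottom); --count=N keeps
    the first N bins. Exactly one of the two must be given.
    """
    if (percentage is None) == (count is None):
        raise ValueError("give exactly one of percentage= or count=")
    bins = bin_bytes_by_dip(flows)
    total = sum(bins.values())
    ordered = sorted(bins.items(), key=lambda kv: kv[1], reverse=not bottom)
    rows = [(dip, b, 100.0 * b / total if total else 0.0) for dip, b in ordered]
    if percentage is not None:
        if bottom:
            return [r for r in rows if r[2] < percentage]
        return [r for r in rows if r[2] > percentage]
    return rows[:count]


def format_rows(rows):
    """Render rows with a %Bytes column, roughly like rwstats output."""
    lines = ["%15s|%10s|%10s|" % ("dIP", "Bytes", "%Bytes")]
    for dip, b, pct in rows:
        lines.append("%15s|%10d|%10.6f|" % (dip, b, pct))
    return "\n".join(lines)


if __name__ == "__main__":
    print("--percentage=1 keeps", len(rwstats_like(FLOWS, percentage=1)), "bins")
    print(format_rows(rwstats_like(FLOWS, count=3)))
    # Add one destination that dominates; now --percentage=1 has a bin to show.
    heavy = FLOWS + [("10.10.13.152", "10.10.4.1", 10000)]
    print(format_rows(rwstats_like(heavy, percentage=1)))
```

The threshold is relative to the whole data set that reaches rwstats, so narrowing the rwfilter (a single sport, a single sensor) changes which bins clear 1% as much as the traffic itself does; `--count=N` sidesteps that by always showing the top N together with their %Bytes.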
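Mark's point that the ASA's NetFlow v9 templates omit Information Element 6 (TCP_FLAGS, IANA name tcpControlBits) can also be checked directly against the exporter's packets, for instance from a pcap captured while the ASA exports, independently of SILK_IPFIX_PRINT_TEMPLATES. The block below is an added example, not SiLK, YAF or Cisco code: it parses the template FlowSets of a raw NetFlow v9 export packet (20-byte header, then FlowSets; FlowSet ID 0 carries templates, each a template ID, a field count, and (type, length) pairs) and reports whether IE 6 is present. The two sample templates are constructed for the demonstration and do not claim to be an ASA's actual field list; the IE name table is a small subset of the IANA registry.

```python
"""Added example (not SiLK/YAF/Cisco code): extract NetFlow v9 templates from
an export packet and check whether they carry IE 6 (tcpControlBits)."""
import struct

TEMPLATE_FLOWSET_ID = 0   # RFC 3954: FlowSet ID 0 is the template FlowSet
IE_TCP_FLAGS = 6          # NetFlow v9 TCP_FLAGS == IANA IPFIX tcpControlBits

# Subset of the IANA IPFIX registry, only for readable output.
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            6: "tcpControlBits", 7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address",
            21: "flowEndSysUpTime", 22: "flowStartSysUpTime"}

# Constructed templates (type, length): one without IE 6, one with it.
NO_FLAGS_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4),
                   (22, 4), (21, 4)]
WITH_FLAGS_FIELDS = NO_FLAGS_FIELDS + [(IE_TCP_FLAGS, 1)]


def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every
    template FlowSet in a NetFlow v9 packet; data/options FlowSets are skipped."""
    if len(packet) < 20:
        raise ValueError("short NetFlow v9 header")
    version, _count, _uptime, _secs, _seq, _src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version %d)" % version)
    templates = {}
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length at offset %d" % off)
        if fs_id == TEMPLATE_FLOWSET_ID:
            p, end = off + 4, off + fs_len
            while p + 4 <= end:            # trailing padding (< 4 bytes) is ignored
                tid, nfields = struct.unpack("!HH", packet[p:p + 4])
                p += 4
                fields = []
                for _ in range(nfields):
                    if p + 4 > end:
                        raise ValueError("truncated template %d" % tid)
                    fields.append(struct.unpack("!HH", packet[p:p + 4]))
                    p += 4
                templates[tid] = fields
        off += fs_len
    return templates


def has_tcp_flags(fields):
    """True when the template exports IE 6 (tcpControlBits)."""
    return any(ftype == IE_TCP_FLAGS for ftype, _ in fields)


def describe(fields):
    """Names as SiLK would print them, unknown types shown numerically."""
    return [IE_NAMES.get(ftype, "ie%d" % ftype) for ftype, _ in fields]


def build_template_packet(templates):
    """Construct a NetFlow v9 packet holding one template FlowSet (test data)."""
    body = b""
    for tid, fields in templates.items():
        body += struct.pack("!HH", tid, len(fields))
        for ftype, flen in fields:
            body += struct.pack("!HH", ftype, flen)
    flowset = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body
    header = struct.pack("!HHIIII", 9, len(templates), 1000, 1442976000, 1, 0)
    return header + flowset


if __name__ == "__main__":
    pkt = build_template_packet({256: NO_FLAGS_FIELDS, 257: WITH_FLAGS_FIELDS})
    for tid, fields in sorted(parse_v9_templates(pkt).items()):
        print(tid, "tcpControlBits" if has_tcp_flags(fields) else "NO tcpControlBits",
              describe(fields))
```

Run it over the UDP payloads of the exporter's packets (the templates are resent periodically, so a short capture suffices): a template without tcpControlBits means the flags column in rwcut will stay empty and any `--flags-all` or `--ack-flag` filter in rwfilter will match nothing, exactly the symptom asad reports.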