NAME FlowScan - a system to analyze and report on cflowd flow files DESCRIPTION This document is the FlowScan User Manual $Revision: 1.23 $, $Date: 2001/02/28 21:48:08 $. It describes the installation and setup of `FlowScan-1.006'. FlowScan is a system which scans cflowd-format raw flow files and reports on what it finds. There are two report modules that are included. The `CampusIO' report module produced the graphs at: http://wwwstats.net.wisc.edu which show traffic in and out through a peering point or network border. The `SubNetIO' report updates RRD files for each of the subnets that you specify (so that you can produce graphs of `CampusIO' by subnet). The idea behind the distinct report modules is that users will be able to write new reports that are either derived-classes from `CampusIO' or altogether new ones. For instance, one may wish to write a report module called `Abuse' which would send email when it detected potentially abusive things going on, like Denial-of-Service attacks and various scans. FlowScan is freely-available under the GPL, the GNU General Public License. Use the Mailing List Please help me to help you. It is, unfortunately, not uncommon for one to have questions or problems while installing FlowScan. Please do not send email about such things to my personal email address, but instead check the FlowScan mailing list archive, and join the FlowScan mailing list. Information about the FlowScan mailing lists can be found at: http://net.doit.wisc.edu/~plonka/FlowScan/#Mailing_Lists By reading and participating in the list, you will be helping me to use my time effectively so that others will benefit from questions answered and issues raised. The mailing lists' archives are available at: http://net.doit.wisc.edu/~plonka/list/flowscan and: http://net.doit.wisc.edu/~plonka/list/flowscan-announce Upgrading First-time FlowScan users should skip to the section on "Initial Install Requirements", below. If you have previously installed and properly configured `FlowScan-1.005', you need only perform a subset of the steps that one would normally have to perform for an initial installation. This release of FlowScan uses more memory than previous releases. That is, the `flowscan' process will grow to a larger size than that in `FlowScan-1.005'. In my recent experience while testing this release, the `flowscan' process size to approximately 128MB when I use the new experimental `BGPDumpFile' option to produce "Top" reports by ASN. This is hopefully understandable since `flowscan' is carrying a full internet routing table when configured in this way. The memory requirements are significantly lessened if you do not use the `BGPDumpFile' option. The `flowscan' process' size is also a function of the number of active hosts in your network. Software Upgrade Requirements * Upgrading perl Modules Upgrade the `Cflow' perl module to `Cflow-1.030' or later for improved performance. Install `HTML::Table' in case you want to produce the new "Top Talkers" reports. Details on how to obtain and install these modules can be found in the section on "Software Requirements", below. * Upgrading FlowScan Of course, when upgrading you will need to obtain the current FlowScan. When you run configure, you should specify the same value with `--prefix' that you did when installing your existing FlowScan, e.g. /var/local/flows, or wherever your time-stamped raw flow files are currently being written by `cflowd'. Configuring FlowScan when Upgrading There is now POD documentation provided with the CampusIO and SubNetIO reports. Please use that as the definitive reference on configuration options for those reports, e.g.: $ cd bin $ perldoc CampusIO Here are a few things that changed regarding the FlowScan configuration: Upgrading CampusIO and/or SubNetIO Configuration Files There are new `TopN' and `ReportPrefixFormat' directives for `CampusIO' and `SubNetIO'. These directives enable the production of "Top Talker" reports. Furthermore there are new experimental `BGPDumpFile' and `ASNFile' options `CampusIO' which are used to produce "Top" reports by Autonomous System. You will need access a Cisco carrying a full BGP routing table to produce such reports. See the CampusIO configuration documentation for more info about configuring this feature. If you have trouble with it, remember that it is experimental, so please join the discussion in the mailing list. Secondly, the Napster_subnets.boulder has changed significantly since that provided with FlowScan-1.005. If you have FlowScan configured to measure Napster traffic, replace your old Napster_subnets.boulder with the one from the newer distribution: $ cp cf/Napster_subnets.boulder $PREFIX/bin/Napster_subnets.boulder Upgrading your RRD Files If you are upgrading, it is necessary to add two new Data Sources to the some of your existing RRD files. Before running flowscan, backup your RRD files, e.g.: $ cd $prefix/graphs $ tar cf saved_rrd_files.tar *.rrd then do this: $ cd $prefix/graphs $ ../bin/add_txrx total.rrd [1-9]*.*.*.*_*.rrd Generating Graphs after Upgrading A number of new features have been added to the graphs.mf template Makefile. Some of these are described below in the section on "Supplied Graphs". You may wish to copy graphs.mf to your graphs sub-directory. While it is not required, I highly recommend installing `RRGrapher' if you want to produce other graphs. It is referenced below in the section on "Custom Graphs". Done Upgrading That should be it for upgrading! Initial Install Requirements Hardware Requirements * Cisco routers If you don't have Cisco at your border, you're probably barking up the wrong tree with this package. Also, FlowScan currently requires that your IOS version supports NetFlow version 5. Try this command on your router if you are unsure: ip flow-export version ? * a GNU/Linux or Unix machine If you have a trivial amount of traffic being exported to cflowd, such as a T1's worth, perhaps any old machine will do. However, if you want to process a fair amount of traffic (e.g. at ~OC-3 rates) you'll want a *fast* machine. I've run FlowScan on a SPARC Ultra-30 w/256MB running Solaris 2.6, a Dell Precision 610 (dual Pentium III, 2x450Mhz) w/128MB running Debian Linux 2.1, and most recenlty a dual PIII Dell server, 2x600Mhz, w/256MB running Debian Linux 2.2r2. The Intel machines are definitely preferably in the sense that `flowscan' processes flows in about 40% of the time that it took the SPARC. (The main `flowscan' script itself is currently single-threaded.) In an early performance test of mine, using 24 hours of flows from our peering router here at UW-Madison, here's the comparison of their ave. time to process 5 minutes of flows: SPARC - 284 sec Intel - 111 sec Note that it is important that flowscan doesn't take longer to process the flows than it does for your network's activity and exporting Cisco routers to produce the flows. So, you want to keep the time to process 5 minutes of flows under 300 seconds on average. My recent testing has indicated that 600-850MHz PIII machines can usually process 3000-4000 flows per second, if `flowscan' doesn't have to compete with too many other processes. * Disk Space I recommend devoting a file-system to cflowd and FlowScan. Both require disk space and the amount depends upon a number of things: * The rate of flows being exported and collected * The rate at which FlowScan is able to process (and remove) those files * Whether or not you have configured FlowScan to "save" flow files * The number of hours after which you remove `gzip(1)'ped flow files To find the characteristics of your environment, you'll just have to run the patched cflowd for a little while to see what you get. Early in this project (c. 1999), we were usually collecting about 150-300,000 flows from our peering router every 5 minutes. Recently, our 5-minute flow files average ~15 to 20 MB in size. During a recent inbound Denial-of-Service attack consisting of 40-byte TCP SYN packets with random source addresses and port numbers, I've seen a single "5-minute" flow file greater than 500MB! Even on our fast machine, that single file took hours to process. Surely YMMV, currently a 35GB file-system allows us to preserve `gzip(1)'ped flow files for about 2 weeks. * Network Interface Card Regarding the host machine configuration, consider the amount of traffic that may be exported from your Cisco(s) to your collector machine if you have enabled `ip route-cache flow' on very many fast interfaces. With lots of exported flow data (e.g. 15-20 MB of raw flow file data every 5 minutes) and only a 10 Mb/s ethernet NIC, I found that the host was dropping some of the incoming UDP packets, even though the rate of incoming flows was less than 2 Mb/s. This was evidenced by a constantly-increasing number of `udpInOverflows' in the `netstat -s' output under Solaris. I addressed this by reconfiguring my hosts with a 100 Mb/s fast ethernet NIC or 155 Mb/s OC-3 ATM LANE interface and have not seen that problem since. Of course, one should assure that the requisite bandwidth is available along the full path between the exporting Cisco(s) and the collecting host. Software Requirements The packages and perl modules required by FlowScan are numerous. Their presence or absence will be detected by FlowScan's configure script but you'll save yourself some frustration by getting ahead of the game by collecting and installing them first. Below, I've attempted to present them in a reasonable order in which to obtain, build, and install them. * arts++ arts++ is required by cflowd and is available at: ftp://ftp.caida.org/pub/arts++/ As of arts++-1-1-a5, the arts++ build appears to require GNU make 3.79 because its Makefiles use glob for header dependencies, e.g. "*.hh". From my cursory look at the GNU make ChangeLog, perhaps any version >= 3.78.90 will suffice. Also there may be trouble if you don't have flex headers installed in your "system" include directory, such as "/usr/include", even though "configure.in" appears to be trying to handle this situation. Since mine were in the "local" include directory, I hand-tweaked the classes/src/Makefile's ".cc.o" default rule to include that directory as well. * cflowd patch My patches are available at: http://net.doit.wisc.edu/~plonka/cflowd/?M=D Obtain the patch or patches which apply to the version of cflowd that you intend to run and apply it to cflowd before building cflowd below. * cflowd cflowd itself is available at: http://www.caida.org/tools/measurement/cflowd/ ftp://ftp.caida.org/pub/cflowd/ In my experience with building cflowd, you're the most likely to have success in a GNU development environment such as that provided with GNU/Linux or FreeBSD. I have not had problems building the patched `cflowd-2-1-a9' or `cflowd-2-1-a6' under Debian Linux 2.2. I've also managed to build the patched cflowd-2-1-a6 with gcc-2.95.2 and binutils-2.9.1 on a sparc-sun-solaris2.6 machine with GNU make 3.79 and flex-2.5.4. As of cflowd-2-1-a6, beware that during the build may pause for minutes while as(1) uses lots of CPU and memory to building "CflowdCisco.o". This is apparenly `normal'. Also, the build appears to be subtley reliant on GNU ld(1), which is available in the GNU "binutils" package. (I was unable to build cflowd-2-1-a6 with the sparc-sun-solaris2.6 "/usr/ccs/bin/ld" although earlier cflowd releases built fine with it.) * perl 5 If you don't have this already, you're probably way over your head, but anyway, check out the Comprehensive Perl Archive Network (CPAN): http://www.cpan.org/ and: http://www.perl.com/ I've tested with perl 5.004, 5.005, and 5.6.0. If you'd like to upgrade to perl 5.6.0 you can install it thusly: # perl -MCPAN -e shell cpan> install G/GS/GSAR/perl-5.6.0.tar.gz However, I suggest you don't install it in the same place as your existing `perl'. * Korn shell `ksh' is used as the `SHELL' in the Makefile for the graphs. `pdksh' works fine too. If for some reason you don't already have `ksh', check out: http://www.kornshell.com/ or: http://www.math.mun.ca/~michael/pdksh/ If you're using GNU/Linux, `pdksh' is available as an optional binary package for various distributions. * RRDTOOL This package is available at: http://ee-staff.ethz.ch/~oetiker/webtools/rrdtool/ I recommend that you install `rrdtool' from source, even if it is available as an optional binary package for operating system distribution. This is because FlowScan expects that you've built and installed RRDTOOL something like this: $ ./configure --enable-shared $ make install site-perl-install That last bit is important, since it makes the `rrdtool' perl modules available to all perl scripts. * Perl Modules * `RRDs' This is the shared-library perl module supplied with `rrdtool'. (See above.) * `Boulder' The Boulder distribution includes the Boulder::Stream module and its prerequisites. They are available on CPAN in the "Boulder" distribution. You can install them using the CPAN shell like this: # perl -MCPAN -e shell cpan> install Boulder::Stream If you want to fetch it manually you can probably find it at: http://search.cpan.org/search?dist=Boulder I've tested with the modules supplied in the Boulder- 1.18 distribution and also those in the old "boulder.tar.gz" distribution. * `ConfigReader::DirectiveStyle' The ConfigReader package is available on CPAN. You can install it using the CPAN shell like this: # perl -MCPAN -e shell cpan> install ConfigReader::DirectiveStyle If you want to fetch it manually you can probably find it at: http://search.cpan.org/search?dist=ConfigReader I'm using ConfigReader-0.5. * `HTML::Table' The HTML::Table package is available on CPAN. You can install it using the CPAN shell like this: # perl -MCPAN -e shell cpan> install HTML::Table If you want to fetch it manually you can probably find it at: http://search.cpan.org/search?dist=HTML-Table * `Net::Patricia' This is a new module which I have uploaded to PAUSE, but it not have entered CPAN yet. You can try to install it using the CPAN shell like this: # perl -MCPAN -e shell cpan> install Net::Patricia If `Net::Patricia' is not found on CPAN, you can obtain it here: http://net.doit.wisc.edu/~plonka/Net-Patricia/ * `Cflow' This perl module is used by FlowScan to read the raw flow files written by cflowd. It is available at: http://net.doit.wisc.edu/~plonka/Cflow/ You'll need Cflow-1.024 or greater. * FlowScan This package is available at: http://net.doit.wisc.edu/~plonka/FlowScan/ Configuring FlowScan Prerequisites Choose a User to Run cflowd and FlowScan I recommend that you create a user just for the purpose of running these utilities so that all directory permissions and created file permissions are consistent. You may find this useful especially if you have multiple network engineers accessing the flows. I suggest that the FlowScan `--prefix' directory be owned by an appropriate user and group, and that the permissions allow write by other members of the group. Also, turn on the set-group-id bit on the directory so that newly created files (such as the flow files and log file) will be owned by that group as well, e.g.: user$ chmod g+ws $PREFIX Configuring Your Host The current FlowScan graphing stuff likes your machine to have the `80/tcp' service to be called `http'. Try running this command: $ perl -le "print scalar(getservbyport(80, 'tcp'))" You can continue with the next step if this command prints `http'. However, if it prints some other value, such as `www', then I suggest you modify your /etc/services file so that the line containing `80/tcp' looks something like this: http 80/tcp www www-http #World Wide Web HTTP Be sure to leave the old name such as `www' as an "alias", like I've shown here. This will reduce the risk of breaking existing applications which may refer to the service by that name. If you decide not to modify the service name in this way, FlowScan should still work, but you'll be on your own when it comes to producing graphs. Configuring Your Ciscos First and foremost, to get useful flow information from your Cisco, you'll need to enable flow-switching on the appropriate ingress interfaces using this interface-level configuration statement: ip route-cache flow Also, I suggest that you export from your Cisco like this: ip flow-export version 5 peer-as ip flow-export destination 10.0.0.1 2055 Of course the IP address and port are determined by your cflowd.conf. To help ensure that flows are exported in a timely fashion, I suggest you also do this if your IOS version supports it: ip flow-cache timeout active 1 Some IOS versions, e.g. 12.0(9), use this syntax instead: ip flow-cache active-timeout 1 unless you've specified something such as `downward-compatible- config 11.2'. Lastly, in complicated environments, choosing which particular interfaces should have `ip route-cache flow' enabled is somewhat difficult. For FlowScan, one usually wants it enabled for any interface that is an ingress point for traffic that is from inside to outside or vice-versa. You probably don't want flow- switching enabled for interfaces that carry policy-routed traffic, such as that being redirected transparently to a web cache. Otherwise, FlowScan could count the same traffic twice because of multiple flows being reported for what was essentially the same traffic making multiple passes through a border router. E.g. user-to-webcache, webcache-to-outside world (on behalf of that user). Configuring cflowd This document does not attempt to explain cflowd. There is good documentation provided with that package. As for the tweaks necessary to get cflowd to play well with FlowScan, hopefully, an example is worth a thousand words. My cflowd.conf file looks like this: OPTIONS { LOGFACILITY: local6 TCPCOLLECTPORT: 2056 TABLESOCKFILE: /home/whomever/cflowd/etc/cflowdtable.socket FLOWDIR: /var/local/flows FLOWFILELEN: 1000000 NUMFLOWFILES: 10 MINLOGMISSED: 300 } CISCOEXPORTER { HOST: 10.0.0.10 ADDRESSES: { 10.42.42.10, } CFDATAPORT: 2055 # COLLECT: { flows } } COLLECTOR { HOST: 127.0.0.1 AUTH: none } And I invoke the *patched* cflowd like this: user$ cflowd -s 300 -O 0 -m /path/to/cflowd.conf Those options cause a flow file to be "dropped" every 5 minutes, skipping flows with an output interface of zero unless they are multicast flows. Once you have this working, your ready to continue. Configuring FlowScan Configure and Install Do not use the same `--prefix' value as might for other packages! I.e. don't use /usr/local or a similar directory in which other things are installed. This prefix should be the directory where the patched cflowd has been configured to write flow files. A good way to avoid doing something dumb here is to not run FlowScan's `configure' nor `make' as root. user$ ./configure --help # note --with-... options e.g.: user$ ./configure --prefix=/var/local/flows user$ make user$ make -n install user$ make install By the way, in the above commands, all is OK if make says "`Nothing to be done for `target''". As long as `make' completes without an error, all is OK. Subsequently in this document the "prefix" directory will be referred to as the "`--prefix' diretory" or using the environment variable `$PREFIX'. FlowScan does not require or use this environment variable, it's just a documentation convention so you know to use the directory which you passed as with `-- prefix'. Create the Output Directory The `OutputDir' is where the `.rrd' files and graphs will reside. As the chosen FlowScan user do: $ PREFIX=/var/local/flows $ mkdir -p $PREFIX/graphs Then, when you edit the `.cf' files below, be sure to specify this using the `OutputDir' directive. FlowScan Configuration Files The FlowScan Package ships with sample configuration files in the `cf' sub-directory of the distribution. During initial configuration you will copy and sometimes modify these sample files to match your network environent and your purposes. FlowScan looks for its configuration files in its `bin' directory - i.e. the directory in which the `flowscan' perl script *and* FlowScan report modules are installed. I don't really like this, but that's the way it is for now. Forgive me. FlowScan currently uses two kinds of cofiguration files: 1 Directive`-s'tyle configuration files, with the `.cf' extension This format should be relatively self-explanatory based on the sample files referenced below. The directives are documented in comments within those sample configuration files. A number of the directorives have paths to directory entries as their values. One has a choice of configuring these as either relative or absolute paths. The samples configuration files ship with relative path specifications to minimize the changes a new user must make. However, in this configuration, it is imperitive that `flowscan' be run in the `--prefix' directory if these relative paths are used. 2 "Boulder IO" format files, with the `.boulder' extension I've chosen Boulder IO's "semantic free data interchange format" to use for related projects, and since this is the format in which our subnet definitions were available, I continued to use it. If you're new to "Boulder IO", the examples referenced below should be sufficient. Remember that lines containing just `=' are record seperators. For complete information on this format, do: $ perldoc Boulder # or "perldoc bolder" if that fails Here's a step-by-step guide to installing, reviewing, and editing the FlowScan configuration files: * Copy and Edit flowscan.cf $ cp cf/flowscan.cf $PREFIX/bin $ chmod u+w $PREFIX/bin/flowscan.cf $ # edit $PREFIX/bin/flowscan.cf * Decide which FlowScan Reports to Run The FlowScan package contains the `CampusIO' and `SubNetIO' reports. These two reports are mutually exclusive - `SubNetIO' does everything that `CampusIO' does, and more. Initially, in flowscan.cf I strongly suggest you configure: ReportClasses CampusIO rather than: ReportClasses SubNetIO The `CampusIO' report class is simpler than `SubNetIO', requires less configuration, and is less CPU/processing intensive. Once you have the `CampusIO' stuff working, you can always go back and configure `flowscan' to use `SubNetIO' instead. There is POD documentation provided with the `CampusIO' and `SubNetIO' reports. Please use that as the definitive reference on configuration options for those reports, e.g.: $ cd bin $ perldoc CampusIO * Copy and Edit CampusIO.cf Copy the template to the bin directory. Adjust the values using the required and optional configuration directives documented there-in. The most important thing to consider configuring in CampusIO.cf is the method by which `CampusIO' should identify outbound flows. In order of preference, you should define `NextHops', or `OutputIfIndexes', or neither. Beware that if you define neither, CampusIO will resort to using the flow destination address to determine whether or not the flow is outbound. This can be troublesome if you do not accurately define your local networks (below), since flows forwarded to any non-local addresses will be considered outbound. If possible, it's best to define the list of `NextHops' to which you know your outbound traffic is forwarded. For most purposes, the default values for the rest of the `CampusIO' directives should suffice. For advanced users that export from multiple Ciscos to the same cflowd/FlowScan machine, it is also very important to configure `LocalNextHops'. * Copy and Edit local_nets.boulder Copy the template to the bin directory. This file should be referenced in CampusIO.cf by the `LocalSubnetFiles' directive. The local_nets.boulder file must contain a list of the networks or subnets within your organization. It is imperative that this file is maintained accurately since flowscan will use this to determine whether a given flow represents inbound traffic. You should probably specify the networks/subnets in as terse a way as possible. That is, if you have two adjacent subnets that can be coallesced into one specification, do so. (This is differnet than the similarly formatted our_subnets.boulder file mentioned below.) The format of an entry is: SUBNET=10.0.0.0/8 [TAG=value] [...] Technically, `SUBNET' is the only tag required in each record. You may find it useful to add other tags such as `DESCRIPTION' for documentation purposes. Entries are seperated by a line containing a single `='. FlowScan identifies outbound flows based on the list of nexthop addresses that you'll set up below. * Copy and Edit Napster_subnets.boulder (*if* referenced in CampusIO.cf) Note: if you do not wish to have `CampusIO' attempt to identify Napster traffic, be sure to comment out all Napster related option in CampusIO.cf. Copy the template to the bin directory from which you will be running `flowscan'. The supplied content seems to work well as of this writing (Mar 10, 2000). No warranties. Please let me know if you have updates regarding Napster IP address usage, protocol, and/or port usage. The file Napster_subnets.boulder should contain a list of the networks/subnets in use by Napster, i.e. `napster.com'. As of this writing, more info on Napster can be found at: http://napster.cjb.net/ http://opennap.sourceforge.net/napster.txt http://david.weekly.org/code/napster-proxy.php3 * Copy and Edit SubNetIO.cf (*if* you have selected it in your `ReportClasses') Copy the template to the bin directory from which you will be running flowscan. Adjust the values using the required and optional configuration directives documented there-in. For most purposes, the default values should suffice. * Copy and Edit our_subnets.boulder (*if* you use `ReportClasses SubNetIO') Copy the template to the bin directory. This file is used by the `SubNetIO' report class, and therefore is only necessary if you have defined `ReportClasses SubNetIO' rather than `ReportClasses CampusIO'. The file our_subnets.boulder should contain a list of the subnets on which you'd like to gather I/O statistics. You should format this file like the aforementioned local_nets.boulder file. However, the `SUBNET' tags and values in this file should be listed exactly as you use them in your network: one record for each subnet. So, if you have two subnets, with different purposes, they should have seperate entries even if they are numerically adjacent. This will enable you to report on each of those user populations independently. For instance: SUBNET=10.0.1.0/24 DESCRIPTION=power user subnet = SUBNET=10.0.2.0/24 DESCRIPTION=luser subnet Preserving "Old" Flow Files If you'd like to have FlowScan save your flow files, make a sub- directory named saved in the directory where flowscan has been configured to look for flow files. This has been specified with the `FlowFileGlob' directive in flowscan.cf and is usually the same directory that is specified using the `FLOWDIR' directive in your cflowd.conf. If you do this, flowscan will move each flow file to that saved sub-directory after processing it. (Otherwise it would simply remove them.) e.g.: $ mkdir $PREFIX/saved $ touch $PREFIX/saved/.gzip_lock The .gzip_lock file created by this command is used as a lock file to ensure that only one cron job at a time. Be sure to set up a crontab entry as is mentioned below in the section on "Final Setup". I.e. don't complain to the author if you're saving flows and your file-system fills up ;^). Testing FlowScan Once you have the patched cflowd running with the `-s 300' option, and it has written at least one time-stamped flow file (i.e. other than flows.current), try this: $ cd /dir/containing/your/time-stamped/raw/flow/files $ flowscan The output should appear as something like this: Loading "bin/Napster_subnets.boulder" ... Loading "bin/local_nets.boulder" ... 2000/03/20 17:01:04 working on file flows.20000320_16:57:22... 2000/03/20 17:07:38 flowscan-1.013 CampusIO: Cflow::find took 394 wallclock secs (350.03 usr + 0.52 sys = 350.55 CPU) for 23610455 flow file bytes, flow hit ratio: 254413/429281 2000/03/20 17:07:41 flowscan-1.013 CampusIO: report took 3 wallclock secs ( 0.44 usr + 0.04 sys = 0.48 CPU) sleep 300... At this point, the RRD files have been created and updated as the flow files are processed. If not, you should use the diagnostic warning and error messages or the perl debugger (`perl -d flowscan') to determine what is wrong. Look at the above output carefully. It is imperative that the number of seconds that `Cflow::find took' not usually approach nor exceed 300. If, as in the example above, your log messages indicate that it took more than 300 seconds, FlowScan will not be able to keep up with the flows being collected on this machine (if the given flow file is representative). If the total of usr + sys CPU seconds totals more than 300 seconds, than this machine is not even capable of running FlowScan fast enough, and you'll need to run it on a faster machine (or tweak the code, rewrite in C, or mess with process priorities using nice(1), etc.) Performance Problems? Here are some hints on getting the most out of your hardware if you find that FlowScan is processing 300 seconds of flows in less an averave of 300 CPU seconds or less, but not 300 seconds of real time; i.e. the `flowscan' process is not being scheduled to run often enough because of context switching or because of its competing for CPU with too many other processes. On a 2 processor Intell PIII, to keep `flowscan' from having to compete with other processes for CPU, I have recently had good luck with setting the `flowscan' process' `nice(1)' value to - 20. Furthermore, I applied this experimental patch to the Linux 2.2.18pre21 kernel: http://isunix.it.ilstu.edu/~thockin/pset/ This patch enables users to determine which processor or set of processors a process may run on. Once applied, you can reserve the 2nd processor solely for use by `flowscan': root# mpadmin -r 1 Then launch `flowscan' on processor number 1: root# /usr/bin/nice --20 /usr/bin/runon 1 /usr/bin/su - username -c '/usr/bin/nohup /var/local/flows/bin/flowscan -v' >> /var/local/flows/flowscan.log 2>&1 ] [width=x] [height=y] [ioheight=y+n] [hours=h] [tag=_tagval] [events=public_events.txt] [organization='Foobar U - Springfield Campus'] as in: $ make -f graphs.mf filetype=gif height=400 hours=24 io_services_bits.gif Adding Events to Graphs There is a new graphing feature which allows you to specify events that should be displayed in your graphs. These events are simply a list of points in time at which something of interest occurred. For instance, one could create a plain text file in the graphs directory called events.txt containing these lines: 2001/02/10 1538 added support for events to FlowScan graphs 2001/02/12 1601 allowed the events file to be named on make command line Then to generate the graphs with those events included one might run: $ make -f graphs.mf events=events.txt This feature was implemented using a new script called event2vrule that is supplied with FlowScan. This script is meant to be used as a "wrapper" for running rrdtool(1), similarly to how one might run nohup(1). E.g.: $ event2vrule -h 48 events.txt rrdtool graph -s -48h ... That command will cause these `VRULE' arguments to be passed to rrdtool, at the end of the argument list: COMMENT:\n VRULE:981841080#ff0000:2001/02/10 1538 added support for events to FlowScan graphs COMMENT:\n VRULE:982015260#ff0000:2001/02/12 1601 allowed the events file to be named on make command line COMMENT:\n Custom Graphs Creation of other graphs will require the use of a tool such as RRGrapher or knowledge of RRDTOOL. RRGrapher, my Graph Construction Set for RRDTOOL is available at: http://net.doit.wisc.edu/~plonka/RRGrapher/ For other custom graphs, if you use the supplied graphs.mf Makefile, you can use the examples there in to see how to build "Campus I/O by Network" and "AS to AS" graphs. The examples use UW-Madison network numbers, names of with which we peer and such, so it will be non-trivial for you to customize them, but at least there's an example. Currently, RRD files for the configured `ASPairs' contain a `:' in the file name. This is apparently a no-no with RRDTOOL since, although it allows you create files with these names, it doesn't let you graphs using them because of how the API uses `:' to seperate arguments. For the time being, if you want to graph AS information, you must manually create symbolic links in your graphs sub-dir. i.e. $ cd graphs $ ln -s 0:42.rrd Us2Them.rrd $ ln -s 42:0.rrd Them2Us.rrd A reminder for me to fix this is in the TODO list. Future Directions for Graphs The current Makefile-based graphing, while coherent, is cumbersome at best. I find that the verbosity and complexity of adding new graph targets to the Makefile makes my brain hurt. Other RRDTOOL front-ends that produce graphs should be able to work with FlowScan-generated `.rrd' files, so there's hope. Copyright and Disclaimer Note that this document is provided `as is'. The information in it is not warranted to be correct. Use it at your own risk. Copyright (c) 2000-2001 Dave Plonka . All rights reserved. This document may be reproduced and distributed in its entirety (including this authorship, copyright, and permission notice), provided that no charge is made for the document itself.