• NAME
• DESCRIPTION
• Announcement
• Changes in FlowScan-1.006 (since FlowScan-1.005)
• Availability
• Mailing Lists
• FlowScan Resources
• Contributors
• Thanks
• Copyright and Disclaimer

NAME

DESCRIPTION

This document is the FlowScan README $Revision: 1.10 $, $Date: 2001/02/28 21:50:17 $.

Announcement

Amonst many other things, FlowScan can measure and graph traffic for applications such as Napster. A sample of what FlowScan can do is at:

   http://wwwstats.net.wisc.edu

Changes in FlowScan-1.006 (since FlowScan-1.005)

• The CampusIO and SubNetIO reports were enhanced with a new optional configuration directive: TopN. When defined, this directive causes ``Top Talker'' reports to be produced. These HTML reports contain the most active (i.e. ``top'') source and destination addresses.

• The CampusIO and SubNetIO reports were enhanced to record the number of local IP addresses that where active for each network and subnet into the RRD files. This enables users to estimate the number of active hosts hosts over time, detect ``scans'' which systematically sweep across network address space, and to calculate the average bytes, packets, and flows per host.

• The template Makefile used to produce the graphs was enhanced to allow the inclusion of ``events'' in the graphs, similarly to what can be done with Cricket. This allows you to label events such as configuration changes and outages to discover correlations with traffic measurement.

• Two new utilities suitable for stand-alone use, are included. <kbd>ip2hostname</kbd> converts IP addresses to their respective hostnames. <kbd>event2vrule</kbd> adds ``events'' to rrdtool graphs.

• Added support for LFAP (Lightweight Flow Accouting Protocol) used by Riverstone and Enterasys (formerly Cabletron) routers. This currently requires slate (from http://www.nmops.org) and lfapd by Steven Premeau <premeau@uwp.edu>. lfapd produces time-stamped raw flow files in the same cflowd-defined format that is processed by FlowScan.

• Added the ability for the CampusIO report to identify outbound flows based solely on the flow's destination IP address. While this is less trustworthy than using NextHops or OutputIfIndexes, it is now the default and will be useful for environments where the flow nexthop or output ifIndex values are not meaningful.

• The CampusIO report contains a new experimental feature which reads a BGP routing table, and therefore can determine which Autonomous systems source, transit, or sink most of your institution's traffic. The CampusIO report was enhanced with new optional configuration directives: BGPDumpFile, TopN, ReportPrefixFormat. When properly defined, these directives cause CampusIO to create tabular HTML reports named {origin|path}_{in|out}.html under OutputDir after analyzing each raw flow file. These reports show the ``top'' Autonomous Systems with which your site exchanges traffic.

• A WebProxyIfIndex directive was added to the CampusIO report. This allows one to specify the index of the interface to which HTTP traffic is being transparently redirected. This enables FlowScan to properly count HTTP flows even though NetFlow v5 does not accurately report the nexthop value for flows which are transparently redirected via a Cisco route-map.

• CampusIO now contains a fix for a bug introduced in FlowScan-1.005 which would sometimes cause perl to abort with this message:

     patricia.c:645: patricia_lookup: Assertion `prefix' failed.
  

  This would happen if the NextHops or LocalNextHops were specified by name rather than IP address. It also would happen if the boulder SUBNET values were specified incorrectly.

Availability

   http://net.doit.wisc.edu/~plonka/FlowScan/

Mailing Lists

• flowscan a general mailing list for FlowScan users.

• flowscan-announce a low-volume, restricted post mailing list to keep FlowScan users informed of news regarding FlowScan.

   http://net.doit.wisc.edu/~plonka/list/flowscan

and:

   http://net.doit.wisc.edu/~plonka/list/flowscan-announce

Announcements will be ``cross-posted'' to both lists, so there's no need to join both.

These lists are hosted by the Division of Information Technology's Network Engineering Technology group at the University of Wisconsin - Madison. To subscribe to either of them, send email to:

   majordomo@net.doit.wisc.edu

containing either:

   subscribe flowscan

or:

   subscribe flowscan-announce

You should receive an automatic response that will request that you verify your request to become a member of the list, to which you must reply with the authentication information there-in. Then, in response to your reply, you should receive a welcome message. If you have any questions about the administrative policies of this list's manager, please contact:

   owner-flowscan@net.doit.wisc.edu

or:

   owner-flowscan-announce@net.doit.wisc.edu

FlowScan Resources

   http://www.caida.org/tools/utilities/flowscan/

Paper - ``FlowScan: A Network Traffic Flow Reporting and Visualization Tool'':

   HTML:       http://net.doit.wisc.edu/~plonka/lisa/FlowScan/
   PostScript: http://net.doit.wisc.edu/~plonka/lisa/FlowScan/out.ps.gz

   http://www.caida.org/tools/utilities/flowscan/

LISA XIV (New Orleans, Dec. 2000) Presentation:

   http://net.doit.wisc.edu/~plonka/lisa/FlowScan/presentation/

NANOG 21 (Atlanta, Feb. 2001) Presentation:

   http://www.nanog.org/mtg-0102/plonka.html
   http://net.doit.wisc.edu/~plonka/nanog/

Other:

   http://wwwstats.net.wisc.edu
   http://net.doit.wisc.edu/data/Napster/
   http://net.doit.wisc.edu/data/flow/size/

Contributors

   Alexander Kunz <Alexander.Kunz@nextra.de>
   Kevin Gannon <kevin@gannons.net>
   John Payne <john@sackheads.org>
   Michael Hare <Michael.Hare@doit.wisc.edu>
   Steven Premeau <premeau@uwp.edu>

Thanks

Also, thanks to Daniel McRobb, Tobi Oetiker, and CAIDA for providing the main tools upon which FlowScan is built, namely ``cflowd'' and ``RRDTOOL''.

Copyright and Disclaimer

   Copyright (c) 2000-2001 Dave Plonka <plonka@doit.wisc.edu>.
   All rights reserved.

This document may be reproduced and distributed in its entirety (including this authorship, copyright, and permission notice), provided that no charge is made for the document itself.