
List:       flowscan
Subject:    RE: 100% Multicast
From:       "Robert S. Galloway" <securityguy () ikano ! com>
Date:       2004-09-13 18:49:37
Message-ID: 20040913124940.SM02784 () pendleton

You probably need to add more Subnet statements to cover all of your local
subnets. This is how FlowScan determines what is coming in and going out.

Thanks,

Robert S. Galloway
Chief Network Security Engineer
IKANO Communications
Network Operations Department
...the team behind the machines


-----Original Message-----
From: majordomo listserver [mailto:majordomo@mil.doit.wisc.edu] On Behalf Of
fatih ayvaz
Sent: Monday, September 13, 2004 10:44 AM
To: Robert S. Galloway; flowscan@net.doit.wisc.edu
Subject: RE: 100% Multicast

My current settings can be seen below. What am I
actually supposed to set for the Subnet directive? I
tried the 0.0.0.0/0 and got the same... Thanks
[root@necromancer netflow]# more bin/CUFlow.cf
# These are the subnets in our network
# These are used only to determine whether a packet is inbound our
# outbound
Subnet 10.9.7.0/24
#Subnet 0.0.0.0/0

# These are networks we are particularly interested in, and want to
# get separate rrd's for their aggregate traffic
Network 10.11.10.0/24 routers

# Where to put the rrd's
# Make sure this is the same as $rrddir in CUGrapher.pl
#OutputDir /cflow/reports/rrds
OutputDir /var/netflow/rrds

# Track multicast traffic
Multicast

# Keep top N lists
# Show the top ten talkers, storing reports in /cflow/flows/reports
# and keeping the current report in /etc/httpd/data/reports/topten.html
#Scoreboard 10 /cflow/reports/scoreboard /var/www/html/topten.html
Scoreboard 10 /var/netflow/scoreboard /var/www/html/topten.html

# Same, but build an over-time average top N list
AggregateScore 10 /var/netflow/rrds/agg.dat /var/www/html/overall.html

# Our two netflow exporters. Produce service and protocol reports for the
# total, and each of these.
Router 10.11.10.X ANKARA_7507
 
# Services we are interested in
Service 20-21/tcp ftp
Service 22/tcp ssh
Service 23/tcp telnet
Service 25/tcp smtp
Service 53/udp,53/tcp dns
Service 80/tcp http
Service 110/tcp pop3
Service 119/tcp nntp
Service 143/tcp imap
Service 412/tcp,412/udp dc
Service 443/tcp https
Service 1214/tcp kazaa
Service 4661-4662/tcp,4665/udp edonkey
Service 5190/tcp aim
Service 6346-6347/tcp gnutella
Service 6665-6669/tcp irc
Service 54320/tcp bo2k
Service 7070/tcp,554/tcp,6970-7170/udp real
 
# protocols we are interested in
Protocol 1 icmp
Protocol 4 ipinip
Protocol 6 tcp
Protocol 17 udp
Protocol 47 gre
Protocol 50 esp
Protocol 51 ah
Protocol 57 skip
Protocol 88 eigrp
Protocol 169
Protocol 255
 
# ToS bit percentages to graph
TOS 0 normal
TOS 1-255 other
 
# Interested in traffic to/from AS 1
#ASNumber 1 Genuity

--- "Robert S. Galloway" <securityguy@ikano.com>
wrote:

> You are using the CUFlow report module. Most likely
> you are getting a 0 hit
> count because you have not specified your local
> subnets with the "Subnet"
> directive in the CUFlow.cf config file.
> 
> Thanks,
> 
> Robert S. Galloway
> Chief Network Security Engineer
> IKANO Communications
> Network Operations Department
> ...the team behind the machines
> 
> 
> -----Original Message-----
> From: majordomo listserver
> [mailto:majordomo@mil.doit.wisc.edu] On Behalf Of
> fatih ayvaz
> Sent: Monday, September 13, 2004 9:44 AM
> To: flowscan@net.doit.wisc.edu
> Subject: Re: 100% Multicast
> 
> Also note the following: (it says "0" hit, why?)
> 2004/09/13 18:20:12 flowscan-1.020 CUFlow: Cflow::find took  0 wallclock secs ( 0.04 usr +  0.00 sys =  0.04 CPU) for 10967 flow file bytes, flow hit ratio: 0/710
> 
> --- fatih ayvaz <fayvaz77@yahoo.com> wrote:
> 
> > Hi,
> > Flowscan and flow-capture services seem to be running
> > properly but the graph shows only multicast traffic.
> > And the utilization is 110 bits/sec. But, for real the
> > util is about 200 Kbps.
> > There should be something which picks the multicast
> > and ignores the others.
> > Where shall I look? Thanks.
> > Fatih

--
Help        mailto:majordomo@net.doit.wisc.edu and say "help" in message body
Unsubscribe mailto:majordomo@net.doit.wisc.edu and say
"unsubscribe flowscan" in message body
Archive     http://net.doit.wisc.edu/~plonka/list/flowscan/archive/
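
Added example (not part of the original thread and not CUFlow's own code): a simplified model of the direction test described in the reply above, run against the posted Subnet line and a few constructed flows, to show how flows outside every Subnet are left unclassified and which prefixes to consider adding. The match order (multicast, then source, then destination), the function names and the sample addresses are assumptions.

```python
import ipaddress
from collections import Counter

MCAST = ipaddress.ip_network("224.0.0.0/4")

def parse_subnets(cf_text):
    """Return the networks named on uncommented 'Subnet <cidr>' lines."""
    nets = []
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "Subnet":
            nets.append(ipaddress.ip_network(parts[1]))
    return nets

def classify(src, dst, subnets):
    """Assumed order: multicast destination, source match, destination match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in MCAST:
        return "multicast"
    if any(s in n for n in subnets):
        return "out"
    if any(d in n for n in subnets):
        return "in"
    return "miss"  # neither end is in a Subnet: direction unknown

def report(flows, subnets, prefixlen=24):
    """Count flows per class and tally the prefixes seen in missed flows."""
    counts, missed = Counter(), Counter()
    for src, dst in flows:
        kind = classify(src, dst, subnets)
        counts[kind] += 1
        if kind == "miss":
            for addr in (src, dst):
                net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
                missed[net] += 1
    return counts, missed

CF = "Subnet 10.9.7.0/24\n#Subnet 0.0.0.0/0\n"  # Subnet lines as posted
FLOWS = [  # constructed (src, dst) pairs, not taken from the thread
    ("10.9.8.15", "192.0.2.10"), ("192.0.2.10", "10.9.8.15"),
    ("10.9.8.22", "198.51.100.7"), ("10.9.9.3", "192.0.2.10"),
    ("10.9.7.1", "224.0.0.5"),
]

if __name__ == "__main__":
    counts, missed = report(FLOWS, parse_subnets(CF))
    print(dict(counts))
    for net, n in missed.most_common():
        print(f"seen in unclassified flows: {net} ({n} endpoints)")
```

The tally lists remote prefixes as well as local ones; only the prefixes that are actually yours belong in Subnet statements.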