[c-nsp] [j-nsp] src_ASN and dest_ASN in Netflow record
Rubens Kuhl Jr.
rubensk at gmail.com
Mon Apr 3 12:04:06 EDT 2006
> How will the router insert SRC_ASN and Dest_ASN when a
> packet is forwarded according to default route?
As others have told you, you won't have ASN information from the
router in such a scenario. But you can use published routing tables to
mark netflow records with the AS and then perform traffic analysis.
1. Grab an origin AS table; I used Route-Views originas file from
http://archive.routeviews.org/dnszones/originas.zone.bz2, and
simplified it using the following command-line:
$ bzcat originas.zone.bz2 | awk -F\" '/^[^@].*\"/ { print $2,$4,$6 }' | uniq > originas.txt
2. Process the flow records with a script that uses the originas.txt
file to mark both origin and destination AS, like the flow-asn.pl I
wrote. Sample usage:
$ flow-cat ft-v05.2001-05-01.* | flow-export -f 2 | grep -v \# | \
  ./flow-asn.pl | flow-import -V5 -z0 -f2 | flow-report -v \
  TYPE=source-as -v SORT=+octets -v OPTIONS=+percent-total,+names
All other flow* tools are from original flow-tools distribution. To
write flow-asn.pl I adapted a similar script by Kristian Larsson
(http://insomnia.juniks.net/~kll/sflow1) that used sFlow and did its
own accounting of flow records, but I preferred to grow on the
flow-tools package which already has lots of interesting tools.
It has been only tested on batch analysis, although I think it would
also work on a live feed of flow records; for such a use you might
consider converting this Perl script to C (which also has Patricia trie
libraries available), though.
Rubens
flow-asn.pl
------------------------- cut here -----------------------
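#!/usr/bin/perl
# Tags flow-export ASCII records read from STDIN with origin AS numbers
# looked up in originas.txt by longest-prefix match.
use Net::Patricia;
my $pt = new Net::Patricia;
# Origin prefixes by ASNs
print STDERR "Loading prefix file into memory... ";
open(my $fil, "<", "originas.txt") or die "cannot open originas.txt: $!\n";
@db = <$fil>;
close($fil);
print STDERR "done.\n";
print STDERR "Creating data structure... ";
foreach $rrow (@db) {
    # Each row is "AS network masklen"
    my ($rAS, $rnet, $rmask) = split(/\s+/, $rrow);
    $pt->add_string("$rnet/$rmask", $rAS);
}
print STDERR "done.\n";
while (<STDIN>) {
    chomp;
    @row = split(",");
    # Columns 10/11 hold the source/destination address, 22/23 receive the AS.
    # Write 0 when no prefix in the table covers the address.
    $row[22] = $pt->match_string($row[10]) || 0;
    $row[23] = $pt->match_string($row[11]) || 0;
    print join(",", @row) . "\n";
}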
---------------- cut here ----------------------
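
The lookup the script delegates to Net::Patricia, written out as an added example (not part of the original post or of flow-tools): a plain binary trie in Python doing longest-prefix match, so a more-specific prefix overrides its covering prefix and uncovered addresses stay AS 0. The originas rows and flow records are constructed sample data, and the column indexes 10, 11, 22 and 23 are taken from the script above.

```python
import ipaddress

# Constructed rows in the originas.txt layout from step 1: "AS network masklen".
ORIGINAS = """\
64500 198.51.100.0 24
64501 198.51.100.128 25
64502 203.0.113.0 24
"""

# Constructed flow-export records with both AS columns still 0,
# as exported when the packets followed a default route.
FLOWS = [
    "1146000000,0,1000,192.0.2.1,10,5000,900,950,0,0,198.51.100.200,203.0.113.9,0.0.0.0,1,2,40000,80,6,0,27,0,0,0,0",
    "1146000001,0,1001,192.0.2.1,3,180,960,970,0,0,198.51.100.7,192.0.2.55,0.0.0.0,1,2,40001,53,17,0,0,0,0,0,0",
]

def build_trie(text):
    """Build a binary trie; each node is [child0, child1, origin AS or None]."""
    root = [None, None, None]
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed rows
        asn, net, mask = parts
        bits, node = int(ipaddress.IPv4Address(net)), root
        for i in range(int(mask)):
            b = (bits >> (31 - i)) & 1
            if node[b] is None:
                node[b] = [None, None, None]
            node = node[b]
        node[2] = asn  # a later row for the same prefix overwrites an earlier one
    return root

def lookup(root, addr):
    """Return the AS of the longest covering prefix, or "0" if there is none."""
    bits, node, best = int(ipaddress.IPv4Address(addr)), root, root[2]
    for i in range(32):
        node = node[(bits >> (31 - i)) & 1]
        if node is None:
            break
        if node[2] is not None:
            best = node[2]  # deeper match, so a more specific prefix
    return best or "0"

def tag(root, line):
    """Fill columns 22/23 (src/dst AS) from the addresses in columns 10/11."""
    row = line.rstrip("\n").split(",")
    row[22], row[23] = lookup(root, row[10]), lookup(root, row[11])
    return ",".join(row)

if __name__ == "__main__":
    trie = build_trie(ORIGINAS)
    print("\n".join(tag(trie, f) for f in FLOWS))
```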