<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML ><HEAD ><TITLE >flow-rpt2rrd</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><H1 ><A NAME="AEN1" ></A ><TT CLASS="APPLICATION" >flow-rpt2rrd</TT ></H1 ><DIV CLASS="REFNAMEDIV" ><A NAME="AEN6" ></A ><H2 >Name</H2 ><TT CLASS="APPLICATION" >flow-rpt2rrd</TT > -- Convert flow-report CSV output to RRDtool format.</DIV ><DIV CLASS="REFSYNOPSISDIV" ><A NAME="AEN10" ></A ><H2 >Synopsis</H2 ><P ><B CLASS="COMMAND" >flow-rpt2rrd</B > [-nv] [-d<TT CLASS="REPLACEABLE" ><I > debug_level</I ></TT >] [-k<TT CLASS="REPLACEABLE" ><I > keys</I ></TT >] [-K<TT CLASS="REPLACEABLE" ><I > keys_file</I ></TT >] [-f<TT CLASS="REPLACEABLE" ><I > fields</I ></TT >] [-p<TT CLASS="REPLACEABLE" ><I > rrd_path</I ></TT >] [-P<TT CLASS="REPLACEABLE" ><I > rrd_postfix</I ></TT >] [-r<TT CLASS="REPLACEABLE" ><I > rrd_storage</I ></TT >]</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN28" ></A ><H2 >DESCRIPTION</H2 ><P >The <B CLASS="COMMAND" >flow-rpt2rrd</B > utility processes the CSV output of flow-report into RRDtool format. The aggregates for a key are each stored as a DS in RRD filename {rrd_path,"/",key,rrd_postfix,".rrd"}. By default a DS is created for flows, octets, and packets. The key must be specified, for example an ip-port report could use smtp,nntp,ssh,telnet as the keys which would create a separate RRD for each key.</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN32" ></A ><H2 >OPTIONS</H2 ><P ></P ><DIV CLASS="VARIABLELIST" ><DL ><DT >-d<TT CLASS="REPLACEABLE" ><I > debug_level</I ></TT ></DT ><DD ><P >Set debug level to debug_level (debugging code)</P ></DD ><DT >-h</DT ><DD ><P >Help.</P ></DD ><DT >-k<TT CLASS="REPLACEABLE" ><I > keys</I ></TT >|<TT CLASS="REPLACEABLE" ><I >html</I ></TT ></DT ><DD ><P >Comma separated list of key values. If the report has symbols then the key must be the symbol, ie smtp not 25. The totals_* lines may be used if they are enabled in the report. There is no default, keys must be specified with -k or -K.</P ></DD ><DT >-K<TT CLASS="REPLACEABLE" ><I > keys_file</I ></TT ></DT ><DD ><P >Load keys from <TT CLASS="REPLACEABLE" ><I >keys_file</I ></TT >. See -k.</P ></DD ><DT >-f</DT ><DD ><P >Comma separated list of columns to store. Each column maps to a DS in the RRD. Defaults to flows,octets,packets</P ></DD ><DT >-n</DT ><DD ><P >Enable symbol table lookups. For example TCP port 25 = smtp. This will result in RRD file names with the symbolic names if symbol lookups were not enabled in the report.</P ></DD ><DT >-p<TT CLASS="REPLACEABLE" ><I > rrd_path</I ></TT ></DT ><DD ><P >Set path to RRD files. Defaults to ".".</P ></DD ><DT >-P<TT CLASS="REPLACEABLE" ><I > rrd_postfix</I ></TT ></DT ><DD ><P >Set RRD file name postfix. Defaults to "".</P ></DD ><DT >-r<TT CLASS="REPLACEABLE" ><I > rrd_storage</I ></TT ></DT ><DD ><P >Set RRD storage for 5 minute, 30 minute, 2 hour, and 1 day databases. List items are : seperated. Defaults to 600:600:600:732.</P ></DD ><DT >-v</DT ><DD ><P >Enable verbose output.</P ></DD ></DL ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN83" ></A ><H2 >EXAMPLES</H2 ><DIV CLASS="INFORMALEXAMPLE" ><P ></P ><A NAME="AEN85" ></A ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="SCREEN" >The following example shows the combined use of flow-nfilter (inline), flow-report, and flow-rpt2rrd to create an RRD depicting traffic from clmbo-r4 to AS 10796 and 6478 for 2004-11-08. rrdtool graph is then used to create a .png. #!/bin/sh cat << EOF>report.cfg include-filter nfilter.cfg stat-report CLMBO-R4-TO-INTERNET-BY-DESTINATION-AS type destination-as filter CLMBO-R4-INTERNET-OUT scale 100 output options +header,+xheader fields -duration stat-definition 5min-summaries report CLMBO-R4-TO-INTERNET-BY-DESTINATION-AS EOF cat << EOF>nfilter.cfg # ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName.46 = so-0/0/0.0 filter-primitive CLMBO-R4-INTERNET type ifindex permit 46 # Match on traffic to the Internet filter-definition CLMBO-R4-INTERNET-OUT match output-interface CLMBO-R4-INTERNET EOF mkdir rrds # 5 minute flow files from flow-capture are here FLOW_DATA=/flows/clmbo-r4/2004-11-08/ # for each 5 minute flow,aggregate with flow-report then store to RRD for name in $FLOW_DATA/*; do echo working...$name flow-report -s report.cfg -S5min-summaries < $name | flow-rpt2rrd -k10796,6478 -p rrds done # first flow - 0:1:23 11/8/2004 START=1099890083 # last flow - 0:1:25 11/9/2004 END=1099976485 rrdtool graph CLMBO-R4-TO-INTERNET.png --start $START --end $END \ --vertical-label "Bits/Second" --title="CLMBO-R4 TO INTERNET BY AS" \ DEF:AS10796in=rrds/10796.rrd:octets:AVERAGE \ DEF:AS6478in=rrds/6478.rrd:octets:AVERAGE \ CDEF:b_AS10796in=AS10796in,8,* \ CDEF:b_AS6478in=AS6478in,8,* \ LINE1:b_AS10796in#FF0000:AS10796-in \ LINE1:b_AS6478in#555555:AS6478-in \ </PRE ></TD ></TR ></TABLE ><P ></P ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN87" ></A ><H2 >BUGS</H2 ><P >Hard coded to expect 5 minute flow file intervals. Does not properly parse flow-report time-series output.</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN90" ></A ><H2 >AUTHOR</H2 ><P >Mark Fullmer <CODE CLASS="EMAIL" ><<A HREF="mailto:maf@splintered.net" >maf@splintered.net</A >></CODE ></P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN97" ></A ><H2 >SEE ALSO</H2 ><P ><TT CLASS="APPLICATION" >flow-tools</TT >(1)</P ></DIV ></BODY ></HTML >