Re: Sorting Cisco IP accounting data!

Some searching will help with the sorting question... However there's a better way. Check if your router is capable of Netflow export. You can have the routers export to a collector machine, much much better than polling the router for stats.

I'm using the cflowd package (C code) to collect the flows, but for processing there's Cflow.pm (same guy who wrote cflowd). A typical export looks something like:

$ flowdumper -e '($exporterip eq "192.168.251.43") && ($input_if == 6)
+' -c ../flows.current
FLOW
  index:          0xc7ffff
  router:         192.168.251.43
  src IP:         64.12.27.230
  dst IP:         192.168.252.188
  input ifIndex:  6
  output ifIndex: 9
  src port:       5190
  dst port:       2877
  pkts:           11
  bytes:          2291
  IP nexthop:     192.168.254.1
  start time:     Mon Feb 25 16:29:47 2002
  end time:       Mon Feb 25 16:32:42 2002
  protocol:       6
  tos:            0x0
  src AS:         0
  dst AS:         0
  src masklen:    0
  dst masklen:    24
  TCP flags:      0x1a (SYN|ACK|PUSH)
  engine type:    1
  engine id:      1
...snip...
matched 19333 of 27695 flows
$
[download]

The tools available are quite flexible. FlowScan is a perl application to gather stats/make graphs with a backend RRD database. If nothing else it's a good place to start rolling your own.

Comment on Re: Sorting Cisco IP accounting data! Download Code

Replies are listed 'Best First'.
Re: Re: Sorting Cisco IP accounting data! by Baiul (Acolyte) on Feb 26, 2002 at 10:39 UTC
Thanks for the info Zen. My main problem is that I do not have full access to the routers since the company I work for have them outsourced through a rather inefficient third party. This means that I do not have enable mode access and am very limited in what I can do. If I could get this sorting problem 'Sorted' I would be happy. :) Thanks for the input though, Baiul.	[reply]
Re: Re: Re: Sorting Cisco IP accounting data! by zengargoyle (Deacon) on Feb 26, 2002 at 19:07 UTC
`foreach $key (sort keys %tt) { printf "%35s %15d\n",$key, $tt{$key}; }` [download] Assuming that works for you... `while (($key, $value) = each %tt) { push @unsorted, [ $k, $v ]; } @sort_asc = sort { $a->[1] <=> $b->[1] } @unsorted; @sort_dsc = sort { $b->[1] <=> $a->[1] } @unsorted; print "low to high\n"; foreach (@sort_asc) { prinf "%35s %15d\n", $_->[0], $_->[1]; } print "\n"; print "high to low\n"; foreach (@sort_dsc) { prinf "%35s %15d\n", $_->[0], $_->[1]; }` [download]	[reply] [d/l] [select]
Re: Re: Re: Sorting Cisco IP accounting data! by zengargoyle (Deacon) on Feb 26, 2002 at 19:15 UTC
Talk to them. If the router can do it, they should be happy to do it for you. It's easier on the router to export them than for you to continuously connect to the console and dump them. That's easier loadwise. IMNSHO using the console for this type of thing is bad. Setup on the router is 3 lines... `ip flow-export source Loopback0 ip flow-export version 5 origin-as ip flow-export destination <your host> 2055 (plus turning on flow cache on the interfaces, but most do that by default, big win.)` [download] I would go so far as to say that if they wouldn't do this for you, Replace Them.	[reply] [d/l]
Re: Re: Re: Re: Sorting Cisco IP accounting data! by Baiul (Acolyte) on Feb 27, 2002 at 09:57 UTC
Hehe funny you should say that ZEN, we are replacing them. They are terrible. thanks for the info though and I will try to get it sorted out. We did get the sort funciotn done though and it does work pretty damn well. Yell if anyone wants to see the code. But you are right, not good to do the logon all the time :(. I'll talk to the muppets about Flow exporting, Thanks again, Baiul.	[reply]