[Experience sharing] Using FlowScan on Linux
Posted 2018-5-22 06:29:12
  Complete guide to installing and configuring FlowScan on Linux
  2015.04.30
  

  1. Introduction to FlowScan
  

  FlowScan is written in Perl and is mainly used to process and present the NetFlow data that network devices export to it.
  

  Early FlowScan used cflow to collect and process NetFlow v5 data; later it used flow-tools for that.
  Note that Cflow has to be built inside the flow-tools tree so that FlowScan can use it afterwards.
  FlowScan then scans and analyses the flows and draws graphs; it is a pretty good NetFlow analysis and presentation tool.
  

  CUFlow is an extension module for FlowScan that is friendlier than the bundled CampusIO and SubNetIO modules,
  so CUFlow is used here in place of the bundled modules.
  

  

  2. Check or install the dependencies
  

  2.1. Check the Apache configuration
  Suse11:~ # apache2ctl -v
  Server version: Apache/2.2.12 (Linux/SUSE)
  Server built:   Mar 27 2013 18:47:49
  Suse11:~ # grep -v \^# /etc/sysconfig/apache2
  

  DOC_SERVER="no"
  APACHE_CONF_INCLUDE_FILES=""
  APACHE_CONF_INCLUDE_DIRS=""
  

  APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif suexec userdir php5 reqtimeout"
  

  APACHE_SERVER_FLAGS=""
  APACHE_HTTPD_CONF=""
  APACHE_MPM=""
  APACHE_SERVERADMIN=""
  APACHE_SERVERNAME=""
  APACHE_START_TIMEOUT="2"
  APACHE_SERVERSIGNATURE="on"
  APACHE_LOGLEVEL="debug"
  APACHE_ACCESS_LOG="/dev/null combined"
  APACHE_USE_CANONICAL_NAME="off"
  APACHE_SERVERTOKENS="OS"
  APACHE_EXTENDED_STATUS="off"
  APACHE_DISABLE_SSL_COMPRESSION="on"
  Suse11:~ #
  

  2.2. Check the Perl 5 installation
  Suse11:~ # perl -v
  

  This is perl, v5.10.0 built for x86_64-linux-thread-multi
  

  Copyright 1987-2007, Larry Wall
  

  Perl may be copied only under the terms of either the Artistic License or the
  GNU General Public License, which may be found in the Perl 5 source kit.
  

  Complete documentation for Perl, including FAQ lists, should be found on
  this system using "man perl" or "perldoc perl".  If you have access to the
  Internet, point your browser at http://www.perl.org/, the Perl Home Page.
  

  Suse11:~ #
  

  2.3. Build and install RRDtool
  

  # tar xvzf rrdtool-1.4.5.tar.tar
  # cd rrdtool-1.4.5
  Edit configure: find the line
  PERL_MAKE_OPTIONS="PREFIX=$langpref INSTALL_BASE= LIB=$langpref/lib/perl/$PERL_VERSION"
  and change it to
  PERL_MAKE_OPTIONS="PREFIX=$langpref INSTALL_BASE= LIB=$langpref/lib/perl5/$PERL_VERSION"
  #./configure --prefix=/usr --sysconfdir=/etc --enable-shared
  # make
  # make install
  or alternatively: make install site-perl-install
  

  Suse11:~ # rrdtool -v
  RRDtool 1.4.9  Copyright 1997-2013 by Tobias Oetiker <tobi@oetiker.ch>
  Compiled Apr 30 2015 14:21:19
  

  Usage: rrdtool [options] command command_options
  Valid commands: create, update, updatev, graph, graphv,  dump, restore,
  last, lastupdate, first, info, fetch, tune,
  resize, xport, flushcached
  

  RRDtool is distributed under the Terms of the GNU General
  Public License Version 2. (www.gnu.org/copyleft/gpl.html)
  

  For more information read the RRD manpages
  

  Suse11:~ #
  

  2.4. Build and install flow-tools
  

  2.4.1 Download flow-tools-0.68.5.1.tar.bz2 and build it
  tar -xvjf flow-tools-0.68.5.1.tar.bz2
  cd flow-tools-0.68.5.1
  ./configure --prefix=/usr --sysconfdir=/etc
  make
  make install
  

  2.4.2 The flow-tools start-up script, used together with Cacti's flowview plugin
  Suse11:~ # cat /etc/init.d/flow-capture
#!/usr/bin/php
<?php
/*
# description: Start Flow-Capture
# chkconfig: 2345 95 00
*/

$cacti_base = '/srv/www/htdocs/cacti';

// Reuse Cacti's database layer so the device list comes from the flowview plugin tables
include_once($cacti_base . '/include/global.php');
$tools_path = read_config_option("path_flowtools");

if (isset($_SERVER['argv'][1])) {
    switch (strtolower($_SERVER['argv'][1])) {
        case 'start':
            start();
            break;
        case 'stop':
            stop();
            break;
        case 'restart':
            restart();
            break;
        default:
            echo "Usage: /etc/init.d/flow-capture {start|stop|restart}\n";
            break;
    }
}

function start() {
    global $tools_path, $cacti_base;

    echo "NOTE: Starting Flow Tools\n";
    // One flow-capture listener is launched per device defined in the flowview plugin
    $devices = db_fetch_assoc("SELECT * FROM plugin_flowview_devices");
    if (!empty($devices)) {
        $path = db_fetch_cell("SELECT value FROM `settings` WHERE name = 'path_flows_dir'");
        if ($path == '') {
            // 'break' is not valid outside a loop or switch; leave the function instead
            return;
        }
        if (substr($path, -1) == '/') {
            $path = substr($path, 0, -1);
        }
        foreach ($devices as $device) {
            $port   = $device['port'];
            $folder = $device['folder'];
            $nest   = $device['nesting'];
            $v      = $device['version'];
            $from   = $device['allowfrom'];
            $comp   = $device['compression'];
            $rotate = $device['rotation'];
            $expire = $device['expire'] * ($rotate + 1);
            if (!is_dir("$path/$folder")) {
                echo "NOTE: Making directory '$path/$folder'\n";
                mkdir("$path/$folder");
            }
            if (is_dir("$path/$folder")) {
                echo "NOTE: Launching flow-capture as '$tools_path/flow-capture -w $path/$folder 0/$from/$port -S5 -V$v -z $comp -n $rotate -e $expire -N $nest'\n";
                shell_exec($tools_path . "/flow-capture -w $path/$folder 0/$from/$port -S5 -V$v -z $comp -n $rotate -e $expire -N $nest");
            }
        }
    } else {
        echo "WARNING: No flows configured\n";
    }
}

function stop() {
    global $tools_path, $cacti_base;

    echo "NOTE: Stopping Flow Tools\n";
    $devices = db_fetch_assoc("SELECT * FROM plugin_flowview_devices");
    if (!empty($devices)) {
        // killall with a full path matches processes executing exactly that binary
        shell_exec('killall -9 ' . $tools_path . '/flow-capture');
    }
}

function restart() {
    stop();
    start();
}
  Suse11:~ #
  

  2.4.3. Start flow-capture
  Suse11:~ # /etc/init.d/flow-capture start
  NOTE: Starting Flow Tools
  NOTE: Launching flow-capture as '/usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1'
  Suse11:~ # ps -eaf |grep flow-capture |grep -v grep
  root      7087     1  4 20:32 ?        00:00:00 /usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1
  Suse11:~ #
  

  

  2.5. Install the Perl modules FlowScan needs
  Perl Modules- In addition to Perl5, you will need the modules listed below.
  Net::Patricia
  Boulder::Stream
  HTML::Table
  ConfigReader::DirectiveStyle
  Cflow
  

  Find and download these packages from http://search.cpan.org/, then for each one:
  # perl Makefile.PL
  # make
  # make install
  

  For ConfigReader it is enough to unpack the archive into /usr/lib/perl5/site_perl/5.10.0
  Suse11:~/bin/flow-tools-0.68.5.1 # ls -al /usr/lib/perl5/site_perl/5.10.0/ConfigReader
  total 76
  drwxr-xr-x 2  405    4  4096 Feb 20  1996 .
  drwxr-xr-x 9 root root  4096 Apr 30 11:09 ..
  -rw-r--r-- 1  405    4 25265 Feb 17  1996 COPYING.LIB
  -rw-r--r-- 1  405    4  2424 Feb 14  1996 ConfigReader.pod
  -rw-r--r-- 1  405    4  9084 Feb 20  1996 DirectiveStyle.pm
  -rw-r--r-- 1  405    4  2152 Feb 19  1996 README
  -rw-r--r-- 1  405    4  9705 Feb 20  1996 Spec.pm
  -rw-r--r-- 1  405    4  7573 Feb 20  1996 Values.pm
  Suse11:~/bin/flow-tools-0.68.5.1 #
  

  Note that Cflow has to be built inside the flow-tools tree, so this step must be done after flow-tools has been built.
  cd flow-tools-0.68.5.1
  cd contrib
  tar -zxvf Cflow-1.053.tar.gz
  cd Cflow-1.053
  perl Makefile.PL
  make
  make install
  

  Suse11:~ # perl -MExtUtils::Installed -le 'foreach (ExtUtils::Installed->new->modules) { print $_,"-->", ExtUtils::Installed->new->version($_)}'
  Boulder-->
  Cflow-->1.053
  HTML::Table-->2.08a
  Net::CIDR-->0.18
  Net::CIDR::Lite-->0.21
  Net::Patricia-->1.22
  Perl-->5.10.0
  RRDp-->1.4009
  RRDs-->1.4009
  Socket6-->0.25
  Test::Simple-->1.001014
  Suse11:~ #
  

  2.6. Install and configure FlowScan
  

  2.6.1. Check the FlowScan installation directory
  Suse11:~ # ls -al /var/netflow/
  total 24
  drwxr-xr-x  4 root root  4096 Apr 30 19:34 .
  drwxr-xr-x 16 root root 12288 Apr 26 18:13 ..
  drwxr-xr-x 10 root root  4096 Apr 30 00:00 cisco3745
  drwxr-xr-x  6 root root  4096 Apr 30 18:40 flowscan
  Suse11:~ # ls -al /var/netflow/cisco3745/
  total 656
  drwxr-xr-x 10 root root  4096 Apr 30 00:00 .
  drwxr-xr-x  4 root root  4096 Apr 30 19:34 ..
  drwxr-xr-x  2 root root 36864 Apr 24 00:00 2015-04-23
  drwxr-xr-x  2 root root 86016 Apr 25 00:00 2015-04-24
  drwxr-xr-x  2 root root 81920 Apr 26 00:00 2015-04-25
  drwxr-xr-x  2 root root 90112 Apr 27 00:00 2015-04-26
  drwxr-xr-x  2 root root 90112 Apr 28 00:00 2015-04-27
  drwxr-xr-x  2 root root 90112 Apr 29 00:00 2015-04-28
  drwxr-xr-x  2 root root 86016 Apr 30 00:00 2015-04-29
  drwxr-xr-x  2 root root 73728 Apr 30 19:38 2015-04-30
  Suse11:~ # ls -al /var/netflow/flowscan/
  total 1820
  drwxr-xr-x 6 root root    4096 Apr 30 18:40 .
  drwxr-xr-x 4 root root    4096 Apr 30 19:34 ..
  drwxr-xr-x 2 root root    4096 Apr 30 18:40 flows
  drwxr-xr-x 2 root root    4096 Apr 30 18:25 graphs
  Suse11:~ #
  

  2.6.2. Install FlowScan
  Download FlowScan-1.006.tar.gz
  Suse11:~/bin # tar xvzf FlowScan-1.006.tar.gz
  Suse11:~/bin # cd FlowScan-1.006/
  Suse11:~/bin/FlowScan-1.006 # ./configure --prefix=/var/netflow/flowscan
  Suse11:~/bin/FlowScan-1.006 # make
  make: Nothing to be done for `all'.
  Suse11:~/bin/FlowScan-1.006 # make -n install
  test -d /var/netflow/flowscan/bin || /bin/mkdir -p /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c flowscan /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c FlowScan.pm /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c CampusIO.pm /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c SubNetIO.pm /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/locker /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/add_ds.pl /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/add_txrx /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/event2vrule /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/ip2hostname /var/netflow/flowscan/bin
  Suse11:~/bin/FlowScan-1.006 # make install
  test -d /var/netflow/flowscan/bin || /bin/mkdir -p /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c flowscan /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c FlowScan.pm /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c CampusIO.pm /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c SubNetIO.pm /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/locker /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/add_ds.pl /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/add_txrx /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/event2vrule /var/netflow/flowscan/bin
  /root/bin/FlowScan-1.006/install-sh -c util/ip2hostname /var/netflow/flowscan/bin
  Suse11:~/bin/FlowScan-1.006 #
  2.6.2 Configure FlowScan
  Suse11:~ # ls -al /var/netflow/flowscan/
  total 1820
  drwxr-xr-x 6 root root    4096 Apr 30 18:40 .
  drwxr-xr-x 4 root root    4096 Apr 30 19:34 ..
  drwxr-xr-x 2 root root    4096 Apr 30 18:40 bin
  drwxr-xr-x 2 root root    4096 Apr 30 18:40 flows
  drwxr-xr-x 2 root root    4096 Apr 30 18:25 graphs
  Suse11:~ #
  

  Suse11:~ # cat /var/netflow/flowscan/bin/flowscan.cf
  

  # flowscan Configuration Directives ############################################
  

  # FlowFileGlob (REQUIRED)
  # use this glob (file pattern match) when looking for raw flow files to be
  # processed, e.g.:
  # FlowFileGlob /var/local/flows/flows.*:*[0-9]
  # FlowFileGlob flows.*:*[0-9]
  FlowFileGlob /var/netflow/flowscan/flows/ft-v05*[0-9]
  

  # ReportClasses (REQUIRED)
  # a comma-seperated list of FlowScan report classes, e.g.:
  # ReportClasses CampusIO
  #ReportClasses SubNetIO
  ReportClasses CUFlow
  

  # WaitSeconds (OPTIONAL)
  # This should be <= the "-s" value passed on the command-line to cflowd, e.g.:
  # WaitSeconds 300
  WaitSeconds 30
  

  # Verbose (OPTIONAL, non-zero = true)
  Verbose 0
  Suse11:~ #
  2.6.3. Patch FlowScan.pm
  Open FlowScan.pm and change lines 96 and 108 as follows. The diff was taken as diff FlowScan.pm FlowScan.OLD, so the lines marked < are the patched version and the lines marked > are the original: the two regexes that read a timestamp out of a flow file name are changed from the cflowd form YYYYMMDD_HH:MM:SS to the ft-v05.YYYY-MM-DD.HHMMSS form that flow-capture writes.
  

  Suse11:/var/netflow/flowscan/bin # diff FlowScan.pm FlowScan.OLD
  96c96
  <     m/(\d\d\d\d)-(\d\d)-(\d\d)\.(\d\d)(\d\d)(\d\d)([+-])(\d\d)(\d\d)$/) {
  ---
  >            m/(\d\d\d\d)(\d\d)(\d\d)_(\d\d):(\d\d):(\d\d)([+-])(\d\d)(\d\d)/) {
  108c108
  <    } elsif ($file =~ m/(\d\d\d\d)-(\d\d)-(\d\d)\.(\d\d)(\d\d)(\d\d)$/) {
  ---
  >    } elsif ($file =~ m/(\d\d\d\d)(\d\d)(\d\d)_(\d\d):(\d\d):(\d\d)$/) {
  Suse11:/var/netflow/flowscan/bin #
  

  2.6.4. Patch Table.pm
  Open /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm and change line 2685 as follows (again, < is the patched line and > the original). The added defined() test short-circuits the comparison when last_col has not been set yet; without it that line emits the "Use of uninitialized value in numeric gt (>)" warnings that show up in flowscan.log.
  Suse11:~ # diff /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm /usr/lib/perl5/site_perl/5.10.0/HTML/Table.OLD
  2685c2685
  <    $self->{last_col} = $count if (!defined($self->{last_col}) || ( $count > $self->{last_col}));
  ---
  >    $self->{last_col} = $count if ($count > $self->{last_col});
  Suse11:~ #
  

  2.6.5. Configure the FlowScan start-up script
  Suse11:~ # cat /etc/init.d/flowscan
  

  # rc script for flowscan
  # D Plonka, Jan 11 1999
  

  bindir=/var/netflow/flowscan/bin
  scandir=/var/netflow/flowscan
  logfile=/var/netflow/flowscan/flowscan.log
  user=root
  su=/bin/su
  nohup=/usr/bin/nohup
  kill=/bin/kill
  ps=/bin/ps
  grep=/bin/grep
  awk=/usr/bin/awk
  perl=/usr/bin/perl
  nice=/usr/bin/nice
  meanness=0
  

case "$1" in
'start')
    echo "starting flowscan"
    ${nice} --${meanness} ${su} - ${user} -c "cd ${scandir} && ${nohup} ${perl} ${bindir}/flowscan >>${logfile} 2>&1 </dev/null &" >/dev/null
    ;;
'stop')
    echo "killing flowscan"
    pid=`${ps} ax |${grep} "${perl} ${bindir}/[f]lowscan" |${awk} '{print $1}'`
    if [ -n "$pid" ]
    then
        ${kill} $pid
    fi
    ;;
esac
  Suse11:~ #
  

  

  2.7. Install and configure CUFlow
  

  2.7.1. Install CUFlow
  SLES 11 SP3 -- flowscan-cuflow-1.7-1.2.x86_64.rpm
  flowscan-cuflow_1.7.orig.tar.gz
  

  Suse11:~ # rpm -Uvh flowscan-cuflow-1.7-1.2.x86_64.rpm
  Suse11:/var/netflow/flowscan/bin # rpm -ql flowscan-cuflow
  /etc/flowscan/CUFlow.cf
  /srv/www/cflow
  /srv/www/cflow/reports
  /srv/www/cflow/reports/scoreboard
  /srv/www/cgi-bin/CUGrapher.pl
  /usr/lib/perl5/vendor_perl/5.8.6/CUFlow.pm
  /usr/share/man/man3/CUFlow.3pm.gz
  Suse11:~ #
  

  2.7.2 Configure CUFlow
  Suse11:~ # find / -name CUFlow\*
  /usr/share/man/man3/CUFlow.3pm.gz
  /usr/lib/perl5/vendor_perl/5.10.0/CUFlow.pm
  /etc/flowscan/CUFlow.cf
  Suse11:~ # grep etc /usr/lib/perl5/vendor_perl/5.10.0/CUFlow.pm
  &parseConfig("/etc/flowscan/CUFlow.cf");        # Read our config file
  Suse11:~ # cat /etc/flowscan/CUFlow.cf
  # These are the subnets in our network
  # These are used only to determine whether a packet is inbound our
  # outbound
  Subnet 172.16.100.0/24
  

  # These are networks we are particularly interested in, and want to
  # get separate rrd's for their aggregate traffic
  Network 172.16.100.254/32 routers
  

  # Where to put the rrd's
  # Make sure this is the same as $rrddir in CUGrapher.pl
  OutputDir /var/netflow/flowscan/graphs
  

  # Track multicast traffic
  Multicast
  

  # Keep top N lists
  # Show the top ten talkers, storing reports in /cflow/flows/reports
  # and keeping the current report in /etc/httpd/data/reports/topten.html
  Scoreboard 10 /srv/www/htdocs/reports/scoreboard /srv/www/htdocs/topten.html
  

  # Same, but build an over-time average top N list
  AggregateScore 10 /srv/www/htdocs/reports/scoreboard/agg.dat /srv/www/htdocs/overall.html
  

  # Our two netflow exporters. Produce service and protocol reports for the
  # total, and each of these.
  #Router 172.16.100.254 router3745
  #Router 10.0.1.2 router2
  

  # Services we are interested in
  Service 20-21/tcp ftp
  Service 22/tcp ssh
  Service 23/tcp telnet
  Service 25/tcp smtp
  Service 53/udp,53/tcp dns
  Service 80/tcp http
  Service 110/tcp pop3
  #Service 119/tcp nntp
  #Service 143/tcp imap
  #Service 412/tcp,412/udp dc
  Service 443/tcp https
  #Service 1214/tcp kazaa
  Service 1723/tcp pptp
  Service 2119/tcp Camp2119
  Service 2556/tcp Camp2556
  #Service 4661-4662/tcp,4665/udp edonkey
  Service 5070/tcp sip
  #Service 5190/tcp aim
  #Service 6346-6347/tcp gnutella
  #Service 6665-6669/tcp irc
  #Service 54320/tcp bo2k
  Service 7070/tcp,554/tcp,6970-7170/udp real
  Service 22228/tcp Camp22228
  

  # protocols we are interested in
  Protocol 1 icmp
  #Protocol 4 ipinip
  Protocol 6 tcp
  Protocol 17 udp
  Protocol 41 ipv6
  Protocol 47 gre
  #Protocol 50 esp
  #Protocol 51 ah
  #Protocol 57 skip
  #Protocol 88 eigrp
  #Protocol 169
  Protocol 255
  

  # ToS bit percentages to graph
  TOS 0 normal
  TOS 1-255 other
  

  # Interested in traffic to/from AS 1
  ASNumber 1 Genuity
  Suse11:~ #
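As an added example (not part of the original post or of CUFlow's own code), here is a small Python parser for the Subnet, Network, Service and Protocol directives shown above, together with a classifier that applies them to a few constructed flow records. The classification is a simplified reading of the directives, not CUFlow's implementation: direction comes from whether each endpoint lies inside a Subnet, and a service match is tagged _src or _dst according to which port matched, which mirrors the service_<name>_src.rrd / service_<name>_dst.rrd pairs FlowScan writes later on. The names parse_cuflow_cf and classify_flow and the sample directives are mine.

```python
import ipaddress

# Constructed subset of the CUFlow.cf directives shown above (not the file itself).
SAMPLE_CF = """\
# These are the subnets in our network
Subnet 172.16.100.0/24
Network 172.16.100.254/32 routers
Service 20-21/tcp ftp
Service 22/tcp ssh
Service 53/udp,53/tcp dns
Service 80/tcp http
Service 7070/tcp,554/tcp,6970-7170/udp real
Protocol 1 icmp
Protocol 6 tcp
Protocol 17 udp
Protocol 255
"""

PROTO_NUM = {"tcp": 6, "udp": 17}


def parse_cuflow_cf(text):
    """Parse Subnet/Network/Service/Protocol directives into lookup tables.

    Service port specs follow the syntax used in the file: comma-separated
    "port[-port]/proto" items such as "20-21/tcp" or "53/udp,53/tcp".
    """
    cfg = {"subnets": [], "networks": [], "services": [], "protocols": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key == "Subnet":
            cfg["subnets"].append(ipaddress.ip_network(args[0], strict=False))
        elif key == "Network":
            nets = [ipaddress.ip_network(a, strict=False) for a in args[0].split(",")]
            cfg["networks"].append((args[1], nets))
        elif key == "Service":
            ranges = []
            for spec in args[0].split(","):
                ports, proto = spec.split("/")
                lo, _, hi = ports.partition("-")
                ranges.append((PROTO_NUM[proto], int(lo), int(hi or lo)))
            cfg["services"].append((args[1], ranges))
        elif key == "Protocol":
            num = int(args[0])
            # "Protocol 255" carries no name and is keyed by number, like protocol_255.rrd
            cfg["protocols"][num] = args[1] if len(args) > 1 else str(num)
    return cfg


def classify_flow(cfg, src, dst, proto, sport, dport):
    """Classify one flow record by the directives parsed above.

    Returns (direction, service_tags, network_tags, protocol_name).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_in = any(src_ip in n for n in cfg["subnets"])
    dst_in = any(dst_ip in n for n in cfg["subnets"])
    if src_in and dst_in:
        direction = "local"
    elif src_in:
        direction = "outbound"
    elif dst_in:
        direction = "inbound"
    else:
        direction = "transit"   # neither end is ours, so it is neither inbound nor outbound

    services = []
    for name, ranges in cfg["services"]:
        for p, lo, hi in ranges:
            if proto != p:
                continue
            if lo <= dport <= hi:
                services.append(name + "_dst")
            if lo <= sport <= hi:
                services.append(name + "_src")

    networks = [name for name, nets in cfg["networks"]
                if any(src_ip in n or dst_ip in n for n in nets)]
    return direction, services, networks, cfg["protocols"].get(proto)


if __name__ == "__main__":
    cfg = parse_cuflow_cf(SAMPLE_CF)
    # Constructed flow records: (src, dst, proto, sport, dport)
    for rec in [("172.16.100.10", "8.8.8.8", 17, 40000, 53),
                ("203.0.113.5", "172.16.100.7", 6, 51234, 22),
                ("172.16.100.2", "172.16.100.254", 1, 0, 0)]:
        print(rec, "->", classify_flow(cfg, *rec))
```

A protocol number that is not listed (47/gre in the full file is, but 50/esp is commented out) yields None, which is exactly the traffic that would not get its own protocol_*.rrd; the same applies to ports outside every Service range.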
  

  

  3. Start FlowScan and observe it
  3.1 Start FlowScan
  Suse11:/var/netflow/flowscan # ps -eaf |grep flow |grep -v grep
  root      7087     1  0 20:32 ?        00:00:00 /usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1
  Suse11:/var/netflow/flowscan # /etc/init.d/flowscan start
  starting flowscan
  Suse11:/var/netflow/flowscan # ps -eaf |grep flow |grep -v grep
  root      7087     1  0 20:32 ?        00:00:00 /usr/bin/flow-capture -w /var/netflow/cisco3745 0/0/2055 -S5 -V5 -z 0 -n 1439 -e 525600 -N -1
  root     18736     1  0 20:44 pts/3    00:00:00 -bash -c cd /var/netflow/flowscan && /usr/bin/nohup /usr/bin/perl /var/netflow/flowscan/bin/flowscan >>/var/netflow/flowscan/flowscan.log 2>&1 </dev/null &
  root     18737 18736  1 20:44 pts/3    00:00:00 /usr/bin/perl /var/netflow/flowscan/bin/flowscan
  Suse11:/var/netflow/flowscan #
  

  3.2 Observe FlowScan running
  Suse11:~ # ls -al /var/netflow/flowscan/flows
  total 104
  drwxr-xr-x 2 root root 98304 Apr 30 20:44 .
  drwxr-xr-x 5 root root  4096 Apr 30 20:44 ..
  Suse11:~ # ls -al /var/netflow/flowscan/graphs/
  total 8
  drwxr-xr-x 2 root root 4096 Apr 30 19:54 .
  drwxr-xr-x 5 root root 4096 Apr 30 20:44 ..
  Suse11:~ # cat /var/netflow/flowscan/flowscan.log
  sleep 30...
  sleep 30...
  sleep 30...
  sleep 30...
  Suse11:~ #
  

  3.3 Copy the data collected by flow-tools into FlowScan's processing directory
  Suse11:~ # cp /var/netflow/cisco3745/2015-04-23/* /var/netflow/flowscan/flows
  Suse11:~ # head -30 /var/netflow/flowscan/flowscan.log
  sleep 30...
  sleep 30...
  2015/04/30 21:03:50 working on file /var/netflow/flowscan/flows/ft-v05.2015-04-23.132406+0800...
  2015/04/30 21:03:50 flowscan-1.020 CUFlow: Cflow::find took  0 wallclock secs ( 0.01 usr +  0.00 sys =  0.01 CPU) for 7892 flow file bytes, flow hit ratio: 40/122
  2015/04/30 21:03:50 flowscan-1.020 CUFlow: report took  0 wallclock secs ( 0.00 usr  0.01 sys +  0.00 cusr  0.02 csys =  0.03 CPU)
  2015/04/30 21:03:50 working on file /var/netflow/flowscan/flows/ft-v05.2015-04-23.132501+0800...
  2015/04/30 21:03:50 flowscan-1.020 CUFlow: Cflow::find took  0 wallclock secs ( 0.02 usr +  0.00 sys =  0.02 CPU) for 6292 flow file bytes, flow hit ratio: 42/97
  ERROR updating /var/netflow/flowscan/graphs/service_ssh_dst.rrd: /var/netflow/flowscan/graphs/service_ssh_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
  ERROR updating /var/netflow/flowscan/graphs/service_pptp_dst.rrd: '/var/netflow/flowscan/graphs/service_pptp_dst.rrd' is not an RRD file
  ERROR updating /var/netflow/flowscan/graphs/service_sip_src.rrd: /var/netflow/flowscan/graphs/service_sip_src.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
  ERROR updating /var/netflow/flowscan/graphs/service_sip_dst.rrd: /var/netflow/flowscan/graphs/service_sip_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
  ERROR updating /var/netflow/flowscan/graphs/service_sip_dst.rrd: /var/netflow/flowscan/graphs/service_sip_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
  ERROR updating /var/netflow/flowscan/graphs/service_Camp2119_src.rrd: /var/netflow/flowscan/graphs/service_Camp2119_src.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
  ERROR updating /var/netflow/flowscan/graphs/service_Camp2119_dst.rrd: /var/netflow/flowscan/graphs/service_Camp2119_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
  ERROR updating /var/netflow/flowscan/graphs/service_Camp22228_src.rrd: '/var/netflow/flowscan/graphs/service_Camp22228_src.rrd' is too small (should be 190656 bytes)
  ERROR updating /var/netflow/flowscan/graphs/service_Camp22228_dst.rrd: /var/netflow/flowscan/graphs/service_Camp22228_dst.rrd: illegal attempt to update using time 1429766646 when last update time is 1429766701 (minimum one second step)
  ERROR updating /var/netflow/flowscan/graphs/service_ftp_src.rrd: '/var/netflow/flowscan/graphs/service_ftp_src.rrd' is not an RRD file
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  2015/04/30 21:03:50 flowscan-1.020 CUFlow: report took  0 wallclock secs ( 0.00 usr  0.00 sys +  0.00 cusr  0.03 csys =  0.03 CPU)
  2015/04/30 21:03:50 working on file /var/netflow/flowscan/flows/ft-v05.2015-04-23.132601+0800...
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  2015/04/30 21:03:50 flowscan-1.020 CUFlow: Cflow::find took  0 wallclock secs ( 0.00 usr +  0.00 sys =  0.00 CPU) for 6868 flow file bytes, flow hit ratio: 46/106
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.10.0/HTML/Table.pm line 2685.
  Suse11:~ #  ls -al /var/netflow/flowscan/graphs/
  total 7496
  drwxr-xr-x 2 root root   4096 Apr 30 21:03 .
  drwxr-xr-x 5 root root   4096 Apr 30 21:02 ..
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 as_Genuity.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 network_routers.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_255.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_gre.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_icmp.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_multicast.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_tcp.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 protocol_udp.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_dns_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_dns_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ftp_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ftp_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_http_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_http_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_https_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_https_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pop3_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pop3_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pptp_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_pptp_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2119_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2119_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp22228_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp22228_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2556_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_Camp2556_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_real_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_real_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_sip_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_sip_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_smtp_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_smtp_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ssh_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_ssh_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_telnet_dst.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 service_telnet_src.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 tos_normal.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 tos_other.rrd
  -rw-r--r-- 1 root root 190656 Apr 30 21:04 total.rrd
  Suse11:~ #
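As an added example (not part of the original post or of FlowScan), the Python below shows what the two file-name regexes from the FlowScan.pm patch in 2.6.3 actually extract, and models the RRDtool rule behind the "illegal attempt to update" errors in the log above: an update whose timestamp is not later than the last one written is refused. The Unix times in the log decode to the file names in the same log, 1429766646 being 2015-04-23 13:24:06 +0800 (ft-v05.2015-04-23.132406+0800) and 1429766701 being 13:25:01 +0800 (ft-v05.2015-04-23.132501+0800), so the log shows the 13:24:06 file's counters reaching the RRDs after the 13:25:01 update had already been written. The file list is constructed from those names; flow_file_time, chronological and rrd_update_order are my names, and only the monotonic-time rule of RRDtool is modelled (step and heartbeat are ignored).

```python
import re
from datetime import datetime, timedelta, timezone

# File-name pattern introduced by the FlowScan.pm patch (line 96): flow-tools
# names such as ft-v05.2015-04-23.132406+0800.
FT_NAME = re.compile(r"(\d\d\d\d)-(\d\d)-(\d\d)\.(\d\d)(\d\d)(\d\d)([+-])(\d\d)(\d\d)$")

# The pattern it replaced: cflowd-style names like flows.20150423_13:24:06+0800.
CFLOWD_NAME = re.compile(r"(\d\d\d\d)(\d\d)(\d\d)_(\d\d):(\d\d):(\d\d)([+-])(\d\d)(\d\d)")

# Constructed list in the order the files might be picked up; the last entry is
# the 13:24:06 file dropped into the flows directory a second time.
SAMPLE_FILES = [
    "ft-v05.2015-04-23.132501+0800",
    "ft-v05.2015-04-23.132406+0800",
    "ft-v05.2015-04-23.132601+0800",
    "ft-v05.2015-04-23.132406+0800",
]


def flow_file_time(name, pattern=FT_NAME):
    """Return the Unix time encoded in a flow file name, or None if it doesn't match."""
    m = pattern.search(name)
    if not m:
        return None
    y, mo, d, h, mi, s, sign, tzh, tzm = m.groups()
    offset = timedelta(hours=int(tzh), minutes=int(tzm))
    tz = timezone(offset if sign == "+" else -offset)
    stamp = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=tz)
    return int(stamp.timestamp())


def chronological(names):
    """Sort flow file names by their embedded timestamp (unparsable names go last)."""
    def key(name):
        t = flow_file_time(name)
        return (t is None, t or 0)
    return sorted(names, key=key)


def rrd_update_order(names):
    """Model RRDtool's monotonic-time rule over a sequence of flow files.

    Returns (accepted, rejected). A rejected name is one whose update time is
    not later than the previous accepted one, which is the condition behind
    "illegal attempt to update using time X when last update time is Y".
    Names the regex cannot parse are also rejected, since no time is known.
    """
    last = None
    accepted, rejected = [], []
    for name in names:
        t = flow_file_time(name)
        if t is None or (last is not None and t <= last):
            rejected.append(name)
            continue
        accepted.append(name)
        last = t
    return accepted, rejected


if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(name, "->", flow_file_time(name))
    print("as listed:   ", rrd_update_order(SAMPLE_FILES))
    print("chronological:", rrd_update_order(chronological(SAMPLE_FILES)))
```

Feeding the files in chronological order removes the out-of-order rejections; the duplicate copy is still refused, because its timestamp equals the one already written.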
  4. Configure the router
  

  4.1. Key configuration
  Global Mode
  ip cef
  ip flow-export version 5 peer-as
  ip flow-export source interface fa0/1
  ip flow-export destination 10.1.0.1  2055
  ip flow-cache timeout active 1
  Interface Configuration
  ip route-cache flow
  

  4.2. A complete example
  Camp#sh ver
  Cisco IOS Software, 3700 Software (C3745-ADVSECURITYK9-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2010 by Cisco Systems, Inc.
  Compiled Wed 18-Aug-10 08:18 by prod_rel_team
  

  ROM: System Bootstrap, Version 12.3(6r) [cmong 6r], RELEASE SOFTWARE (fc1)
  

  Camp uptime is 9 weeks, 2 days, 5 hours, 21 minutes
  System returned to ROM by reload at 00:05:50 UTC Fri Mar 1 2002
  System restarted at 14:14:15 Shanghai Tue Feb 24 2015
  System image file is "flash:/c3745-advsecurityk9-mz.124-25d.bin"
  

  

  This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use.
  Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws.
  By using this product you agree to comply with applicable laws and regulations.
  If you are unable to comply with U.S. and local laws, return this product immediately.
  

  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  

  If you require further assistance please contact us by sending email to export@cisco.com.
  

  Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
  Processor board ID FTX1108A1AM
  R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
  2 FastEthernet interfaces
  DRAM configuration is 64 bits wide with parity disabled.
  151K bytes of NVRAM.
  31360K bytes of ATA System CompactFlash (Read/Write)
  

  Configuration register is 0x2102
  

  Camp#sh run
  Building configuration...
  

  Current configuration : 2661 bytes
  !
  ! Last configuration change at 15:23:16 Shanghai Thu Apr 30 2015 by cisco
  ! NVRAM config last updated at 16:05:14 Shanghai Thu Apr 30 2015 by cisco
  !
  version 12.4
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname Camp
  !
  boot-start-marker
  boot system flash:/c3745-advsecurityk9-mz.124-25d.bin
  boot-end-marker
  !
  logging buffered 4194304 debugging
  no logging console
  no logging monitor
  !
  no aaa new-model
  clock timezone Shanghai 8
  clock save interval 8
  ip cef
  !
  !
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  !
  !
  no ip domain lookup
  ip sla monitor 101
  type http operation get url http://172.16.100.8:88/ source-ipaddr 172.16.100.254 cache disable
  threshold 500
  tag UNI
  ip sla monitor schedule 101 life forever start-time now
  !
  !
  !
  !
  username cisco privilege 15 secret 5 $1$wJN1$ufsPnRdNErXx1HGtK0kHi1
  !
  !
  !
  !
  !
  !
  interface FastEthernet0/0
  description Internet
  ip address 172.16.63.247 255.255.255.0
  ip flow ingress
  ip nat outside
  ip virtual-reassembly max-fragments 64 max-reassemblies 64
  duplex auto
  speed auto
  !
  no ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 172.16.63.1
  ip flow-export source FastEthernet0/1
  ip flow-export version 5 peer-as
  ip flow-export destination 172.16.100.8 2055
  !
  no ip http server
  no ip http secure-server
  no ip nat service sip udp port 5060
  ip nat inside source list 101 interface FastEthernet0/0 overload
  ip nat inside source static 172.16.100.2 interface FastEthernet0/0
  ip nat inside source static tcp 172.16.100.10 22 172.16.63.245 22 extendable
  ip nat inside source static tcp 172.16.100.10 80 172.16.63.245 80 extendable
  ip nat inside source static tcp 172.16.100.9 7900 172.16.63.245 7900 extendable
  ip nat inside source static tcp 172.16.100.8 13579 172.16.63.245 13579 extendable
  ip nat inside source static tcp 172.16.100.7 22228 172.16.63.245 22228 extendable
  ip nat inside source static tcp 172.16.100.7 22229 172.16.63.245 22229 extendable
  ip nat inside source static 172.16.100.5 172.16.63.246 extendable
  !
  no logging trap
  access-list 5 permit 172.16.100.5
  access-list 101 permit ip 172.16.100.0 0.0.0.255 any
  snmp-server community public RO
  no cdp run
  !
  !
  control-plane
  !
  !
  !
  line con 0
  login local
  line aux 0
  line vty 0 4
  privilege level 15
  login local
  transport input telnet
  !
  !
  end
  

  Camp#
  

  5. The web interface
  5.1. Web interface layout
  

  Suse11:~ # ls -al /srv/www/
  total 16
  drwxr-xr-x  4 root root 4096 Apr 30 11:59 .
  drwxr-xr-x  4 root root 4096 Dec 31  2011 ..
  drwxr-xr-x  3 root root 4096 Apr 30 19:02 cgi-bin
  drwxr-xr-x 10 root root 4096 Apr 30 18:25 htdocs
  Suse11:~ # ls -al /srv/www/cgi-bin/
  total 92
  drwxr-xr-x 3 root   root  4096 Apr 30 19:02 .
  drwxr-xr-x 4 root   root  4096 Apr 30 11:59 ..
  -rwxr-xr-x 1 root   root 38580 Apr 30 16:21 CUGrapher.pl
  drwxr-xr-x 7 wwwrun www   4096 Apr 24 21:26 FV
  -rwxr-xr-x 1 root   root 26284 Feb 24  2009 info2html
  -rw-r--r-- 1 root   root  3233 Feb 24  2009 info2html.conf
  -rwxr-xr-x 1 root   root  5381 Feb 24  2009 infocat
  Suse11:~ # ls -al /srv/www/htdocs/
  total 92
  drwxr-xr-x 10 root   root 4096 Apr 30 18:25 .
  drwxr-xr-x  4 root   root 4096 Apr 30 11:59 ..
  drwxr-xr-x  2 wwwrun www  4096 Apr 30 09:54 FlowGrapher
  drwxr-xr-x  2 wwwrun www  4096 Apr 24 18:45 FlowMonitor
  drwxr-xr-x  2 wwwrun www  4096 Apr 24 21:25 FlowSaves
  drwxr-xr-x  2 wwwrun www  4096 Apr 24 19:21 FlowViewer
  drwxr-xr-x  2 wwwrun www  4096 Apr 24 18:46 FlowViewer_Dashboard
  -rw-r--r--  1 root   root 2326 Nov 21  2004 apache_pb.gif
  -rw-r--r--  1 root   root 2088 Nov 26  2008 apache_pb.png
  -rw-r--r--  1 root   root 1797 Nov 26  2008 apache_pb2.gif
  drwxr-xr-x 13 root   root 4096 Apr 19 17:54 cacti
  -rw-r--r--  1 root   root 1406 Apr 24 21:11 favicon.ico
  drwxr-xr-x  2 root   root 4096 Dec 31  2011 gif
  -rw-r--r--  1 root   root   44 Nov 21  2004 index.html
  -rw-r--r--  1 root   root   30 Apr 19 17:45 index.php
  -rw-r--r--  1 root   root 2356 Feb 24  2009 info2html.css
  -rw-r--r--  1 root   root 5116 Apr 30 18:25 overall.html
  drwxr-xr-x  3 wwwrun www  4096 Apr 30 13:39 reports
  -rw-r--r--  1 root   root   26 Mar 28  2013 robots.txt
  lrwxrwxrwx  1 root   root   62 Apr 30 18:25 topten.html -> /srv/www/htdocs/reports/scoreboard/2015-04-30/18/18:23:01.html
  Suse11:~ # ls -al /srv/www/htdocs/reports/
  total 40
  drwxr-xr-x   3 wwwrun www   4096 Apr 30 13:39 .
  drwxr-xr-x  10 root   root  4096 Apr 30 18:25 ..
  drwxr-xr-x 842 wwwrun www  32768 Apr 30 18:10 scoreboard
  

  5.2 Web interface configuration
  The main setting is the $rrddir directory in CUGrapher.pl, which has to match OutputDir in CUFlow.cf
  Suse11:~ # head -30 /srv/www/cgi-bin/CUGrapher.pl
  #! /usr/bin/perl -w
  

  # CUGrapher.pl
  # $Revision: 1.53 $
  # Author: Matt Selsky <selsky@columbia.edu>
  # Contact for help: <cuflow-users@columbia.edu>
  

  # (c) 2002 - 2005 The Trustees of Columbia University in the City of New York
  # License restrictions apply, see COPYING for details.
  

  use strict;
  use CGI::Pretty qw(-nosticky :standard);
  use RRDs;
  use Digest::MD5 qw(md5_hex);
  

  ### Local settings ###
  

  # directory with rrd files
  #my $rrddir = "/srv/www/htdocs/graphs";
  my $rrddir = "/var/netflow/flowscan/graphs";
  # default number of hours to go back
  my $hours = 48;
  # duration of graph, starting from $hours ago
  my $duration;
  # organization name
  my $organization = "Camp Net";
  # default graph width
  my $width = 640;
  # default graph height
  my $height = 320;
  Suse11:~ # cat -n  /srv/www/cgi-bin/CUGrapher.pl |grep hours
  21  # default number of hours to go back
  22  my $hours = 48;
  23  # duration of graph, starting from $hours ago
  143      my %hours = ( 3 => '3 hours',
  144                    6 => '6 hours',
  145                    12 => '12 hours',
  146                    24 => '24 hours',
  147                    36 => '36 hours',
  148                    48 => '48 hours',
  154                    $q->popup_menu( -name => 'hours',
  155                                    -values => [sort {$a <=> $b} keys %hours],
  156                                    -default => $hours,
  157                                    -labels => \%hours ) );
  184                                    -values => ['', sort {$a <=> $b} keys %hours],
  185                                    -labels => \%hours ) );
  324      if( param('hours') ) {
  325          if( param('hours') =~ /^\d+$/ ) { $hours = param('hours') }
  326          else { &browserDie( "Invalid hours parameter" ) }
  334      } else { $duration = $hours; }
  661                   "--start=".(time - $hours*60*60),
  662                   "--end=".(time - $hours*60*60 + $duration*60*60),
  Suse11:~ # grep -v \#  /etc/apache2/default-server.conf |more
  

  DocumentRoot "/srv/www/htdocs"
  

  <Directory "/srv/www/htdocs">
  Options FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
  </Directory>
  

  Alias /icons/ "/usr/share/apache2/icons/"
  

  <Directory "/usr/share/apache2/icons">
  Options Indexes MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all
  </Directory>
  

  ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
  

  <Directory "/srv/www/cgi-bin">
  AllowOverride None
  Options +ExecCGI -Includes
  Order allow,deny
  Allow from all
  </Directory>
  

  <IfModule mod_userdir.c>
  UserDir public_html
  Include /etc/apache2/mod_userdir.conf
  </IfModule>
  

  Include /etc/apache2/conf.d/*.conf
  Include /etc/apache2/conf.d/apache2-manual?conf
  

  Suse11:~ #
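The default-server.conf above serves /cgi-bin (and with it CUGrapher.pl, which runs rrdtool graph on behalf of whoever requests it) and the scoreboard pages with Allow from all. As an added example, not taken from the post, the following Apache 2.2 fragment keeps the same ScriptAlias and Options but limits those paths to the internal subnet. The network 172.16.100.0/24 is assumed from the Subnet line in CUFlow.cf; replace it with your own management network.

```apache
# Added example, not from the original page. Apache 2.2 syntax (Order/Allow/Deny),
# matching the version shown in section 2.1.

ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

<Directory "/srv/www/cgi-bin">
    AllowOverride None
    Options +ExecCGI -Includes
    # Assumption: only the internal subnet from CUFlow.cf should reach CUGrapher.pl
    Order deny,allow
    Deny from all
    Allow from 172.16.100.0/24
</Directory>

<Directory "/srv/www/htdocs">
    # FollowSymLinks stays on: topten.html is a symlink into reports/scoreboard
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    # The two CUFlow summary pages at the document root
    <FilesMatch "^(topten|overall)\.html$">
        Order deny,allow
        Deny from all
        Allow from 172.16.100.0/24
    </FilesMatch>
</Directory>

<Directory "/srv/www/htdocs/reports">
    # Historical scoreboard reports written by CUFlow
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 172.16.100.0/24
</Directory>
```

After editing, check the syntax with apache2ctl -t before restarting, and verify from a host outside the subnet that /cgi-bin/CUGrapher.pl returns 403 while it still answers from 172.16.100.0/24.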
  

  5.3 Web interface URLs
  http://172.16.100.8:88/cgi-bin/CUGrapher.pl
  http://172.16.100.8:88/overall.html
  http://172.16.100.8:88/topten.html
  

Thread: https://www.yunweiku.com/thread-478839-1-1.html