<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN">
<refentry>

<refmeta>
<refentrytitle>
<application>flow-rpt2rrd</application>
</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>

<refnamediv>
<refname>
<application>flow-rpt2rrd</application>
</refname>
<refpurpose>
Convert flow-report CSV output to RRDtool format.
</refpurpose>
</refnamediv>

<refsynopsisdiv>
<cmdsynopsis>
<command>flow-rpt2rrd</command>
<arg>-nv</arg>
<arg>-d<replaceable> debug_level</replaceable></arg>
<arg>-k<replaceable> keys</replaceable></arg>
<arg>-K<replaceable> keys_file</replaceable></arg>
<arg>-f<replaceable> fields</replaceable></arg>
<arg>-p<replaceable> rrd_path</replaceable></arg>
<arg>-P<replaceable> rrd_postfix</replaceable></arg>
<arg>-r<replaceable> rrd_storage</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>

<refsect1>
<title>DESCRIPTION</title>
<para>
The <command>flow-rpt2rrd</command> utility converts the CSV output of
flow-report into RRDtool format.  The aggregates for each key are
stored as a DS in the RRD file named {rrd_path,"/",key,rrd_postfix,".rrd"}.
By default a DS is created for flows, octets, and packets.  Keys
must be specified; for example, an ip-port report could use smtp,nntp,ssh,telnet
as the keys, which would create a separate RRD for each key.
</para>
</refsect1>

<refsect1>
<title>OPTIONS</title>
<variablelist>

<varlistentry>
<term>-d<replaceable> debug_level</replaceable></term>
<listitem>
<para>
Set debug level to debug_level (debugging code).
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>-h</term>
<listitem>
<para>
Help.
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>-k<replaceable> keys</replaceable>|<replaceable>html</replaceable></term>
<listitem>
<para>
Comma separated list of key values.  If the report has symbols
then the key must be the symbol, i.e. smtp, not 25.
The totals_* lines
may be used if they are enabled in the report.  There is no default;
keys must be specified with -k or -K.
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>-K<replaceable> keys_file</replaceable></term>
<listitem>
<para>
Load keys from <replaceable>keys_file</replaceable>.  See -k.
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>-f</term>
<listitem>
<para>
Comma separated list of columns to store.  Each column maps to a DS in the
RRD.  Defaults to flows,octets,packets.
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>-n</term>
<listitem>
<para>
Enable symbol table lookups.  For example TCP port 25 = smtp.  This will
result in RRD file names with the symbolic names if symbol lookups were
not enabled in the report.
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>-p<replaceable> rrd_path</replaceable></term>
<listitem>
<para>
Set path to RRD files.  Defaults to ".".
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>-P<replaceable> rrd_postfix</replaceable></term>
<listitem>
<para>
Set RRD file name postfix.  Defaults to "".
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>-r<replaceable> rrd_storage</replaceable></term>
<listitem>
<para>
Set RRD storage for 5 minute, 30 minute, 2 hour, and 1 day databases.  List
items are colon (:) separated.  Defaults to 600:600:600:732.
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>-v</term>
<listitem>
<para>
Enable verbose output.
</para>
</listitem>
</varlistentry>

</variablelist>
</refsect1>

<refsect1>
<title>EXAMPLES</title>
<informalexample>
<screen>
The following example shows the combined use of flow-nfilter (inline),
flow-report, and flow-rpt2rrd to create an RRD depicting traffic
from clmbo-r4 to AS 10796 and 6478 for 2004-11-08.
rrdtool graph is
then used to create a .png.

#!/bin/sh

cat << EOF>report.cfg

include-filter nfilter.cfg

stat-report CLMBO-R4-TO-INTERNET-BY-DESTINATION-AS
  type destination-as
  filter CLMBO-R4-INTERNET-OUT
  scale 100
  output
    options +header,+xheader
    fields -duration

stat-definition 5min-summaries
  report CLMBO-R4-TO-INTERNET-BY-DESTINATION-AS
EOF

cat << EOF>nfilter.cfg
# ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName.46 = so-0/0/0.0
filter-primitive CLMBO-R4-INTERNET
  type ifindex
  permit 46

# Match on traffic to the Internet
filter-definition CLMBO-R4-INTERNET-OUT
  match output-interface CLMBO-R4-INTERNET
EOF

mkdir -p rrds

# 5 minute flow files from flow-capture are here
FLOW_DATA=/flows/clmbo-r4/2004-11-08/

# for each 5 minute flow file, aggregate with flow-report then store to RRD
for name in "$FLOW_DATA"/*; do
  echo "working...$name"
  flow-report -s report.cfg -S5min-summaries < "$name" | flow-rpt2rrd -k10796,6478 -p rrds
done

# first flow - 0:1:23 11/8/2004
START=1099890083
# last flow - 0:1:25 11/9/2004
END=1099976485

rrdtool graph CLMBO-R4-TO-INTERNET.png --start $START --end $END \
  --vertical-label "Bits/Second" --title="CLMBO-R4 TO INTERNET BY AS" \
  DEF:AS10796in=rrds/10796.rrd:octets:AVERAGE \
  DEF:AS6478in=rrds/6478.rrd:octets:AVERAGE \
  CDEF:b_AS10796in=AS10796in,8,* \
  CDEF:b_AS6478in=AS6478in,8,* \
  LINE1:b_AS10796in#FF0000:AS10796-in \
  LINE1:b_AS6478in#555555:AS6478-in

</screen>
</informalexample>

</refsect1>


<refsect1>
<title>BUGS</title>
<para>
Hard coded to expect 5 minute flow file intervals.  Does not properly parse
flow-report time-series output.
</para>
</refsect1>

<refsect1>
<title>AUTHOR</title>
<para>
<author>
<firstname>Mark</firstname>
<surname>Fullmer</surname>
</author>
<email>maf@splintered.net</email>
</para>
</refsect1>

<refsect1>
<title>SEE ALSO</title>
<para>
<application>flow-tools</application>(1)
</para>
</refsect1>

</refentry>