I was trying to track down some extra traffic we were seeing across a FDDI XP. Downgrading to 11.1.?? or whatever that supports cflowd with the right flow-export verion wasn't a quick option. So I wrote a little program... But first, an even quicker hack: Step (1) grab 'sho ip cache flow' output on the router to a file. Then: % grep "^Fd4/1/0" flow | grep " Fd4/1/0 " | more Will show you all flows (w/ source and dest IP, of course) which came in and went out your FDDI. If someone's defaulting to you, this should actually catch it. But to be more thorough, also grab your transit routes (for us it's 'sho ip bgp community-list 4') to a file. Then run the following little perl program. It'll spit out lines of flows that came in your Fddi interface destined to IPs that you're not transitting. Also, set the $srcif variable below to the appropriate value for your router. If I feel frisky I'll spend a few minutes and integrate chat2.pl stuff so you don't have to grab the data by hand - or someone else is welcome to... Avi --------------------- #!/usr/local/bin/perl # By Avi Freedman/Net Access (freedman@netaxs.com), 2/26/98 # Do with as you will. # Expand $cidrtable if you announce routes < /16. # Don't run with routes < /13 unless you have lots of time and swap space. # Put your transit routes in ./routes. # Put your 'sho ip cache flow' output in ./flow. # Set $srcif - it must be the EXACT way it's represented in the flow output. $srcif = "Fd4/1/0"; $cidrtable{16} = 256; $cidrtable{17} = 128; $cidrtable{18} = 64; $cidrtable{19} = 32; $cidrtable{20} = 16; $cidrtable{21} = 8; $cidrtable{22} = 4; $cidrtable{23} = 2; open(IN, "routes"); while (<IN>) { $new = substr($_, 3, 100); if ($new =~ /\//) { # set cidr routes if ($new =~ /^(\d*)\.(\d*)\.(\d*)\.0\/(\d*)/) { for ($i = $3; $i < $3 + $cidrtable{$4}; $i++) { $ok{"$1.$2.$i"} = 1; } } } else { if ($new =~ /^(\d*)\.(\d*)\.(\d*)\.0/) { # set an individual /24 unless it ends in ".0.0" - we should do better if ($3 != 0) { $ok{"$1.$2.$3"} = 1; } else { for ($i = 0 ; $i < 256 ; $i++) { $ok{"$1.$2.$i"} = 1; } } } } } close(IN); open(IN, "flow"); while (<IN>) { ($src, $srcip, $dst, $dstip) = split(' ', $_); if ($src eq $srcif && $dstip =~ /^(\d*)\.(\d*)\.(\d*)\.(\d*)$/) { if (!$ok{"$1.$2.$3"}) { print $_; } } }
participants (1)
-
Avi Freedman