Flow-tools Tutorial

SANOG 6 Bhutan

Agenda
Network flows Cisco / Juniper implementation NetFlow Cisco / Juniper Configuration flow-tools programs overview and examples from Abilene and OhioGigapop

Network Flows
Packets or frames that have a common attribute. Creation and expiration policy what conditions start and stop a flow. Counters packets,bytes,time. Routing information AS, network mask, interfaces.

Network Flows
Unidirectional or bidirectional. Bidirectional flows can contain other information such as round trip time, TCP behavior. Application flows look past the headers to classify packets by their contents. Aggregated flows flows of flows.

Unidirectional Flow with Source/Destination IP Key

% telnet 10.0.0.2 10.0.0.1 login:

10.0.0.2

Active Flows
Flow Source IP Destination IP

1 10.0.0.1 2 10.0.0.2

10.0.0.2 10.0.0.1

Unidirectional Flow with Source/Destination IP Key

% telnet 10.0.0.2 % ping 10.0.0.2 10.0.0.1 login: ICMP echo reply 10.0.0.2

Active Flows
Flow Source IP Destination IP

1 10.0.0.1 2 10.0.0.2

10.0.0.2 10.0.0.1

Unidirectional Flow with IP, Port,Protocol Key

% telnet 10.0.0.2 % ping 10.0.0.2 10.0.0.1 login: ICMP echo reply 10.0.0.2

Active Flows
Flow Source IP Destination IP prot srcPort dstPort

1 2 3 4

10.0.0.1 10.0.0.2 10.0.0.1 10.0.0.2

10.0.0.2 10.0.0.1 10.0.0.2 10.0.0.1

TCP TCP ICMP ICMP

32000 23 0 0

23 32000 0 0

Bidirectional Flow with IP, Port,Protocol Key

% telnet 10.0.0.2 % ping 10.0.0.2 10.0.0.1 login: ICMP echo reply 10.0.0.2

Active Flows
Flow Source IP Destination IP prot srcPort dstPort

1 10.0.0.1 2 10.0.0.1

10.0.0.2 10.0.0.2

TCP 32000 23 ICMP 0 0

Application Flow
% netscape http://10.0.0.2/9090 10.0.0.1 Web server on Port 9090

Content-type:

10.0.0.2

Active Flows
Flow Source IP Destination IP Application

1 10.0.0.1

10.0.0.2

HTTP

Aggregated Flow
Main Active flow table
Flow Source IP Destination IP prot srcPort dstPort

1 2 3 4

10.0.0.1 10.0.0.2 10.0.0.1 10.0.0.2

10.0.0.2 10.0.0.1 10.0.0.2 10.0.0.1

TCP TCP ICMP ICMP

32000 23 0 0

23 32000 0 0

Source/Destination IP Aggregate
Flow Source IP Destination IP

1 10.0.0.1 2 10.0.0.2

10.0.0.2 10.0.0.1

Flow Descriptors
A Key with more elements will generate more flows. Greater number of flows leads to more post processing time to generate reports, more memory and CPU requirements for device generating flows. Depends on application. Traffic engineering vs. intrusion detection.

Flow Accounting
Accounting information accumulated with flows. Packets, Bytes, Start Time, End Time. Network routing information masks and autonomous system number.

Flow Collection
Passive monitor. Router other existing network device.

Passive Monitor Collection

Workstation A

Workstation B

Flow probe connected to switch port in traffic mirror mode

Campus

Router Collection
LAN LAN

LAN

LAN

Internet Flow collector stores exported flows from router.

Passive Monitor
Directly connected to a LAN segment via a switch port in mirror mode, optical splitter, or repeated segment. Generate flows for all local LAN traffic. Must have an interface or monitor deployed on each LAN segment. Support for more detailed flows bidirectional and application.

Router Collection
Router will generate flows for traffic that is directed to the router. Flows are not generated for local LAN traffic. Limited to simple flow criteria (packet headers). Generally easier to deploy no new equipment.

Cisco NetFlow
Unidirectional flows. IPv4 unicast and multicast. Aggregated and unaggregated. Flows exported via UDP. Supported on IOS and CatIOS platforms. Catalyst NetFlow is different implementation.

Cisco NetFlow Versions

4 Unaggregated types (1,5,6,7). 14 Aggregated types (8.x). Each version has its own packet format. Version 1 does not have sequence numbers no way to detect lost flows. The version defines what type of data is in the flow. Some versions specific to Catalyst platform.

NetFlow v1
Key fields: Source/Destination IP, Source/Destination Port, IP Protocol, ToS, Input interface. Accounting: Packets, Octets, Start/End time, Output interface Other: Bitwise OR of TCP flags.

NetFlow v5
Key fields: Source/Destination IP, Source/Destination Port, IP Protocol, ToS, Input interface. Accounting: Packets, Octets, Start/End time, Output interface. Other: Bitwise OR of TCP flags, Source/Destination AS and IP Mask. Packet format adds sequence numbers for detecting lost exports.

NetFlow v8
Aggregated v5 flows. 3 Catalyst 65xx specific that correspond to the configurable flow mask. Much less data to post process, but lose fine granularity of v5 no IP addresses.

NetFlow v8
AS Protocol/Port Source Prefix Destination Prefix Prefix Destination (Catalyst 65xx) Source/Destination (Catalyst 65xx) Full Flow (Catalyst 65xx)

NetFlow v8
ToS/AS ToS/Protocol/Port ToS/Source Prefix ToS/Destination Prefix Tos/Source/Destination Prefix ToS/Prefix/Port

NetFlow Packet Format

Common header among export versions. All but v1 have a sequence number. Version specific data field where N records of data type are exported. N is determined by the size of the flow definition. Packet size is kept under ~1480 bytes. No fragmentation on Ethernet.

NetFlow v5 Packet Example

IP/UDP packet NetFlow v5 header v5 record v5 record

NetFlow v5 Packet (Header)

struct ftpdu_v5 { /* 24 byte header */ u_int16 version; u_int16 count; u_int32 sysUpTime; u_int32 unix_secs; u_int32 unix_nsecs; u_int32 flow_sequence; u_int8 engine_type; u_int8 engine_id; u_int16 reserved; /* /* /* /* /* /* /* /* 5 */ The number of records in the PDU */ Current time in millisecs since router booted */ Current seconds since 0000 UTC 1970 */ Residual nanoseconds since 0000 UTC 1970 */ Seq counter of total flows seen */ Type of flow switching engine (RP,VIP,etc.) */ Slot number of the flow switching engine */

NetFlow v5 Packet (Records)

/* 48 byte payload */ struct ftrec_v5 { u_int32 srcaddr; /* Source IP Address */ u_int32 dstaddr; /* Destination IP Address */ u_int32 nexthop; /* Next hop router's IP Address */ u_int16 input; /* Input interface index */ u_int16 output; /* Output interface index */ u_int32 dPkts; /* Packets sent in Duration */ u_int32 dOctets; /* Octets sent in Duration. */ u_int32 First; /* SysUptime at start of flow */ u_int32 Last; /* and of last packet of flow */ u_int16 srcport; /* TCP/UDP source port number or equivalent */ u_int16 dstport; /* TCP/UDP destination port number or equiv */ u_int8 pad; u_int8 tcp_flags; /* Cumulative OR of tcp flags */ u_int8 prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ u_int8 tos; /* IP Type-of-Service */ u_int16 src_as; /* originating AS of source address */ u_int16 dst_as; /* originating AS of destination address */ u_int8 src_mask; /* source address prefix mask bits */ u_int8 dst_mask; /* destination address prefix mask bits */ u_int16 drops; } records[FT_PDU_V5_MAXFLOWS]; };

NetFlow v8 Packet Example (AS Aggregation)

IP/UDP packet NetFlow v8 header v8 record v8 record

NetFlow v8 AS agg. Packet

struct ftpdu_v8_1 { /* 28 byte header */ u_int16 version; /* 8 */ u_int16 count; /* The number of records in the PDU */ u_int32 sysUpTime; /* Current time in millisecs since router booted */ u_int32 unix_secs; /* Current seconds since 0000 UTC 1970 */ u_int32 unix_nsecs; /* Residual nanoseconds since 0000 UTC 1970 */ u_int32 flow_sequence; /* Seq counter of total flows seen */ u_int8 engine_type; /* Type of flow switching engine (RP,VIP,etc.) */ u_int8 engine_id; /* Slot number of the flow switching engine */ u_int8 aggregation; /* Aggregation method being used */ u_int8 agg_version; /* Version of the aggregation export */ u_int32 reserved; /* 28 byte payload */ struct ftrec_v8_1 { u_int32 dFlows; /* Number of flows */ u_int32 dPkts; /* Packets sent in duration */ u_int32 dOctets; /* Octets sent in duration */ u_int32 First; /* SysUpTime at start of flow */ u_int32 Last; /* and of last packet of flow */ u_int16 src_as; /* originating AS of source address */ u_int16 dst_as; /* originating AS of destination address */ u_int16 input; /* input interface index */ u_int16 output; /* output interface index */ } records[FT_PDU_V8_1_MAXFLOWS]; };

Cisco IOS Configuration

Configured on each input interface. Define the version. Define the IP address of the collector (where to send the flows). Optionally enable aggregation tables. Optionally configure flow timeout and main (v5) flow table size. Optionally configure sample rate.

Cisco IOS Configuration

interface FastEthernet0/0/0 ip address 10.0.0.1 255.255.255.0 no ip directed-broadcast ip route-cache flow interface ATM1/0/0 no ip address no ip directed-broadcast ip route-cache flow interface Loopback0 ip address 10.10.10.10 255.255.255.255 no ip directed-broadcast ip flow-export version 5 origin-as ip flow-export destination 10.0.0.10 5004 ip flow-export source loopback 0 ip flow-aggregation cache prefix export destination 10.0.0.10 5555 enabled

Cisco IOS Configuration

krc4#sh ip flow export Flow export is enabled Exporting flows to 10.0.0.10 (5004) Exporting using source IP address 10.10.10.10 Version 5 flow records, origin-as Cache for prefix aggregation: Exporting flows to 10.0.0.10 (5555) Exporting using source IP address 10.10.10.10 3176848179 flows exported in 105898459 udp datagrams 0 flows failed due to lack of export packet 45 export packets were sent up to process level 0 export packets were punted to the RP 5 export packets were dropped due to no fib 31 export packets were dropped due to adjacency issues 0 export packets were dropped due to fragmentation failures 0 export packets were dropped due to encapsulation fixup failures 0 export packets were dropped enqueuing for the RP 0 export packets were dropped due to IPC rate limiting 0 export packets were dropped due to output drops

Cisco IOS Configuration

krc4#sho ip ca fl IP packet size distribution (106519M total packets): 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 .002 .405 .076 .017 .011 .010 .007 .005 .004 .005 .004 .004 .003 .002 .002 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .002 .006 .024 .032 .368 .000 .000 .000 .000 .000 .000 IP Flow Switching Cache, 4456704 bytes 36418 active, 29118 inactive, 3141073565 added 3132256745 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Inactive flows timeout in 15 seconds last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-Telnet 2951815 0.6 61 216 42.2 26.6 21.4 TCP-FTP 24128311 5.6 71 748 402.3 15.0 26.3 TCP-FTPD 2865416 0.6 916 843 611.6 34.7 19.8 TCP-WWW 467748914 108.9 15 566 1675.8 4.9 21.6 TCP-SMTP 46697428 10.8 14 370 159.6 4.0 20.1 TCP-X 521071 0.1 203 608 24.7 24.5 24.2 TCP-BGP 2835505 0.6 5 94 3.3 16.2 20.7

Cisco IOS Configuration

krc4#sho ip ca fl TCP-other UDP-DNS UDP-NTP UDP-TFTP UDP-Frag UDP-other ICMP IGMP IPINIP GRE IP-other Total: SrcIf AT5/0/0.4 AT4/0/0.10 AT4/0/0.12 AT1/0/0.1 1620253066 125622144 67332976 37173 68421 493337764 243659509 18601 12246 125763 75976755 3176854246 377.2 29.2 15.6 0.0 0.0 114.8 56.7 0.0 0.0 0.0 17.6 739.6 47 2 1 2 474 17 3 96 69 235 2 33 631 78 76 76 900 479 166 35 52 156 78 619 18001.6 82.5 22.0 0.0 7.5 1990.3 179.7 0.4 0.1 6.9 45.4 24797.4 27.3 4.6 2.7 4.1 111.7 3.8 3.3 941.4 548.4 50.3 3.9 16.2 Pr 06 06 06 06 SrcP 0E4B 04BE 04BE 074C 23.4 24.7 23.4 24.6 21.6 20.2 23.3 8.1 15.2 21.1 22.8 22.6 DstP A029 074C 09BB 04BE Pkts 507 3 646 3

SrcIPaddress 206.21.162.150 132.235.174.9 131.123.59.33 137.99.166.126

DstIf AT1/0/0.1 AT1/0/0.1 AT1/0/0.1 AT4/0/0.10

DstIPaddress 141.219.73.45 137.99.166.126 137.229.58.168 132.235.174.9

Juniper Configration
Sample packets with firewall filter and forward to routing engine. Sampling rate is limited to 7000pps. Fine for traffic engineering, but restrictive for DoS and intrusion detection. Juniper calls NetFlow cflowd.

Juniper Configration
Firewall filter Enable sampling / flows
forwarding-options { sampling { input { family inet { rate 100; } } output { cflowd 10.0.0.16{ port 2055; version 5; } } } }

firewall { filter all { term all { then { sample; accept; } } } }

Juniper Configration
Apply firewall filter to each interface.
interfaces { ge-0/3/0 { unit 0 { family inet { filter { input all; output all; } address 192.148.244.1/24; } } }

Flow-tools
Collection of programs to post process Cisco NetFlow compatible flows. Written in C, designed to be fast (scales to large installations). Includes library (ftlib) for custom applications. Installation with configure;make;make install on most platforms (FreeBSD, Linux, Solaris, BSDi, NetBSD).

flow-capture
Collect NetFlow exports and stores to disk. Built in compression. Manages disk space by expiring older flow files at configurable limits. Detects lost flows by missing sequence numbers and stores with flow metadata.

flow-fanout
Replicate NetFlow UDP streams from one source to many destinations. Destination may be a multicast address.

flow-expire
Expire (remove) old flow files based on disk usage. Same functionality built in to flowcapture. Used when managing disk space in a distributed environment.

Collector Placement and configuration

NetFlow is UDP so the collector should ideally be directly connected to the router to minimize packet loss and IP spoofing risks. No flow control. Undersized collector will drop flows. Monitor netstat s | grep buf and configure syslog so dropped flows will be logged.

flow-print
Formatted output of flow files.
eng1:% flow-print < ft-v05.2002-01-21.093345-0500 | head -15 srcIP dstIP prot srcPort dstPort octets packets 131.238.205.199 194.210.13.1 6 6346 40355 221 5 192.5.110.20 128.195.186.5 17 57040 33468 40 1 128.146.1.7 194.85.127.69 17 53 53 64 1 193.170.62.114 132.235.156.242 6 1453 1214 192 4 134.243.5.160 192.129.25.10 6 80 3360 654 7 132.235.156.242 193.170.62.114 6 1214 1453 160 4 130.206.43.51 130.101.99.107 6 3226 80 96 2 206.244.141.3 128.163.62.17 6 35593 80 739 10 206.244.141.3 128.163.62.17 6 35594 80 577 6 212.33.84.160 132.235.152.47 6 1447 1214 192 4 132.235.157.187 164.58.150.166 6 1214 56938 81 2 129.1.246.97 152.94.20.214 6 4541 6346 912 10 132.235.152.47 212.33.84.160 6 1214 1447 160 4 130.237.131.52 130.101.9.20 6 1246 80 902 15

flow-cat
Concat many flow files or directories of files.
eng1:% ls ft-v05.2002-01-21.160001-0500 ft-v05.2002-01-21.161501-0500 ft-v05.2002-01-21.163001-0500 ft-v05.2002-01-21.164501-0500 eng1:% flow-cat . | flow-print srcIP 138.26.220.46 143.105.55.23 129.15.134.66 132.235.170.19 dstIP 192.5.110.20 18.123.66.15 164.107.69.33 152.30.96.188 prot 17 17 6 6 srcPort 62242 41794 1214 6346 dstPort 33456 41794 2222 1475 octets packets 40 1 40 1 4500 3 128 3 ft-v05.2002-01-21.170001-0500 ft-v05.2002-01-21.171501-0500 ft-v05.2002-01-21.173001-0500 tmp-v05.2002-01-21.174501-0500

flow-merge
Flow-merge is similar to flow-cat except it maintains relative ordering of flows when combining the files. Typically used when combining flows from multiple collectors.

flow-filter
Filter flows based on port, protocol, ASN, IP address, ToS bits, TCP bits, and tags.
eng1% flow-cat . | flow-filter -P119 | flow-print | head -10 srcIP 155.52.46.50 128.223.220.29 155.52.46.50 164.107.115.4 128.223.220.29 128.223.220.29 130.207.244.18 155.52.46.50 198.108.1.146 dstIP 164.107.115.4 129.137.4.135 164.107.115.4 192.58.107.160 129.137.4.135 129.137.4.135 129.22.8.64 164.107.115.4 129.137.4.135 prot 6 6 6 6 6 6 6 6 6 srcPort 33225 52745 33225 60141 52745 52714 36033 33225 17800 dstPort 119 119 119 119 119 119 119 119 119 octets 114 1438382 374 5147961 1356325 561016 30194 130 210720652 packets 2 1022 6 8876 965 398 121 2 216072

flow-split
Split flow files into smaller files. Typically used with flow-stat and graphing. For example if flow files are 1 hour and want 5 minute data points in graph, flow-split can take the 1 hour flow files and generate 5 minute files.

flow-tag
Adds a tag field to flows based on IP exporter, IP prefix, Autonomous System, or next hop. Like flow-filter used with other tools. Used to manage groups of prefixes or ASNs.

flow-header
Display meta information in flow file.
eng1:% flow-header < ft-v05.2002-01-21.093345-0500 # # mode: normal # capture hostname: eng1.oar.net # exporter IP address: 0.0.0.0 # capture start: Mon Jan 21 09:33:45 2002 # capture end: Mon Jan 21 09:45:01 2002 # capture period: 676 seconds # compress: on # byte order: little # stream version: 3 # export version: 5 # lost flows: 0 # corrupt packets: 0 # sequencer resets: 0 # capture flows: 341370 #

flow-stat
Generates reports from flow files. Output is readable and easily imported into graphing programs (gnuplot, etc). IP Address, IP address pairs, ports, packets, bytes, interfaces, next hop, Autonomous System, ToS bits, exporter, and tags.

flow-stat - summary
Total Flows : Total Octets : Total Packets : Total Time (1/1000 secs) (flows): Duration of data (realtime) : Duration of data (1/1000 secs) : Average flow time (1/1000 secs) : Average packet size (octets) : Average flow size (octets) : Average packets per flow : Average flows / second (flow) : Average flows / second (real) : Average Kbits / second (flow) : Average Kbits / second (real) : 24236730 71266806610 109298006 289031186084 86400 88352112 11925.0000 652.0000 2940.0000 4.0000 274.3201 280.5177 6452.9880 6598.7781

flow-stat Source AS % Total

# # src AS # NSFNETTEST14-AS ONENET-AS-1 UONET UPITT-AS CONCERT OHIOU CMU-ROUTER BOSTONU-AS PURDUE STANFORD UR UMN-AGS-NET-AS RISQ-AS PENN-STATE RIT-ASN flows 6.430 2.914 0.600 1.847 1.786 3.961 1.962 1.503 2.185 2.124 1.809 1.612 1.086 2.845 0.796 octets 6.582 4.417 4.052 3.816 2.931 2.601 2.577 2.126 1.994 1.950 1.919 1.895 1.849 1.641 1.601 packets 7.019 3.529 2.484 2.697 2.391 2.140 2.349 1.665 2.157 2.270 1.652 1.788 1.378 2.666 1.414 duration 5.693 3.566 1.979 2.552 1.955 1.655 2.075 1.914 2.507 2.636 1.532 1.938 1.367 2.190 0.830

flow-stat Dest AS % Total

# # dst AS # NSFNETTEST14-AS PENN-STATE CONCERT ONENET-AS-1 STANFORD JANET 0 DFN-WIN-AS CMU-ROUTER UONET PURDUE UMN-AGS-NET-AS UPITT-AS MIT-GATEWAYS RIT-ASN INDIANA-AS flows 6.202 2.037 2.628 2.818 1.915 2.508 0.831 2.349 1.383 0.537 2.029 1.608 1.507 0.677 0.644 0.899 octets 9.564 3.774 3.133 2.434 2.360 2.319 2.187 2.099 2.090 2.067 1.934 1.784 1.707 1.425 1.313 1.285 packets 8.005 2.712 2.888 2.906 2.122 2.150 2.431 1.938 1.972 1.699 1.983 1.664 2.067 1.175 1.243 0.996 duration 6.762 2.153 2.326 3.000 2.195 2.485 2.910 2.359 1.960 1.397 2.177 1.681 2.288 0.806 0.868 0.781

flow-stat Src/Dest AS % Total

# # src AS # GEORGIA-TECH NWU-AS UONET UCLA CONCERT BCNET-AS UONET MIT-GATEWAYS ONENET-AS-1 UONET NOAA-AS DENET NSFNETTEST14-AS ITALY-AS NSFNETTEST14-AS UONET dst AS PENN-STATE 0 CONCERT NSFNETTEST14-AS UONET MIT-GATEWAYS 0 STANFORD NSFNETTEST14-AS PENN-STATE NOAA-FSL UONET UC-DOM UONET CONCERT ITALY-AS flows 0.030 0.008 0.064 0.037 0.052 0.019 0.015 0.032 0.140 0.019 0.018 0.032 0.022 0.016 0.322 0.022 octets 0.965 0.734 0.698 0.568 0.543 0.538 0.536 0.477 0.451 0.439 0.438 0.410 0.365 0.358 0.349 0.349 packets 0.459 0.379 0.438 0.269 0.364 0.274 0.318 0.245 0.263 0.200 0.255 0.189 0.244 0.228 0.335 0.210 duration 0.071 0.170 0.290 0.111 0.221 0.134 0.200 0.073 0.159 0.063 0.031 0.188 0.081 0.117 0.228 0.130

flow-dscan
DoS detection / network scanning tool. Flag hosts which have flows to many other hosts. Flag hosts which are using a large number of TCP/UDP ports. Works better on smaller networks or with flow-filter to limit traffic. For example filter TCP port 25 to detect hosts infected with e-mail worm.

flow-gen
Debugging tool to generate flows.
eng1:% flow-gen -V8.1 | flow-print | head -10 srcAS 0 1 2 3 4 5 6 7 8 dstAS 65280 65281 65282 65283 65284 65285 65286 65287 65288 in 0 1 2 3 4 5 6 7 8 out 65280 65281 65282 65283 65284 65285 65286 65287 65288 flows 2 4 6 8 10 12 14 16 18 octets 1 2 3 4 5 6 7 8 9 packets 1 2 3 4 5 6 7 8 9 duration 4294901760 4294901760 4294901760 4294901760 4294901760 4294901760 4294901760 4294901760 4294901760

flow-send
Transmit flow files with NetFlow protocol to another collector. Can be used to take flow-tools files and send them to other NetFlow compatible collector.

flow-receive
Like flow-capture but does not manage disk space. Output is to standard out and can be used directly with other flowtools programs. Typically used for debugging.
eng1:% flow-receive 0/0/5555 | flow-print flow-receive: New exporter: time=1011652474 src_ip=199.18.112.114 dst_ip=199.18.97.102 d_version=8 srcPrefix srcAS dstPrefix dstAS input output 143.105/16 600 128.9/16 4 48 25 140.141/16 600 150.216/16 81 48 25 132.235/16 17135 130.49/17 4130 38 25 131.123/16 11050 129.59/16 7212 42 25 206.21/16 600 128.239/16 11975 48 25 199.218/16 600 128.255/16 3676 48 25

flows 1 4 25 1 2 1

flow-import
Import flows from other formats into flow-tools. Currently supports ASCII and cflowd formats.

flow-export
Export flows from flow-tools files to other formats. Currently supports ASCII and cflowd formats. ASCII output can be used with perl or other scripting languages (with a performance penalty).

flow-xlate
Translate flows among NetFlow versions. Originally intended for use with Catalyst switches since they export some flows in version 7 and others in version 5 format.

References
flow-tools: http://www.splintered.net/sw/flow-tools NetFlow Applications
http://www.inmon.com/technology/netflowapps.php http://www.linuxgeek.org/netflow-howto.php

Netflow HOW-TO

IETF standards effort: http://ipfix.doit.wisc.edu

References
flow-tools: http://www.splintered.net/sw/flow-tools Abilene NetFlow page http://www.itec.oar.net/abilene-netflow Flow-tools mailing list: [email protected] Cisco Centric Open Source Community
http://cosi-nms.sourceforge.net/related.html

More Info
e-mail : gaurab @ lahai.com On the web : http://lahai.com/netmgmt/