Wednesday, November 24, 2010

How to monitor network traffic with a CISCO switch/router and ntop


ntop is a traffic monitoring program: http://www.ntop.org/

* ntop host: http://192.168.1.1:3000 (FreeBSD server)
* switch: CISCO GSR 12012 (hostname sw1)


(1) First, do some setup on the switch/router

Enter this command in IOS:

sw1# show ip flow export

Flow export is enabled
Exporting flows to 192.168.1.1 (2055)
Exporting using source interface POS4/0 <---------(key point)
Version 5 flow records
774916459 flows exported in 25831727 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
739 export packets were dropped due to IPC rate limiting
9241 export packets were dropped due to output drops


(2) Check whether the export source is the one you want; if not, set it with the following command (here assuming POS3/2 is the interface you want):

Note that ip flow-export source only chooses which interface's address the export datagrams are sent from, so it is the address the ntop host sees the flows coming from; which traffic actually gets collected is decided per interface in step (3).

sw1(config)#ip flow-export source pos3/2


Afterwards the (key point) line from step (1) will show:

Exporting using source interface POS3/2 <---------(key point)


(3) Then go into interface POS3/2 and enable flow collection on it:

sw1(config-if)#ip route-cache flow


(4) Open the ntop web interface at http://192.168.1.1:3000

In the Admin menu at the top, choose Switch NIC to open that page

Select the already configured switch1 and press Switch NIC



(5) From the IP menu at the top choose Summary, then Traffic

Then look at the top of the sorted list: that is your culprit.


(One more point: when adding a new host, be sure to point the export at the ntop host's IP and port.)

Example (192.168.1.1 is the ntop host's IP, 2055 the UDP port it listens on):
sw1(config)#ip flow-export version 5
sw1(config)#ip flow-export destination 192.168.1.1 2055
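What the router sends after steps (1)-(3) is a stream of NetFlow v5 datagrams to UDP port 2055 on the ntop host; ntop parses them and builds the Traffic ranking used in step (5). The following Python script is an added example, not code from the original post or from ntop: it parses v5 datagrams, ranks source addresses by bytes, uses the cumulative sequence counter to detect dropped export packets (the drop counters in show ip flow export are the router-side view of the same thing), and, because v5 is plain unauthenticated UDP, ignores datagrams that do not come from the router's export source address. The exporter address 10.0.0.1 and the three flow records are constructed assumptions; the post does not give the IP of POS3/2.

```python
# Collector side of steps (1)-(3): parse NetFlow v5 from UDP/2055, rank by bytes.
import socket
import struct
from collections import Counter, namedtuple

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte header, big-endian
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

Header = namedtuple("Header", "version count sys_uptime unix_secs unix_nsecs "
                              "flow_sequence engine_type engine_id sampling")
Flow = namedtuple("Flow", "src dst packets octets srcport dstport proto")

# Hypothetical address of the router's export source interface (POS3/2 in the
# post, whose IP is not given). v5 is plain unauthenticated UDP, so checking the
# sender address is the only thing keeping forged flow data out of the ranking.
EXPECTED_EXPORTER = "10.0.0.1"

def parse_netflow_v5(datagram):
    """Return (Header, [Flow, ...]); raise ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    hdr = Header(*HEADER.unpack_from(datagram, 0))
    if hdr.version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % hdr.version)
    if not 1 <= hdr.count <= 30:                    # v5 carries at most 30 records
        raise ValueError("bad record count %d" % hdr.count)
    if len(datagram) != HEADER.size + hdr.count * RECORD.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(hdr.count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # r[0]=srcaddr r[1]=dstaddr r[5]=dPkts r[6]=dOctets r[9]/r[10]=ports r[13]=prot
        flows.append(Flow(socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]),
                          r[5], r[6], r[9], r[10], r[13]))
    return hdr, flows

def is_well_formed(datagram):
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False

def accept(datagram, sender_ip, expected=EXPECTED_EXPORTER):
    """Parse only datagrams from the configured exporter; None for any other."""
    return parse_netflow_v5(datagram) if sender_ip == expected else None

def top_talkers(flows, n=5):
    """Bytes per source address, largest first: element 0 is the culprit."""
    octets = Counter()
    for f in flows:
        octets[f.src] += f.octets
    return octets.most_common(n)

def flows_lost(prev_hdr, hdr):
    """Flows missing between consecutive datagrams (cumulative flow_sequence).
    Nonzero means export packets were dropped on the way to the collector."""
    return hdr.flow_sequence - (prev_hdr.flow_sequence + prev_hdr.count)

def build_datagram(flows, flow_sequence=0):
    """Encode flows as one v5 datagram; used here only to build sample input."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\0\0\0\0",
                    1, 2, f.packets, f.octets, 0, 1000, f.srcport, f.dstport,
                    0, 0x18, f.proto, 0, 0, 0, 24, 24, 0)
        for f in flows)
    hdr = HEADER.pack(5, len(flows), 123456, 1290556800, 0, flow_sequence, 0, 0, 0)
    return hdr + body

# Constructed sample: three flows, 10.1.1.5 is the heavy sender.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "8.8.8.8", 1000, 1500000, 51234, 80, 6),
    Flow("10.1.1.7", "1.1.1.1", 200, 30000, 41000, 443, 6),
    Flow("10.1.1.5", "9.9.9.9", 50, 60000, 51235, 53, 17),
]
SAMPLE_DATAGRAM = build_datagram(SAMPLE_FLOWS, flow_sequence=100)

def collect(port=2055):
    """Live loop: bind where ntop would and print a ranking per datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    last = None
    while True:
        data, (sender, _) = sock.recvfrom(65535)
        try:
            parsed = accept(data, sender)
        except ValueError:
            parsed = None
        if parsed is None:            # malformed, or not from our exporter
            continue
        hdr, flows = parsed
        if last and flows_lost(last, hdr):
            print("sequence gap: %d flows lost" % flows_lost(last, hdr))
        last = hdr
        print(top_talkers(flows))

if __name__ == "__main__":
    _, flows = accept(SAMPLE_DATAGRAM, EXPECTED_EXPORTER)
    print(top_talkers(flows))  # [('10.1.1.5', 1560000), ('10.1.1.7', 30000)]
```

Run it as-is to see the ranking on the constructed datagram; call collect() on a port ntop is not already bound to if you want to watch the router's live exports. The sender-address filter is what ties step (2) to the collector: if you change ip flow-export source, the address the collector must expect changes with it.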
