?[IPNet]


NetFlow is a sort of ?IP accounting data spat out by Cisco routers. There's lots of stuff out there that works with NetFlow data, most of it abysmally documented. "flow-tools" is the exception and is fairly easy to use.

Once you've turned on NetFlow on your router, you can point "flow-capture" at its IP address and port. That should immediately start accumulating reams of data (in /var/flow/myrouter/... by default). To see what it's doing, try something like "flow-print < /var/flow/myrouter/... || less"

You do need lots of disk space for this. Depending on the amount of traffic on your site, this can produce tens (hundreds?) of Mb/day!

An alternative to flow-tools might be something called "New NetFlow Collector" (nnfc), which can even write NetFlow data to an rdb. Do a "make --with-mysql" [that's "dash-dash-with-mysql"] and edit its config file. I found I needed to add "modules/mysql.so" to its modules stanza. Since conversing with nnfc's author, he now even has a Debian init script that should come with future releases.

The latest, sexy new tool related to NetFlow data is Cacti, which prettifies NetFlow output using PHP and Apache.