[rrd-users] Re: Big rrd files (too big !)

paul pluap at xs4all.nl
Thu May 19 23:55:17 MEST 2005 

I have done similar, however used a different approach.

using flowcat, flowfilter etc generated the output I needed. From the analysis of this data, I created a list of most frequent used ports (ssh, telnet, ftp, rdp etc)

make sure you have a totaldata variable somewhere, to have a reference on the data found.

create a job to update these specific ports. add rrd db for tcp, udp and icmp

create a graph where the data of all ports is stacked using different colors. On top, the line with totaldata and color the difference.

In the same graph, multiplied by -1, create a graph for tcp, udp and icmp

For me, this has given a great insight in traffic patterns and analysis if things were different than normal.

Additionally, I created a small job to display the top50 from netflow in a table on a webserver - combined with the rrd graph, the tooling to defend.

hth

paul

On Thu, 19 May 2005 15:41:54 -0500
"Vial, Sylvain" <Sylvain.Vial-1 at ou.edu> wrote:

> Hello,
>  
> I'm actually working on a perl script to provide the top ten for source
> ip addresses and destination ports for the tcp/udp protocols.
> I use the netflow tools (flow-cat, flow-report) to generate top ten and
> I've created rrd files to generate graph as you can find on the honeynet
> brazilian project 
> (http://www.honeypots-alliance.org.br/stats/flows/tcp-udp/).
> My problem is that I generate rrd for each ip address and each port I
> detect in my ft files (flow capture).
> Each file takes 3MB of hard disk space, so it takes finally a huge space
> on my pc.
> I'm like a rookie with rrdtool and perl, so if someone could explain me
> why it takes so much space and if it exits a better way to realize the
> same thing as brazilian.br, it will be great.
> Thanks for your help.
>  
> Sylvain VIAL
> --
> Unsubscribe mailto:rrd-users-request at list.ee.ethz.ch?subject=unsubscribe
> Help        mailto:rrd-users-request at list.ee.ethz.ch?subject=help
> Archive     http://lists.ee.ethz.ch/rrd-users
> WebAdmin    http://lists.ee.ethz.ch/lsg2.cgi
> 
> 

--
Unsubscribe mailto:rrd-users-request at list.ee.ethz.ch?subject=unsubscribe
Help        mailto:rrd-users-request at list.ee.ethz.ch?subject=help
Archive     http://lists.ee.ethz.ch/rrd-users
WebAdmin    http://lists.ee.ethz.ch/lsg2.cgi

More information about the rrd-users mailing list