The netflow accounting system based on JKFlow is a dynamic, XML-configurable reporting tool for network traffic. This page describes the logic flow of the program, including the behaviour of the code in flowscan and JKFlow.pm and how the configuration in JKFlow.xml and flowscan.cf affects that behaviour.
Flowscan
This is the main executable file. All other modules and dependent subroutines are called from within it. Flowscan assumes that flow-files containing raw flow information are constantly being generated in a folder on the system. The location of this folder is specified in flowscan.cf by the identifier FlowFileGlob. Flow-files are generally named so that the name carries a timestamp indicating when the file was generated. In the current configuration, a flow-file is generated every minute. For example, the following listing of /var/flows/flows shows two flow-files currently in the directory.
akbar@iepm-resp $ ls -rtl /var/flows/flows
total 552
-rw-r--r-- 1 akbar sg 224688 Apr 11 19:06 USA-ft-v05.2007-03-21.121300-0400
-rw-r--r-- 1 akbar sg 261616 Apr 11 19:06 USA-ft-v05.2007-03-21.121200-0400
The basic job of flowscan is to pick up the files present in the flow-file folder (such as /var/flows/flows) and process them, in order of their timestamps, using a reporting module such as JKFlow.pm. It runs in an infinite loop, repeatedly checking /var/flows/flows for new flow-files; any that are present are processed, and each flow-file is deleted as it is processed by the reporting module. The choice of reporting module is also configurable and is specified in flowscan.cf using the identifier ReportClasses.
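The following Python illustration of one pass of that loop is an added example, not code from flowscan (which is Perl) or from this page. It orders files by the timestamp in their names, since the two files in the listing show the same modification time, and deletes each file only after it has been reported. The name layout is inferred from the listing; the function names, the `report` callback and the rule of skipping names without a timestamp are assumptions.

```python
import glob
import os
import re
import tempfile
from datetime import datetime

# Name layout inferred from the listing: <prefix>.YYYY-MM-DD.HHMMSS<+/-HHMM>
NAME_RE = re.compile(r"\.(\d{4}-\d{2}-\d{2})\.(\d{6})([+-]\d{4})$")


def flow_timestamp(path):
    """Return the timezone-aware timestamp embedded in a flow-file name, or None."""
    m = NAME_RE.search(os.path.basename(path))
    if not m:
        return None
    return datetime.strptime("".join(m.groups()), "%Y-%m-%d%H%M%S%z")


def process_pending(flow_file_glob, report):
    """One pass of the loop: report each flow-file oldest first, then delete it."""
    stamped = [(flow_timestamp(p), p) for p in glob.glob(flow_file_glob)]
    done = []
    for ts, path in sorted((ts, p) for ts, p in stamped if ts is not None):
        report(path)      # hypothetical stand-in for the reporting module
        os.remove(path)   # reached only if report() returned without raising
        done.append(os.path.basename(path))
    return done


def demo():
    """Run one pass over constructed, empty sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        names = ["USA-ft-v05.2007-03-21.121300-0400",
                 "USA-ft-v05.2007-03-21.121200-0400",
                 "tmp-USA-ft-v05.partial"]  # constructed name, no timestamp
        for n in names:
            open(os.path.join(d, n), "w").close()
        seen = []
        done = process_pending(os.path.join(d, "*"), seen.append)
        return done, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```

Because the UTC offset is parsed along with the time, files written under different offsets still sort in true chronological order.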