
The netflow accounting system based on JKFlow is a dynamic, XML-configurable reporting tool for network traffic. This page describes the logic flow of the program, including the behaviour of the code in flowscan and JKFlow.pm, and how the configuration in JKFlow.xml and flowscan.cf affects that behaviour.

Flowscan

This is the main executable. All other modules and dependent sub-routines are called from within this file. Flowscan assumes that flow-files containing raw flow records are constantly being generated in a folder on the system; the location of this folder is specified in flowscan.cf by the identifier FlowFileGlob. Flow-files are generally named so that the file name carries the timestamp of when the file was generated. In the current configuration flow-files are generated every minute. For example, the following listing of /var/flows/flows shows two flow-files currently in the directory.

Sample listing of a flow-file directory
akbar@iepm-resp $ ls -rtl /var/flows/flows
total 552
-rw-r--r--    1 akbar    sg         224688 Apr 11 19:06 USA-ft-v05.2007-03-21.121300-0400
-rw-r--r--    1 akbar    sg         261616 Apr 11 19:06 USA-ft-v05.2007-03-21.121200-0400

The basic job of flowscan is to pick up the files present in the flow-file folder (such as /var/flows/flows) and process them, in order of their timestamps, using a reporting module such as JKFlow.pm. It runs in an infinite loop, repeatedly checking /var/flows/flows for new flow-files; if any are present it processes them and deletes each flow-file once the reporting module has handled it. The choice of reporting module is also configurable and is specified in flowscan.cf using the identifier ReportClasses.

As shown in the code below, flowscan loads the class names into an array and later "includes" them by running a string eval on each entry. Usually only one reporting module, such as JKFlow.pm, is used. Note that the ReportClasses value is interpolated verbatim into that eval, so whoever can write flowscan.cf can have arbitrary Perl compiled and run as the flowscan user; the configuration file should therefore be writable only by the account that administers flowscan.

# Set the default options from the configuration file:
use FindBin;                        # directory ($FindBin::Bin) and name ($FindBin::Script) of the running script
use ConfigReader::DirectiveStyle;   # parser for the "Directive value" style used by flowscan.cf

$c = ConfigReader::DirectiveStyle->new;
$c->directive('Verbose');
$c->directive('WaitSeconds');
$c->required('FlowFileGlob');
$c->required('ReportClasses');

# terapaths monitoring
$c->required('SyslogFacility');

# Read <script name>.cf from the directory of the executable, i.e. flowscan.cf
$c->load("${FindBin::Bin}/${FindBin::Script}.cf");
$flowfileglob = $c->value('FlowFileGlob');
$opt_w        = $c->value('WaitSeconds');
$opt_v        = $c->value('Verbose');
@classes      = split( m/\s*,\s*/, $c->value('ReportClasses') ); # loads all the class names given in flowscan.cf into an array

foreach my $class (@classes) { # includes each of the classes
    eval "use $class";         # string eval: the class name taken from flowscan.cf is compiled as Perl code
    die "$@" if $@;
}
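The same class-loading step written so that the ReportClasses value is validated as a package name and loaded with require instead of being interpolated into a string eval. This is an added example, not flowscan's own code; the demo values are constructed, and core modules stand in for JKFlow so the script runs without the flowscan distribution installed.

```perl
#!/usr/bin/perl
# Added example (not flowscan's code): load the ReportClasses list
# without passing configuration text through a string eval.
use strict;
use warnings;

# A Perl package name: identifier segments joined by '::', nothing else.
my $CLASS_NAME_RE = qr/\A[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*\z/;

# Validate each entry of the ReportClasses directive, then load it with
# require, so a stray ';' or quote in flowscan.cf is an error, not code.
# Returns the list of classes loaded; dies on the first malformed name.
sub load_report_classes {
    my ($report_classes) = @_;
    my @loaded;
    for my $class ( split /\s*,\s*/, $report_classes ) {
        die "Refusing to load malformed ReportClasses entry '$class'\n"
            unless $class =~ $CLASS_NAME_RE;
        ( my $file = "$class.pm" ) =~ s{::}{/}g;   # Foo::Bar -> Foo/Bar.pm
        require $file;        # plain require of a validated path, no eval
        $class->import;       # same effect as "use"; a no-op if undefined
        push @loaded, $class;
    }
    return @loaded;
}

# Constructed demo input; in flowscan this string would come from
# $c->value('ReportClasses'), typically just "JKFlow".
my @ok = load_report_classes('File::Spec, Data::Dumper');
print "loaded: @ok\n";

# An entry containing anything beyond a package name is rejected before
# any module is loaded, rather than being compiled by eval "use $class".
eval { load_report_classes('JKFlow; 1') };
print "rejected: $@" if $@;
```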