
COMPILING THE TOOLKIT
---------------------------

To compile the toolkit, you'll first need to install zlib 1.0.4 or greater
and tcp_wrappers 7.6.

zlib           ftp://ftp.cdrom.com/pub/infozip/zlib/zlib-1.1.3.tar.gz
tcp_wrappers   ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz

Run make with no arguments to list the supported platforms, then run
make <OSType>.  For example: make i386-fbsd

CONFIGURING THE ROUTER
----------------------------

You'll need a Cisco router with an RSP (currently a 75XX or 72XX, or an
RSP 7000).  The latest 11.1CA or CC image is recommended until 12.0
matures.

Turn on flow switching on each input interface with the interface
subcommand ip route-cache flow:

interface Fddi3/0
 ip route-cache flow

You should see some stats accumulating with the show ip cache flow command:

kc2>sh ip ca fl
IP packet size distribution (7072M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .001 .492 .060 .023 .018 .011 .007 .009 .014 .011 .005 .007 .003 .003 .002

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .004 .005 .141 .000 .084 .092 .000 .000 .000 .000 .000

IP Flow Switching Cache, 15582 active, 49954 inactive, 419896623 added
  419881041 flows exported, 0 not exported, 18620587 export msgs sent
  3 cur max hash, 256 worst max hash, 15239 valid buckets
  51694 flow alloc failures
  statistics cleared 2347686 seconds ago


Protocol         Total  Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows   /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet     4040901    1.7       107   102    185.4      78.9      44.2
TCP-FTP        2418181    1.0        12    73     12.6      16.6      45.8
TCP-FTPD       1462928    0.6       337   430    210.4      39.8      45.7
TCP-WWW      199137808   84.8        15   349   1303.1       8.5      46.0
TCP-SMTP      14895553    6.3        17   198    108.8      11.8      45.9
TCP-X           213509    0.0       464   264     42.2     107.3      43.5
TCP-BGP             58    0.0         4   271      0.0       2.6      48.0
TCP-Frag          6222    0.0        34   300      0.0      18.3      45.8
TCP-other     26095870   11.1        71   381    796.5      35.0      45.3
UDP-DNS       98983253   42.1         2   124    123.2       4.6      45.9
UDP-NTP       12005540    5.1         2    75     10.3       0.2      46.1
UDP-TFTP           626    0.0         2    76      0.0       0.3      45.9
UDP-Frag          8707    0.0        49   384      0.1      37.0      45.8
UDP-other     53517617   22.7        15   148    350.5       6.9      45.9
ICMP           7024973    2.9         8   145     25.0      22.7      45.2
IGMP             72354    0.0         8    56      0.2      65.0      44.5
GRE               2621    0.0     19606   476     21.8    1799.4       2.6
IP-other            31    0.0        75   105      0.0       6.5      43.6
Total:       419886752  178.8        17   308   3191.0      10.0      45.9
          
SrcIf    SrcIPaddress    DstIf    DstIPaddress    Pr DstP SrcP Pkts B/Pk Active
AT0/0    128.146.214.32  Fd3/0    152.2.25.17     06 0019 D1B9   12   82   10.6
Fd3/0    152.2.25.17     AT0/0    128.146.214.32  06 D1B9 0019   10  269   10.7
AT0/0    128.146.223.61  Fd3/0    207.8.140.42    06 0E80 141E  131   41  127.4
...

Enable the export of flows with the global configuration command
'ip flow-export A.B.C.D p', where A.B.C.D is the address of the collecting
host and p is the UDP port it listens on:

 ip flow-export 10.0.0.1 9991

If you have tcpdump installed on or near the host you're using to capture
flows, the exports can be verified:

shattered:~% /usr/local/etc/tcpdump -n udp port 9991
/usr/local/etc/tcpdump: listening on le0
12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.962551 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.975115 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.984444 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:29.993956 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.003252 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.015483 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.024852 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.034182 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.043545 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168
12:11:30.053239 10.0.0.1.1868 > 10.0.0.2.9991: udp 1168


Or use flow-receive and flow-print:

shattered:~/src/flow% ./flow-receive | ./flow-print | head -10
Sif SrcIPaddress     Dif DstIPaddress    Pr SrcP DstP Pkts       Octets
60  206.204.84.9     00  10.0.135.63     06 15   5f0  2          88        
00  10.0.135.63      60  206.204.84.9    06 5f0  15   16         787       
60  206.204.84.9     00  10.0.135.63     06 15   5f0  13         1742      
00  10.0.155.25      60  204.62.245.167  06 50   bae5 15         948       
60  204.62.245.167   00  10.0.155.25     06 bae5 50   13         681       
60  206.204.84.20    00  10.0.135.63     06 50   5ed  7          3494      
60  206.204.84.20    00  10.0.135.63     06 50   5ef  6          401       
60  206.204.84.20    00  10.0.135.63     06 50   5eb  11         9413      
00  10.0.135.63      60  206.204.84.20   06 5ed  50   9          637       
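As an added example, not code from flow-tools or from this README: a small
Python decoder for the export datagrams that tcpdump showed above, printing
the result in the column order flow-print uses.  The field layout is assumed
from Cisco's published version 1 and version 5 export formats (the README
does not name the version; the 1168-byte datagrams in the tcpdump output fit
version 1, a 16-byte header followed by 24 records of 48 bytes).  The sample
flows are constructed here from the first two flow-print lines, and the
function names are this example's own.

```python
import socket
import struct

# NetFlow export layouts (assumed from Cisco's published v1/v5 formats; the
# README does not name the version, but its 1168-byte datagrams fit the v1
# layout of a 16-byte header followed by 24 records of 48 bytes).
HEADER_LEN = {1: 16, 5: 24}
RECORD_LEN = 48


def parse_netflow(datagram):
    """Decode one raw NetFlow v1 or v5 export datagram into a list of dicts.

    The datagram length is checked against the header's record count before
    any record is read, so a truncated or padded datagram is rejected instead
    of yielding garbage records or an exception inside the collector loop.
    """
    if len(datagram) < 4:
        raise ValueError("datagram too short for a NetFlow header")
    version, count = struct.unpack("!HH", datagram[:4])
    if version not in HEADER_LEN:
        raise ValueError("unsupported NetFlow version %d" % version)
    hdr_len = HEADER_LEN[version]
    expected = hdr_len + count * RECORD_LEN
    if len(datagram) != expected:
        raise ValueError("length %d does not match %d records (expected %d)"
                         % (len(datagram), count, expected))
    records = []
    for i in range(count):
        off = hdr_len + i * RECORD_LEN
        rec = datagram[off:off + RECORD_LEN]
        # Bytes 0-35 of a record are laid out identically in v1 and v5.
        (src, dst, nexthop, sif, dif, pkts, octets, first, last,
         sport, dport) = struct.unpack("!4s4s4sHHIIIIHH", rec[:36])
        if version == 1:
            # v1: two pad bytes, then prot, tos, cumulative TCP flags.
            prot, tos, flags = struct.unpack("!BBB", rec[38:41])
        else:
            # v5: one pad byte, then tcp_flags, prot, tos.
            flags, prot, tos = struct.unpack("!BBB", rec[37:40])
        records.append({
            "sif": sif, "src": socket.inet_ntoa(src),
            "dif": dif, "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop),
            "prot": prot, "tos": tos, "flags": flags,
            "sport": sport, "dport": dport, "pkts": pkts, "octets": octets,
            "first": first, "last": last,
        })
    return records


def flow_print(records):
    """Render one line per record in the flow-print column order (hex ports)."""
    return ["%02x  %-16s %02x  %-15s %02x %-4x %-4x %-10d %d" % (
        r["sif"], r["src"], r["dif"], r["dst"], r["prot"],
        r["sport"], r["dport"], r["pkts"], r["octets"]) for r in records]


def build_v1_datagram(flows, uptime_ms=0, unix_secs=0):
    """Construct a v1 export datagram, as a router would send it, from dicts.

    Used here only to create sample input; a real collector receives these
    over UDP from the router configured with 'ip flow-export'.
    """
    header = struct.pack("!HHIII", 1, len(flows), uptime_ms, unix_secs, 0)
    body = b"".join(
        struct.pack("!4s4s4sHHIIIIHHHBBB7x",
                    socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    socket.inet_aton("0.0.0.0"), f["sif"], f["dif"],
                    f["pkts"], f["octets"], f.get("first", 0), f.get("last", 0),
                    f["sport"], f["dport"], 0, f["prot"], 0, f.get("flags", 0))
        for f in flows)
    return header + body


# Constructed sample flows; the values mirror the first two flow-print lines
# in the README (ports are hex there: 0x15 = 21/ftp, 0x5f0 = 1520).
SAMPLE_FLOWS = [
    {"sif": 0x60, "src": "206.204.84.9", "dif": 0x00, "dst": "10.0.135.63",
     "prot": 6, "sport": 0x15, "dport": 0x5f0, "pkts": 2, "octets": 88},
    {"sif": 0x00, "src": "10.0.135.63", "dif": 0x60, "dst": "206.204.84.9",
     "prot": 6, "sport": 0x5f0, "dport": 0x15, "pkts": 16, "octets": 787},
]


def collect(port, handler, bind_addr="0.0.0.0"):
    """Minimal UDP collector loop: pass each decoded datagram to handler()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        try:
            handler(parse_netflow(data))
        except ValueError as err:
            print("dropping datagram from %s: %s" % (peer, err))


if __name__ == "__main__":
    datagram = build_v1_datagram(SAMPLE_FLOWS)
    print("constructed v1 datagram of %d bytes" % len(datagram))
    print("Sif SrcIPaddress     Dif DstIPaddress    Pr SrcP DstP Pkts       Octets")
    for line in flow_print(parse_netflow(datagram)):
        print(line)
    # To decode live exports instead (as flow-receive does on port 9991):
    # collect(9991, lambda recs: [print(l) for l in flow_print(recs)])
```

Run as a script it decodes the constructed datagram and prints it in
flow-print layout; collect() binds the export port and drops any datagram
whose length disagrees with its header count, which is the check a collector
that accepts UDP from the network wants before indexing into records.  It
does nothing about which addresses may send exports; that is left to the host
(tcp_wrappers, packet filters).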