Free cisco netflow software for linux

Cisco::IPPhone is a package for creating Cisco IPPhone XML objects.

SYNOPSIS

use Cisco::IPPhone;

$mytext = new Cisco::IPPhone;

$mytext->Text({ Title => "My Title", Prompt => "My Prompt",
Text => "My Text" });
$mytext->AddSoftKeyItem( { Name => "Update", URL => "SoftKey:Update",
Position => "1" });
$mytext->AddSoftKeyItem( { Name => "Exit", URL => "SoftKey:Exit",
Position => "2" });

print $mytext->Content;

Cisco::IPPhone - Package for creating Cisco IPPhone XML applications
This Cisco IPPhone module was created to provide a simple convenient method to display Cisco IP Phone objects and gather input from a Cisco 7940 or 7960 IP Phone. This module supports all known Cisco XML objects for 7940 and 7960 phones. Knowledge of Cisco XML syntax is not a requirement.

This Perl module gives the ability to use simple PERL objects to display XML on the IP Phone unlike to Cisco Software Development Kit (SDK) which uses Microsoft IIS Server, ASPs, JSPs, Javascript, COM Objects, and requires knowledge of XML syntax.

The following list gives typical services that might be supplied to a phone:

- Weather
- Stock information
- Contact information
- Company news
- To-do lists
- Real-time NFL scores
- Daily schedule

Cisco IP Accounting Fetcher is a set of Perl scripts that allows you to fetch IP accounting data from Cisco routers. There is the only one config file - "getdata.conf for configuration.
Main features:
- fetch accounting data from the router
- generate the HTML statistics

Cimon is Perl program wich monitors the load (memory and CPU) on Cisco routers using SNMP, and generates graphics with statistics using rrdtool. Its good for information about your routers health.

It monitors and displays the cpu 5 minutes utilization in percents and free+used Processor memory. The I/O memory(usualy 2 MB) or Fast on high end routers is being monitored too, but there isnt graphic for it. Cimon is good source for information about your routers health. From version 0.2 cimon can do ip accounting using the cisco ip accounting feature.
The logfiles that it generates as the rrd files needed for the graphics are fully compatible with those produced by sasacct (SASs accounting statistics). So you can use its cgi interface also its posibility to generate graphics on demand or on a user defined interval (via crontab and -g option).

NetSPoC is a tool for security managment of large computer networks with different security domains. It generates configuration files for packet filters which are controlling the borders of security domains.
NetSPoC provides its own language for describing the security policy and topology of a network. The security policy is a set of rules that state which packets are allowed to pass the network and which not. NetSPoC is topology aware: a rule for traffic from A to B is automatically applied to all managed packet filters on the path from A to B.
Currently NetSPoC generates ACLs and static routing entries for
Cisco routers with or without firewall feature set,
PIX firewalls and
Linux iptables and ip route.
It supports network address translation, virtual IP addresses for redundancy protocols like VRRP and some dynamic routing protocols.
IPSec encryption is supported as well. A powerful syntax allows to easily define a large number of crypto tunnels of either a hub and spoke topology or a fully meshed topology. Crypto rules define which type of traffic needs to be encrypted. Crypto configuration for Cisco IOS routers and PIX firewalls is generated.
NetSPoCs text based specification language is well suited for integration with CVS or other version control systems. A script is provided for tagging a policy and saving it to a policy database.
This software is actively developed with perl 5.8 under linux. It should be portable to other platforms where perl is available.
Enhancements:
- VERSION:
- TODO:
- NEWS.html:
- Prepare version 3.0.
- index.html: Mentioned crypto. Removed links to email addresses to reduce SPAM. Removed CSPM stuff.
- Netspoc.pm:
- Made code 64 bit clean. This was necessary for complement and left-shift operations on 32 bit IP addresses.

glFlow is a (D)DoS logger written with speed in mind. glFlow detects attacks on high speed links through real-time flow aggregation and analysis.
What do I run it on ?
It was written on FreeBSD and tested on both FreeBSD and Linux. It should work on any OS to which libpcap and OpenSSL were ported. The rest of the code is perfectly portable.
How does it work ?
Cisco Systems have defined the flow as a four value tuplet: {srcaddr, srcport, dstaddr, dstport}. The format evolved over time. The complete structures for various NetFlow versions are available on Ciscos site. Now, lets assume that the attacker floods the victim with packets that keep the same characteristics throughout the duration of the attack. No source spoof, no
source port increments or randomizations. That would lead to a very large packet rate inside that flow. glFlow calculates the average packet rate in every flow and raises an alarm signal if the threshold is hit.
What about spoofed attacks ? How are they detected ? Simple. glFlow keeps a history for every destination host that it sees. When a new flow is created, the flow counter for that host is incremented. The average number of newly created flows corresponding to a specific host in a specific amount of time is calculated, and, as above, an alarm is raised if the threshold is hit.
To prevent attacks that dont hit any of the above thresholds, theres
a new one starting with v0.1, measuring the packet rate for a destination.
Cant other tools, like SNORT, do this ?
We sincereley believe not. Remember, glFlow was written with high
speeds in mind. Weve been using it at over 500Mbps. At that speed, with an
ordinary x86 machine, even with a strong motherboard/NIC combination, you cant
do anything fancy. glFlow was specifically designed for detecting large floods
in real time, or at least something close to that.
How is it that its so fast ?
Well, Andrei did a great job implementing a very fast binary tree. That allowed us to drop the threaded model and choose a single loop design. The new results were stunning. The tests were made on a P4 Xeon/3 GHz, with an Intel GigE NIC. The average traffic rate was about 500Mbps, with an average packet rate of 100kpps. That lead to about 200k active flows. glFlow managed to clean the inactive ones in less than 0.3 seconds. There was no alarm raised
after more than 5 seconds of flooding. glFlow ate ~50% of the CPU, while consuming about 40MB of system memory.
How do I install and run it ?
Run ./configure --help. Youll see two adjustable knobs: --with-hash and --enable-debug. The first one permits you to switch between MD4 and MD5 summing of the flow and host structures kept in the memory. The second lets you run glflow in the foreground, printing some statistics on stdout.
The thresholds are harcoded in defs.h. You shouldnt have any trouble tweaking them. However, weve observed that the best results are obtained when using the same values for flow lifetime and the time between flow cleanups. And they shouldnt be much over 20. The smaller the tree is, the faster it will be cleaned.
Finally, edit your /etc/syslog.conf and write something like this: "local6.*< tabs >/var/log/something". Restart sys[k]logd afterwards.
Fire glFlow up, like this: "./glFlow < interface > < bpf filter >" and watch /var/log/something for changes. You may play with nmap or some DoS programs to test it. The IPs in the syslog will be shown as integers rather than in dotted notation. We decided to leave this job to the log analyzer.
Can it go even faster ?
Sure. There are a few methods which permit you to improve the packet capture. For more info read Luca Deris paper: http://luca.ntop.org/Ring.pdf
Enhancements:
- This is a bugfix release.

FlowScan is a network analysis and reporting tool.[ COPYRIGHT=1]
Enhancements:
- The CampusIO and SubNetIO reports were enhanced with a new optional configuration directive: TopN. When defined, this directive causes ``Top Talker reports to be produced. These HTML reports contain the most active (i.e. ``top) source and destination addresses.
- The CampusIO and SubNetIO reports were enhanced to record the number of local IP addresses that where active for each network and subnet into the RRD files. This enables users to estimate the number of active hosts hosts over time, detect ``scans which systematically sweep across network address space, and to calculate the average bytes, packets, and flows per host.
- The template Makefile used to produce the graphs was enhanced to allow the inclusion of ``events in the graphs, similarly to what can be done with Cricket. This allows you to label events such as configuration changes and outages to discover correlations with traffic measurement.
- Two new utilities suitable for stand-alone use, are included. ip2hostname converts IP addresses to their respective hostnames. event2vrule adds ``events to rrdtool graphs.
- Added support for LFAP (Lightweight Flow Accouting Protocol) used by Riverstone and Enterasys (formerly Cabletron) routers. This currently requires slate (from http://www.nmops.org) and lfapd by Steven Premeau . lfapd produces time-stamped raw flow files in the same cflowd-defined format that is processed by FlowScan.
- Added the ability for the CampusIO report to identify outbound flows based solely on the flows destination IP address. While this is less trustworthy than using NextHops or OutputIfIndexes, it is now the default and will be useful for environments where the flow nexthop or output ifIndex values are not meaningful.
- The CampusIO report contains a new experimental feature which reads a BGP routing table, and therefore can determine which Autonomous systems source, transit, or sink most of your institutions traffic. The CampusIO report was enhanced with new optional configuration directives: BGPDumpFile, TopN, ReportPrefixFormat. When properly defined, these directives cause CampusIO to create tabular HTML reports named {origin|path}_{in|out}.html under OutputDir after analyzing each raw flow file. These reports show the ``top Autonomous Systems with which your site exchanges traffic.
- A WebProxyIfIndex directive was added to the CampusIO report. This allows one to specify the index of the interface to which HTTP traffic is being transparently redirected. This enables FlowScan to properly count HTTP flows even though NetFlow v5 does not accurately report the nexthop value for flows which are transparently redirected via a Cisco route-map.
- CampusIO now contains a fix for a bug introduced in FlowScan-1.005 which would sometimes cause perl to abort with this message: patricia.c:645: patricia_lookup: Assertion `prefix failed.

IpaLite for Cisco IOS DHCP provides monitoring of Cisco IOS DHnto CP and IP address management. It has a user-friendly and intuitive Web GUI, monitoring of Cisco IOS DHCP scopes, and reporting (IP utilization and history).
Ipanto Lite is quick and easy to implement, reduces manual repetitive operations, and can replace your spreadsheet
Major Features
User-friendly and intuitive Web GUI,
1 user profile with full admin rights,
Reporting (IP utilization and history).
Major Benefits
Quick and easy implementation,
Reduce manual repetitive operations,
Replace your speadsheet.
Enhancements:
- This version is a service release that provides miscellaneous corrections and improvements.
- The Ipanto Database has been updated to provide more accurate statistics and to improve log storage usage.
- The Ipanto WebGUI has been improved to provide localized settings, DHCP hosts listing per subnet, and optimized display for large subnet/location sets.