[Orca-users] Newbie : starting with orca, fist use of this tool, how to write correctly the configuration file

[Vial, Sylvain]

Hi all,
I'm currently working on a project which consists of generate graphs as
you can found on the Brazilian Honeynet project at the following
address: http://www.honeypots-alliance.org.br/stats/flows/tcp-udp/
 
I have to create graphs for tcp/udp destination ports and source ip
addresses (Top 10).
So, I use flow-tools to generate reports in text files format.
 
My problem is I don't know exactly what structure of the text files I
have to use. How Orca reads the data files?
I know I have to write a configuration file with group options and plot
options.
 
The structure of my reports is like that:
 
Header:
# name of the report : dest_port_report
# type : ip-destination-port 
# options : +header, + totals (options of flow-tools)
# sort_field : +packets (in order to have the Top 10)
# fields : +keys,+flows,+octets,+packets,+duration,+other
# pre_filter : tcp (or udp (I use a configuration file for the filter
(cf flow-tools options)))
# records : "number of records"
# first-flow : unix time since epoch + date time (nameday, month, day,
hh:mm:ss, year)
# last-flow : unix time since epoch + date time (nameday, month, day,
hh:mm:ss, year)
# now : unix time + date time of the report file
# rec1: ignores,flows,octets,packets,duration (rec1 is a key word to
indicate the totals options)
0,81,37507,81,0
#recn: ip-destination-port,flows,octets,packets,duration
1613,78,37146,78,0
39848,1,58,1,0
35716,1,145,1,0
1248,1,147,1,0
etc...
 
 
So for the configuration file, I think that :
-          My source file is the name of my report file (find_files).
-          Column_description is destination_port flows octets
-          Date_source is the unix time indicated after the key word
first-flow or last-flow (I use flow-capture to record the captured
packets on my hard drive disk)
-          Interval 300 (new record files are generated every 5 minutes)
 
I'm not really sure of my configuration file. The character "#" is read
or not?
Each port number (ip-destination-port) has to be the legend in the plot
options but data type for the legend option (multiple plot plotting
options) is text. So perhaps the configuration file has to be dynamic
and rewritten for each report?
 
If I generate a report like the following do you think it's correct: 
 
date               ip-destination-port    flows   octets
1115740533    1613                       78       37146
1115740533    39848                     1         58
1115740533    35716                     1         145
1115740533    1248                       1         147
 
 
and then write the following group:
goup ip_dest_port_group {
   find_files dest_port_source
   column_description date ip-destination-port flows octets
   date_source column_name date
   date_format '' this argument is not used by orca but required because
the column_name argument is used''
   interval 300
}
 
 
And then my major problem because of the legend option
I think I have to create a plot group for each port I want to plot
 
plot {
   source ip_dest_port_group
   data flows
   data_type COUNTER
   color rrggbb
   plot_width 640
   plot_height 480
   logarithmic
   title destination port graph
   y_legend Flows
   line_type AREA (for the next plot I will be the STACK option)
   legend "port number"
}
 
 
I someone can help me, it will be great, I don't know exactly if I have
to rewrite the report file I generate or if I just to write correctly my
configuration file or the both.
 
Thanks for your help.
Sylvain VIAL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/orca-users/attachments/20050525/a18bcc31/attachment.html>