OVERVIEW
What?
This is version 0.3 of EHNT, the Extreme Happy Netflow Tool.  The purpose
of this software is to get some useful information from netflow without
too much trouble.  It was originally intended to store flow summaries
(such as top n ASes, protocols, etc per m minutes) in a database, and use
the database to create charts in a fancy web interface.  However, first I
got flow reports in text on my screen, and I realized that this was giving
me 95% of what I wanted, and was tons easier to write! Plus I love text.  
C'mon, wipe the crust off your VT100!  You know you want it sitting on
your desk showing you flow statistics for your
seven-hundred-thousand-dollar routers!

Why? 
Either I am not bright enough to figure out how to use cflowd & friends
effectively, or they are too complicated and slow to do what I want.  I'm
really not sure which.  That's OK, because alternatives are good.

How?
Thank you, W. Richard Stevens.  (His books make everything easy, in this
case particularly Unix Network Programming, Volume 1, 2nd Edition.)

DETAILS
Anyway, here is a functional overview diagram of EHNT.

               +-----+  +------+  +-----+
               |     |  |      |  |     |
               |rtr1 |  |rtr2  |  |rtr3 |  Devices send netflow packets via
               |     |  |      |  |     |  UDP to ehntserv.
               +-----+  +------+  +-----+
                     \      |     /
                      \     |    /
                       \    |   /
                        +--------+
                        |        |
                        |ehntserv|    ehntserv listens to netflow packets,
                        |        |    prepends device IP addr, and sends a 
                        +--------+    copy to each client via TCP. 
                       /   |    \
                      /    |     \
                     /     |      \
               +-----+  +------+  +-----+  Clients connect to ehntserv via
               |     |  |      |  |     |  TCP and receive, process, and
               |c1   |  |c2    |  |c3   |  display flows.  There is currently
               |     |  |      |  |     |  only one client, "ehnt".  But you
               +-----+  +------+  +-----+  may want to run multiple instances.

The purpose of separating ehntserv from its clients is to allow different
types of clients to do different things with the data independently, and to
allow the server and clients to be on different machines.  If a GUI or some
other new client is written, for example, it simply plugs in as a client
without affecting any other existing clients.

Everything is written in C.  Performance is good for my modest flow
frequency (400 kbits/s of flow data).  I'd be interested to hear any anecdotes
about performance.

Component programs are:

1. 'ehntserv' listens to netflow version 5 UDP packets, and also listens
for client TCP connections.  When a TCP client connects, the server starts
forwarding all the netflow packets it receives (plus the IP address of the
originating device) to that client.
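As an added example (not EHNT's own code) of what the server side has to do with each datagram it receives: a bounds-checked NetFlow v5 decoder that validates the header's record count against the actual datagram length before touching any record. Record offsets follow the standard v5 layout (24-byte header, 48-byte records); the sample packet is constructed here for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Added example, not EHNT's own code: a bounds-checked NetFlow v5 decoder. */
#define NF5_HDR_LEN  24
#define NF5_REC_LEN  48
#define NF5_MAX_RECS 30   /* v5 exporters never send more than 30 records per datagram */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return ntohs(v); }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return ntohl(v); }

/* Sums dOctets over all records. Returns record count, or -1 if the datagram is malformed. */
int nf5_decode(const uint8_t *buf, size_t len, uint64_t *total_bytes)
{
    if (len < NF5_HDR_LEN || rd16(buf) != 5) return -1;
    uint16_t count = rd16(buf + 2);
    /* count comes off the wire: reject it before using it to index records */
    if (count == 0 || count > NF5_MAX_RECS) return -1;
    if (len < NF5_HDR_LEN + (size_t)count * NF5_REC_LEN) return -1;
    *total_bytes = 0;
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *rec = buf + NF5_HDR_LEN + (size_t)i * NF5_REC_LEN;
        *total_bytes += rd32(rec + 20);          /* dOctets sits at record offset 20 */
    }
    return count;
}

/* Constructed sample datagram: version 5, two records of 1500 and 90000 bytes. */
static size_t nf5_sample(uint8_t *buf)
{
    const size_t n = NF5_HDR_LEN + 2 * NF5_REC_LEN;
    uint16_t ver = htons(5), cnt = htons(2);
    uint32_t o0 = htonl(1500), o1 = htonl(90000);
    memset(buf, 0, n);
    memcpy(buf, &ver, 2); memcpy(buf + 2, &cnt, 2);
    memcpy(buf + NF5_HDR_LEN + 20, &o0, 4);
    memcpy(buf + NF5_HDR_LEN + NF5_REC_LEN + 20, &o1, 4);
    return n;
}

/* Decode the sample; with truncate set, the header still claims two records but only
   one is present, which a naive decoder would read past. Returns total bytes or -1. */
long nf5_demo(int truncate)
{
    uint8_t buf[NF5_HDR_LEN + 2 * NF5_REC_LEN];
    uint64_t bytes; size_t n = nf5_sample(buf);
    if (truncate) n -= NF5_REC_LEN;
    return nf5_decode(buf, n, &bytes) < 0 ? -1 : (long)bytes;
}
```

The same length check belongs in front of the "prepend device IP and forward" step, so a short or oversized datagram is dropped rather than relayed to every client.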

ehntserv does not currently do any IP access control.  I suggest that you
use ipchains or iptables on your Linux box, or IP Filter (ipf)
(http://coombs.anu.edu.au/ipfilter/) on your Solaris or BSD box.  I don't
know what the current state of packet filtering is on other Unixes; IP
Filter seems to support several.

2. 'ehnt' connects to ehntserv and displays the flows it receives in
various ways.  It currently has four modes (-m <mode>):

 - top mode displays average utilization by top ASes, IP protocols, or
	tcp/udp ports over a given interval (from 1 minute to 1 day).

	Top mode is different when it focuses on a single interface
	on a single router, because then you get to see summaries of
	source and destination for both inbound and outbound traffic.
	Otherwise, you just get summaries of source and destination.
 - dump mode displays individual flows
 - shortdump mode displays individual flows in a more compact but hard
	to read fashion
 - colondump mode displays individual flows in a machine-readable format.
	And yes, I recognize that the name of this mode is unpleasant.

In all of these modes, simple (REALLY simple) filtering can be done for AS
number, TCP/UDP port, IP protocol number, device sending the flow record,
and SNMP interface index.

You may think of ehnt in the three dump modes as a brain-dead and incredibly
simple tcpdump for netflow.

ehnt also has the silly and uninspiringly named 'big' filter, in which it
only displays flows which are bigger (in packets or bytes) than any flow
received before it.  This only makes sense in the three dump modes.


CONCLUSION

I have found EHNT to be useful for my network operations needs.  There is
still some work to be done to flesh out the project's current scope.  
Once that work is finished, a non-alpha release will be created.  After
that, it will be time to identify additional features to be added.

If you find EHNT useful, would like to see a feature added, have any
suggestions, or would like to contribute code to the project, please let
me know.

Nik Weidenbacher
nikw@martnet.com
