The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Steve Romig - Ohio State University

Students: Spring 2023, unless noted otherwise, sessions will be virtual on Zoom.

The OSU Flow-tools Package and Cisco NetFlow Logs

Mar 21, 2001


Many Cisco routers and switches support NetFlow services which provides a detailed source of data about network traffic. The Office of Information Technology Enterprise Networking Services group (OIT/ENS) at The Ohio State University (OSU) has written a suite of tools called flow-tools to record, filter, print and analyze flow logs derived from exports of NetFlow accounting records. We use the flow logs for general network planning, performance monitoring, usage based billing, and many security related tasks including incident response and intrusion detection. I'll describe in more detail what the flow logs contain, the tools we have written to store and process these logs, and I'll discuss how we have used the logs and the tools to perform network management and security functions at OSU. I will also discuss some related projects and our future plans.

As an added bonus, I'll also give a demo of a quake session that was reconstructed from a tcpdump log from an investigation 4 years ago...don't miss it!

About the Speaker

Steve Romig in charge of the Ohio State University Incident Response Team, which provides incident response assistance, training, consulting, and security auditing service for The Ohio State University community. He is also working with a group of people from Central Ohio businesses to improve internet security response and practices in the Ohio area. Steve received his Bachelor\'s degree in Math (Computer Science Track) from Carnegie Mellon University in 1983. In years past Steve has worked as lead UNIX system administrator at one site with 40,000 users and 12 hosts and another site with 3,000 users and over 500 hosts. You can reach him by phone at 1-614-688-3412 (we\'re in GMT-0400/0500, I\'m generally in the office \"for sure\" between 10 AM and 6 PM) or by email at

Most recently Steve has been working on tools to make it easier to investigate network related evidence of computer security incidents, such as the Review package for viewing the contents of tcpdump logs, and the Netflow package from Mark Fullmer for looking at Cisco net flow logs.

Ways to Watch


Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!