[c-nsp] Netflow/NBAR (was: 6500 under DDoS)
Olav Langeland
Olav.Langeland at activeisp.com
Wed Jul 28 12:43:59 EDT 2004
> From: Fredrik.Jacobsson at enskilda.se
> [mailto:Fredrik.Jacobsson at enskilda.se]
> Sent: 28 July 2004 16:31
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Netflow/NBAR (was: 6500 under DDoS)
>
>
> > Netflow will be in the hardware path, but it's not going to give you
> > nearly the same amount of information as NBAR as it won't do any kind
> > of payload analysis.
>
> Ok, thanks.
> I'm primarily interested in monitoring which types of traffic
> pass through the network, to aid us in making decisions
> regarding our QoS policy/classifications. And for that I
> think we're fine with just the port and source/dest.
>
> But perhaps someone out here can hint at a good and fairly
> simple PC application (Windows preferred but Linux/Solaris is
> fine too) that can give out such info in a nice way, and
> is able to sort on ports/subnets/packets/sizes and such?
> (guess we can use Excel for that last thing if it creates
> importable data)
>
> Best regards
> /Fredrik Jacobsson

Have a look at http://www.ntop.org; it runs on Windows and most *NIX, can
use a mirrored port or NetFlow as its data source, and should give the
information you want. For NetFlow, Flow-tools at
http://www.splintered.net/sw/flow-tools/ is the bomb; the page has some
good links with examples and add-on programs.
-olav
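
What a NetFlow v5 export carries (addresses, ports, protocol and counters, no payload), as an added example that is not part of the original post: a parser for the standard v5 datagram layout that totals bytes and packets per protocol, destination port and destination /24. The sample datagram, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # Header fields only: there is no payload in a flow record.
        yield {"src": ipaddress.ip_address(f[0]), "dst": ipaddress.ip_address(f[1]),
               "packets": f[5], "octets": f[6],
               "sport": f[9], "dport": f[10], "proto": f[13]}

def top_talkers(flows, prefix_len=24):
    """Sum octets/packets per (protocol, dst port, dst subnet), largest first."""
    octets, packets = Counter(), Counter()
    for fl in flows:
        net = ipaddress.ip_network(f"{fl['dst']}/{prefix_len}", strict=False)
        key = (fl["proto"], fl["dport"], str(net))
        octets[key] += fl["octets"]
        packets[key] += fl["packets"]
    return [(k, octets[k], packets[k]) for k, _ in octets.most_common()]

def build_sample():
    """Constructed datagram (not captured traffic) holding three flows."""
    flows = [("10.1.1.5", "192.0.2.10", 120, 90000, 40001, 80, 6),
             ("10.1.2.9", "192.0.2.77", 30, 21000, 40002, 80, 6),
             ("10.1.1.5", "198.51.100.3", 10, 800, 5353, 53, 17)]
    out = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for s, d, pk, oc, sp, dp, pr in flows:
        out += RECORD.pack(ipaddress.ip_address(s).packed,
                           ipaddress.ip_address(d).packed, bytes(4),
                           0, 0, pk, oc, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
    return out

if __name__ == "__main__":
    for (proto, port, net), oc, pk in top_talkers(parse_v5(build_sample())):
        print(f"proto={proto} dport={port} dst={net} octets={oc} packets={pk}")
```
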