[c-nsp] Netflow/NBAR (was: 6500 under DDoS)

Paul Kohler pkohler at cisco.com
Wed Jul 28 13:41:11 EDT 2004


inline

At 09:43 AM 7/28/2004, Olav Langeland wrote:
> > From: Fredrik.Jacobsson at enskilda.se
> > [mailto:Fredrik.Jacobsson at enskilda.se]
> > Sent: 28. juli 2004 16:31
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Netflow/NBAR (was: 6500 under DDoS)
> >
> >
> > > Netflow will be in the hardware path, but it's not going to give you
> > > nearly the same amount of information as NBAR as it won't do any kind
> > > of payload analysis.

NetFlow classifies applications by way of protocol and port #s. Knowing the 
well known port numbers you can identify the traffic:
http://www.iana.org/assignments/port-numbers

> >
> > Ok, thanks.
> > I'm primarily interested to monitor which type of traffic
> > that passes through the network aiding us to make decisions
> > regarding to our QoS policy/classifications. And for that I
> > think we're fine with just the port and source/dest.
> >
> > But perhaps someone out here can hint of a good and fairly
> > simple pc-application (Windows preferred but linux/solaris is
> > fine too) that can give out such info in a nice way, and
> > being able to sort on ports/subnets/packets/sizes and such?
> > (guess we can use Excel for that last thing if it creates
> > importable data)
> >
> > Best regards
> > /Fredrik Jacobsson
>
>Have a look at http://www.ntop.org, runs on Windows and most *NIX, can
>use a mirrored port or netflow as datasource and should give the
>information you want. For netflow, Flow-tools at
>http://www.splintered.net/sw/flow-tools/ is the bomb, the page has some
>good links with examples and addon programs.

Yes, these are good freeware apps. NetFlow partner information is at
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/netflow_nms_apps_part.shtml

Good, simple Windows apps I'd recommend you look at are Crannog and NetQoS.

Paul


>-olav
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
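
As an added example (not from the thread or from any of the tools it mentions): a Python script that labels flows by protocol and port as described above, sums them per internal subnet, and writes CSV that a spreadsheet can import. The flow records, the column names, the 10.0.0.0/8 internal range and the short port table are constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

# Short excerpt of well-known ports: (IP protocol number, port) -> name.
WELL_KNOWN = {(6, 80): "http", (6, 443): "https", (6, 25): "smtp",
              (6, 22): "ssh", (6, 53): "dns", (17, 53): "dns", (17, 123): "ntp"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed sample flow records (not real traffic, not a specific exporter's format).
SAMPLE_FLOWS = """srcaddr,dstaddr,prot,srcport,dstport,packets,octets
10.1.1.10,192.0.2.80,6,40112,80,12,9000
192.0.2.80,10.1.1.10,6,80,40112,20,26000
10.1.1.11,192.0.2.53,17,53001,53,1,70
10.1.2.20,192.0.2.25,6,33010,25,30,41000
10.1.2.21,198.51.100.7,6,51000,6881,400,520000
10.1.2.21,198.51.100.9,1,0,0,5,300
"""

def classify(prot, srcport, dstport):
    """Label a flow from protocol and ports only; the server may be src or dst."""
    for port in sorted((srcport, dstport)):  # lower port is the likelier service port
        name = WELL_KNOWN.get((prot, port))
        if name:
            return name
    return f"other/{prot}"  # no payload inspection, so unlisted ports stay unknown

def summarize(flow_csv, prefix_len=24):
    """Sum packets and octets per (internal subnet, application), largest first."""
    totals = defaultdict(lambda: [0, 0])
    for r in csv.DictReader(io.StringIO(flow_csv)):
        app = classify(int(r["prot"]), int(r["srcport"]), int(r["dstport"]))
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        inside = src if src in INTERNAL else dst  # attribute flow to the internal host
        net = ipaddress.ip_network(f"{inside}/{prefix_len}", strict=False)
        totals[(str(net), app)][0] += int(r["packets"])
        totals[(str(net), app)][1] += int(r["octets"])
    rows = [(net, app, p, o) for (net, app), (p, o) in totals.items()]
    return sorted(rows, key=lambda row: row[3], reverse=True)

def to_csv(rows):
    """Render the summary as CSV text for import into a spreadsheet."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["subnet", "application", "packets", "octets"])
    w.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(summarize(SAMPLE_FLOWS)), end="")
```

Both directions of the web session fold into one `http` row, while the TCP/6881 flow, the largest by octets, comes out only as `other/6`: port-based labelling cannot say more without payload analysis.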


