[c-nsp] network probes / netflow vendors
Roland Dobbins
rdobbins at cisco.com
Mon Aug 7 11:00:56 EDT 2006
On Aug 7, 2006, at 4:15 AM, christian.macnevin at uk.bnpparibas.com wrote:
> We're using multicast heavily (it's finance) so we need something that
> can handle that. We'd also like some deep packet inspecting abilities,
> and if possible, recording for post-incident forensics. I'm expecting
> inline probes to be the biz there.
For an open-source solution, take a look at nfdump/nfsen, as well as
Stager. nprobe can be used to generate NetFlow from portions of the
network where there isn't support in the hardware, given a SPAN
port. Panoptis is an open-source anomaly-detection system which
leverages NetFlow, although it appears to be dormant in terms of
development.
Arbor, Lancope, and Narus are all commercial solutions which provide
anomaly-detection and correlation - they're pretty powerful, and have
lots of useful capabilities.
In terms of looking into the packets themselves, we've just released
Flexible NetFlow, which allows information about header fields and
packet payload information to be cached and exported to the
collection/analysis system. Right now, it's available on
software-based platforms running T-train. Support for its full
capabilities is being worked on by the various collection/analysis
vendors now; we expect support for it towards the end of this calendar
year.
I'm not a multicast person and can't really speak to the multicast
capabilities of the above, but I'm sure a bit of digging should be
informative.
----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
Everything has been said. But nobody listens.
-- Roger Shattuck
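Flexible NetFlow exports over NetFlow v9, whose template mechanism is what lets an exporter describe arbitrary header fields to the collector; a collector such as nfdump has to learn a template before it can decode the data records that reference it, which is why the reply above talks about collection/analysis vendors adding support. The following decoder is an added example written for this page, not code from the post, from Cisco or from any of the tools named above. It assumes a small subset of the standard v9 field types (the mapping in FIELD_NAMES) and builds its own constructed export packets inline so that it runs offline; exporter addresses and flow values in the sample are made up.

```python
import struct
from typing import Dict, List, Tuple

# Subset of NetFlow v9 field types (RFC 3954 field type definitions).
# Any type not listed here is still decoded, just named "field_<type>".
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
    8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
}

# Hypothetical template layout used by the constructed sample exporter:
# (field type, field length in bytes), record length = 21 bytes.
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]


def _decode_field(ftype: int, raw: bytes):
    if ftype in (8, 12) and len(raw) == 4:          # IPv4 addresses as dotted quads
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")               # everything else as an integer


class NetflowV9Decoder:
    """Stateful decoder. Templates learned from flowset 0 are keyed by
    (source_id, template_id) because template IDs are only unique per exporter."""

    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.dropped_flowsets = 0   # data flowsets seen before their template

    def decode(self, packet: bytes) -> List[Dict]:
        if len(packet) < 20:
            raise ValueError("short v9 header")
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        records: List[Dict] = []
        off = 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("bad flowset length")   # never walk past the buffer
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                           # 1 = options template, ignored here
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(nfields):
                if pos + 4 > len(body):
                    raise ValueError("truncated template")
                fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                pos += 4
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id: int, tid: int, body: bytes) -> List[Dict]:
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.dropped_flowsets += 1   # cannot decode without the template
            return []
        rec_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while pos + rec_len <= len(body):   # leftover bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out


# --- constructed sample exporter (not real traffic) ---------------------------
def _v9_header(count: int, seq: int, source_id: int = 1) -> bytes:
    return struct.pack("!HHIIII", 9, count, 123456, 1154962856, seq, source_id)

def template_flowset(tid: int = 256) -> bytes:
    body = struct.pack("!HH", tid, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(tid: int, flows: List[bytes]) -> bytes:
    body = b"".join(flows)
    body += b"\x00" * ((-len(body)) % 4)          # flowsets are padded to 4-byte boundaries
    return struct.pack("!HH", tid, 4 + len(body)) + body

def encode_flow(src: str, dst: str, sport: int, dport: int, proto: int, nbytes: int, npkts: int) -> bytes:
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return ip(src) + ip(dst) + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts)

FLOW_TCP = encode_flow("10.1.2.3", "10.200.0.9", 40000, 443, 6, 5120, 12)
FLOW_MCAST = encode_flow("10.1.2.3", "233.252.0.1", 4242, 5000, 17, 1200, 10)
PACKET_WITH_TEMPLATE = _v9_header(2, 1) + template_flowset() + data_flowset(256, [FLOW_TCP])
PACKET_DATA_ONLY = _v9_header(1, 2) + data_flowset(256, [FLOW_TCP, FLOW_MCAST])


def run_demo():
    """Warm collector decodes both packets; a cold one drops the template-less data."""
    warm = NetflowV9Decoder()
    first = warm.decode(PACKET_WITH_TEMPLATE)
    second = warm.decode(PACKET_DATA_ONLY)
    cold = NetflowV9Decoder()
    cold.decode(PACKET_DATA_ONLY)
    return first, second, cold.dropped_flowsets


if __name__ == "__main__":
    for rec in run_demo()[1]:
        print(rec)
```

The cold-collector case is the one to remember operationally: if a collector restarts, every data flowset that arrives before the exporter's next template refresh is undecodable, so a collector that silently returns nothing for those hides a gap in the record rather than a quiet network.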