[c-nsp] network probes / netflow vendors
Mike Butash
der.mikus at gmail.com
Mon Aug 7 19:39:40 EDT 2006
If you're looking for LAN traffic utilization and such per device, check
out NMIS. It's awesome for cisco networks, so/so for non-cisco. It
gives you detailed interface statistics, good about figuring out a
router from a switch, when to poll l2 vlans and such, etc. Also does
some more advanced things for pixen like redundancy state and
connections, as well as can do class-based weighted fair queuing when
the device supports it. Trick is if you have a ton of devices, you're
going to want to think how to scale it early on in the equation. It's
all snmp based polling, but kinda kludgy and inefficient code for as
large and versatile as the project is getting makes it rape the host
system when it gets busy (don't share the server with anything else).
It's actively developed for and they're always adding nice bells and
whistles. It's still damn nice, if only they'd rewrite it in C, clean
up the code base, and add more/better modularity... small things, ya
know, but it is OSS and people are doing good things with it none the
less. All this, and it's still light years ahead of any commercial
monitoring solution I've ever seen.
If you want a commercial bandwidth reporting appliance that can leverage
netflow, check out Arbor Networks, their Peakflow SP is a tremendously
useful product for carrier-type applications, and X is pretty good too
for internal enterprise-type networks. Peakflow SP lived to about 7.5
gig of a ddos with 5 devices or so exporting to it with accurate history
of netflow accounting during the time, so it's fairly robust and can
take a beating. I can't speak to multicast, as it's never really been a
concern of mine, but I'd think they'd be inclined to work on it or at
least have some not-so-basic support for it already. Price is kinda
steep, but it's a very nice product, and not nearly what it sounds like
meeting trouts will probably set you back.
-mb
Roland Dobbins wrote:
> On Aug 7, 2006, at 4:15 AM, christian.macnevin at uk.bnpparibas.com wrote:
>
>> We're using multicast heavily
>> (it's finance) so we need something that can handle that. We'd also
>> like
>> some deep packet inspecting
>> abilities, and if possible, recording for post incident forensics. I'm
>> expecting inline probes to be the
>> biz there.
>
> For an open-source solution, take a look at nfdump/nfsen, as well as
> Stager. nprobe can be used to generate NetFlow from portions of the
> network where there isn't support in the hardware, given a SPAN
> port. Panoptis is an open-source anomaly-detection system which
> leverages NetFlow, although it appears to be dormant in terms of
> development.
>
> Arbor, Lancope, and Narus are all commercial solutions which provide
> anomaly-detection and correlation - they're pretty powerful, and have
> lots of useful capabilities.
>
> In terms of looking into the packets themselves, we've just released
> Flexible NetFlow, which allows information about header fields and
> packet payload information to be cached and exported to the
> collection/analysis system. Right now, it's available on software-
> based platforms running T-train. Support for its full capabilities
> is being worked on by the various collection/analysis vendors now, we
> expect support for it towards the end of this calendar year.
>
> I'm not a multicast person and can't really speak to the multicast
> capabilities of the above, but I'm sure a bit of digging should be
> informative.
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
>
> Everything has been said. But nobody listens.
>
> -- Roger Shattuck
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list