[c-nsp] network probes / netflow vendors

Mike Butash der.mikus at gmail.com
Mon Aug 7 19:39:40 EDT 2006


If you're looking for LAN traffic utilization and such per device, check 
out NMIS.  It's awesome for cisco networks, so/so for non-cisco.  It 
gives you detailed interface statistics, good about figuring out a 
router from a switch, when to poll l2 vlans and such, etc.  Also does 
some more advanced things for pixen like redundancy state and 
connections, as well as can do class-based weighted fair queuing when 
the device supports it.  Trick is if you have a ton of devices, you're 
going to want to think how to scale it early on in the equation.  It's 
all snmp based polling, but kinda kludgy and inefficient code for as 
large and versatile as the project is getting makes it rape the host 
system when it gets busy (don't share the server with anything else). 
It's actively developed for and they're always adding nice bells and 
whistles.  It's still damn nice, if only they'd rewrite it in C, clean 
up the code base, and add more/better modularity...  small things, ya 
know, but it is OSS and people are doing good things with it nonetheless.  All this, and it's still light years ahead of any commercial 
monitoring solution I've ever seen.

If you want a commercial bandwidth reporting appliance that can leverage 
netflow, check out Arbor Networks, their Peakflow SP is a tremendously 
useful product for carrier-type applications, and X is pretty good too 
for internal enterprise-type networks.  Peakflow SP lived to about 7.5 
gig of a ddos with 5 devices or so exporting to it with accurate history 
of netflow accounting during the time, so it's fairly robust and can 
take a beating.  I can't speak to multicast, as it's never really been a 
concern of mine, but I'd think they'd be inclined to work on it or at 
least have some not-so-basic support for it already.  Price is kinda 
steep, but it's a very nice product, and not nearly what it sounds like 
meeting trouts will probably set you back.

-mb


Roland Dobbins wrote:
> On Aug 7, 2006, at 4:15 AM, christian.macnevin at uk.bnpparibas.com wrote:
> 
>> We're using multicast heavily (it's finance) so we need something that
>> can handle that. We'd also like some deep packet inspecting abilities,
>> and if possible, recording for post-incident forensics. I'm expecting
>> inline probes to be the biz there.
> 
> For an open-source solution, take a look at nfdump/nfsen, as well as  
> Stager.  nprobe can be used to generate NetFlow from portions of the  
> network where there isn't support in the hardware, given a SPAN  
> port.  Panoptis is an open-source anomaly-detection system which  
> leverages NetFlow, although it appears to be dormant in terms of  
> development.
> 
> Arbor, Lancope, and Narus are all commercial solutions which provide  
> anomaly-detection and correlation - they're pretty powerful, and have  
> lots of useful capabilities.
> 
> In terms of looking into the packets themselves, we've just released  
> Flexible NetFlow, which allows information about header fields and  
> packet payload information to be cached and exported to the  
> collection/analysis system.  Right now, it's available on software- 
> based platforms running T-train.  Support for its full capabilities  
> is being worked on by the various collection/analysis vendors now; we  
> expect support for it towards the end of this calendar year.
> 
> I'm not a multicast person and can't really speak to the multicast  
> capabilities of the above, but I'm sure a bit of digging should be  
> informative.
> 
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice
> 
>       Everything has been said.  But nobody listens.
> 
>                     -- Roger Shattuck
> 
> 
> 
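As an added example (not code from the original thread or from any of the tools named in it), here is a minimal collector-side NetFlow v5 decoder with the two accounting views the posts touch on: octets per destination, and a destination receiving flows from many distinct sources, which is the simple fan-in signal flow-based anomaly detectors key on. The sample datagram, the addresses and the fan-in threshold are constructed for illustration.

```python
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire format, big-endian: a 24-byte header, then `count` 48-byte records.
HEADER = struct.Struct(">HHIIIIBBH")
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Decode one v5 export datagram; reject anything that is not a well-formed v5 export."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header announces %d records but payload is truncated" % count)
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
                      "packets": f[5], "octets": f[6], "dport": f[10], "proto": f[13]})
    return flows

def top_destinations(flows, n=3):
    """Octets per destination, largest first: the basic 'who is being hit' accounting view."""
    octets = defaultdict(int)
    for f in flows:
        octets[f["dst"]] += f["octets"]
    return sorted(octets.items(), key=lambda kv: kv[1], reverse=True)[:n]

def fan_in_alerts(flows, min_sources=4):
    """Destinations seen from at least `min_sources` distinct sources (constructed threshold)."""
    sources = defaultdict(set)
    for f in flows:
        sources[f["dst"]].add(f["src"])
    return sorted(d for d, s in sources.items() if len(s) >= min_sources)

def build_v5_datagram(records):
    """Constructed sample data: pack (src, dst, packets, octets, dport, proto) tuples into a v5 export."""
    body = b"".join(RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                                b"\0\0\0\0", 1, 2, pk, oc, 0, 0, 40000, dp, 0, 0x02, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, pk, oc, dp, pr in records)
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed export: four sources hitting 192.0.2.10, one large transfer to .20, one DNS flow to .30.
SAMPLE = build_v5_datagram([("10.0.0.%d" % i, "192.0.2.10", 10, 1500, 80, 6) for i in range(1, 5)]
                           + [("10.0.0.5", "192.0.2.20", 100, 120000, 443, 6),
                              ("10.0.0.6", "192.0.2.30", 2, 200, 53, 17)])
```

Feeding `SAMPLE` through `parse_netflow_v5` and the two views ranks 192.0.2.20 first by volume while `fan_in_alerts` flags only 192.0.2.10, which is why byte counts alone are a poor flood indicator.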