[c-nsp] Netflow tools

Fri Mar 10 10:33:41 EST 2006

If you're looking for an open source solutions try using the following set
of tools:

Mark Fullmer's excellent Flow-Tools software: It has a netflow collector,
filters, and very versatile report generation tools.
http://www.splintered.net/sw/flow-tools/ 

Also I recommend Caida's Flowscan framework written by Dave Plonka combined
with Columbia University's CUFlow and CUFlowMonitor Flowscan modules written
by Johan Anderson and Matt Selsk. These Flowscan modules can be used to
generate graphs and to collect information for enforcing bandwidth usage
policies. If you are a moderate to advanced PERL programmer you can use
these modules as a basis to build your own Flowscan Modules (I wrote a
module to summarize flow data and put it in a MySql database.
http://www.caida.org/tools/utilities/flowscan/
http://www.columbia.edu/acis/networks/advanced/CUFlow/ 

There is an excellent document how to glue all these tools together written
by Robert Galloway.
http://www.dynamicnetworks.us/netflow/ 

If you want collect netflow data, but your routers have performance issues,
you can use a dedicated server that captures raw traffic and then generates
netflow data. There are many out there. I'm using Luca Deri's nProbe
product. It's written under the GPL, but he does charge a fee to get the
source code.
http://www.ntop.org/nProbe.html 

Also, he and others are supporting a kernel module and library called
PF_RING that greatly improves the performance of packet captures (especially
on 1 GB connections). It involves installing patches to the kernel,
compiling libraries, and patching libpcap. It can also be used to enhance
the packet capture performance of any app that uses the libpcap library
(ethereal). PF_RING is free. (CAUTION: installation of PF_RING is not for
the faint of heart. Installation is not very well documented. Check the
ntop-misc mail list archives. I posted a document there listing the steps I
went through to install PF_RING on a Fedora Core 4 system).
http://www.ntop.org/PF_RING.html 

Luca has an excellent piece of software called ntop that can collect and
summarize netflow data in real-time. It's pretty comprehensive, but not as
customizable as the former tools and I don't believe that it keeps the raw
netflow data for you to use for other analysis.
http://www.ntop.org 

Recommendations: If you want to setup something quickly use ntop and use its
netflow collector module. If you want to collect and archive netflow data
for offline analysis or create your own "real-time" data analysis I would
use the flow-tools, flowscan, and CUFlow flowscan modules.

Other interesting links:
- Internet 2's Weekly Netflow Report summaries:
http://netflow.internet2.edu/weekly/ 

- Document on how the Abilene (Part of Internet 2) archives data (Access to
flow data requires a research proposal, but it's a good template if you want
to archive large amounts of netflow data from multiple routers). Abilene has
a collector (using flow-tools) at each POP and then collects flow files to a
central location via rsync:
http://www.itec.oar.net/abilene-netflow/datastore.txt  

Probably more information than you need, but I hope at least some of it is
useful.

--
Neil Johnson
Telecommunications and Network Services
University of Iowa
319 384-0938
GPG Public Key available upon request.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Zingale (tomz)
Sent: Thursday, March 09, 2006 1:45 PM
To: Nick Shah; Atiqur Rahman Mohammed; cisco-nsp
Subject: Re: [c-nsp] Netflow tools

NetFlow software partner links:
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/applicati
ons/
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/freeware/
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercia
l/

Cisco NetFlow collector also supports Solaris.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Nick Shah
> Sent: Thursday, March 09, 2006 2:28 AM
> To: Atiqur Rahman Mohammed; cisco-nsp
> Subject: Re: [c-nsp] Netflow tools
> 
> Also check out flow tools. For a reasonably good article on flow tools
> deployment check out www.apricot.net and check one of the
presentations
> therein.
> 
> rgds
> 
> ________________________________
> 
> From: cisco-nsp-bounces at puck.nether.net on behalf of Atiqur Rahman
> Mohammed
> Sent: Thu 3/9/2006 6:53 PM
> To: cisco-nsp
> Subject: [c-nsp] Netflow tools
> 
> 
> 
> I am enabling Netflow feature in Cisco 7609 routers.
> 
> Can anyone tell which netflow software to use for monitroing and
reporting
> on the solaris machine.
> --
> Regards,
> Atiqur Rahman
> Infocomm Technlogy Innovation Cente
> Reliance Infocomm
> Mobile: 09324621784
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> 
> 
> This communication, including any attachments, is confidential. If you
are
> not the intended recipient, you should not read it - please contact me
> immediately, destroy it, and do not copy or use any part of this
> communication or disclose anything about it.
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3088 bytes
Desc: not available
Url : https://puck.nether.net/pipermail/cisco-nsp/attachments/20060310/854687ac/attachment.bin 