[c-nsp] Speaking of Netflow: how about a tcpreplay for netflow?

Joel M Snyder Joel.Snyder at Opus1.COM
Fri Jan 11 12:34:39 EST 2008


 > One option would be to use tcpreplay to replay packet captures which
 > would then traverse NetFlow exporters which would generate the NetFlow
 > in question, heh.
 >
 > ;>
 >
 > What's the application, if you don't mind sharing?  Most

The application is a training and testing environment (that's what we do, in 
addition to running a small Cisco-based ISP).  If I want to test, for example, 
the Lancope box (just as an example), then I have to have a nice, consistent, 
and completely repeatable set of Netflows that I can throw at it over and over 
and over again.  However, the timestamps have to be "right" because it might be 
correlating that data with some IDS feed or Nessus traffic that is also properly 
timestamped.  I've solved the IDS & Nessus problems pretty well.

The exporter idea is a great one, and I've thought of doing that, but it adds 
another piece of test gear to the mix and just makes things more complex.  And 
if we take this show on the road (which happens once in a while), it also adds 
to costs.  I've already got a big infrastructure for doing tcpreplay; I was 
hoping to just add a few more shell scripts to get netflow-replay going.

Another piece of the application is combining and speeding up data.  For 
example, I might have one particular kind of traffic that I'm creating today, 
and a different profile tomorrow, but then want to combine the Netflows for a 
larger test that shows different characteristics.  For example, you might have 
short packets/short flows, then long packets/long flows, and finally a "mix" of 
all of them.  So being able to merge and concatenate the files around makes life 
a lot easier.

I am sure that the Netflow analyzer guys out there must have some internal tool 
for doing this (although maybe they don't care about the timestamps the way I 
do), but no one is kicking it out to open source---at least as far as I can tell.

jms


-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms
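
The timestamp rebasing and capture merging asked for in the message above, as an added example that is not part of the original post or any tool it mentions. It assumes NetFlow v5 export datagrams already extracted from a capture as byte strings; the function names and the sample datagrams are hypothetical and constructed.

```python
import struct

HDR = struct.Struct("!HHIIIIBBH")  # v5 header: ver, count, sysUptime(ms), unix_secs,
                                   # unix_nsecs, flow_sequence, engine type/id, sampling
REC_LEN = 48                       # fixed size of one v5 flow record

def parse(dgram):
    """Validate one v5 export datagram and return its header fields."""
    hdr = HDR.unpack_from(dgram)
    if hdr[0] != 5 or len(dgram) != HDR.size + hdr[1] * REC_LEN:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    return hdr

def rebase_and_merge(captures, new_start):
    """captures: lists of v5 datagrams in capture order; new_start: Unix seconds.
    Returns [(send_offset_ns, datagram)] sorted by offset from new_start."""
    timeline = []
    for cap in captures:
        t0 = None
        for d in cap:
            h = parse(d)
            t = h[3] * 10**9 + h[4]          # export time in ns
            t0 = t if t0 is None else t0     # each capture starts at offset 0
            timeline.append((t - t0, d, h))
    timeline.sort(key=lambda item: item[0])  # stable: ties keep capture order
    out, next_seq = [], {}
    for off, d, (ver, count, uptime, _s, _n, _q, etype, eid, samp) in timeline:
        secs, nsecs = divmod(new_start * 10**9 + off, 10**9)
        seq = next_seq.get((etype, eid), 0)  # flow_sequence counts flows per engine
        next_seq[(etype, eid)] = seq + count
        # sysUptime and each record's First/Last stay untouched: a flow's wall-clock
        # time is unix_secs - (sysUptime - First) / 1000, so moving unix_secs
        # moves every flow in the datagram by the same amount.
        hdr = HDR.pack(ver, count, uptime, secs, nsecs, seq & 0xFFFFFFFF, etype, eid, samp)
        out.append((off, hdr + d[HDR.size:]))
    return out

def sample(secs, engine_id, nflows):
    """Constructed sample datagram with zero-filled records (not real traffic)."""
    return HDR.pack(5, nflows, 600000, secs, 0, 999, 0, engine_id, 0) + bytes(REC_LEN * nflows)

if __name__ == "__main__":
    a = [sample(1200000000, 1, 2), sample(1200000030, 1, 1)]  # constructed profile A
    b = [sample(1199000000, 2, 3), sample(1199000010, 2, 3)]  # constructed profile B
    for off, d in rebase_and_merge([a, b], 1700000000):
        print(off / 1e9, HDR.unpack_from(d)[3:6])
```

A sender would sleep until each returned offset and write the datagram to the collector's UDP port, passing the same `new_start` that the IDS and scanner replays are aligned to.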

