[c-nsp] Open Source netflow recommendations

Jerimiah Cole jcole at thend.org
Fri May 20 13:06:44 EDT 2011


On Wed, 2011-05-18 at 16:04 -0400, Justin M. Streiner wrote:
> On Wed, 18 May 2011, Ge Moua wrote:
> 
> > If vendors start playing games with license fees per feature (to pad their
> > revenues), then one either conforms or works around them.  If this pertains to
> > netflow, I've done something like the following in the past:
> > * span traffic to pkt collector
> > * on pkt collector, run something like "fprobe" to convert raw pkt to flow
> > format
> > * export flow to said flow collector.
> 
> If someone needed to do that, they certainly could.  One thing that could 
> become more difficult in that scenario is the ability to view and 
> manipulate Netflow data based on AS number.  To get that from a packet 
> collector, the collector would need to be able to speak BGP with the 
> appropriate devices on your network, and then insert the AS data into the 
> exported Netflow packets.

I patched fprobe to pull the prefix-to-AS data from a CDB file which
gets updated periodically.

> As others have mentioned you'd also lose ifIndex, which could make tracing 
> a flow across the network more involved.

ifIndex could be added easily, assuming of course that your span or
monitor includes traffic to/from a single interface.

May not scale to, as somebody mentioned, a 10 gig link fully saturated
in both directions, but if your demands aren't quite so high it may beat
paying the license fees.

Jerimiah
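
The prefix-to-AS lookup mentioned above, as an added example that is not part of the original post and is not the fprobe patch itself: CDB is an exact-match key/value store, so a longest-prefix match is done by probing each prefix length from /32 down. A Python dict stands in for the CDB file; the key format, function names, and sample prefixes and ASNs are assumptions constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the CDB file: exact-match keys of the form
# "network/prefixlen" mapping to an origin AS. Prefixes are documentation
# ranges (RFC 5737) and ASNs are documentation ASNs (RFC 5398).
PREFIX_TO_AS = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "198.51.100.128/25": 64502,  # more specific, must win over the /24
    "203.0.113.0/24": 64503,
}

def lookup_as(addr, table=PREFIX_TO_AS):
    """Longest-prefix match using only exact-match gets.

    Masks the address to each prefix length from /32 down to /0 and
    returns (asn, prefix) for the first hit, or (0, None) if nothing
    covers the address (0 is the assumed "unknown AS" value here).
    """
    for plen in range(32, -1, -1):
        key = str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
        asn = table.get(key)
        if asn is not None:
            return asn, key
    return 0, None

def enrich(flows, table=PREFIX_TO_AS):
    """Return copies of the flow records with src_as/dst_as filled in."""
    out = []
    for flow in flows:
        src_as, _ = lookup_as(flow["src"], table)
        dst_as, _ = lookup_as(flow["dst"], table)
        out.append({**flow, "src_as": src_as, "dst_as": dst_as})
    return out

# Constructed flow records, as a probe might hold them before export.
SAMPLE_FLOWS = [
    {"src": "198.51.100.200", "dst": "192.0.2.10", "bytes": 1500},
    {"src": "198.51.100.5", "dst": "10.1.2.3", "bytes": 64},
]

if __name__ == "__main__":
    for record in enrich(SAMPLE_FLOWS):
        print(record)
```

The table is only as current as its last refresh, so AS values reflect the routing view at the time the file was built rather than live BGP state.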


