[c-nsp] Netflow analysis tools?

Eric Van Tol eric at atlantech.net
Mon May 19 10:30:03 EDT 2014


> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Scott Granados
> Sent: Friday, May 16, 2014 10:16 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Netflow analysis tools?
> 
> Good morning,
> 	I'm starting to work with Net Flow data and am looking for both good
> background documentation to get more familiar and suggestions for an
> analyzer.  

Scott,

Disclaimer: Long email, no financial stake in any company discussed.

We recently went through a Netflow comparison between Plixer Scrutinizer and Solarwinds NTA after evaluating some open source tools which we were not quite satisfied with.  We ended up going with Scrutinizer for a few reasons:

Better pricing model (for us) - we only needed a small number of exporters (under 25).  The SW pricing model is such that the NTA license must follow the NPM license, so if you have an SLX (unlimited) license (like we have), you need an SLX NTA license ($15K list).  The alternative is that you can purchase another small 25-node license of Orion *and* NTA.  Scrutinizer 25-node license was less expensive (with appropriate end-of-quarter discounts) and supports unlimited number of interfaces per exporter.  Yearly software maintenance is less expensive, too.

More version support - Plixer supports v5, v8, v9, and IPFIX formats and IP/IPv6/MPLS Netflow data.  Solarwinds has no plans on supporting IPv6 or MPLS - IPv6 has been a feature request for at least 3 years on their support forum and unless one of their Fortune 500 enterprise customers absolutely demands MPLS support, forget about that getting added.

Reporting - Scrutinizer supports dozens of reports right out of the box.  NTA only had a dozen or so.  The process by which you can build reports in NTA was more tedious than it is in Scrutinizer.  

Analyzation - Scrutinizer has the ability to do "flow analytics" that can examine the incoming data and identify things like suspected DDoS attacks, botnet activity, brute force attacks, etc. and alert you based on criteria you set.

OS - NTA requires Windows, obviously, whereas Scrutinizer's virtual appliance uses ESXi host and is a CentOS guest install.  They do have a less-expensive standalone Windows installer, but it does not support more than around 10K flows per second (fps), but this may suit you.

Sales - The Plixer sales person was very respectful of my time to make a decision.  He gave me the end-of-quarter parameters and checked in with me once every week or two weeks or whenever I had a question.  The Solarwinds sales person kept calling and emailing, and just plain being a damned pest about it.  He pissed me off, and to be honest, this was one of the biggest reasons I went with Plixer.  Note to sales people - I don't give a s**t how tenacious you are - when I tell you not to bug me and flat out tell you that you are being a pest, you can be sure I won't purchase your product.

Both supply web-based GUIs, configurable dashboards, configurable alerting, and mapping capabilities.  Solarwinds has a more "polished" interface and is definitely a lot more "pretty" to look at, but when it came right down to it, we felt that Scrutinizer was the better choice, given the above points.  That said, SW NTA is a great product and might be a good choice if you have executives or non-technical people that like great-looking reports and/or if you are lonely and feel like talking to a sales droid whose only motivation is to sell you NTA with the ingrained tenacity of a T-1000 looking for John Connor.

-evt