[j-nsp] Traffic Information
matthias at commy.de
Wed Mar 4 08:44:14 EST 2009
I think this is the right topic to ask this. I am on CeBIT tomorrow
and I have the mission to get information about Flow accounting. So
does anyone know of any companies I could pay a visit there? Have
found Wildpackets for example. Any further tips?
Am 04.03.2009 um 06:59 schrieb Stefan Fouant:
> On Tue, Mar 3, 2009 at 9:45 PM, Brendan Mannella
> <bmannella at teraswitch.com> wrote:
>> Wondering what the best/preferred method of capturing network
>> traffic for analysis is. Using a mirrored port or actually sending
>> the flows directly to a collector. Looking for pros and cons of
>> each approach.
>> Also if you can give me some examples of whats used as a collector.
>> I have been looking at ntop on the open source side and inmon
>> traffic sentinel on the commercial side.
> The best/preferred method is to use both methods, if you can :)
> Sending flows directly to a collector definately has it's benefits -
> it usually scales a lot better and there are many tools out there that
> provide for excellent statistical analysis using sampling ratios as
> low as 1/100 or even 1/1000 - however unless your using some of the
> latest flow collection mechanisms, like Netflow v9 coupled with
> templates, most flow collection mechanisms are relegated to strictly
> Layer 3 and Layer 4 data. Often times this provides more than enough
> data, especially when dealing with your general run of the mill
> SYN/UDP/ICMP DoS flooding attacks. However, other times Layer 3/4
> data just simply doesn't provide enough usable information for the
> network operator to properly understand what is happening on the
> network. This is where having a box running tcpdump sitting on a
> mirrored or span'd port comes in handy. Usually, most operators rely
> on their flow analysis tools to trigger some type of alert based on
> statistical analysis of baseline activity to inform them of an anomaly
> which requires more active investigation. From there, the network
> operator can run tcpdump or their tool of choice in order to more
> fully understand the nature of the traffic. The point is there are no
> golden arrows or singular technology which is going to provide you
> with what you need, and you are going to want to have a wide variety
> of tools in your arsenal.
> In terms of commercial applications for Netflow collection and
> analysis - if you're only dealing with a small number of flows,
> something like Netflow Analyzer by Manage Engine or even Orion from
> Solarwinds would probably do. If you are dealing with a large number
> of flows throughout your network and need intelligent functions like
> data de-duplication and factoring of things like the sampling ratio in
> use on your devices then opt for something like Peakflow X or SP from
> Stefan Fouant
> Windows XP crashed.
> I am the Blue Screen of Death.
> No one hears your screams.
> juniper-nsp mailing list juniper-nsp at puck.nether.net
More information about the juniper-nsp