ipfix/netflow/sflow generator for Linux

Thomas York straterra at fuhell.com
Mon Dec 6 20:44:57 UTC 2010


fprobe doesn't work properly because it has the input and output interface
IDs as both 0. In Scrutinizer, this makes the flow look like all the data
came in the interface and immediately left via the same interface. Also,
this causes problems when running multiple instances of fprobe. 

This seems to be the issue with most of the flow software I've tried.

-----Original Message-----
From: Samuel Petreski [mailto:sp446 at georgetown.edu] 
Sent: Monday, December 06, 2010 3:38 PM
To: 'Thomas York'; nanog at nanog.org
Subject: RE: ipfix/netflow/sflow generator for Linux

I've used fprobe with great success. You can run multiple instances of
fprobe for the different interfaces.  

--Samuel

fprobe: a NetFlow probe - libpcap-based tool that collects network traffic
data and emits it as NetFlow flows towards the specified collector.

WWW: http://sourceforge.net/projects/fprobe

--
Samuel Petreski
Sr. Security Analyst
Georgetown University

> -----Original Message-----
> From: Thomas York [mailto:straterra at fuhell.com]
> Sent: Monday, December 06, 2010 2:15 PM
> To: nanog at nanog.org
> Subject: ipfix/netflow/sflow generator for Linux
> 
> At my current place of work, we use all Linux routers. I need to do some IP
> accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer
> can use netstream, jstream, ipfix, netflow, and sflow data without qualms.
> My only issue is that I can't seem to find any good software for Linux that
> works with multiple interfaces to generate the flow information. I've tried
> ndsad, nprobe, softflowd, host sflow, and ipcad without much luck.
> Most of the software only works on one interface (which is useless as
> I need to do accounting for numerous interfaces).
>
> I've had the best luck with ipcad. The only thing that seems to not work with
> it is that it doesn't correctly give the interface number in the flow
> information. It refers to all interfaces as interface 65535. I've tried the
> config option for ipcad to map an interface directly to an SNMP interface ID,
> but that option of the config file seems to be ignored.
>
> Ntop functionally does exactly what I need, but it's extremely buggy.
> It segfaults after a few minutes, regardless of Linux distro or Ntop version.
> So..any ideas on what I can do to get good flow information from our
> Linux routers?
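
A collector-side check for the symptom reported in this thread (fprobe exporting input and output interface IDs as 0, ipcad reporting every interface as 65535), added here as an example and not part of any message in the thread. It assumes the probe exports NetFlow v5; `audit_v5`, `build_sample` and the sample addresses are names and values constructed for illustration.

```python
import socket
import struct
from collections import Counter

# Assumption: NetFlow v5 export (24-byte header, 48-byte records, network byte order).
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
# Interface IDs the thread reports probes filling in instead of real SNMP ifIndex values.
PLACEHOLDERS = {0, 65535}


def audit_v5(datagram):
    """Return (Counter of (input, output) ifIndex pairs, count of suspect records)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header claims more records than the datagram holds")
    pairs = Counter()
    for n in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + n * RECORD.size)
        pairs[(rec[3], rec[4])] += 1  # fields 3 and 4 are input and output ifIndex
    # Suspect only when BOTH sides are placeholders; output 0 alone can be
    # legitimate (for example, traffic addressed to the router itself).
    suspect = sum(c for (i, o), c in pairs.items()
                  if i in PLACEHOLDERS and o in PLACEHOLDERS)
    return pairs, suspect


def build_sample(ifindex_pairs):
    """Constructed test datagram: one identical TCP flow per (input, output) pair."""
    src, dst, hop = (socket.inet_aton(a)
                     for a in ("192.0.2.10", "198.51.100.20", "0.0.0.0"))
    body = b"".join(
        RECORD.pack(src, dst, hop, i, o, 10, 1500, 0, 1000,
                    40000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
        for i, o in ifindex_pairs)
    return HEADER.pack(5, len(ifindex_pairs), 0, 0, 0, 0, 0, 0, 0) + body


if __name__ == "__main__":
    pairs, suspect = audit_v5(build_sample([(0, 0), (0, 0), (65535, 65535), (2, 3)]))
    for (i, o), c in sorted(pairs.items()):
        print("input=%d output=%d records=%d" % (i, o, c))
    print("suspect records: %d of %d" % (suspect, sum(pairs.values())))
```

Fed the UDP payloads a collector receives from each probe instance, a suspect count equal to the record count means that exporter's flows cannot be attributed to an interface.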






