ipfix/netflow/sflow generator for Linux

• Previous message (by thread): ipfix/netflow/sflow generator for Linux
• Next message (by thread): ipfix/netflow/sflow generator for Linux
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Have you considered argus?
It can deliver "argus flows" from multiple interfaces.
 From http://www.qosient.com/argus/ :

> Argus can be considered an implementation of the architecture
> described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and
> the project has actively contributed to the IPFIX effort, however,
> Argus technology should be considered a superset of the IPFIX
> architecture, providing "proof of concept" implementations for most
> aspects of the IPFIX applicability statement. Argus technology can
> read and process Cisco Netflow data, and many sites develop audits
> using a mixture of Argus and Netflow records.

Ken


On 12/6/2010 2:44 PM, Thomas York wrote:
> fprobe doesn't work properly because it has the input and output
> interface IDs as both 0. In Scrutinizer, this makes the flow look
> like all the data came in the interface and immediately left via the
> same interface. Also, this causes problems when running multiple
> instances of fprobe.
>
> This seems to be the issue with most of the flow software I've
> tried.
>
> -----Original Message----- From: Samuel Petreski
> [mailto:sp446 at georgetown.edu] Sent: Monday, December 06, 2010 3:38
> PM To: 'Thomas York'; nanog at nanog.org Subject: RE:
> ipfix/netflow/sflow generator for Linux
>
> I've used fprobe with great success. You can run multiple instances
> of fprobe for the different interfaces.
>
> --Samuel
>
> fprobe: a NetFlow probe - libpcap-based tool that collects network
> traffic data and emit it as NetFlow flows towards the specified
> collector.
>
> WWW: http://sourceforge.net/projects/fprobe
>
> -- Samuel Petreski Sr. Security Analyst Georgetown University
>
>> -----Original Message----- From: Thomas York
>> [mailto:straterra at fuhell.com] Sent: Monday, December 06, 2010 2:15
>> PM To: nanog at nanog.org Subject: ipfix/netflow/sflow generator for
>> Linux
>>
>> At my current place of work, we use all Linux routers. I need to
>> do some
> IP
>> accounting/reporting and am currently trying to use Scrutinizer.
> Scrutinizer
>> can use netstream, jstream, ipfix, netflow, and sflow data without
>> qualms. My only issue is that I can't seem to find any good
>> software for Linux
> that
>> works with multiple interfaces to generate the flow information.
>> I've
> tried
>> ndsad, nprobe, softflowd, host sflow, and ipcad without much luck.
>> Most of the software only works on one interface (which is useless
>> as I need to do accounting for numerous interfaces).
>>
>>
>>
>> I've had the best luck with ipcad. The only thing that seems to
>> not work
> with
>> it is that it doesn't correctly give the interface number in the
>> flow information. It refers to all interfaces as interface 65535.
>> I've tried
> the config
>> option for ipcad to map an interface directly to an SNMP interface
>> ID, but that option of the config file seems to be ignored.
>>
>>
>>
>> Ntop functionally does exactly what I need, but it's extremely
>> buggy. It segfaults after a few minutes, regardless of Linux distro
>> or Ntop
> version.
>> So..any ideas on what I can do to get good flow information from
>> our Linux routers?
>
>
>
>
>

-- 
Ken Anderson
Pacific Internet - http://www.pacific.net

• Previous message (by thread): ipfix/netflow/sflow generator for Linux
• Next message (by thread): ipfix/netflow/sflow generator for Linux
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]