ipfix/netflow/sflow generator for Linux
straterra at fuhell.com
Mon Dec 6 15:15:59 CST 2010
Never heard of it. I'll give it a shot. Another project that uses argus also
looks interesting.. http://nautilus.oshean.org/wiki/Periscope
From: Ken A [mailto:ka at pacific.net]
Sent: Monday, December 06, 2010 4:04 PM
To: nanog at nanog.org
Subject: Re: ipfix/netflow/sflow generator for Linux
Have you considered argus?
It can deliver "argus flows" from multiple interfaces.
From http://www.qosient.com/argus/ :
> Argus can be considered an implementation of the architecture
> described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and
> the project has actively contributed to the IPFIX effort, however,
> Argus technology should be considered a superset of the IPFIX
> architecture, providing "proof of concept" implementations for most
> aspects of the IPFIX applicability statement. Argus technology can
> read and process Cisco Netflow data, and many sites develop audits
> using a mixture of Argus and Netflow records.
On 12/6/2010 2:44 PM, Thomas York wrote:
> fprobe doesn't work properly because it has the input and output
> interface IDs as both 0. In Scrutinizer, this makes the flow look like
> all the data came in the interface and immediately left via the same
> interface. Also, this causes problems when running multiple instances
> of fprobe.
> This seems to be the issue with most of the flow software I've tried.
> -----Original Message----- From: Samuel Petreski
> [mailto:sp446 at georgetown.edu] Sent: Monday, December 06, 2010 3:38 PM
> To: 'Thomas York'; nanog at nanog.org Subject: RE:
> ipfix/netflow/sflow generator for Linux
> I've used fprobe with great success. You can run multiple instances of
> fprobe for the different interfaces.
> fprobe: a NetFlow probe - libpcap-based tool that collects network
> traffic data and emit it as NetFlow flows towards the specified
> WWW: http://sourceforge.net/projects/fprobe
> -- Samuel Petreski Sr. Security Analyst Georgetown University
>> -----Original Message----- From: Thomas York
>> [mailto:straterra at fuhell.com] Sent: Monday, December 06, 2010 2:15 PM
>> To: nanog at nanog.org Subject: ipfix/netflow/sflow generator for Linux
>> At my current place of work, we use all Linux routers. I need to do
>> accounting/reporting and am currently trying to use Scrutinizer.
>> can use netstream, jstream, ipfix, netflow, and sflow data without
>> qualms. My only issue is that I can't seem to find any good software
>> for Linux
>> works with multiple interfaces to generate the flow information.
>> ndsad, nprobe, softflowd, host sflow, and ipcad without much luck.
>> Most of the software only works on one interface (which is useless as
>> I need to do accounting for numerous interfaces).
>> I've had the best luck with ipcad. The only thing that seems to not
>> it is that it doesn't correctly give the interface number in the flow
>> information. It refers to all interfaces as interface 65535.
>> I've tried
> the config
>> option for ipcad to map an interface directly to an SNMP interface
>> ID, but that option of the config file seems to be ignored.
>> Ntop functionally does exactly what I need, but it's extremely buggy.
>> It segfaults after a few minutes, regardless of Linux distro or Ntop
>> So..any ideas on what I can do to get good flow information from our
>> Linux routers?
Pacific Internet - http://www.pacific.net
More information about the NANOG