What sflow software - Manage Engine Net flow analyzer or Plixer Scrutinizer with Analyzer

Jake Wilson jakemichaelwilson at gmail.com
Sat Jan 1 12:12:39 UTC 2011


Alex Pinto <alex.pinto78 <at> hotmail.com> writes:

> 
> Hi everyone, we currently are looking at sflow options for a commercial
> collector and analyzer. The core use is for visibility on our network, for
> quickly detecting source / destination IP addresses, ie where the traffic is
> going and where it is coming from. The type of traffic would be interesting
> also, but to be honest all which really matters is source / destination.
> 
> The requirement of the sflow software is to give us options and data very
> quickly in the event of a DDOS attack so mitigation can occur quickly once we
> understand what's happening on the network. The last thing we want is for the
> software not to work under a DDOS (too much data), thus leaving us blind upon
> an attack. The quicker the software can report on issues, the quicker we can
> do something about it.
> Our current routers are fully sflow capable and both export nicely to both
> packages.
> 
> Our findings so far
> 
> Manage Engine Net flow analyzer has both a Linux and Windows version. The
> software is very light and seems to perform very fast, although light on
> additional features such as custom reporting, alerting and in-depth packet
> information. The concern is: is this software too simple, will it work under
> heavy load?
> Based on our needs Manage Engine Net flow costs $2000.00
> 
> Plixer Scrutinizer – based on Windows, the software seems resource intensive
> but has a MASSIVE amount of extra visibility built into the software,
> including automatic alerts. That being said, the software does seem much more
> complex to configure and understand; reports seem to take longer to produce
> and the information doesn't seem to be reported as quickly (ie lags by minutes
> or so compared to Manage Engine).
> Based on our needs Plixer Scrutinizer costs $4000.00
> 
> Does anyone have any real life experience with either package? The cost
> difference between the two packages doesn't worry us; it's all about selecting
> the correct package, knowing that the one time we need to access the flow
> information and get it quick, the package we choose performs quickly and
> works.
> 
> I'd also like to hear from anyone else using another commercial solution
> which they would recommend.
> 
> Thanks in advance
> 
> Alex
> 


Hi Alex,

Scrutinizer saves 100% of the raw NetFlow data just like Wireshark. Most
collectors only keep what is in the tuple (e.g. src/dest IP, port, interface,
protocol, autonomous system and a few other fields). This makes the interface
faster. If you export MAC address or VLANs, Scrutinizer will allow you to
filter (and report in the next version) on these fields. Filtering and
reporting is very important in traffic analysis. We feel that the ability to
Include/Exclude on any combination of fields is a must. ManageEngine can't do
this.

Scrutinizer saves much more flow data in the roll ups (up to 100K) than
ManageEngine (e.g. ~1K); therefore the tables are much larger and slower to
query in Scrutinizer, although more accurate, especially over time. I'm
surprised that reports lag by minutes. Here are some things to check:
 * is the router/switch sending > 3000 flows/second?
 * is the Scrutinizer server underpowered?
 * is antivirus running (it shouldn't be scanning the Scrutinizer directory)?

Did you see page 2 of this PDF:
http://www.plixer.com/files/scrutinizer_netflow_challenge.pdf

Does this help?

Jake Wilson
plixer.com 
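An added illustration of the roll-up point made in the reply above (example code, not from the thread or from either vendor): constructed flow records are aggregated into per-tuple roll-ups, a small bounded roll-up table is compared with the full one for a top-destination report, and include/exclude filtering on any combination of fields is shown. The Flow fields, the sample addresses and the cap value are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """Minimal flow record; the fields are assumed for illustration."""
    src: str
    dst: str
    proto: int
    dport: int
    octets: int

# Constructed sample: two large legitimate flows plus 100 small flows from many
# sources toward one destination, the traffic shape the poster wants to see fast.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 6, 443, 50_000),
    Flow("192.0.2.11", "198.51.100.6", 6, 80, 40_000),
] + [Flow(f"203.0.113.{i}", "198.51.100.9", 17, 53, 1_200) for i in range(1, 101)]

def rollup(flows, keep=None):
    """Aggregate raw flows into per-tuple octet totals (what most collectors
    keep). With keep=N, retain only the N heaviest tuples, mimicking a
    collector whose roll-up table is small and bounded."""
    table = Counter()
    for f in flows:
        table[(f.src, f.dst, f.proto, f.dport)] += f.octets
    if keep is not None:
        table = Counter(dict(table.most_common(keep)))
    return table

def top_destinations(table, n=3):
    """Octets per destination IP, computed from a roll-up table."""
    per_dst = Counter()
    for (_, dst, _, _), octets in table.items():
        per_dst[dst] += octets
    return per_dst.most_common(n)

def select(flows, include=None, exclude=None):
    """Include/exclude on any combination of fields: each criterion maps a
    Flow field name to the set of values that match it."""
    def matches(f, crit):
        return all(getattr(f, k) in v for k, v in crit.items())
    return [f for f in flows
            if (not include or matches(f, include))
            and not (exclude and matches(f, exclude))]

if __name__ == "__main__":
    print("full roll-up:", top_destinations(rollup(SAMPLE_FLOWS), 1))
    print("capped roll-up:", top_destinations(rollup(SAMPLE_FLOWS, keep=2), 1))
```

With the full table the busiest destination is the one receiving many small flows; with the capped table that destination disappears from the report entirely, which is the accuracy trade-off the reply describes.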
