Open source Netflow analysis for monitoring AS-to-AS traffic

Peter Phaal peter.phaal at gmail.com
Thu Mar 28 15:49:35 UTC 2024


I hope my comments were useful. I was trying to raise awareness that BGP
as-path information is an option and might be helpful in addressing Brian's
requirements, "I want to see with which ASes I am exchanging the most
traffic across my transits and IX links. I want to look for opportunities
to peer so I can better sell expansion of peering to upper management."

Possible reports that could be of interest are:
1. destination AS numbers by traffic volume and as-path length
2. destination AS numbers by traffic volume and second to last AS in path
(AS of peering with destination).
3. traffic volume by transit AS
4. traffic volume passing through AS allow / deny ASN list.

What other types of report might be interesting?

sFlow was mentioned because I believe Brian's routers support the feature
and may well export the as-path data directly via sFlow (I am not aware
that it is a feature widely supported in vendor NetFlow/IPFIX
implementations?). However, some of the tools mentioned (pmacct, Kentik,
Akvorado) can enrich flow data downstream (through a BGP / BMP peering
session with the router) if it isn't present in the sFlow/NetFlow/IPFIX
records, although downstream enrichment does add a level of operational
complexity.

On Wed, Mar 27, 2024 at 11:03 PM Saku Ytti <saku at ytti.fi> wrote:

> On Wed, 27 Mar 2024 at 21:02, Peter Phaal <peter.phaal at gmail.com> wrote:
>
> > Brian, you may want to see if your routers support sFlow (vendors have
> added the feature over the last few years).
>
> Why is this a solution, what does it solve for OP? Why is it
> meaningful what the wire-format of the records are? I read OP's
> question at a much higher level, about how to interact and reason
> about data, rather than how to emit it.
>
> Ultimately sFlow is a perfect subset of IPFIX, when you run IPFIX
> without caching you get the functional equivalent of sFlow (there is
> an IPFIX entity for emitting n bytes from frame as well as data).
>
> --
>   ++ytti
>
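
The four reports listed in the message above, computed from flow records that already carry an AS path, as an added example that is not part of the original post or of any tool it mentions. The flow tuples, the documentation-range ASNs (RFC 5398), the `collapse` and `build_reports` names, and the reading of "transit AS" as every AS on the path before the destination are assumptions.

```python
from collections import Counter
from itertools import groupby

# Constructed sample flows: (AS path from first hop to destination, bytes).
# All ASNs come from the documentation range 64496-64511 (RFC 5398).
FLOWS = [
    ([64496, 64500, 64510], 9000),
    ([64496, 64510], 4000),
    ([64497, 64501, 64501, 64501, 64511], 7000),  # 64501 is prepended
    ([64497, 64500, 64510], 1000),
    ([64509], 2500),                              # destination is a direct neighbour
]

def collapse(path):
    """Drop AS-path prepending (consecutive repeats of the same ASN)."""
    return [asn for asn, _ in groupby(path)]

def build_reports(flows, asn_list):
    """Return the four reports; asn_list is the allow/deny set for report 4."""
    by_dst_len = Counter()     # 1. (destination AS, path length) -> bytes
    by_dst_penult = Counter()  # 2. (destination AS, second-to-last AS) -> bytes
    by_transit = Counter()     # 3. transit AS -> bytes
    via_listed = 0             # 4. bytes whose path touches a listed ASN
    for raw_path, nbytes in flows:
        path = collapse(raw_path)
        if not path:           # flow without AS-path data: nothing to attribute
            continue
        dst = path[-1]
        by_dst_len[(dst, len(path))] += nbytes
        # A one-hop path has no second-to-last AS; record None for it.
        penult = path[-2] if len(path) > 1 else None
        by_dst_penult[(dst, penult)] += nbytes
        for asn in set(path[:-1]):   # set(): count each AS once per flow
            by_transit[asn] += nbytes
        if asn_list & set(path):
            via_listed += nbytes
    return by_dst_len, by_dst_penult, by_transit, via_listed

if __name__ == "__main__":
    dst_len, dst_penult, transit, listed = build_reports(FLOWS, {64500})
    for title, rep in (("dst AS / path length", dst_len),
                       ("dst AS / second-to-last AS", dst_penult),
                       ("transit AS", transit)):
        print(title)
        for key, nbytes in rep.most_common():
            print(f"  {key}: {nbytes} bytes")
    print(f"bytes via listed ASNs: {listed}")
```

With sampled sFlow records, multiply each byte count by the sampling rate before aggregating.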