Why do you use Netflow

Jared Mauch jared at puck.Nether.net
Tue Aug 19 20:18:30 UTC 2003


On Tue, Aug 19, 2003 at 12:55:33PM -0700, lance_tatman at agilent.com wrote:
> 
> Are operators frequently using netflow nowadays?  I assume that if you are, you turn it on only for
> some limited duration to collect your data and then go back and do your analysis.  Is this assumption correct?
> 
> What are you looking at when you analyze this data?  I've seen uses such as
> top 10 destination AS's for peering evaluations.  What else?  Billing?

	i've seen netflow used in a few situations:

	1) it's actually kinda useful for DoS situations, you can easily
look at the data flowing through the router and get some general idea
of what the traffic looks like without a fancy sniffer, etc. You can
also do "sh ip ca flow | inc K" to see large flows which are useful
in a flooding situation.
	2) i personally use netflow on my home network (with the max cache
size) to get an idea of what was going on a few minutes ago.  i have
a low enough set of traffic that this works.
	3) i've seen others use netflow for peering analysis in the past
but with transit costs so low, and other things unless you're peering
now it's not really worthwhile to try and get into that marketspace
as there's not a lot of money to be made.
	4) i've seen people feed the netflow data into various sql based
systems for analysis.  this allows them to track trends, any large
upticks in traffic (proto0, proto255, icmp, tcp/445 tcp/135) they are
seeing on their network and generate alerts if it exceeds some pre-existing
thresholds.

	you can always do more interesting things, the problem comes in
storage of data, ensuring you are doing 1:1 sampling, etc. (hard on
big pipes)

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
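As an added example that is not part of Jared's post: a small Python script doing the kind of per-bucket threshold alerting item 4 describes, plus the "large flows" filter behind item 1, over a few constructed NetFlow-style records. The record layout, bucket names, baseline counts and thresholds are all assumptions, not a real collector's format.

```python
# Added example (not from the post): threshold alerting over NetFlow-style
# records, the kind of check item 4 describes. Record layout is assumed.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int    # IP protocol number: 1 = ICMP, 6 = TCP, 0/255 = reserved
    dport: int    # destination port (0 where the protocol has none)
    packets: int

# Constructed sample records for one collection interval (not real traffic)
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 6, 80, 120),
    Flow("192.0.2.11", "198.51.100.5", 6, 443, 80),
    Flow("203.0.113.7", "198.51.100.20", 6, 445, 4000),
    Flow("203.0.113.8", "198.51.100.21", 6, 135, 3500),
    Flow("192.0.2.12", "198.51.100.9", 1, 0, 30),
    Flow("203.0.113.9", "198.51.100.9", 255, 0, 1200),
]

# Constructed per-bucket packet counts from the previous interval (assumed)
BASELINE = {"tcp/80": 150, "tcp/443": 100, "tcp/445": 50, "tcp/135": 40, "icmp": 25}

def bucket(flow):
    """Group a flow the way the post lists traffic: icmp, protoN, or tcp/port."""
    if flow.proto == 1:
        return "icmp"
    if flow.proto == 6:
        return f"tcp/{flow.dport}"
    return f"proto{flow.proto}"       # catches the proto0 / proto255 oddities

def packets_per_bucket(flows):
    """Sum packets per bucket; this is the per-interval row a SQL store would hold."""
    counts = Counter()
    for f in flows:
        counts[bucket(f)] += f.packets
    return counts

def alerts(flows, baseline, factor=5):
    """Buckets whose packets exceed factor x their baseline (unseen buckets alert at once)."""
    current = packets_per_bucket(flows)
    return sorted(k for k, v in current.items() if v > factor * baseline.get(k, 0))

def large_flows(flows, min_packets=1000):
    """Flows above a size threshold, the idea behind 'sh ip ca flow | inc K'."""
    return sorted((f for f in flows if f.packets >= min_packets), key=lambda f: -f.packets)
```

With the constructed data, `alerts(SAMPLE_FLOWS, BASELINE)` flags the tcp/445 and tcp/135 bursts and the never-before-seen proto255 traffic, while the web and ICMP buckets stay quiet.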
