summary of ipflow/netflow appliance

Stefan Hegger Stefan.Hegger at lycos-europe.com
Wed Jan 16 07:54:59 UTC 2008


Here a summary of the answers I got. Again thanks for your help.

mail from Joe 
>-Try fprobe, open source:  http://sourceforge.net/projects/fprobe 

reply from Samuel
>-nProbe by ntop.org is pretty robust tool for generating v5/v9 flows and 
>fairly inexpensive. http://www.ntop.org/nProbe.html

mail from Roland 
>-Lancope offer a productized version of this, I believe Endace too, too.

I talked to Lancope, they might provide me in 1 or 2 years with a 10G 
interface.

mail from Frank
>I just had an extended briefing with a company called Xangati.  Very
>interesting stuff, but they didn't talk about ways to obtain netflows if
>your router isn't able to natively generate them.

answer from Adam
>I can attest to this. nProbe is your best bet for a “virtual NetFlow 
>exporter”. It performs well and has tons of export formats and features. We 
>use it extensively for QA and testing. You do, however, have to pay a bit 
>or it whereas fprobe and others are free.

I talked to Peter Shaw peter at npulsenetworks.com
here his answer

>Thanks for contacting us.  Yes, our Probe can handle the traffic level you
>describe. Our typical, hardware-accelerated Probe has 2 Gigabit ports, and
>shows less than 10% CPU utilisation when generating NetFlow records at the
>full 2Gbps.  We can readily build a Probe using 10Gig ports, and do not
>expect any performance challenge at the traffic level you describe.
>I have a couple of further questions/comments for you;
>1) what Collector system do you plan to send the NetFlow records to ?  We
>can work with any NetFlow-aware collector, but we do find that many of them
>struggle to keep up with the high volume of records from our Probe.  We are
>working on our own Collector/buffer system to reduce this problem, and
>expect this to be available in Q2'08.

I talked also to Luca Deri <deri at ntop.org>
here the answer

>the nPulse appliance is based on an old version of nProbe I have  
>developed years ago. We offer nBox appliances (http://www.nmon.net/nBox.html 
>) with a new accelerated nProbe version not available to anyone but  
>us. Next month we plan to introduce a new model based on a accelerated  
>card developed with a a twin company, able to outperform existing  
>solutions but with a lower price.

>for 10G at the moment we use the Endace platform (NinjaProbe) or  
>Tilera (see http://www.tilera.com/pdf/ProductBrief_TILExpress_V1.pdf  
>and search for nProbe) cards for wire rate. If you have a few Gbits, a  
>software nBox can also be enough, but if you go above a hardware card  
>is definitively needed.
>In late 2008 we should have our custom 10G card available but until  
>then we rely on external hardware solutions.

>unless you want to buy the appliance from Endace and the software from  
>me, I can currently offer an nbox with dual 10G capability featuring  
>software packet capture acceleration for about 6K Euro. This model is  
>suitable for monitoring 2-3 Gbit of traffic. As I have stated before,  
>10G hardware capture acceleration still needs some time.

next mail from gert
>Has any of you done a reality-check before recommending these tools,
>whether one of them can actually *handle* a 10G-link?
>Sniffing 10G without losing packets is *hard*.
>Sniffing 10G and doing any sort of math with it is *very hard*.
>Any "sniff packets and do flow exports from there" application that 
>aims to do better than the flow hardware on the PFC3 needs to be really,
>really, *really* good.


conclusion:

It is not easy to find a device to capture a 10G interface and generate the 
netflow.

When I have news, I will will inform you.

Best Stefan

-- 
Stefan Hegger
Internet System Engineer

Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33312 Gütersloh 

Phone:
Tel: +49 5241 8071 334
Fax: +49 5241 80671 334
Mobile: +49 170 1892720

Sitz der Gesellschaft: Gütersloh
Amtsgericht Gütersloh, HRB 2157
Geschäftsführer: Christoph Mohn 

  <http://www.lycos-europe.com/L/A/>



More information about the NANOG mailing list