summary of ipflow/netflow appliance
Stefan Hegger
Stefan.Hegger at lycos-europe.com
Wed Jan 16 07:54:59 UTC 2008
Here is a summary of the answers I got. Again thanks for your help.
mail from Joe
>-Try fprobe, open source: http://sourceforge.net/projects/fprobe
reply from Samuel
>-nProbe by ntop.org is pretty robust tool for generating v5/v9 flows and
>fairly inexpensive. http://www.ntop.org/nProbe.html
mail from Roland
>-Lancope offer a productized version of this, I believe Endace too.
I talked to Lancope, they might provide me in 1 or 2 years with a 10G
interface.
mail from Frank
>I just had an extended briefing with a company called Xangati. Very
>interesting stuff, but they didn't talk about ways to obtain netflows if
>your router isn't able to natively generate them.
answer from Adam
>I can attest to this. nProbe is your best bet for a “virtual NetFlow
>exporter”. It performs well and has tons of export formats and features. We
>use it extensively for QA and testing. You do, however, have to pay a bit
>for it whereas fprobe and others are free.
I talked to Peter Shaw peter at npulsenetworks.com
here is his answer
>Thanks for contacting us. Yes, our Probe can handle the traffic level you
>describe. Our typical, hardware-accelerated Probe has 2 Gigabit ports, and
>shows less than 10% CPU utilisation when generating NetFlow records at the
>full 2Gbps. We can readily build a Probe using 10Gig ports, and do not
>expect any performance challenge at the traffic level you describe.
>I have a couple of further questions/comments for you;
>1) what Collector system do you plan to send the NetFlow records to? We
>can work with any NetFlow-aware collector, but we do find that many of them
>struggle to keep up with the high volume of records from our Probe. We are
>working on our own Collector/buffer system to reduce this problem, and
>expect this to be available in Q2'08.
I talked also to Luca Deri <deri at ntop.org>
here is the answer
>the nPulse appliance is based on an old version of nProbe I have
>developed years ago. We offer nBox appliances (http://www.nmon.net/nBox.html
>) with a new accelerated nProbe version not available to anyone but
>us. Next month we plan to introduce a new model based on an accelerated
>card developed with a twin company, able to outperform existing
>solutions but with a lower price.
>for 10G at the moment we use the Endace platform (NinjaProbe) or
>Tilera (see http://www.tilera.com/pdf/ProductBrief_TILExpress_V1.pdf
>and search for nProbe) cards for wire rate. If you have a few Gbits, a
>software nBox can also be enough, but if you go above a hardware card
>is definitively needed.
>In late 2008 we should have our custom 10G card available but until
>then we rely on external hardware solutions.
>unless you want to buy the appliance from Endace and the software from
>me, I can currently offer an nbox with dual 10G capability featuring
>software packet capture acceleration for about 6K Euro. This model is
>suitable for monitoring 2-3 Gbit of traffic. As I have stated before,
>10G hardware capture acceleration still needs some time.
next mail from gert
>Has any of you done a reality-check before recommending these tools,
>whether one of them can actually *handle* a 10G-link?
>Sniffing 10G without losing packets is *hard*.
>Sniffing 10G and doing any sort of math with it is *very hard*.
>Any "sniff packets and do flow exports from there" application that
>aims to do better than the flow hardware on the PFC3 needs to be really,
>really, *really* good.
conclusion:
It is not easy to find a device to capture a 10G interface and generate the
netflow.
When I have news, I will inform you.
Best Stefan
--
Stefan Hegger
Internet System Engineer
Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33312 Gütersloh
Phone:
Tel: +49 5241 8071 334
Fax: +49 5241 80671 334
Mobile: +49 170 1892720
Sitz der Gesellschaft: Gütersloh
Amtsgericht Gütersloh, HRB 2157
Geschäftsführer: Christoph Mohn
<http://www.lycos-europe.com/L/A/>