Tue Jun 24 14:22:04 UTC 2008

> We started out with SPAN ports, then moved on to Netoptics taps.
> Lately we've been using a combination of Cisco Netflow (from remote routers),
> and native Argus flows (from local taps) where we need more details.
> Flows are useful to answer "What happened X minutes/hours/days ago?",
> and where you do not need/want to capture full packet bodies
> (though with Argus you can choose whether to include payload data).

Cool - good to know that the Netoptics gear is good.  Seems like
there's a few resounding approvals of them.

Netflow would be lovely to export from our border routers.
Unfortunately, we are somewhat married to the 6500 platform which has
absolutely awful netflow support.  Very small TCAM, export is CPU
expensive, and sampling makes both problems worse.  So a mirrored copy
of the transit link is being sent to a pmacct box for flow generation.

