ipfix/netflow/sflow generator for Linux
Thomas York
straterra at fuhell.com
Mon Dec 6 21:15:59 UTC 2010
Never heard of it. I'll give it a shot. Another project that uses argus also
looks interesting.. http://nautilus.oshean.org/wiki/Periscope
-----Original Message-----
From: Ken A [mailto:ka at pacific.net]
Sent: Monday, December 06, 2010 4:04 PM
To: nanog at nanog.org
Subject: Re: ipfix/netflow/sflow generator for Linux
Have you considered argus?
It can deliver "argus flows" from multiple interfaces.
From http://www.qosient.com/argus/ :
> Argus can be considered an implementation of the architecture
> described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and
> the project has actively contributed to the IPFIX effort, however,
> Argus technology should be considered a superset of the IPFIX
> architecture, providing "proof of concept" implementations for most
> aspects of the IPFIX applicability statement. Argus technology can
> read and process Cisco Netflow data, and many sites develop audits
> using a mixture of Argus and Netflow records.
Ken
On 12/6/2010 2:44 PM, Thomas York wrote:
> fprobe doesn't work properly because it has the input and output
> interface IDs as both 0. In Scrutinizer, this makes the flow look like
> all the data came in the interface and immediately left via the same
> interface. Also, this causes problems when running multiple instances
> of fprobe.
>
> This seems to be the issue with most of the flow software I've tried.
>
> -----Original Message-----
> From: Samuel Petreski [mailto:sp446 at georgetown.edu]
> Sent: Monday, December 06, 2010 3:38 PM
> To: 'Thomas York'; nanog at nanog.org
> Subject: RE: ipfix/netflow/sflow generator for Linux
>
> I've used fprobe with great success. You can run multiple instances of
> fprobe for the different interfaces.
>
> --Samuel
>
> fprobe: a NetFlow probe - libpcap-based tool that collects network
> traffic data and emits it as NetFlow flows towards the specified
> collector.
>
> WWW: http://sourceforge.net/projects/fprobe
>
> -- Samuel Petreski Sr. Security Analyst Georgetown University
>
>> -----Original Message-----
>> From: Thomas York [mailto:straterra at fuhell.com]
>> Sent: Monday, December 06, 2010 2:15 PM
>> To: nanog at nanog.org
>> Subject: ipfix/netflow/sflow generator for Linux
>>
>> At my current place of work, we use all Linux routers. I need to do
>> some IP accounting/reporting and am currently trying to use
>> Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow,
>> and sflow data without qualms. My only issue is that I can't seem to
>> find any good software for Linux that works with multiple interfaces
>> to generate the flow information. I've tried ndsad, nprobe,
>> softflowd, host sflow, and ipcad without much luck. Most of the
>> software only works on one interface (which is useless as I need to
>> do accounting for numerous interfaces).
>>
>> I've had the best luck with ipcad. The only thing that seems to not
>> work with it is that it doesn't correctly give the interface number
>> in the flow information. It refers to all interfaces as interface
>> 65535. I've tried the config option for ipcad to map an interface
>> directly to an SNMP interface ID, but that option of the config file
>> seems to be ignored.
>>
>> Ntop functionally does exactly what I need, but it's extremely buggy.
>> It segfaults after a few minutes, regardless of Linux distro or Ntop
>> version. So..any ideas on what I can do to get good flow information
>> from our Linux routers?
--
Ken Anderson
Pacific Internet - http://www.pacific.net
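
Added example, not part of the thread or of any tool named in it: a Python check for the two symptoms reported above (input and output interface IDs both 0, and interfaces reported as 65535), run over one export datagram before it is trusted for per-interface accounting. It assumes the exporter sends NetFlow v5; audit_v5, build_sample and the sample addresses are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def audit_v5(datagram):
    """Return (src, dst, in_if, out_if, problem) per flow record in one datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header count exceeds datagram length")
    results = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        src, dst = socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1])
        in_if, out_if = f[3], f[4]          # SNMP ifIndex of input / output interface
        if in_if == 0 and out_if == 0:
            problem = "both ifIndex 0"      # symptom reported for fprobe in the thread
        elif 65535 in (in_if, out_if):
            problem = "ifIndex 65535"       # symptom reported for ipcad in the thread
        elif in_if == out_if:
            problem = "same in/out ifIndex"
        else:
            problem = None
        results.append((src, dst, in_if, out_if, problem))
    return results

def build_sample():
    """Constructed datagram: one healthy record plus the two symptoms above."""
    flows = [("192.0.2.10", "198.51.100.5", 2, 3),
             ("192.0.2.11", "198.51.100.6", 0, 0),
             ("192.0.2.12", "198.51.100.7", 65535, 65535)]
    data = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, in_if, out_if in flows:
        data += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                            in_if, out_if, 10, 1500, 0, 0, 1024, 80,
                            0, 0, 6, 0, 0, 0, 0, 0, 0)
    return data

if __name__ == "__main__":
    for row in audit_v5(build_sample()):
        print(row)
```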