flow analysis for juniper devices
Richard A Steenbergen
ras at e-gerbil.net
Tue Nov 16 00:45:06 UTC 2010
On Tue, Nov 16, 2010 at 12:33:37AM +0100, bas wrote:
>
> Shouldn't there be a (**)
>
> (**) Also Except for MX'es with trio chipsets. These can do
> inline-jflow that export to IPFIX (modified netflow v9)
>
> All of the open source collector solutions I've tried that can handle
> v9 cannot handle IPFIX from the trio cards.
>
> Richard; Do you have something that handles IPFIX?
Yes there's that too. I haven't actually gotten around to testing the
Trio specific Netflow capabilities yet, but supposedly they only support
IPFIX when using the "built in" sampling capabilities. If you want v9
you'll still need a Multiservice DPC, or you can always stick to classic
RE-sampled v5/v8.
IPFIX is effectively "netflow v10", it's largely based off of v9, but
it's just different enough to be incompatible. Of course it's close
enough that it shouldn't be THAT much work if you already have an
existing v9 parser, but I don't know what software actually supports it
today. The only flow collector implementation which I've spent any
amount of time looking at besides the stuff I've written myself is
pmacct, which IMHO shows great promise, but I don't believe it supports
IPFIX yet. For my purposes I'd have been just as happy if everyone had
standardized on sFlow (especially since I already wrote a parser for it
:P), but alas it isn't meant to be.
Some differences between v9 and IPFIX that googling turned up:
http://www.plixer.com/blog/netflow/what-is-ipfix-vs-netflow-v9/
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
More information about the NANOG
mailing list