<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Samplicator is a nifty tool. <br>
<br>
--John<br>
<br>
<div class="moz-cite-prefix">On 1/25/22 16:50, Compton, Rich A
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:E74FA2CD-27BB-4578-87A9-1473C090C023@charter.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:12.0pt">Elastiflow
is pretty cool. <a href="https://www.elastiflow.com"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://www.elastiflow.com</a> or the old open source
version: <a href="https://github.com/robcowart/elastiflow"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://github.com/robcowart/elastiflow</a> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">You can
pretty much do the same thing with Elastic’s filebeat (<a
href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html</a>).
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">Pmacct is
also good for grabbing netflow
<a href="http://www.pmacct.net" moz-do-not-send="true"
class="moz-txt-link-freetext">http://www.pmacct.net</a>
and sending it somewhere (file, database, Kafka, etc.). You
can also grab BMP and streaming telemetry with it.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">If you’re
looking for open source DDoS detection using netflow, check
out
<a href="https://github.com/pavel-odintsov/fastnetmon"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/pavel-odintsov/fastnetmon</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">Shameless
plug, check out my tool to look for spoofed UDP
amplification request traffic coming into your network
<a href="https://github.com/racompton/tattle-tale"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/racompton/tattle-tale</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">FYI, you can
send netflow to multiple collectors with
<a href="https://github.com/sleinen/samplicator"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/sleinen/samplicator</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">-Rich<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:12.0pt;color:black">From: </span></b><span
style="font-size:12.0pt;color:black">NANOG
<a class="moz-txt-link-rfc2396E" href="mailto:nanog-bounces+rich.compton=charter.com@nanog.org">&lt;nanog-bounces+rich.compton=charter.com@nanog.org&gt;</a>
on behalf of David Bass <a class="moz-txt-link-rfc2396E" href="mailto:davidbass570@gmail.com">&lt;davidbass570@gmail.com&gt;</a><br>
<b>Date: </b>Tuesday, January 25, 2022 at 11:06 AM<br>
<b>To: </b>Christopher Morrow
<a class="moz-txt-link-rfc2396E" href="mailto:morrowc.lists@gmail.com">&lt;morrowc.lists@gmail.com&gt;</a><br>
<b>Cc: </b>NANOG list <a class="moz-txt-link-rfc2396E" href="mailto:nanog@nanog.org">&lt;nanog@nanog.org&gt;</a><br>
<b>Subject: </b>[EXTERNAL] Re: Flow collection and
analysis<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Most of these things, yes. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Add:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Troubleshooting/operational support<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Customer reporting<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, Jan 25, 2022 at 1:38 PM
Christopher Morrow &lt;<a
href="mailto:morrowc.lists@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">morrowc.lists@gmail.com</a>&gt;
wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, Jan 25, 2022 at 10:53
AM David Bass &lt;<a
href="mailto:davidbass570@gmail.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">davidbass570@gmail.com</a>&gt;
wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">Wondering what others in the
small to medium sized networks out there are using
these days for netflow data collection, and your
opinion on the tool?<o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">a question not asked, and
answer not provided here, is:<br>
"What are you actually trying to do with the
netflow?"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Answers of the form:<br>
"DoS detection and mitigation planning"<br>
"Discover peering options/opportunities"<br>
"billing customers"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> "traffic analysis for future
network planning"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> "abuse
monitoring/management/investigations"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> "pretty noc graphs"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">are helpful.. I'm sure other
answers would as well.. but: "how do you collect?"
is "with a collector" and isn't super helpful if
the collector can't feed into the tooling /
infrastructure / long-term goal you have.<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>