<div dir="ltr">Brian, you may want to see if your routers support sFlow (vendors have added the feature over the last few years). <div><br></div><div>In particular, see if it includes support for the sFlow extended_gateway structure:<div><br><div>/* Extended Gateway Data */<br>/* opaque = flow_data; enterprise = 0; format = 1003 */<br><br>struct extended_gateway {<br> next_hop nexthop; /* Address of the border router that should<br> be used for the destination network */<br> unsigned int as; /* Autonomous system number of router */<br> unsigned int src_as; /* Autonomous system number of source */<br> unsigned int src_peer_as; /* Autonomous system number of source peer */<br> as_path_type dst_as_path<>; /* Autonomous system path to the destination */<br> unsigned int communities<>; /* Communities associated with this route */<br> unsigned int localpref; /* LocalPref associated with this route */<br>}<br></div><div><br></div><div>The dst_as_path field is particularly valuable since it allows you to see who your customers are peering with.</div></div><div><br></div><div>While not a complete solution, you might want to take a look at sflowtool, <a href="https://github.com/sflow/sflowtool">https://github.com/sflow/sflowtool</a>, to decode the sFlow records and convert them to JSON. It's not hard to write a Python script to calculate BGP peering metrics and push the results into a time series database (Prometheus, InfluxDB, etc) and build dashboards in Grafana. The following article gives a few examples:</div><div><br></div><div><a href="https://blog.sflow.com/2018/12/sflow-to-json.html">https://blog.sflow.com/2018/12/sflow-to-json.html</a><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 26, 2024 at 5:06 PM Brian Knight via NANOG <<a href="mailto:nanog@nanog.org">nanog@nanog.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<div style="margin:0px;padding:0px;font-family:monospace">What's presently the most commonly used open source toolset for monitoring AS-to-AS traffic?<br> <br> I want to see with which ASes I am exchanging the most traffic across my transits and IX links. I want to look for opportunities to peer so I can better sell expansion of peering to upper management.</div>
<div style="margin:0px;padding:0px;font-family:monospace"> </div>
<div style="margin:0px;padding:0px;font-family:monospace">Our routers are mostly $VENDOR_C_XR so Netflow support is key.<br> <br> In the past, I've used <a href="https://github.com/manuelkasper/AS-Stats" target="_blank">AS-Stats</a> for this purpose. However, it is particularly CPU and disk IO intensive. Also, it has not been actively maintained since 2017.<br> <br> <a href="https://www.influxdata.com/what-are-netflow-and-sflow/" target="_blank">InfluxDB wants to sell me</a> on Telegraf + InfluxDB + Chronograf + Kapacitor, but I can't find any clear guide on what hardware I would need for that, never mind how to set up the software. It does appear to have an open source option, however.</div>
<div style="margin:0px;padding:0px;font-family:monospace"> </div>
<div style="margin:0px;padding:0px;font-family:monospace">pmacct seems to be good at gathering Netflow, but doesn't seem to analyze data. I don't see any concise howto guides for setting this up for my purpose, however.</div>
<div style="margin:0px;padding:0px;font-family:monospace"> </div>
<div style="margin:0px;padding:0px;font-family:monospace">I'm aware Kentik does this very well, but I have no budget at the moment, my testing window is longer than the 30 day trial, and we are not prepared to share our Netflow data with a third party.</div>
<div style="margin:0px;padding:0px;font-family:monospace"> </div>
<div style="margin:0px;padding:0px;font-family:monospace"><a href="https://www.elastiflow.com/" target="_blank">Elastiflow</a> appears to have been <a href="https://github.com/robcowart/elastiflow?tab=readme-ov-file" target="_blank">open source</a> at one time in the past, but no longer. Since it too appears to be hosted, I have the same objections as I do with Kentik above.</div>
<div style="margin:0px;padding:0px;font-family:monospace"> </div>
<div style="margin:0px;padding:0px;font-family:monospace">On-list and off-list replies are welcome.</div>
<div style="margin:0px;padding:0px;font-family:monospace"> </div>
<div style="margin:0px;padding:0px;font-family:monospace">Thanks,</div>
<div style="margin:0px;padding:0px;font-family:monospace"> </div>
<div style="margin:0px;padding:0px;font-family:monospace">-Brian</div>
<div style="margin:0px;padding:0px;font-family:monospace"> </div>
</div>
</blockquote></div>