RE: ipfix/netflow/sflow generator for Linux

["Thomas York" <straterra () fuhell com>]

Never heard of it. I'll give it a shot. Another project that uses argus also
looks interesting.. http://nautilus.oshean.org/wiki/Periscope

-----Original Message-----
From: Ken A [mailto:ka () pacific net] 
Sent: Monday, December 06, 2010 4:04 PM
To: nanog () nanog org
Subject: Re: ipfix/netflow/sflow generator for Linux

Have you considered argus?
It can deliver "argus flows" from multiple interfaces.
 From http://www.qosient.com/argus/ :

> Argus can be considered an implementation of the architecture 
> described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and 
> the project has actively contributed to the IPFIX effort, however, 
> Argus technology should be considered a superset of the IPFIX 
> architecture, providing "proof of concept" implementations for most 
> aspects of the IPFIX applicability statement. Argus technology can 
> read and process Cisco Netflow data, and many sites develop audits 
> using a mixture of Argus and Netflow records.

Ken


On 12/6/2010 2:44 PM, Thomas York wrote:
> fprobe doesn't work properly because it has the input and output 
> interface IDs as both 0. In Scrutinizer, this makes the flow look like 
> all the data came in the interface and immediately left via the same 
> interface. Also, this causes problems when running multiple instances 
> of fprobe.
>
> This seems to be the issue with most of the flow software I've tried.
>
> -----Original Message----- From: Samuel Petreski 
> [mailto:sp446 () georgetown edu] Sent: Monday, December 06, 2010 3:38 PM 
> To: 'Thomas York'; nanog () nanog org Subject: RE:
> ipfix/netflow/sflow generator for Linux
>
> I've used fprobe with great success. You can run multiple instances of 
> fprobe for the different interfaces.
>
> --Samuel
>
> fprobe: a NetFlow probe - libpcap-based tool that collects network 
> traffic data and emit it as NetFlow flows towards the specified 
> collector.
>
> WWW: http://sourceforge.net/projects/fprobe
>
> -- Samuel Petreski Sr. Security Analyst Georgetown University
>
> > -----Original Message----- From: Thomas York 
> > [mailto:straterra () fuhell com] Sent: Monday, December 06, 2010 2:15 PM 
> > To: nanog () nanog org Subject: ipfix/netflow/sflow generator for Linux
> >
> > At my current place of work, we use all Linux routers. I need to do 
> > some
> IP
> > accounting/reporting and am currently trying to use Scrutinizer.
> Scrutinizer
> > can use netstream, jstream, ipfix, netflow, and sflow data without 
> > qualms. My only issue is that I can't seem to find any good software 
> > for Linux
> that
> > works with multiple interfaces to generate the flow information.
> > I've
> tried
> > ndsad, nprobe, softflowd, host sflow, and ipcad without much luck.
> > Most of the software only works on one interface (which is useless as 
> > I need to do accounting for numerous interfaces).
> >
> >
> >
> > I've had the best luck with ipcad. The only thing that seems to not 
> > work
> with
> > it is that it doesn't correctly give the interface number in the flow 
> > information. It refers to all interfaces as interface 65535.
> > I've tried
> the config
> > option for ipcad to map an interface directly to an SNMP interface 
> > ID, but that option of the config file seems to be ignored.
> >
> >
> >
> > Ntop functionally does exactly what I need, but it's extremely buggy. 
> > It segfaults after a few minutes, regardless of Linux distro or Ntop
> version.
> > So..any ideas on what I can do to get good flow information from our 
> > Linux routers?

--
Ken Anderson
Pacific Internet - http://www.pacific.net