On Mon, Jun 23, 2008 at 10:00:06PM -0500, Kevin Kadow wrote:
> We started out with SPAN ports, then moved on to Netoptics taps.
> Lately we've been using a combination of Cisco Netflow (from remote routers), and native Argus flows (from local taps) where we need more details.
> Flows are useful to answer "What happened X minutes/hours/days ago?", and where you do not need/want to capture full packet bodies (though with Argus you can choose whether to include payload data).

Cool - good to know that the Netoptics gear is good. Seems like there's a few resounding approvals of them.

Netflow would be lovely to export from our border routers. Unfortunately, we are somewhat married to the 6500 platform which has absolutely awful netflow support. Very small TCAM, export is CPU expensive, and sampling makes both problems worse. So a mirrored copy of the transit link is being sent to a pmacct box for flow generation.

--
Ross Vandegrift
ross@kallisti.us

"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell."
--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37