Here is a summary of the answers I got. Again, thanks for your help.
mail from Joe
-Try fprobe, open source: http://sourceforge.net/projects/fprobe
reply from Samuel
-nProbe by ntop.org is pretty robust tool for generating v5/v9 flows and fairly inexpensive. http://www.ntop.org/nProbe.html
mail from Roland
-Lancope offer a productized version of this, I believe Endace too.
I talked to Lancope, they might provide me in 1 or 2 years with a 10G interface.
mail from Frank
I just had an extended briefing with a company called Xangati. Very interesting stuff, but they didn't talk about ways to obtain netflows if your router isn't able to natively generate them.
answer from Adam
I can attest to this. nProbe is your best bet for a “virtual NetFlow exporter”. It performs well and has tons of export formats and features. We use it extensively for QA and testing. You do, however, have to pay a bit for it whereas fprobe and others are free.
I talked to Peter Shaw <peter@npulsenetworks.com>; here is his answer:
Thanks for contacting us. Yes, our Probe can handle the traffic level you describe. Our typical, hardware-accelerated Probe has 2 Gigabit ports, and shows less than 10% CPU utilisation when generating NetFlow records at the full 2Gbps. We can readily build a Probe using 10Gig ports, and do not expect any performance challenge at the traffic level you describe. I have a couple of further questions/comments for you:
1) What Collector system do you plan to send the NetFlow records to? We can work with any NetFlow-aware collector, but we do find that many of them struggle to keep up with the high volume of records from our Probe. We are working on our own Collector/buffer system to reduce this problem, and expect this to be available in Q2'08.
I also talked to Luca Deri <deri@ntop.org>; here is the answer:
the nPulse appliance is based on an old version of nProbe I have developed years ago. We offer nBox appliances (http://www.nmon.net/nBox.html) with a new accelerated nProbe version not available to anyone but us. Next month we plan to introduce a new model based on an accelerated card developed with a twin company, able to outperform existing solutions but with a lower price.
for 10G at the moment we use the Endace platform (NinjaProbe) or Tilera (see http://www.tilera.com/pdf/ProductBrief_TILExpress_V1.pdf and search for nProbe) cards for wire rate. If you have a few Gbits, a software nBox can also be enough, but if you go above a hardware card is definitively needed. In late 2008 we should have our custom 10G card available but until then we rely on external hardware solutions.
unless you want to buy the appliance from Endace and the software from me, I can currently offer an nbox with dual 10G capability featuring software packet capture acceleration for about 6K Euro. This model is suitable for monitoring 2-3 Gbit of traffic. As I have stated before, 10G hardware capture acceleration still needs some time.
next mail from gert
Has any of you done a reality-check before recommending these tools, whether one of them can actually *handle* a 10G-link? Sniffing 10G without losing packets is *hard*. Sniffing 10G and doing any sort of math with it is *very hard*. Any "sniff packets and do flow exports from there" application that aims to do better than the flow hardware on the PFC3 needs to be really, really, *really* good.
conclusion: It is not easy to find a device to capture a 10G interface and generate the netflow. When I have news, I will inform you.
Best
Stefan
--
Stefan Hegger
Internet System Engineer
Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33312 Gütersloh
Phone:
Tel: +49 5241 8071 334
Fax: +49 5241 80671 334
Mobile: +49 170 1892720
Registered office: Gütersloh
District Court Gütersloh, HRB 2157
Managing Director: Christoph Mohn
<http://www.lycos-europe.com/L/A/>