On Tue, Aug 19, 2003 at 12:55:33PM -0700, lance_tatman@agilent.com wrote:
> Are operators frequently using netflow nowadays? I assume that if you are, you turn it on only for some limited duration to collect your data and then go back and do your analysis. Is this assumption correct?
> What are you looking at when you analyze this data? I've seen uses such as top 10 destination ASes for peering evaluations. What else? Billing?
I've seen netflow used in a few situations:

1) It's actually kinda useful for DoS situations: you can easily look at the data flowing through the router and get some general idea of what the traffic looks like without a fancy sniffer, etc. You can also do "sh ip ca flow | inc K" to see large flows, which are useful in a flooding situation.

2) I personally use netflow on my home network (with the max cache size) to get an idea of what was going on a few minutes ago. I have a low enough set of traffic that this works.

3) I've seen others use netflow for peering analysis in the past, but with transit costs so low, and other things, unless you're peering now it's not really worthwhile to try and get into that marketspace as there's not a lot of money to be made.

4) I've seen people feed the netflow data into various SQL-based systems for analysis. This allows them to track trends, any large upticks in traffic (proto0, proto255, icmp, tcp/445, tcp/135) they are seeing on their network, and generate alerts if it exceeds some pre-existing thresholds.

You can always do more interesting things; the problem comes in storage of data, ensuring you are doing 1:1 sampling, etc. (hard on big pipes).

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
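As an added illustration (my code, not Jared's or anything from the thread), here is the kind of threshold check his item 4 describes, plus the large-flow listing from item 1, run over constructed flow records. The watch list (proto0, proto255, icmp, tcp/445, tcp/135) is his; the record layout, addresses, thresholds and the sampling-rate scaling are assumptions I made up for the example.

```python
# Added example: aggregate NetFlow-style records per watched protocol/port,
# raise an alert when a count crosses a threshold, and list the biggest flows.
# Records and thresholds are constructed; nothing here is real export data.
from collections import defaultdict

# Constructed records: (src, dst, ip_proto, dst_port, bytes). Port is 0 for
# protocols without ports. Includes a burst of tiny tcp/445 flows, one big
# transfer, a couple of pings and one stray proto-255 packet.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 6, 80, 12000),
    ("10.0.0.7", "192.0.2.20", 6, 443, 5000000),
    ("10.0.0.8", "192.0.2.30", 1, 0, 84),
    ("10.0.0.8", "192.0.2.31", 1, 0, 84),
    ("198.51.100.9", "10.0.0.1", 255, 0, 60),
] + [(f"203.0.113.{i}", "10.0.0.40", 6, 445, 48) for i in range(1, 7)]

# Watch list from the post: (ip_proto, dst_port); None matches any port.
WATCH = {(0, None): "proto0", (255, None): "proto255", (1, None): "icmp",
         (6, 445): "tcp/445", (6, 135): "tcp/135"}

# Constructed per-interval flow-count thresholds (tune per network).
THRESHOLDS = {"proto0": 1, "proto255": 1, "icmp": 10, "tcp/445": 5, "tcp/135": 5}


def tally(flows, sample_rate=1):
    """Flow count and byte total per watched label. If the export was 1:N
    sampled rather than 1:1, pass N so the estimates are scaled back up."""
    counts, nbytes = defaultdict(int), defaultdict(int)
    for _src, _dst, proto, port, size in flows:
        for (wproto, wport), label in WATCH.items():
            if proto == wproto and (wport is None or port == wport):
                counts[label] += sample_rate
                nbytes[label] += size * sample_rate
    return dict(counts), dict(nbytes)


def alerts(flows, thresholds, sample_rate=1):
    """Labels whose flow count reached its threshold, sorted for stable output."""
    counts, _ = tally(flows, sample_rate)
    return sorted(l for l, n in counts.items() if n >= thresholds.get(l, float("inf")))


def large_flows(flows, min_bytes=1000000):
    """Biggest flows first: the offline equivalent of grepping the cache for 'K'."""
    return sorted(((f[4], f[0], f[1]) for f in flows if f[4] >= min_bytes), reverse=True)


if __name__ == "__main__":
    print("alerts:", alerts(SAMPLE_FLOWS, THRESHOLDS))
    print("large flows:", large_flows(SAMPLE_FLOWS))
```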