Hello, folks!

Thank you for the very useful feedback! I'm so sorry for my negative view of NetFlow :( It's a nice protocol, but I don't have equipment able to generate NetFlow at wire speed, so I use mirror/SPAN instead.

I completely redesigned the attack-analyzer subsystem and can process sampled data now. I just added sFlow v5 support to FastNetMon and you can try it now. In the near future I will add NetFlow v5 support.

With sFlow support my tool can detect attacks on 40-100GE links and more! Thanks for the sFlow architecture! :)

You can check the new version here: https://github.com/FastVPSEestiOu/fastnetmon

Thank you!

On Sun, Nov 23, 2014 at 2:53 AM, Brian Rak <brak@gameservers.com> wrote:
On 11/22/2014 11:18 AM, Denys Fedoryshchenko wrote:
On 2014-11-22 18:00, freedman@freedman.net wrote:
We see a lot of Brocade for switching in hosting providers, which makes sFlow easy, of course.
Oh, Brocade. Recent experience with ServerIron taught me a new lesson: I can't do bonding on ports as I want; it has limitations about even/odd port numbers, etc. The most amazing part is that I just forgot that I have this ServerIron, and it is the place where I run DDoS protection (but it works perfectly the "tap" way). Thanks for reminding me about this vendor :)
I just hope you're not talking FCX's.... if you upgrade those to 8.x firmware, you'll lose sflow on the 10gb ports. Once you upgrade, they send a corrupted sflow packet, and at *far* less than the rate that you configure. Even if you adjust your parser to compensate for the corrupt packet, they're still dropping the large majority of samples, making sflow pretty much useless.
It's been several months since we reported this, and we're still waiting on a fix.
-- Sincerely yours, Pavel Odintsov