RE: ipfix/netflow/sflow generator for Linux
I just retested nprobe and it has the same issue as most of the other tools. It doesn't specify the InputInt and OutputInt properly. Yes, you can statically set it but that will drastically skew the data in this environment. I'm not against running multiple processes, I've just not found a product that runs using multiple processes that does what I need to.

I just noticed the ntop version in EPEL is fairly old, so I'll try to compile the latest myself and see if it's more stable.

Also, FYI to anyone who is interested in this, I've opened a support ticket with ipcad to fix the interface numbering issue.

http://tinyurl.com/32pjyfa

From: packetmonger@gmail.com [mailto:packetmonger@gmail.com] On Behalf Of Darren Bolding
Sent: Monday, December 06, 2010 8:57 PM
To: Thomas York
Subject: Re: ipfix/netflow/sflow generator for Linux

We've used nprobe with good success, passing the flows to ntop, nfsen etc.

nProbe supports specifying the interface- so yes, you would have to run multiple processes, but I believe it would work. We went ahead and purchased the PF_RING driver as it significantly improved the capture performance of our systems.

I'm assuming since you tried it, you really don't want to fire up a separate process for each interface?

I'd love to hear what you thought about the various tools and what you end up deciding on.

For us, we collect the data using nprobe and have had no problem getting ntop to stably analyze those flows when pointed to it.

NFSEN is pretty damn cool also. We point various nprobe, netflow, sflow data at it with good effect.

--D

On Mon, Dec 6, 2010 at 11:15 AM, Thomas York <straterra@fuhell.com> wrote:

At my current place of work, we use all Linux routers. I need to do some IP accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow, and sflow data without qualms.

My only issue is that I can't seem to find any good software for Linux that works with multiple interfaces to generate the flow information. I've tried ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of the software only works on one interface (which is useless as I need to do accounting for numerous interfaces).

I've had the best luck with ipcad. The only thing that seems to not work with it is that it doesn't correctly give the interface number in the flow information. It refers to all interfaces as interface 65535. I've tried the config option for ipcad to map an interface directly to an SNMP interface ID, but that option of the config file seems to be ignored.

Ntop functionally does exactly what I need, but it's extremely buggy. It segfaults after a few minutes, regardless of Linux distro or Ntop version.

So.. any ideas on what I can do to get good flow information from our Linux routers?

--
-- Darren Bolding --
-- darren@bolding.org --
On Dec 7, 2010, at 8:27 PM, Thomas York wrote:
Yes, you can statically set it but that will drastically skew the data in this environment.
What are you attempting to do that northbound/southbound isn't Good Enough?

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Sell your computer and buy a guitar.