Isherwood, Jeffrey - AES wrote:
> Thank you Peter,  I am looking at Samplicator now...
> 
> I just updated the team leader for this research project, and he asked me to 
> verify that if the raw netflow data is coming in from multiple sources (like 
> 200 or so) all inbound on the same port (9996) that the nfcapd will capture 
> it all, the samplicator can then forward it to 2 research labs and a managed 
> services contractor (to do with what they all will).  Will Samplicator 
> replicate and forward the nfcapd data without altering it?

o To capture multiple sources on the same port, use nfdump-1.6rc3 (latest 1.6
  pre-release).
o Samplicator replicates a UDP stream. It has no idea about the format of the
  data. You can even configure samplicator to retain the original sender IP
  address. Therefore the content of the data is not touched.

> 
> Will the server running nfcapd keep a copy of the Netflow data or does it 
> forward and forget?  I think (personal opinion) that it would be preferable 
> if it held onto the data, if for simply no other reason than for verification 
> and redundancy.

Nfcapd replicates the incoming UDP stream it receives to another host in
addition to collecting and processing the data.
This means switching on/off packet forwarding does not affect any other data
processing tasks.

        - Peter

> 
> So I guess I'm going to start over (since I messed up the installation of 
> nfsen and apache, and couldn't get the web pages to yield data, probably a 
> permissions problem).
> 
> I'll install NFDUMP (nfcapd comes with nfdump) and Samplicator and see what I 
> can do...  I think from looking at the documentation tho, that if I'm not 
> using nfsen, I'll need to automate or script nfcapd to get it running.
> 
> Thanks...
> 
> PS:  Vince, thanks for the pointer to the flow-fanout that looks like a good 
> "fall back option".  I don't think it would allow me to retain copies of the 
> flows on the server, which I need to do... but I could use it to send an 
> extra copy somewhere else.
> 
> 
> Jeffrey
> 
> 
> -----Original Message-----
> From: Peter Haag [mailto:[email protected]]
> Sent: Thursday, December 17, 2009 2:02 AM
> To: Isherwood, Jeffrey - AES
> Cc: '[email protected]'
> Subject: Re: [Nfdump-discuss] Using NFDUMP as an aggregator...
> 
>>> Isherwood, Jeffrey - AES wrote:
>>> I would like to take the output from our Netflow devices and send it to 3 to 4
>>> different locations to accommodate managed services contractors, network staff,
>>> customer support and research initiatives...
>>>
>>> I'm looking to collect flows from all across the enterprise, store them and
>>> redirect them out to other people/units that have need of them.  Most equipment
>>> I've looked at has a limit of two Netflow destinations each, so I thought that
>>> NFDUMP might be the solution.
> 
> No - nfcapd just can forward the flows for daisy chaining the flow traffic. 
> To fan out to many places, have a look into
> samplicator: http://freshmeat.net/projects/samplicator/ from my
> colleague Simon Leinen.
> 
> Hope this helps
> 
>         - Peter
> 

- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/

_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
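
An added illustration of the point made in the reply above, not part of the original thread and not samplicator or nfcapd code: a format-agnostic UDP relay on loopback that fans each datagram out to three receivers. It shows that the payload arrives byte for byte, and that with a plain relay the receivers see the relay's address as the source, which is why an option to retain the original sender IP matters when a collector tells exporters apart by source address. The function names and sample datagrams are constructed for this example; source-address retention itself is not implemented here.

```python
import socket

def udp_socket(timeout=2.0):
    """Bind a UDP socket to an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(timeout)
    return s

def fan_out(listener, destinations, count):
    """Relay `count` datagrams from `listener` to every destination, byte for byte.

    The payload is never parsed, so any UDP-based export format passes through.
    Returns the (exporter_address, payload) pairs that were relayed.
    """
    relayed = []
    for _ in range(count):
        payload, exporter = listener.recvfrom(65535)
        for dest in destinations:
            listener.sendto(payload, dest)
        relayed.append((exporter, payload))
    return relayed

def demo():
    # Constructed sample datagrams standing in for flow exports (not real flow data).
    samples = [b"\x00\x05\x00\x01" + bytes(20),
               b"\x00\x09\x00\x02" + b"opaque-to-the-relay"]
    listener = udp_socket()                        # the relay's listening port
    receivers = [udp_socket() for _ in range(3)]   # e.g. two labs and a contractor
    exporter = udp_socket()                        # one of the flow sources
    for datagram in samples:
        exporter.sendto(datagram, listener.getsockname())
    relayed = fan_out(listener, [r.getsockname() for r in receivers], len(samples))
    received = [[r.recvfrom(65535) for _ in samples] for r in receivers]
    result = {
        "payloads_intact": all([p for p, _ in got] == samples for got in received),
        "source_seen_by_receivers": {src for got in received for _, src in got},
        "relay_address": listener.getsockname(),
        "exporter_address": exporter.getsockname(),
        "relayed": relayed,
    }
    for s in [listener, exporter, *receivers]:
        s.close()
    return result

if __name__ == "__main__":
    r = demo()
    print("payloads intact:", r["payloads_intact"])
    print("receivers see source:", r["source_seen_by_receivers"])
    print("exporter was:", r["exporter_address"])
```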