Hi Joerg,

I have done some experiments with ndsad
(http://sourceforge.net/projects/ndsad/). It doesn't seem to be in
active development anymore, but it has some nice features. If you use it
on Linux, you can connect it to a ULOG target from iptables. On FreeBSD
you can use the 'divert' ipfw command to filter your data. So you have a
lot of control over which packets are sent to your collector, and you
are not limited to a single network interface. For example, you can
collect information about packets that are dropped by your firewall, or
collect only ssh traffic that goes from interface eth0 to eth1.

You can use samplicate to resend netflow to multiple collectors.
According to the readme file, it should be available from:
http://www.switch.ch/tf-tant/floma/sw/samplicator/

but this page forwards to a page that doesn't have a reference to
samplicate. However, I did find this download page:
http://www.switch.ch/network/downloads/tf-tant/samplicator/


Werner

[EMAIL PROTECTED] wrote:
> Hello netflow specialist!
>
> What free software implementation of a netflow probe do you use and which 
> ones are reliable for long term usage?
>
> I have found three:
>
> fprobe (http://sourceforge.net/projects/fprobe/)
> fprobe (http://psi.home.ro/flow - not available)
> Softflowd (http://www.mindrot.org/softflowd.html)
>
> and nProbe, which is not for free.
>
> So far I have been using softflowd (http://www.mindrot.org/projects/softflowd/)
> on Linux. Its statistics function ("softflowctl statistics") is very nice and
> it is smart in flushing/expiring flow records before shutting down. But I am
> missing support for multiple remote collector addresses, given like this: "-n
> collector1:8885 -n collector2:8885".
>
> The SourceForge fprobe can send the flow information to more than one
> collector at a time. But when shutting down it's zapping the already
> collected flow information (tethereal does not show any UDP flow datagram
> when shutting down). Maybe this is not very vital, but well - softflowd is
> smarter.
>
> Does anyone know how to figure out whether fprobe has lost some packets (like
> the "Packets dropped by libpcap:" and "Packets dropped by interface:"
> statistics of softflowd)? And does anyone know whether these "dropped" packets
> are really all missing packets or is this only the number of missing packets
> softflowd knows about but maybe this number is bigger?
>
>
> Another question is:
> Do you know of a "multiplexing relay" that receives flow records and resends
> them to one or more remote or local collectors?
>
>
>
> Joerg
>
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>   
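
The "multiplexing relay" asked about in the quoted message, as an added Python example that is not part of this thread and is not samplicator's code: it forwards each NetFlow datagram unchanged to several collectors and uses the `flow_sequence` field of the NetFlow v5 header to count records lost between the probe and the relay. It does not reveal packets the probe itself failed to capture. The listen port follows the 8885 used in the question; the collector addresses and the `make_v5` helper are constructed for illustration.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")   # 24-byte NetFlow v5 header
V5_RECORD_LEN = 48                        # fixed size of one v5 flow record

class SequenceTracker:
    """Detects flow records lost between a v5 exporter and this relay."""

    def __init__(self):
        self.expected = {}   # (exporter IP, engine_id) -> next flow_sequence
        self.lost = 0        # total records known to be missing

    def observe(self, exporter, datagram):
        """Return the gap (in records) before this datagram, None if not v5."""
        if len(datagram) < V5_HEADER.size:
            return None
        version, count, _, _, _, seq, _, engine_id, _ = V5_HEADER.unpack_from(datagram)
        if version != 5 or not 1 <= count <= 30:
            return None
        if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
            return None
        key = (exporter, engine_id)
        gap = 0
        if key in self.expected:
            gap = (seq - self.expected[key]) % 2**32
            if gap >= 2**31:     # sequence went backwards: restart or reordering
                gap = 0          # resynchronise without counting loss
        self.expected[key] = (seq + count) % 2**32
        self.lost += gap
        return gap

def make_v5(seq, count, engine_id=0):
    """Constructed test datagram: valid v5 header followed by zeroed records."""
    header = V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, engine_id, 0)
    return header + bytes(count * V5_RECORD_LEN)

def relay(listen_addr, collectors, tracker):
    """Forward every datagram unchanged to all collectors; runs until killed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen_addr)
    while True:
        data, (src_ip, _port) = sock.recvfrom(65535)
        gap = tracker.observe(src_ip, data)
        if gap:
            print(f"{src_ip}: {gap} flow records missing, {tracker.lost} total")
        for collector in collectors:   # collectors see the relay as the source
            sock.sendto(data, collector)

if __name__ == "__main__":
    # Assumed addresses: listen on 8885, fan out to two local collectors.
    relay(("0.0.0.0", 8885), [("127.0.0.1", 9995), ("127.0.0.1", 9996)], SequenceTracker())
```

Because the relay re-sends from its own socket, collectors that key on the exporter's source address will attribute all flows to the relay host.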

