Thank you, Werner.

Incidentally, I read the manpage of nfdump. It can also act as an online netflow 
repeater:

    -R host[/port]
       Enable packet repeater. Send all incoming packets to another host and
       port. host is either a valid IPv4/IPv6 address, or a valid symbolic
       hostname, which resolves to an IPv6 or IPv4 address. port may be
       omitted and defaults to port 9995. Note: Due to IPv4/IPv6 accepted
       addresses the port separator is '/'.


Btw. I have http://sourceforge.net/projects/fprobe/ running for some days now 
(on Checkpoint SecurePlatform - compiled on CentOS 3.9). Seems to be stable.


Do all other nfsen users besides Werner not use software netflow 
implementations? What are your opinions on softflowd, fprobe and ndsad? Do 
you know of other good netflow probes (or is this off-topic)?



Joerg


-----Original Message-----
From: Werner Schram [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 12, 2008 10:06 AM
To: Pichel, Jörg
Cc: [email protected]
Subject: Re: [Nfsen-discuss] Recommended software netflow probes

Hi Joerg,

I have done some experiments with ndsad
(http://sourceforge.net/projects/ndsad/). It doesn't seem to be in active 
development anymore, but it has some nice features. If you use it on Linux, you 
can connect it to a ULOG target from iptables. On FreeBSD you can use the 
'divert' ipfw command to filter your data. So you have a lot of control over 
which packets are sent to your collector, and you are not limited to a single 
network interface. For example, you can collect information about packets that 
are dropped by your firewall, or collect only ssh traffic that goes from 
interface eth0 to eth1.

You can use samplicate to resend netflow to multiple collectors.
According to the readme file, it should be available from:
http://www.switch.ch/tf-tant/floma/sw/samplicator/

but this page forwards to a page that doesn't have a reference to samplicate. 
However, I did find this download page:
http://www.switch.ch/network/downloads/tf-tant/samplicator/


Werner

[EMAIL PROTECTED] wrote:
> Hello netflow specialists!
>
> What free software implementation of a netflow probe do you use and which 
> ones are reliable for long term usage?
>
> I have found three
>
> fprobe (http://sourceforge.net/projects/fprobe/)
> fprobe (http://psi.home.ro/flow - not available)
> softflowd (http://www.mindrot.org/softflowd.html)
>
> and nProbe, which is not for free.
>
> Until now I am using softflowd (http://www.mindrot.org/projects/softflowd/) 
> on Linux. Its statistics function ("softflowctl statistics") is very nice and 
> it is smart about flushing/expiring flow records before shutting down. But I am 
> missing support for multiple remote collector addresses, given like this: "-n 
> collector1:8885 -n collector2:8885".
>
> The sourceforge fprobe can send the flow information to more than one 
> collector at a time. But when shutting down it zaps the already 
> collected flow information (tethereal does not show any UDP flow datagram 
> when shutting down). Maybe this is not very vital, but well - softflowd is 
> smarter.
>
> Does anyone know how to figure out whether fprobe has lost some packets (like 
> the "Packets dropped by libpcap:" and "Packets dropped by interface:" 
> statistics of softflowd)? And does anyone know whether these "dropped" packets 
> are really all the missing packets, or is this only the number of missing packets 
> softflowd knows about, while the real number may be bigger?
>
>
> Another question is: 
> Do you know of a "multiplexing relay" that receives flow records and resends 
> them to one or more remote or local collectors?
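As an added illustration of the "multiplexing relay" asked about in this thread (the job samplicate and nfdump's -R repeater do) and of the packet-loss question, here is a small example relay. It is not code from nfdump, samplicator or any of the probes discussed; it assumes the probes export NetFlow v5 (softflowd's default), where the header's flow_sequence field counts exported records, so a jump between consecutive datagrams from one exporter reveals records lost on the way to the relay.

```python
import socket
import struct

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48

def parse_v5_header(datagram):
    """Return (count, flow_sequence), or None if this is not a well-formed
    v5 export (wrong version, count > 30, or length not matching count)."""
    if len(datagram) < V5_HEADER.size:
        return None
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5 or count > 30:
        return None
    if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        return None
    return count, seq

class FlowRelay:
    """Fan out each export datagram to every collector (the job samplicate or
    'nfdump -R' does) and track flow_sequence per exporter: it counts flow
    records, so the next datagram should start at previous seq + count."""
    def __init__(self, collectors, sender=None):
        self.collectors = list(collectors)  # [(host, port), ...]
        self.expected = {}                  # exporter -> next expected seq
        self.lost = {}                      # exporter -> flow records lost
        if sender is None:                  # default: plain UDP sendto
            sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto
        self.sender = sender

    def handle(self, datagram, exporter):
        parsed = parse_v5_header(datagram)
        if parsed is None:
            return False                    # never relay malformed input
        count, seq = parsed
        expected = self.expected.get(exporter)
        if expected is not None and seq > expected:
            # gap: records dropped between the exporter and this relay
            self.lost[exporter] = self.lost.get(exporter, 0) + seq - expected
        self.expected[exporter] = (seq + count) & 0xFFFFFFFF
        for dest in self.collectors:
            self.sender(datagram, dest)
        return True

def make_v5(seq, count):
    """Constructed sample export: valid v5 header, zero-filled records."""
    return V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0) + bytes(V5_RECORD_LEN * count)
```

A receive loop that binds a UDP socket on the probe's collector port and calls relay.handle(data, addr) for each recvfrom() result turns this into a running repeater; relay.lost then gives the per-exporter loss the original question asked how to measure.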


_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
