--On February 18, 2008 14:00:59 +0100 [EMAIL PROTECTED] wrote:

| Thank you, Werner.
|
| Incidentally, I read the manpage of nfdump. It can also act as an online netflow repeater:
|
|   -R host[/port]
|       Enable packet repeater. Send all incoming packets to another host and port.
|       host is either a valid IPv4/IPv6 address, or a valid symbolic hostname,
|       which resolves to an IPv6 or IPv4 address. port may be omitted and defaults
|       to port 9995. Note: Due to IPv4/IPv6 accepted addresses the port
|       separator is '/'.
|
| Btw. I have http://sourceforge.net/projects/fprobe/ running for some days now (on Checkpoint SecurePlatform - compiled on
| CentOS 3.9). Seems to be stable.
|
| Do all other users of nfsen besides Werner not use software netflow implementations? What are your opinions about softflowd,
| fprobe and ndsad? Do you know other good netflow probes (or is this off-topic)?

So far I'm using softflowd on a monitoring port at a medium sized ISP. Works reasonably well, incl. netflow v9. It's also small enough to understand the code, to add own changes etc. However, I don't know how far softflowd scales, and it needs quite a few CPU cycles ..

- Peter

| Joerg
|
| -----Original Message-----
| From: Werner Schram [mailto:[EMAIL PROTECTED]]
| Sent: Tuesday, February 12, 2008 10:06 AM
| To: Pichel, Jörg
| Cc: [email protected]
| Subject: Re: [Nfsen-discuss] Recommended software netflow probes
|
| Hi Joerg,
|
| I have done some experiments with ndsad (http://sourceforge.net/projects/ndsad/). It doesn't seem to be in active
| development anymore, but it has some nice features. If you use it on Linux, you can connect it to a ULOG target from
| iptables. On FreeBSD you can use the 'divert' ipfw command to filter your data. So you have a lot of control over which
| packets are sent to your collector, and you are not limited to a single network interface. For example, you can collect
| information about packets that are dropped by your firewall, or collect only ssh traffic that goes from interface eth0 to eth1.
|
| You can use samplicate to resend netflow to multiple collectors. According to the readme file, it should be available from:
| http://www.switch.ch/tf-tant/floma/sw/samplicator/
|
| but this page forwards to a page that doesn't have a reference to samplicate. However, I did find this download page:
| http://www.switch.ch/network/downloads/tf-tant/samplicator/
|
| Werner
|
| [EMAIL PROTECTED] wrote:
| > Hello netflow specialist!
| >
| > What free software implementation of a netflow probe do you use and which ones are reliable for long term usage?
| >
| > I have found three:
| >
| > fprobe (http://sourceforge.net/projects/fprobe/)
| > fprobe (http://psi.home.ro/flow - not available)
| > softflowd (http://www.mindrot.org/softflowd.html)
| >
| > and nProbe, which is not free.
| >
| > Until now I am using softflowd (http://www.mindrot.org/projects/softflowd/) on linux. Its statistics function ("softflowctl
| > statistics") is very nice and it is smart in flushing/expiring flow records before shutting down. But I am missing support
| > for multiple remote collector addresses, given like this: "-n collector1:8885 -n collector2:8885".
| >
| > The sourceforge fprobe can send the flow information to more than one collector at a time. But when shutting down it's
| > zapping the already collected flow information (tethereal does not show any UDP flow datagram when shutting down). Maybe
| > this is not very vital, but well - softflowd is smarter.
| >
| > Does anyone know how to figure out whether fprobe has lost some packets (like the "Packets dropped by libpcap:" and
| > "Packets dropped by interface:" statistics of softflowd)? And does anyone know whether these "dropped" packets are really
| > all missing packets, or is this only the number of missing packets softflowd knows about, and maybe this number is bigger?
| >
| > Another question is:
| > Do you know of a "multiplexing relay" that receives flow records and resends them to one or more remote or local collectors?
|
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

-- 
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED]  Web: http://www.switch.ch/
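Two of Joerg's questions above, how to tell whether flow records went missing and where to find a multiplexing relay, can be answered on the collector side; this added example (not code from the thread, nfdump, softflowd or samplicate) parses the NetFlow v5 export header, tracks flow_sequence per exporter to count flows that never arrived, and repeats every datagram unchanged to several collectors. It assumes v5 exports (v9 uses a different header), and the listen port 9995 and collector addresses in the comments are assumptions; a sequence gap only reveals exports lost between probe and collector, not packets the probe's libpcap already dropped, which only the probe's own statistics show.

```python
import socket
import struct

# NetFlow v5 header (24 bytes, big-endian): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48          # every v5 flow record is 48 bytes; a datagram holds 1..30
SEQ_MASK = 0xFFFFFFFF       # flow_sequence is a 32-bit counter and wraps

def parse_v5_header(datagram):
    """Return (count, flow_sequence) for a well-formed v5 datagram, else None."""
    if len(datagram) < V5_HEADER.size:
        return None
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5 or not 1 <= count <= 30:
        return None
    if len(datagram) < V5_HEADER.size + count * V5_RECORD_LEN:   # truncated export
        return None
    return count, seq

class SequenceTracker:
    """Per exporter: flows the probe exported that never reached this relay."""
    def __init__(self):
        self.expected = {}  # exporter address -> flow_sequence expected next
        self.lost = {}      # exporter address -> flows missing so far

    def observe(self, exporter, count, seq):
        exp = self.expected.get(exporter, seq)      # first datagram: nothing to compare
        gap = (seq - exp) & SEQ_MASK                # modular, so a wrapped counter still works
        if gap >= 2 ** 31:                          # seq behind expected: reordered, not lost
            self.lost[exporter] = max(0, self.lost.get(exporter, 0) - count)
        else:                                       # in order (gap 0) or datagrams skipped
            self.lost[exporter] = self.lost.get(exporter, 0) + gap
            self.expected[exporter] = (seq + count) & SEQ_MASK
        return self.lost[exporter]

def make_v5_datagram(count, seq, version=5):
    """Constructed datagram for offline testing: real header, zero-filled records."""
    return V5_HEADER.pack(version, count, 0, 0, 0, seq, 0, 0, 0) + b"\0" * (count * V5_RECORD_LEN)

def relay(listen_port, targets):
    """Repeat each datagram unchanged to every (host, port) in targets and log lost flows."""
    tracker = SequenceTracker()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", listen_port))             # e.g. relay(9995, [("10.0.0.5", 9995), ...])
    while True:
        datagram, (exporter, _) = sock.recvfrom(65535)
        for target in targets:
            sock.sendto(datagram, target)           # collectors see the relay, not the probe, as source
        parsed = parse_v5_header(datagram)
        if parsed and tracker.observe(exporter, *parsed):
            print(f"{exporter}: {tracker.lost[exporter]} flows lost between probe and relay")
```

Because the relay re-sends from its own socket, collectors record the relay's address as the exporter, the same limitation a plain packet repeater has.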
