Hi Jens,
I've not worked with YAF, but I've done a similar setup as follows to get reliable full flows (as I too am not a fan of sampled flows):

passive tap (span will work too) => telemetry probe

* On the probe, I usually run a Linux distro of choice (for me, it's a flavor of Debian stripped of systemd, as I've seen issues out of the box and don't want to spend too much time doing RCA); not trying to reignite the religious war of initd vs systemd at all here

* softflowd on the interface tied to the tap or span, converts this to v9_nf / ipfix / sflow

* send this off to nfsen/nfdump

The tradeoff with this method is that the source interface of the flows is not embedded due to the tap or span methodology, but one can write some programming glue to tie this back to upstream or downstream layer 3 routers if need be.

I know you asked specifically about YAF, but how you'd use YAF may be similar here and I wanted to provide an alternative perspective to help out. Good luck.

Regards,
Ge Moua

moua0...@umn.edu
University of Minnesota Alumnus
--

On 1/2/17 6:08 AM, Jens Hektor wrote:
Hi,

our Nexus 7000 now have M3 cards for 40 Gbit/s
and so the Nexus now runs in sampled mode.

That's nothing we want here.

At the moment I am experimenting with "yaf"

        https://tools.netsa.cert.org/yaf/index.html

to get full flows again.

Q:
Has anyone worked with that?
Any experiences with how to set it up?

Best regards, Jens



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot


_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
