On 21/01/2023 13:05, nfsen-discuss-requ...@lists.sourceforge.net wrote:
> if nfsen is no longer under development what is the next best thing for
> visualizing nfdump/sfdump data?
FWIW, I am still using and installing nfsen. It works nicely for
relatively small networks; a single virtual server with not a lot of resources
is all it needs.
I also still use nfdump/nfcapd+nfsen. It's the most lightweight solution
I know for collecting flows, as it simply appends them to a file. nfsen
needs about half a dozen patches to run properly, but I've published a
version with these patches applied here: https://github.com/nsrc-org/nfsen
Even though nfsen is not being maintained, nfdump still is (thanks Peter!)
Best alternative I have tested is Elastiflow
<https://docs.elastiflow.com/docs/>, but it has more moving parts and higher
system requirements.
Note that there are two completely different versions of Elastiflow. The
old (now deprecated) version <https://github.com/robcowart/elastiflow>
was open source, ran on top of Logstash (resource hog), and could be
used for free.
The new version is closed-source and written in Go. There is a free
version which is limited to 4000 flows per second and few flow
attributes. You can request a free basic license key
<https://www.elastiflow.com/basic-license>, which lasts for 1 year, and
enables some additional features. A paid-for license
<https://www.elastiflow.com/subscriptions> unlocks higher flow rates and
even more features.
If you want something like Elastiflow which is built on top of
Elasticsearch but less commercial, then you can use Filebeat
<https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html>
to collect the records and write them to Elasticsearch: this lets you
use the Kibana dashboards which come with filebeat. All these bits are
now licensed under the "nearly free" Elastic license, but you can still
get an Apache-licensed filebeat-oss package, and you can use OpenSearch
+ OpenSearch Dashboards instead of Elasticsearch + Kibana.
In addition: Filebeat writes its Netflow packets to Elasticsearch in a
format called "Elastic Common Schema" (ECS). Elastiflow can write
either in a format called "CODEX" or in "ECS", and they publish
dashboards for both. So in principle, you might be able to use the
Elastiflow ECS dashboards
<https://docs.elastiflow.com/docs/elastic_kibana/> with Filebeat (I have
not tested this!)
Elasticsearch is great for searching, but very expensive for storing and
indexing compared to nfdump/nfsen. You should expect your flow records
to expand by a factor of at least 10, and you *must* use SSD. And lots
of RAM.
Other options?
If you are an R&E network or a non-profit, then you can get a free
license
<https://www.ntop.org/support/faq/do-you-charge-universities-no-profit-and-research/>
for ntop-ng <https://www.ntop.org/products/traffic-analysis/ntop/>.
There is also a community version, but I haven't checked how restricted
it is.
I evaluated but discarded:
- nfsen-ng: user interface is terrible
- pmacct/pmgraph: only really useful for aggregating flows, not drilling
down into individual flows
- SiLK and flowviewer: SiLK is somewhat like nfdump with some benefits
but some drawbacks, and more difficult to use. flowviewer is an ancient and
crufty web interface, even more so than nfsen.
I would very much like to see a solution for netflow built on top of
Loki and Grafana. This could combine the cheap storage of nfdump with
powerful searching and visualization.
Regards,
Brian.
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss