You might try the following tool set : http://www.splintered.net/sw/flow-tools/
There are some margining fan-out utilities that might allow you to hack something together. FCC -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Garlock Sent: Tuesday, August 03, 2004 3:39 PM To: [EMAIL PROTECTED] Subject: [Ntop] NetFlow (the dumb newbie is back! Heh) First off, thanks to everyone on the list for the help in the past. I've now got 6 linux machines running ntop at 6 sites here at our org. That could never have happened without your help :) Between MRTG and NTOP, this has been one hell of a year. It's damned nice to know what's going on .. Anyways, enough ass kissing. But I felt it necessary to prep as I've got a couple of dumb newbie questions. Not so much how-to questions, but .. eh, you'll see. Now that we're up, running, collecting and reporting with ntop, I'd like to shake things up by testing working with netflow. We're cisco-everywhere, so it shouldn't be a problem. I've read through the "NTop, NetFlow and Cisco Routers" document by Jonathan Feldman (sorry, no URL handy). Using that doc, I've been able to collect and report on netflow statistics. Great! :) Now for my question (and I probably could have just jumped right here): is it possible to merge netflow statistics? I know, by default, it's not. Simply activating the netflow plug-in forces all interfaces to be reported seperately. Is there some type of workaround? This is why I'm asking: at our primary site, we have 3 major WAN links. As it stands now, I'm sniffing that data with the ntop box which has an interface on each of those critical segments (core to primary WAN router (frame relay), core to secodnary WAN router (collection of point to point t1's) and core to firewall). With ntop now, I merge all this traffic and get a great "complete picture" of what folks are up to. If I were to switch to 3 NetFlow's, I'd have to constantly switch between them to get a good idea of what's going on. It has to do with the way our network passes traffic. For example, a user in a remote office requests a web page. His local router decides that traffic is best routed over the t1. It arrives at HQ on the secondary router and hops directly over to the firewall, as it's the gateway of last resort. Internet magic happens, and the data from the users request comes back in. The router in HQ decides to send it over frame relay. I'd have to look at 3 separate netflow interfaces to get the "complete" picture .. at least from here at HQ. Is this making sense? Am I overlooking something stupid that makes my question moot? Is this something that's in my newbieness I missed was asked each week for the last 30 weeks in the archive? Heh. I hope not :) Thanks and sorry for the freakin' BOOK of an email for a simple question. Thanks, Jon. -------------------------------------------------------- The information in this transmission is privileged and confidential and intended only for the recipient listed above. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments without retaining a copy. If you are not the intended recipient, you are hereby notified that any disclosure, copying or distribution of this message, or the taking of any action based upon it, is strictly prohibited. Thank you. _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
