The advantage of netFlow is the implicit compression - 15 (or more or less) packets in one 1500 byte packet vs. 15 packets each of whatever length. The disadvantage is that you lose the layer 2 (Ethernet) and internal (deep packet inspection) details. That's a trade-off decision that depends on what you need to pull out of the data.
There are two other ways you can grab the data, vs. span.

(1) A passive tap. It's easy to build for 10- and 100-BaseT (instructions are at snort.org). Just remember that you will need TWO interfaces on the ntop box (one for each direction) and you MUST merge the traffic (the default, but this means stay away from netFlow!).

(2) A true hub. Not a switching hub, but a true hub. These aren't easy to find, but older 3Coms and Linksyses work great.

Span, too, will certainly work. In either case, remember you don't need to assign (and don't want to) an IP address to the monitoring interface(s).

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shane Presley
Sent: Thursday, April 14, 2005 7:51 AM
To: [email protected]
Subject: [Ntop] Watching Internet Connection: Mirror Port or Cisco flows?

Hello,

We have a simple Internet connection. It goes something like:

Internal LAN --> Switch --> Firewall --> Switch --> Router --> Switch --> ISP

I'd like to use NTOP to watch traffic between our router and our ISP. So we have a Cisco 3800 series router, connected to a Cisco 2950 switch. The router is on port 1, port 2 is our ISP (ethernet 100MB line).

I have a RedHat box with eth0 on the Internal LAN (for management). My plan was to put eth1 on that external switch, and just SPAN/Mirror ports 1&2 to a port, and put eth1 there.

But I also read about Cisco Flows. Is that a better way to get the Internet traffic info? If so, are there any docs on how to configure it? Both on the router and ntop?

Thanks
Shane

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
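An added illustration of the trade-off described in the reply, not part of the original thread: a parser for one NetFlow export datagram, showing which fields a flow record keeps (no Ethernet addresses, no payload) and how many observed bytes a single export summarizes. It assumes the NetFlow v5 layout, since the thread does not say which version is in use; the function names and the sample datagram are constructed for this example.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                  # v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")   # v5 flow record, 48 bytes
# Everything a v5 record carries: layer 3/4 summary only, no MACs, no payload.
FIELDS = ("src", "dst", "nexthop", "if_in", "if_out", "packets", "octets",
          "first_ms", "last_ms", "sport", "dport", "tcp_flags", "proto",
          "tos", "src_as", "dst_as", "src_mask", "dst_mask")

def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated: header claims %d records" % count)
    flows = []
    for i in range(count):
        offset = HEADER.size + i * RECORD.size
        rec = dict(zip(FIELDS, RECORD.unpack_from(datagram, offset)))
        for key in ("src", "dst", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        flows.append(rec)
    return flows

def summarize(datagram):
    """Compare the traffic a datagram describes with the size of the export."""
    flows = parse_v5(datagram)
    return {"flows": len(flows),
            "packets": sum(f["packets"] for f in flows),
            "octets": sum(f["octets"] for f in flows),
            "export_bytes": len(datagram)}

def sample_datagram():
    """Constructed sample: two flows between documentation addresses."""
    ip = socket.inet_aton
    header = HEADER.pack(5, 2, 360000, 1113479460, 0, 1, 0, 0, 0)
    web = RECORD.pack(ip("192.0.2.10"), ip("198.51.100.7"), ip("192.0.2.1"),
                      1, 2, 15, 9000, 100, 2100, 49152, 80, 0x1B, 6, 0, 0, 0, 24, 24)
    dns = RECORD.pack(ip("192.0.2.10"), ip("198.51.100.53"), ip("192.0.2.1"),
                      1, 2, 1, 72, 50, 50, 53000, 53, 0, 17, 0, 0, 0, 24, 24)
    return header + web + dns

if __name__ == "__main__":
    for flow in parse_v5(sample_datagram()):
        print(flow)
    print(summarize(sample_datagram()))
```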
