The advantage of netFlow is the implicit compression - 15 (or more or less)
packets in one 1500 byte packet vs. 15 packets each of whatever length.  The
disadvantage is that you lose the layer 2 (Ethernet) and internal (deep
packet inspection) details.  That's a trade-off decision that depends on
what you need to pull out of the data.

There are two other ways you can grab the data, vs. span.

(1) A passive tap.  It's easy to build for 10- and 100-BaseT (instructions
are at snort.org).  Just remember that you will need TWO interfaces on the
ntop box (one for each direction) and you MUST merge the traffic (the
default, but this means stay away from netFlow!).

(2) A true hub.  Not a switching hub, but a true hub.  These aren't easy to
find, but older 3Coms and Linksyses work great.

Span, too, will certainly work.

In either case, remember you don't need to assign (*and* don't want to) an IP
address to the monitoring interface(s).

-----Burton
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Shane Presley
Sent: Thursday, April 14, 2005 7:51 AM
To: [email protected]
Subject: [Ntop] Watching Internet Connection: Mirror Port or Cisco flows?

Hello,

We have a simple Internet connection.  It goes something like:

Internal LAN --> Switch --> Firewall --> Switch --> Router --> Switch --> ISP

I'd like to use NTOP to watch traffic between our router and our ISP. 
So we have a Cisco 3800 series router, connected to a Cisco 2950
switch.   The router is on port 1, port 2 is our ISP (ethernet 100MB
line).

I have a RedHat box with eth0 on the Internal LAN (for management). 
My plan was to put eth1 on that external switch, and just SPAN/Mirror ports
1&2 to a port, and put eth1 there.

But I also read about Cisco Flows.  Is that a better way to get the Internet
traffic info?  If so, are there any docs on how to configure it?  Both on
the router and ntop?

Thanks
Shane
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
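
To make the NetFlow trade-off from the reply concrete, here is an added example (not part of the original thread and not ntop's code) that parses one NetFlow v5 export datagram. Version 5 is an assumption, since the thread names no export version, and the addresses and counters in `build_sample` are constructed.

```python
import socket
import struct

# NetFlow v5 layout (assumed export version; the thread does not name one).
HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte datagram header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def parse_v5(datagram):
    """Return (header dict, list of flow dicts) for one NetFlow v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count, _up, secs, _ns, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # A record holds layer 3/4 summary fields only: no MAC addresses, no payload.
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return {"count": count, "unix_secs": secs, "sequence": seq}, flows


def build_sample():
    """Constructed datagram: two flows that summarize 15 observed packets."""
    flows = [
        ("192.0.2.10", "198.51.100.5", 12, 9000, 40000, 80, 0x1B, 6),
        ("192.0.2.11", "198.51.100.53", 3, 210, 53000, 53, 0, 17),
    ]
    out = HEADER.pack(5, len(flows), 1000, 1113479460, 0, 1, 0, 0, 0)
    for src, dst, pkts, octets, sport, dport, flags, proto in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           0, 0, pkts, octets, 0, 0, sport, dport,
                           0, flags, proto, 0, 0, 0, 0, 0, 0)
    return out


if __name__ == "__main__":
    data = build_sample()
    hdr, flows = parse_v5(data)
    print(len(data), "bytes describe", sum(f["packets"] for f in flows), "packets")
```

The parsed records expose addresses, ports, protocol, flags and counters per flow, which is exactly what survives the export; anything that needs Ethernet headers or packet contents has to come from the tap, hub or span capture instead.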
