Thanks very much Burton, that was a very helpful reply. I've decided to go with a port span. Our traffic is low (a couple Mbps), so the compression of netFlow isn't needed. Also, I like the deep packet inspection capabilities.
And yes, I made sure my monitor interface does not have an IP. Ntop was up and running quickly. I'm sure more questions to follow though....thanks again!

Shane

On 4/14/05, Burton Strauss <[EMAIL PROTECTED]> wrote:
> The advantage of netFlow is the implicit compression - 15 (or more or less)
> packets in one 1500 byte packet vs. 15 packets each of whatever length. The
> disadvantage is that you lose the layer 2 (Ethernet) and internal (deep
> packet inspection) details. That's a trade-off decision that depends on
> what you need to pull out of the data.
>
> There are two other ways you can grab the data, vs. span.
>
> (1) A passive tap. It's easy to build for 10- and 100-BaseT (instructions
> are at snort.org). Just remember that you will need TWO interfaces on the
> ntop box (one for each direction) and you MUST merge the traffic (the
> default, but this means stay away from netFlow!).
>
> (2) A true hub. Not a switching hub, but a true hub. These aren't easy to
> find, but older 3Coms and Linksyses work great.
>
> Span too, will certainly work.
>
> In either case, remember you don't need to assign (*and don't want to) an IP
> address to the monitoring interface(s).
>
> -----Burton

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
