netFlow is - in ntop terms - packet compression.

Instead of processing the whole packet, ntop just sees a small flow packet.

The downside is that you don't get the deep inspection - where ntop looks
inside the actual packet and pulls out information (e.g. P2P user ids).
Deep inspection is expensive and so turning this off (implicit w/ using
netFlow) is often the only way to handle high packet rates.

However, I don't think your netFlow configuration will show all of the
traffic - you would need to have BOTH routers exporting their own flows.  If
you define two ntop netflow devices, then the traffic will be displayed one
at a time.  If you configure both netFlow devices to export to the same ntop
netflow device (i.e. port #), ntop will combine them.  This may give the
single point view you want.


-----Burton 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Brian Loe
Sent: Friday, July 07, 2006 12:11 PM
To: [email protected]
Subject: [Ntop] request help on best practice

New to the list, new to ntop, new to netflow!

We have two routers connected to two switches connected to two firewalls.
These are our two ISPs. I'd like to collect netflow data from one router. I
have an available port on one of the switches it connects to.

Is it best to configure the router to export netflow data to my server
- on the internal network - or would it be best to use that extra switch
port as a span port and collect it that way? Either method has its own
issues:

Having the router send the data has overhead costs, right? How much?
It is our bigger 'Net connection and I don't want to slow it down.

Creating the span port will only collect data for the ethernet port on the
router connected to that switch - whereas the router has another connection
to the second switch which also gets traffic based on routes (the internal
network is split, including the public IP range - can't explain why, the
guys who set it up can't even explain it).

If I'm missing an option, or if having the router export the netflow data
isn't that big of a deal, please let me know what to try.
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
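
The reply above says that two routers exporting to the same netFlow port are combined into one view. The following is an added example, not code from the thread or from ntop: it parses NetFlow v5 datagrams and merges two exporters into a single per-host byte count. The exporter and host addresses are constructed documentation addresses, and `build_v5`, `parse_v5` and `combine` are hypothetical helper names. Each 48-byte record carries only addresses, ports, protocol and counters, with no payload, which is why deep inspection is not possible from flow data.

```python
import socket
import struct
from collections import Counter
# NetFlow v5 layout: 24-byte header followed by 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5(flows):
    """Build a constructed v5 datagram from (src, dst, sport, dport, proto, pkts, octets)."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), 1, 2,
                    pkts, octets, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, proto, pkts, octets in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

def parse_v5(datagram):
    """Return flow dicts from one v5 datagram; reject malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "pkts": f[5], "octets": f[6], "dport": f[10], "proto": f[13]})
    return flows

def combine(datagrams_by_exporter):
    """Merge flows from every exporter into one per-source-host byte count."""
    per_host, per_exporter = Counter(), Counter()
    for exporter, datagrams in datagrams_by_exporter.items():
        for dg in datagrams:
            for flow in parse_v5(dg):
                per_host[flow["src"]] += flow["octets"]
                per_exporter[exporter] += flow["octets"]
    return per_host, per_exporter

# Constructed sample: two routers exporting to one collector port.
SAMPLE = {
    "192.0.2.1": [build_v5([("198.51.100.10", "203.0.113.5", 40000, 443, 6, 12, 9000)])],
    "192.0.2.2": [build_v5([("198.51.100.10", "203.0.113.9", 40001, 80, 6, 4, 1500),
                            ("198.51.100.20", "203.0.113.5", 40002, 53, 17, 1, 80)])],
}

if __name__ == "__main__":
    print(*combine(SAMPLE))
```
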
