Netflow files consume far less space than a full packet capture, so that's good. RRD also has filters to control the level of detail saved, so you could tweak those settings to get what you want.
You could save n days (hours?) of netflow locally, then ship them (ftp, etc.) to another host? Maybe just have a dedicated nTop host? Typically security gear should be dedicated anyway. The netflow source (router) can have multiple destinations. I'm sure there are other tricks to get the data where you need. I'd start with the RRD files and filters and see how much space they take. Maybe you'll have enough space for 30 days? If the client wants detailed audit/accounting info for the last year or something, that could be an issue.

G

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Redmore
Sent: Thursday, July 12, 2007 11:52 AM
To: [email protected]
Subject: Re: [Ntop] Network Surveillance? - Usage History / Accounting /Auditing

Gary,

Thanks for your reply. My concern with the RRD files is local storage - I have minimal local storage, as this is an embedded appliance. I've tried to figure out how to get NTOP to send netflow information to another machine, but I'm missing something there. I don't see any way to specify where to send the netflow traffic. I'm very interested in starting to utilize netflow or sflow, but I just came up scratching my head when I tried implementing them in NTOP. I would assume it is easy to collect netflow info from other devices in NTOP, but I need to send the flows out of NTOP to a different machine with more storage.

Thanks again,

Dave Redmore
Spigot Networks, Inc.

----- Original Message -----
From: "Gary Gatten" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, July 12, 2007 11:37:43 AM (GMT-0600) America/Chicago
Subject: RE: [Ntop] Network Surveillance? - Usage History / Accounting / Auditing

Look at enabling the RRD files and then the reporting functions. This is a common need, but I haven't dug into it much. From my understanding not all the data nTop displays "real-time" is stored in the RRD files - memory tables only. So, not sure if those files will have everything you need or not? I'll have to dig into this too I guess - same need you have. I would consider this more usage history / Accounting / Auditing. Call it what you will. Other options I've looked into involve dumping the netflow feed to files (I use netflow exclusively), then importing them to nTop (another instance) on demand for specific days / times / etc.

Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Redmore
Sent: Thursday, July 12, 2007 11:06 AM
To: ntop
Subject: [Ntop] Network Surveillance?

Hello All,

I have been implementing ntop into an embedded firewall appliance that I have been building for some clients recently that is based on IPCOP. I include ntop to do basic network monitoring; but, invariably, when I show clients how to access ntop and view network usage, they want to know how to view a historical snapshot of a host's internet usage. I would define this functionality as "network surveillance" - people who want to keep tabs on employees' internet usage in pretty specific terms - what apps were run, what sites they visited and how long they were there. Can ntop be utilized in some way to get this sort of view? It seems that ntop works very well at looking at a snapshot of recent network activity and drilling into that snapshot very well, but not so well for collecting this sort of historical data and viewing host usage in general terms. I'm having trouble putting my finger on software that seems specifically geared towards doing what these customers are asking me for.

Thanks,

Dave Redmore
Spigot Networks, Inc.

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop

===========================================================================
"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
