Re: Looking for Netflow analysis package
On 20-5-2013 0:40, Cameron Daniel wrote: On 2013-05-17 8:11 pm, Tim Vollebregt wrote: Is anyone using an open source solution to process netflow v9 captures? I'm waiting for SiLK v3 for some time now, which is currently only available for TLA's and Universities. Currently looking into nfdump. To drag this back on topic, yes I'm currently using nfcap/nfdump to capture and parse Netflow v9. It's not as tidy as I'd like but it does the job. If you want something you can just point and shoot, nfsen ties those two tools together into one config file. Tim Not only for netflow analysis, but also a DDOS detection tool: I am testing Andrisoft Wanguard this month. Very nice web interface and even has the possibility to do BGP blackholing. RInse
Re: Looking for Netflow analysis package
On 2013-05-17 8:11 pm, Tim Vollebregt wrote: Is anyone using an open source solution to process netflow v9 captures? I'm waiting for SiLK v3 for some time now, which is currently only available for TLA's and Universities. Currently looking into nfdump. To drag this back on topic, yes I'm currently using nfcap/nfdump to capture and parse Netflow v9. It's not as tidy as I'd like but it does the job. If you want something you can just point and shoot, nfsen ties those two tools together into one config file. Tim
Re: Looking for Netflow analysis package
On 5/17/13, Scott Weeks sur...@mauigateway.com wrote: owned resources. So don't. Set up an SSH tunnel over port 80 to your home server and access your non-paragraph-sized-signature email account from home. There's a million ways to do things and still follow corporate rules... The disclaimer requirements seem dumb, but not entirely unreasonable -- we should just tolerate them. As for spam... no good there. I would caution against taking the advice of setting up a SSH tunnel to follow corporate rules. In some cases, that might be subverting the intended effects of corporate rules. The outgoing SSH session (or any encrypted session or tunnel) to an unapproved non-company resource could still be a policy violation in some organizations; where they don't already have a firewall that identifies SSH protocol traffic regardless of TCP port, it is essentially firewall circumvention. The same goes for other encrypted or obscured remote access protocols such as VPNs, IP traffic tunnels, VNC over port 80. The defeat of e-mail/other network activity usage monitoring may impact archiving of mail or compliance with banking (or other) regulations. Since the SSH session is encrypted, the company's super-expensive Data Leak Protection software suite may be unable to analyze the outgoing traffic flow over the network. It _might_ be a harmless SSH session to post to a mailing list; OR it might instead be a covert channel for exfiltrating corporate data. The channel is encrypted... how can you prove the difference? How can the organization prove that its employees aren't siphoning customer data out of the database, to satisfy compliance with privacy laws? In orgs with different priorities, or that haven't addressed certain risks, it might be OK. But there will be organizations where it definitely is not OK, so we should just tolerate the spurious disclaimers. scot -- -JH
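The message above mentions firewalls that identify SSH protocol traffic regardless of TCP port. As an added example (not part of the original thread), this sketch shows that check from the monitoring side: it names the protocol from the first client payload of a session and reports sessions whose content does not match what the destination port is expected to carry. The `Flow` record, the `EXPECTED` policy table and the sample sessions are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Tuple

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion [SP comments] CR LF
# softwareversion is printable ASCII without whitespace or '-'.
SSH_IDENT = re.compile(rb"SSH-(\d+\.\d+)-([!-,.-~]+)(?: .*)?")
HTTP_REQUEST = re.compile(
    rb"(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]\r?\n"
)

# Assumed policy table: what each well-known port is expected to carry.
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload of the TCP session


def classify(data: bytes) -> Tuple[str, str]:
    """Name the protocol from payload content alone; the port is ignored."""
    # TLS record header: type 0x16 (handshake), version 3.x,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls", "ClientHello"
    m = HTTP_REQUEST.match(data)
    if m:
        return "http", m.group(1).decode()
    # RFC 4253 allows other lines before the identification string
    # (server side), so look at each line of the first payload.
    for line in data[:1024].split(b"\n"):
        m = SSH_IDENT.fullmatch(line.rstrip(b"\r"))
        if m and len(line) <= 254:  # 255 bytes maximum including CR LF
            return "ssh", f"{m.group(1).decode()} {m.group(2).decode()}"
    return "unknown", ""


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Return sessions whose content does not match the port's expected protocol."""
    findings = []
    for flow in flows:
        expected = EXPECTED.get(flow.dport)
        proto, detail = classify(flow.first_bytes)
        # Unrecognised payloads on a well-known port are reported as well,
        # so that opaque sessions get reviewed rather than silently passed.
        if expected is not None and proto != expected:
            findings.append((flow, proto, detail))
    return findings


# Constructed sample sessions (documentation address ranges, made-up payloads).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Flow("192.0.2.11", "198.51.100.77", 80, b"SSH-2.0-OpenSSH_6.2\r\n"),
    Flow("192.0.2.12", "198.51.100.9", 443,
         bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03])),
    Flow("192.0.2.13", "198.51.100.20", 22, b"SSH-2.0-OpenSSH_6.2\r\n"),
    Flow("192.0.2.14", "198.51.100.30", 80, b"\x8a\x11\xf0\x03\x7c\x00\x41\x9e"),
]

if __name__ == "__main__":
    for flow, proto, detail in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} carries {proto} {detail}".rstrip())
```
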
Re: Looking for Netflow analysis package
On Fri, 17 May 2013 10:02:53 -0700, John Starta said: Do you believe that Brent wrote the disclaimer attached to his message? Despite y/our opinions of such disclaimers, legal counsel in some companies still mandate their automatic attachment on all outbound messages. The only means of avoiding them is to subscribe to mailing lists from a personal e-mail account. There's another way. Educate the technology-challenged people who mandated the disclaimer.
Re: Looking for Netflow analysis package
Is anyone using an open source solution to process netflow v9 captures? I'm waiting for SiLK v3 for some time now, which is currently only available for TLA's and Universities. Currently looking into nfdump. Tim On May 17, 2013, at 12:16 AM, Scott Weeks wrote: Does anyone know of a netflow collector that will do the following. snip -Original Message- From: Laura Smith [mailto:leavingi...@yahoo.com] UCE snipped out -- -Meshier, Brent wrote: Do not appreciate the cold call from Plixer. Please do not use the NANOG mailing list as your personal directory for sales leads. It's a sure fire way to get your company blacklisted among IT professionals. - tcan...@beatsmusic.com wrote: -- From: Thomas Cannon tcan...@beatsmusic.com That wasn't in your signature's disclaimer. Perhaps now would be a good time to add it? You haven't been here long have you... He DOES NOT need a 260 word signature (see below!) to make sure he does not get UCE from posting to NANOG. For any other sales folks out there considering doing this, Brent's warning is a good one: It's a sure fire way to get your company blacklisted among IT professionals. scott ps. WTF is this?!? The material contained herein is for informational purposes only and is not intended as an offer or solicitation with respect to the purchase or sale of securities. The decision of whether to adopt any strategy or to engage in any transaction and the decision of whether any strategy or transaction fits into an appropriate portfolio structure remains the responsibility of the customer and/or its advisors. Past performance on the underlying securities is no guarantee of future results. This material is intended for use by institutional clients only and not for use by the general public. Portions of this material may incorporate information provided by third party market data sources. 
Although this information has been obtained from and based upon sources believed to be reliable, neither Amherst Holdings, LLC nor any of its affiliates guarantee the accuracy or completeness of the information contained herein, and cannot be held responsible for inaccuracies in such third party data or the data supplied to the third party by issuers or guarantors. This report constitutes Amherst’s views as of the date of the report and is subject to change without notice. This information does not purport to be a complete analysis of any security, company or industry, including but not limited to any claim as to the prepayment consistency and/or the future performance of any securities or structures. To the extent applicable, change in prepayment rates and/or payments may significantly affect yield, price, total return and average life. Our affiliate, Amherst Securities Group, L.P., may have a position in securities discussed in this material.
Re: Looking for Netflow analysis package
On Fri, May 17, 2013 at 12:11:57PM +0200, Tim Vollebregt wrote: Is anyone using an open source solution to process netflow v9 captures? I'm waiting for SiLK v3 for some time now, which is currently only available for TLA's and Universities. pmacct does this pretty nicely (along with a couple other things) -J
Re: Looking for Netflow analysis package
Check out argus http://www.qosient.com/argus/ Netflow v9 support was added within the last few months. Cheers, Harry On 05/17/2013 06:11 AM, Tim Vollebregt wrote: Is anyone using an open source solution to process netflow v9 captures? I'm waiting for SiLK v3 for some time now, which is currently only available for TLA's and Universities. Currently looking into nfdump. Tim On May 17, 2013, at 12:16 AM, Scott Weeks wrote: Does anyone know of a netflow collector that will do the following. snip -Original Message- From: Laura Smith [mailto:leavingi...@yahoo.com] UCE snipped out -- -Meshier, Brent wrote: Do not appreciate the cold call from Plixer. Please do not use the NANOG mailing list as your personal directory for sales leads. It's a sure fire way to get your company blacklisted among IT professionals. - tcan...@beatsmusic.com wrote: -- From: Thomas Cannon tcan...@beatsmusic.com That wasn't in your signature's disclaimer. Perhaps now would be a good time to add it? You haven't been here long have you... He DOES NOT need a 260 word signature (see below!) to make sure he does not get UCE from posting to NANOG. For any other sales folks out there considering doing this, Brent's warning is a good one: It's a sure fire way to get your company blacklisted among IT professionals. scott ps. WTF is this?!? The material contained herein is for informational purposes only and is not intended as an offer or solicitation with respect to the purchase or sale of securities. The decision of whether to adopt any strategy or to engage in any transaction and the decision of whether any strategy or transaction fits into an appropriate portfolio structure remains the responsibility of the customer and/or its advisors. Past performance on the underlying securities is no guarantee of future results. This material is intended for use by institutional clients only and not for use by the general public. 
Portions of this material may incorporate information provided by third party market data sources. Although this information has been obtained from and based upon sources believed to be reliable, neither Amherst Holdings, LLC nor any of its affiliates guarantee the accuracy or completeness of the information contained herein, and cannot be held responsible for inaccuracies in such third party data or the data supplied to the third party by issuers or guarantors. This report constitutes Amherst’s views as of the date of the report and is subject to change without notice. This information does not purport to be a complete analysis of any security, company or industry, including but not limited to any claim as to the prepayment consistency and/or the future performance of any securities or structures. To the extent applicable, change in prepayment rates and/or payments may significantly affect yield, price, total return and average life. Our affiliate, Amherst Securities Group, L.P., may have a position in securities discussed in this material.
Re: Looking for Netflow analysis package
On Thu, 16 May 2013 15:16:22 -0700, Scott Weeks said: You haven't been here long have you... He DOES NOT need a 260 word signature (see below!) to make sure he does not get UCE from posting to NANOG. Actually, I think Thomas Cannon was making the opposite point - that if he's going to spam us all with a 260 word disclaimer, it could have been expanded to 263 words and add 'No cold calls'. Or just have that and lose the other 260 words that make absolutely no sense on a NANOG posting.
Re: Looking for Netflow analysis package
On May 17, 2013, at 8:24 AM, valdis.kletni...@vt.edu wrote: On Thu, 16 May 2013 15:16:22 -0700, Scott Weeks said: You haven't been here long have you... He DOES NOT need a 260 word signature (see below!) to make sure he does not get UCE from posting to NANOG. Actually, I think Thomas Cannon was making the opposite point - that if he's going to spam us all with a 260 word disclaimer, it could have been expanded to 263 words and add 'No cold calls'. Or just have that and lose the other 260 words that make absolutely no sense on a NANOG posting. Do you believe that Brent wrote the disclaimer attached to his message? Despite y/our opinions of such disclaimers, legal counsel in some companies still mandate their automatic attachment on all outbound messages. The only means of avoiding them is to subscribe to mailing lists from a personal e-mail account. Unfortunately these companies usually also have policies prohibiting your accessing personal e-mail accounts from company owned resources which can minimize the usefulness of some lists. In other words, just because we might work for enlightened companies doesn't mean all our colleagues can or do.
Re: Looking for Netflow analysis package
Well put. On May 17, 2013 1:54 PM, John Starta j...@starta.org wrote: On May 17, 2013, at 8:24 AM, valdis.kletni...@vt.edu wrote: On Thu, 16 May 2013 15:16:22 -0700, Scott Weeks said: You haven't been here long have you... He DOES NOT need a 260 word signature (see below!) to make sure he does not get UCE from posting to NANOG. Actually, I think Thomas Cannon was making the opposite point - that if he's going to spam us all with a 260 word disclaimer, it could have been expanded to 263 words and add 'No cold calls'. Or just have that and lose the other 260 words that make absolutely no sense on a NANOG posting. Do you believe that Brent wrote the disclaimer attached to his message? Despite y/our opinions of such disclaimers, legal counsel in some companies still mandate their automatic attachment on all outbound messages. The only means of avoiding them is to subscribe to mailing lists from a personal e-mail account. Unfortunately these companies usually also have policies prohibiting your accessing personal e-mail accounts from company owned resources which can minimize the usefulness of some lists. In other words, just because we might work for enlightened companies doesn't mean all our colleagues can or do.
Re: Looking for Netflow analysis package
On May 17, 2013 1:54 PM, John Starta j...@starta.org wrote: On May 17, 2013, at 8:24 AM, valdis.kletni...@vt.edu wrote: On Thu, 16 May 2013 15:16:22 -0700, Scott Weeks said: He DOES NOT need a 260 word signature (see below!) to make sure he does not get UCE from posting to NANOG. Actually, I think Thomas Cannon was making the opposite point - that if he's going to spam us all with a 260 word disclaimer, it could have been expanded to 263 words and add 'No cold calls'. Or just have that and lose the other 260 words that make absolutely no sense on a NANOG posting. Do you believe that Brent wrote the disclaimer attached to his message? Despite y/our opinions of such disclaimers, legal counsel in some companies still mandate their automatic attachment on all outbound messages. The only means of avoiding them is to subscribe to mailing lists from a personal e-mail account. Unfortunately these companies usually also have policies prohibiting your accessing personal e-mail accounts from company owned resources which can minimize the usefulness of some lists. In other words, just because we might work for enlightened companies doesn't mean all our colleagues can or do. - -- philfa...@gmail.com wrote: From: Phil Fagan philfa...@gmail.com Well put. One, you're both missing the point. Do you think a sales droid that'll scrape a technical mailing list like NANOG for cold calls will respect whatever crap is put into a .sig? Don't answer. It's rhetorical... Two, Unfortunately these companies usually also have policies prohibiting your accessing personal e-mail accounts from company owned resources. So don't. Set up an SSH tunnel over port 80 to your home server and access your non-paragraph-sized-signature email account from home. There's a million ways to do things and still follow corporate rules... scot
RE: Looking for Netflow analysis package
Laura, Do not appreciate the cold call from Plixer. Please do not use the NANOG mailing list as your personal directory for sales leads. It's a sure fire way to get your company blacklisted among IT professionals. --Brent -Original Message- From: Laura Smith [mailto:leavingi...@yahoo.com] Sent: Thursday, May 16, 2013 9:51 AM To: nanog@nanog.org Subject: Looking for Netflow analysis package Hello Erik, Scrutinizer from http://www.plixer.com/ supports all of those features you listed and scales to over 100K flows/second. http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html Good luck with your search. -- Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik The material contained herein is for informational purposes only and is not intended as an offer or solicitation with respect to the purchase or sale of securities. The decision of whether to adopt any strategy or to engage in any transaction and the decision of whether any strategy or transaction fits into an appropriate portfolio structure remains the responsibility of the customer and/or its advisors. Past performance on the underlying securities is no guarantee of future results. This material is intended for use by institutional clients only and not for use by the general public. Portions of this material may incorporate information provided by third party market data sources. 
Although this information has been obtained from and based upon sources believed to be reliable, neither Amherst Holdings, LLC nor any of its affiliates guarantee the accuracy or completeness of the information contained herein, and cannot be held responsible for inaccuracies in such third party data or the data supplied to the third party by issuers or guarantors. This report constitutes Amherst’s views as of the date of the report and is subject to change without notice. This information does not purport to be a complete analysis of any security, company or industry, including but not limited to any claim as to the prepayment consistency and/or the future performance of any securities or structures. To the extent applicable, change in prepayment rates and/or payments may significantly affect yield, price, total return and average life. Our affiliate, Amherst Securities Group, L.P., may have a position in securities discussed in this material.
Re: Looking for Netflow analysis package
That wasn't in your signature's disclaimer. Perhaps now would be a good time to add it? Geez. --tc On May 16, 2013, at 11:29 AM, Meshier, Brent bmesh...@amherst.com wrote: Laura, Do not appreciate the cold call from Plixer. Please do not use the NANOG mailing list as your personal directory for sales leads. It's a sure fire way to get your company blacklisted among IT professionals. --Brent -Original Message- From: Laura Smith [mailto:leavingi...@yahoo.com] Sent: Thursday, May 16, 2013 9:51 AM To: nanog@nanog.org Subject: Looking for Netflow analysis package Hello Erik, Scrutinizer from http://www.plixer.com/ supports all of those features you listed and scales to over 100K flows/second. http://www.plixer.com/Scrutinizer-Netflow-Sflow/scrutinizer.html Good luck with your search. -- Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik The material contained herein is for informational purposes only and is not intended as an offer or solicitation with respect to the purchase or sale of securities. The decision of whether to adopt any strategy or to engage in any transaction and the decision of whether any strategy or transaction fits into an appropriate portfolio structure remains the responsibility of the customer and/or its advisors. Past performance on the underlying securities is no guarantee of future results. This material is intended for use by institutional clients only and not for use by the general public. 
Portions of this material may incorporate information provided by third party market data sources. Although this information has been obtained from and based upon sources believed to be reliable, neither Amherst Holdings, LLC nor any of its affiliates guarantee the accuracy or completeness of the information contained herein, and cannot be held responsible for inaccuracies in such third party data or the data supplied to the third party by issuers or guarantors. This report constitutes Amherst’s views as of the date of the report and is subject to change without notice. This information does not purport to be a complete analysis of any security, company or industry, including but not limited to any claim as to the prepayment consistency and/or the future performance of any securities or structures. To the extent applicable, change in prepayment rates and/or payments may significantly affect yield, price, total return and average life. Our affiliate, Amherst Securities Group, L.P., may have a position in securities discussed in this material.
Re: Looking for Netflow analysis package
Does anyone know of a netflow collector that will do the following. snip -Original Message- From: Laura Smith [mailto:leavingi...@yahoo.com] UCE snipped out -- -Meshier, Brent wrote: Do not appreciate the cold call from Plixer. Please do not use the NANOG mailing list as your personal directory for sales leads. It's a sure fire way to get your company blacklisted among IT professionals. - tcan...@beatsmusic.com wrote: -- From: Thomas Cannon tcan...@beatsmusic.com That wasn't in your signature's disclaimer. Perhaps now would be a good time to add it? You haven't been here long have you... He DOES NOT need a 260 word signature (see below!) to make sure he does not get UCE from posting to NANOG. For any other sales folks out there considering doing this, Brent's warning is a good one: It's a sure fire way to get your company blacklisted among IT professionals. scott ps. WTF is this?!? The material contained herein is for informational purposes only and is not intended as an offer or solicitation with respect to the purchase or sale of securities. The decision of whether to adopt any strategy or to engage in any transaction and the decision of whether any strategy or transaction fits into an appropriate portfolio structure remains the responsibility of the customer and/or its advisors. Past performance on the underlying securities is no guarantee of future results. This material is intended for use by institutional clients only and not for use by the general public. Portions of this material may incorporate information provided by third party market data sources. Although this information has been obtained from and based upon sources believed to be reliable, neither Amherst Holdings, LLC nor any of its affiliates guarantee the accuracy or completeness of the information contained herein, and cannot be held responsible for inaccuracies in such third party data or the data supplied to the third party by issuers or guarantors. 
This report constitutes Amherst’s views as of the date of the report and is subject to change without notice. This information does not purport to be a complete analysis of any security, company or industry, including but not limited to any claim as to the prepayment consistency and/or the future performance of any securities or structures. To the extent applicable, change in prepayment rates and/or payments may significantly affect yield, price, total return and average life. Our affiliate, Amherst Securities Group, L.P., may have a position in securities discussed in this material.
RE: Looking for Netflow analysis package
I'd also suggest looking at NetFlow Auditor: http://www.netflowauditor.com/ I think it will do all of those except AS path analysis. Another good option might also be the InterNAP FCP, which does all of that PLUS optimizes routing based on the data (can also be deployed in a preview mode): http://www.internap.com/business-internet-connectivity-services/route-optimization-flow-control/ Good luck, -Scott -Original Message- From: Erik Sundberg [mailto:esundb...@nitelusa.com] Sent: Tuesday, May 14, 2013 7:00 PM To: nanog@nanog.org Subject: Looking for Netflow analysis package Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you.
Re: Looking for Netflow analysis package
I can vouch for the FCP. I haven't used their newer platforms but the device worked very well. On Wed, May 15, 2013 at 10:50 AM, Scott Berkman sc...@sberkman.net wrote: I'd also suggest looking at NetFlow Auditor: http://www.netflowauditor.com/ I think it will do all of those except AS path analysis. Another good option might also be the InterNAP FCP, which does all of that PLUS optimizes routing based on the data (can also be deployed in a preview mode): http://www.internap.com/business-internet-connectivity-services/route-optimization-flow-control/ Good luck, -Scott -Original Message- From: Erik Sundberg [mailto:esundb...@nitelusa.com] Sent: Tuesday, May 14, 2013 7:00 PM To: nanog@nanog.org Subject: Looking for Netflow analysis package Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you.
RE: Looking for Netflow analysis package
The Netflow analyzer from Solarwinds works pretty well for all of that provided you're receiving the data from a Cisco source that does netflow v9. It is not very useful at all for sflow though because they haven't updated it to recognize the ASN data. Their sales staff will also hound you relentlessly about 'special pricing' for their other products while not actually being willing to give anything all that special, so use a throwaway email address and phone number if you do choose to purchase and don't want to be bothered. David -Original Message- From: Erik Sundberg [mailto:esundb...@nitelusa.com] Sent: Tuesday, May 14, 2013 7:00 PM To: nanog@nanog.org Subject: Looking for Netflow analysis package Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you.
Re: Looking for Netflow analysis package
Solarwinds netflow is also way, way overpriced for what you get...and their license model for Netflow is utterly ridiculous. I like Splunk plus Netflow integrator. With some custom lookup tables, you might be able to code up a view that'll show you the per-ASN stats. You can definitely do it by Subnet pretty easily. On Tue, May 14, 2013 at 4:10 PM, David Hubbard dhubb...@dino.hostasaurus.com wrote: The Netflow analyzer from Solarwinds works pretty well for all of that provided you're receiving the data from a Cisco source that does netflow v9. It is not very useful at all for sflow though because they haven't updated it to recognize the ASN data. Their sales staff will also hound you relentlessly about 'special pricing' for their other products while not actually being willing to give anything all that special, so use a throwaway email address and phone number if you do choose to purchase and don't want to be bothered. David -Original Message- From: Erik Sundberg [mailto:esundb...@nitelusa.com] Sent: Tuesday, May 14, 2013 7:00 PM To: nanog@nanog.org Subject: Looking for Netflow analysis package Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. 
If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you. -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: Looking for Netflow analysis package
While it doesn't do everything you're looking for nfsen[1] is pretty extensible. [1] http://nfsen.sourceforge.net/ On Tue, May 14, 2013 at 10:59:32PM +, Erik Sundberg wrote: Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you.
RE: Looking for Netflow analysis package
Where are all my ntop brethren? Sent from my Mobile Device. Original message From: David Hubbard dhubb...@dino.hostasaurus.com Date: 05/14/2013 4:12 PM (GMT-08:00) To: nanog@nanog.org Subject: RE: Looking for Netflow analysis package The Netflow analyzer from Solarwinds works pretty well for all of that provided you're receiving the data from a Cisco source that does netflow v9. It is not very useful at all for sflow though because they haven't updated it to recognize the ASN data. Their sales staff will also hound you relentlessly about 'special pricing' for their other products while not actually being willing to give anything all that special, so use a throwaway email address and phone number if you do choose to purchase and don't want to be bothered. David -Original Message- From: Erik Sundberg [mailto:esundb...@nitelusa.com] Sent: Tuesday, May 14, 2013 7:00 PM To: nanog@nanog.org Subject: Looking for Netflow analysis package Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik
Re: Looking for Netflow analysis package
Take a look at argus www.qosient.com Dave Edelman On May 14, 2013, at 19:17, Mike Hale eyeronic.des...@gmail.com wrote: Solarwinds netflow is also way, way overpriced for what you get...and their license model for Netflow is utterly ridiculous. I like Splunk plus Netflow integrator. With some custom lookup tables, you might be able to code up a view that'll show you the per-ASN stats. You can definitely do it by Subnet pretty easily. On Tue, May 14, 2013 at 4:10 PM, David Hubbard dhubb...@dino.hostasaurus.com wrote: The Netflow analyzer from Solarwinds works pretty well for all of that provided you're receiving the data from a Cisco source that does netflow v9. It is not very useful at all for sflow though because they haven't updated it to recognize the ASN data. Their sales staff will also hound you relentlessly about 'special pricing' for their other products while not actually being willing to give anything all that special, so use a throwaway email address and phone number if you do choose to purchase and don't want to be bothered. David -Original Message- From: Erik Sundberg [mailto:esundb...@nitelusa.com] Sent: Tuesday, May 14, 2013 7:00 PM To: nanog@nanog.org Subject: Looking for Netflow analysis package Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: Looking for Netflow analysis package
Check out the FlowViewer/flow-tools/SiLK combo also. https://sourceforge.net/projects/flowviewer/ Erik Sundberg esundb...@nitelusa.com wrote on 05/14/2013 06:59:32 PM: From: Erik Sundberg esundb...@nitelusa.com To: nanog@nanog.org nanog@nanog.org Date: 05/14/2013 07:00 PM Subject: Looking for Netflow analysis package Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik
Re: Looking for Netflow analysis package
Not exactly netflow until you set it up as such, but Graylog2 and LogStash are OSS. Also, I'll probably be releasing modules and a simple evented (POE) program in perl soon (don't wait up if you can't deal with code - it ain't and ain't going to be a web app but a simple framework mainly for the simplest and fastest parsing regexes). But all of the modern log aggregation software uses ElasticSearch as a data store which makes correlation / netflow pretty easy. On May 14, 2013 9:20 PM, Joe Loiacono jloia...@csc.com wrote: Check out the FlowViewer/flow-tools/SiLK combo also. https://sourceforge.net/projects/flowviewer/ Erik Sundberg esundb...@nitelusa.com wrote on 05/14/2013 06:59:32 PM: From: Erik Sundberg esundb...@nitelusa.com To: nanog@nanog.org nanog@nanog.org Date: 05/14/2013 07:00 PM Subject: Looking for Netflow analysis package Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik
Re: Looking for Netflow analysis package
ManageEngine's NetFlow Analyzer will do most of that (not sure about AS Path Analysis.) It is priced per monitored interface, but is pretty reasonable for what it does. They have a 30-day demo available. We use their full OpManager+NetFlow suite to monitor several hundred devices with thousands of interfaces. We only license NetFlow for the interfaces that connect to external providers. E-mail me privately if you want to see the reports. Jason On Tue, May 14, 2013 at 6:59 PM, Erik Sundberg esundb...@nitelusa.com wrote: Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik
Re: Looking for Netflow analysis package
We use/d nfsen extensively for this this past November December and have been very successful in planning our bandwidth purchases since then. We like it so much that reliable, full-speed Netflow telemetry is now a requirement on all edge/core routers. Randal On Tue, May 14, 2013 at 8:18 PM, Jason Lester jles...@wcs.k12.va.us wrote: ManageEngine's NetFlow Analyzer will do most of that (not sure about AS Path Analysis.) It is priced per monitored interface, but is pretty reasonable for what it does. They have a 30-day demo available. We use their full OpManager+NetFlow suite to monitor several hundred devices with thousands of interfaces. We only license NetFlow for the interfaces that connect to external providers. E-mail me privately if you want to see the reports. Jason On Tue, May 14, 2013 at 6:59 PM, Erik Sundberg esundb...@nitelusa.com wrote: Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik
Re: Looking for Netflow analysis package
On Tue, May 14, 2013 at 11:18 PM, Jason Lester jles...@wcs.k12.va.us wrote: ManageEngine's NetFlow Analyzer will do most of that (not sure about AS Path Analysis.) It is priced per monitored interface, but is pretty reasonable for what it does. They have a 30-day demo available. We use their full OpManager+NetFlow suite to monitor several hundred devices with thousands of interfaces. We only license NetFlow for the interfaces that connect to external providers. This product cannot stand any service provider production network I can think of. It is too slow to handle high-speed routers. I suggest staying away from all ManageEngine's products in general, but NFA is the worst of them. Rubens
Re: Looking for Netflow analysis package
You might want to take a look at pmacct, http://www.pmacct.net/. It includes an embedded version of Quagga, allowing BGP AS Path data to be efficiently joined with flow records. Peter On Tue, May 14, 2013 at 3:59 PM, Erik Sundberg esundb...@nitelusa.com wrote: Does anyone know of a netflow collector that will do the following. *Graph/List Destination Networks By Top AS *Graph/List Destination Networks By Top IP Address *AS Path Analysis *Traffic Type (ICMP, TCP, UDP, IPSEC, HTTP, SSH, SMTP, etc..) We will be using this to help us decide who to Peer with and what transit Providers to look at. I am familiar with Arbor Network's Peak Flow utility but it's a little too pricy. I also found AS-Stats https://neon1.net/as-stats/ look promising from the power point on their page. Thanks Erik
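Several replies in this thread come down to joining flow records with BGP data to get per-AS statistics. The following is an added illustration of that join, not part of any message above and not code from pmacct, Splunk or any other tool named in the thread: each flow's destination is matched to the longest covering prefix in a BGP table, and bytes are totalled by origin AS, first-hop AS and protocol. The prefixes, ASNs, flow records and function names are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample BGP table: prefix -> AS path as seen from our edge
# (first element = neighbor AS, last element = origin AS).
# Prefixes are documentation ranges; ASNs are reserved/private-use values.
RIB = {
    "198.51.100.0/24": [64500, 64510],
    "198.51.100.128/25": [64501, 64511],   # more-specific via another neighbor
    "203.0.113.0/24": [64500, 64520, 64521],
}

# Constructed flow records: (destination IP, protocol, bytes).
FLOWS = [
    ("198.51.100.10", "TCP", 1200),
    ("198.51.100.200", "TCP", 5000),
    ("203.0.113.7", "UDP", 800),
    ("203.0.113.9", "TCP", 2200),
    ("192.0.2.1", "ICMP", 64),             # no covering route in the table
]

def build_rib(rib):
    """Parse prefixes once, most-specific first, for longest-prefix match."""
    nets = [(ipaddress.ip_network(p), path) for p, path in rib.items()]
    return sorted(nets, key=lambda entry: entry[0].prefixlen, reverse=True)

def lookup(rib, ip):
    """Return the AS path of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, path in rib:
        if addr.version == net.version and addr in net:
            return path
    return None

def aggregate(flows, rib):
    """Total bytes per origin AS, per neighbor AS and per protocol."""
    by_origin, by_neighbor, by_proto = Counter(), Counter(), Counter()
    unrouted = 0
    for dst, proto, nbytes in flows:
        by_proto[proto] += nbytes
        path = lookup(rib, dst)
        if path is None:
            unrouted += nbytes             # keep unmatched traffic visible
            continue
        by_origin[path[-1]] += nbytes
        by_neighbor[path[0]] += nbytes
    return by_origin, by_neighbor, by_proto, unrouted

if __name__ == "__main__":
    origin, neighbor, proto, unrouted = aggregate(FLOWS, build_rib(RIB))
    print("Top destination AS:", origin.most_common())
    print("Bytes by neighbor AS:", neighbor.most_common())
    print("Bytes by protocol:", proto.most_common(), "unrouted:", unrouted)
```

The linear scan is only suitable for small tables; a full routing table would need a radix tree or similar structure for the prefix lookup.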