Re: Proxying NetFlow traffic correctly

2017-06-07 Thread Jérôme Fleury
We use pmacct with its tee plugin - it gets the job done beautifully and
it's a one-liner config.

https://github.com/pmacct/pmacct/blob/master/CONFIG-KEYS

On Tue, Jun 6, 2017 at 2:43 PM, Sami via NANOG  wrote:

> Hello,
> I have been searching for a solution that collects/duplicates NetFlow
> traffic properly for a while but I couldn't find any.
> Do you know any good unix alternative to ntopng, flowd, flow-tools?
>
> nprobe of netflow seems to be the closest one to fit my needs but I want
> to see if there are any other solutions.
>
> My goal is to centralize NetFlow traffic into a single machine and then
> proxy some flows to other destinations for further analysis
>
> Best Regards,
> Sami


Re: Proxying NetFlow traffic correctly

2017-06-07 Thread Mike Sabbota
Check out samplicator.

https://github.com/sleinen/samplicator

--Mike

On Tue, Jun 6, 2017 at 2:43 PM, Sami via NANOG  wrote:

> Hello,
> I have been searching for a solution that collects/duplicates NetFlow
> traffic properly for a while but I couldn't find any.
> Do you know any good unix alternative to ntopng, flowd, flow-tools?
>
> nprobe of netflow seems to be the closest one to fit my needs but I want
> to see if there are any other solutions.
>
> My goal is to centralize NetFlow traffic into a single machine and then
> proxy some flows to other destinations for further analysis
>
> Best Regards,
> Sami


Re: Proxying NetFlow traffic correctly

2017-06-07 Thread Joe Loiacono
You may want to check out the SiLK netflow capture and analysis tool
suite. Look in particular at its SiLK Administrators Tools section which
provides extensive flexibility for manipulating netflow exports. The
analysis tools are quite good too.

http://tools.netsa.cert.org/silk/silk-reference-guide.pdf

Joe

"NANOG"  wrote on 06/06/2017 05:43:46 PM:

> From: Sami via NANOG 
> To: "nanog@nanog.org" 
> Date: 06/06/2017 07:33 PM
> Subject: Proxying NetFlow traffic correctly
> Sent by: "NANOG" 
> 
> Hello,
> I have been searching for a solution that collects/duplicates
> NetFlow traffic properly for a while but I couldn't find any.
> Do you know any good unix alternative to ntopng, flowd, flow-tools?
>
> nprobe of netflow seems to be the closest one to fit my needs but I
> want to see if there are any other solutions.
> 
> My goal is to centralize NetFlow traffic into a single machine and 
> then proxy some flows to other destinations for further analysis
> 
> Best Regards,
> Sami


Re: Proxying NetFlow traffic correctly

2017-06-06 Thread Selphie Keller
samplicate is very good, been using it for 6 years for netflow duplication
using both the spoofing and non, depending on the sensor's needs if it
needs to retain the source ip or not.



On 6 June 2017 at 20:39, Dobbins, Roland  wrote:

>
>
> On Jun 7, 2017, at 06:32, Sami via NANOG wrote:
>
> My goal is to centralize NetFlow traffic into a single machine and then
> proxy some flows to other destinations for further analysis
>
> 
>
> Or nprobe, as was already mentioned.
>
> ---
> Roland Dobbins
>


Re: Proxying NetFlow traffic correctly

2017-06-06 Thread Dobbins, Roland


On Jun 7, 2017, at 06:32, Sami via NANOG wrote:

> My goal is to centralize NetFlow traffic into a single machine and then proxy
> some flows to other destinations for further analysis



Or nprobe, as was already mentioned.

---
Roland Dobbins


Re: Proxying NetFlow traffic correctly

2017-06-06 Thread Hugo Slabbert

On Tue 2017-Jun-06 16:39:16 -0700, Hugo Slabbert wrote:

> On Tue 2017-Jun-06 17:43:46 -0400, Sami via NANOG wrote:
>
>> Hello,
>> I have been searching for a solution that collects/duplicates NetFlow traffic
>> properly for a while but I couldn't find any.
>> Do you know any good unix alternative to ntopng, flowd, flow-tools?
>>
>> nprobe of netflow seems to be the closest one to fit my needs but I want to see
>> if there are any other solutions.
>>
>> My goal is to centralize NetFlow traffic into a single machine and then proxy
>> some flows to other destinations for further analysis
>>
>> Best Regards,
>> Sami
>
> Flexible: pmacct[1][2]
> Simple and does what you ask: samplicate[3]

Actually: samplicate is more all-or-nothing as far as I'm aware.  So it
could proxy a full set of flows, but the "some flows" part of your request
I'm not so sure about.




--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal

[1] http://pmacct.net/
[2] https://github.com/pmacct/pmacct
[3] https://github.com/sleinen/samplicator
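
The difference between duplicating every export datagram and forwarding only "some flows", as an added example that is not part of the thread and is not code from pmacct, samplicator or nProbe. It assumes NetFlow v5 only (v9/IPFIX templates are not handled) and selection by address prefix; `filter_v5`, `relay` and `sample_datagram` are hypothetical names, and `relay` sends from its own address, so the receiving collector sees the relay rather than the original exporter as the source.

```python
import ipaddress
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # 24-byte NetFlow v5 header
V5_RECORD_LEN = 48                       # srcaddr at offset 0, dstaddr at 4


def filter_v5(datagram, network):
    """Keep only v5 records with src or dst inside `network`; None if none match."""
    if len(datagram) < V5_HEADER.size:
        return None
    version, count, *rest = V5_HEADER.unpack_from(datagram)
    # Check the count field against the length actually received.
    if version != 5 or len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        return None
    net = ipaddress.ip_network(network)
    kept = []
    for off in range(V5_HEADER.size, len(datagram), V5_RECORD_LEN):
        rec = datagram[off:off + V5_RECORD_LEN]
        src, dst = ipaddress.ip_address(rec[0:4]), ipaddress.ip_address(rec[4:8])
        if src in net or dst in net:
            kept.append(rec)
    if not kept:
        return None
    # flow_sequence is left as exported, so a collector that tracks it will
    # report gaps for the records dropped here.
    return V5_HEADER.pack(version, len(kept), *rest) + b"".join(kept)


def relay(listen, full_copy, filtered_copy, network):
    """Send every datagram to full_copy, matching v5 records to filtered_copy."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, _exporter = sock.recvfrom(65535)
        sock.sendto(data, full_copy)            # full duplication
        subset = filter_v5(data, network)
        if subset is not None:
            sock.sendto(subset, filtered_copy)  # selected flows only


def sample_datagram():
    """Constructed v5 datagram: two records, documentation addresses."""
    def rec(src, dst):
        return socket.inet_aton(src) + socket.inet_aton(dst) + bytes(40)
    return (V5_HEADER.pack(5, 2, 0, 0, 0, 100, 0, 0, 0)
            + rec("192.0.2.10", "198.51.100.5") + rec("203.0.113.7", "198.51.100.9"))
```

`relay` takes `(host, port)` tuples for the listener and the two collectors; the listener should only accept exports from known exporter addresses, since NetFlow over UDP is unauthenticated.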







Re: Proxying NetFlow traffic correctly

2017-06-06 Thread Hugo Slabbert


On Tue 2017-Jun-06 17:43:46 -0400, Sami via NANOG wrote:

> Hello,
> I have been searching for a solution that collects/duplicates NetFlow traffic
> properly for a while but I couldn't find any.
> Do you know any good unix alternative to ntopng, flowd, flow-tools?
>
> nprobe of netflow seems to be the closest one to fit my needs but I want to see
> if there are any other solutions.
>
> My goal is to centralize NetFlow traffic into a single machine and then proxy
> some flows to other destinations for further analysis
>
> Best Regards,
> Sami

Flexible: pmacct[1][2]
Simple and does what you ask: samplicate[3]

--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal

[1] http://pmacct.net/
[2] https://github.com/pmacct/pmacct
[3] https://github.com/sleinen/samplicator




Re: Proxying NetFlow traffic correctly

2017-06-06 Thread Tim Raphael
nProbe is what you want, it’s another product from NTop.

http://www.ntop.org/products/netflow/nprobe/ 


- Tim


> On 7 Jun 2017, at 7:43 am, Sami via NANOG  wrote:
> 
> Hello,
> I have been searching for a solution that collects/duplicates NetFlow traffic
> properly for a while but I couldn't find any.
> Do you know any good unix alternative to ntopng, flowd, flow-tools?
>
> nprobe of netflow seems to be the closest one to fit my needs but I want to
> see if there are any other solutions.
> 
> My goal is to centralize NetFlow traffic into a single machine and then proxy 
> some flows to other destinations for further analysis
> 
> Best Regards,
> Sami