[101712] in North American Network Operators' Group


summary of ipflow/netflow appliance

daemon@ATHENA.MIT.EDU (Stefan Hegger)
Wed Jan 16 03:42:02 2008

From: Stefan Hegger <Stefan.Hegger@lycos-europe.com>
To: nanog@merit.edu
Date: Wed, 16 Jan 2008 08:54:59 +0100
Errors-To: owner-nanog@merit.edu


Here is a summary of the answers I got. Again thanks for your help.

mail from Joe
>-Try fprobe, open source:  http://sourceforge.net/projects/fprobe

reply from Samuel
>-nProbe by ntop.org is pretty robust tool for generating v5/v9 flows and
>fairly inexpensive. http://www.ntop.org/nProbe.html

mail from Roland
>-Lancope offer a productized version of this, I believe Endace too.

I talked to Lancope, they might provide me in 1 or 2 years with a 10G
interface.

mail from Frank
>I just had an extended briefing with a company called Xangati.  Very
>interesting stuff, but they didn't talk about ways to obtain netflows if
>your router isn't able to natively generate them.

answer from Adam
>I can attest to this. nProbe is your best bet for a “virtual NetFlow
>exporter”. It performs well and has tons of export formats and features. We
>use it extensively for QA and testing. You do, however, have to pay a bit
>for it whereas fprobe and others are free.

I talked to Peter Shaw peter@npulsenetworks.com
here is his answer

>Thanks for contacting us.  Yes, our Probe can handle the traffic level you
>describe. Our typical, hardware-accelerated Probe has 2 Gigabit ports, and
>shows less than 10% CPU utilisation when generating NetFlow records at the
>full 2Gbps.  We can readily build a Probe using 10Gig ports, and do not
>expect any performance challenge at the traffic level you describe.
>I have a couple of further questions/comments for you;
>1) what Collector system do you plan to send the NetFlow records to ?  We
>can work with any NetFlow-aware collector, but we do find that many of them
>struggle to keep up with the high volume of records from our Probe.  We are
>working on our own Collector/buffer system to reduce this problem, and
>expect this to be available in Q2'08.

I also talked to Luca Deri <deri@ntop.org>
here is the answer

>the nPulse appliance is based on an old version of nProbe I have
>developed years ago. We offer nBox appliances (http://www.nmon.net/nBox.html)
>with a new accelerated nProbe version not available to anyone but
>us. Next month we plan to introduce a new model based on an accelerated
>card developed with a twin company, able to outperform existing
>solutions but with a lower price.

>for 10G at the moment we use the Endace platform (NinjaProbe) or
>Tilera (see http://www.tilera.com/pdf/ProductBrief_TILExpress_V1.pdf
>and search for nProbe) cards for wire rate. If you have a few Gbits, a
>software nBox can also be enough, but if you go above a hardware card
>is definitively needed.
>In late 2008 we should have our custom 10G card available but until
>then we rely on external hardware solutions.

>unless you want to buy the appliance from Endace and the software from
>me, I can currently offer an nbox with dual 10G capability featuring
>software packet capture acceleration for about 6K Euro. This model is
>suitable for monitoring 2-3 Gbit of traffic. As I have stated before,
>10G hardware capture acceleration still needs some time.

next mail from gert
>Has any of you done a reality-check before recommending these tools,
>whether one of them can actually *handle* a 10G-link?
>Sniffing 10G without losing packets is *hard*.
>Sniffing 10G and doing any sort of math with it is *very hard*.
>Any "sniff packets and do flow exports from there" application that
>aims to do better than the flow hardware on the PFC3 needs to be really,
>really, *really* good.


conclusion:

It is not easy to find a device to capture a 10G interface and generate the
netflow.

When I have news, I will inform you.

Best Stefan

-- 
Stefan Hegger
Internet System Engineer

Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33312 Gütersloh

Phone:
Tel: +49 5241 8071 334
Fax: +49 5241 80671 334
Mobile: +49 170 1892720

Registered office: Gütersloh
Gütersloh District Court, HRB 2157
Managing Director: Christoph Mohn

  <http://www.lycos-europe.com/L/A/>
