[105460] in North American Network Operators' Group

Re: Techniques for passive traffic capturing

daemon@ATHENA.MIT.EDU (Ross Vandegrift)
Tue Jun 24 10:24:13 2008

From: Ross Vandegrift <ross@kallisti.us>
Date: Tue, 24 Jun 2008 10:22:04 -0400
To: Kevin Kadow <kkadow+pottedmeatproduct@gmail.com>
In-Reply-To: <dc718edc0806232000g6b0f115csc022de9e1cd51a8c@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

On Mon, Jun 23, 2008 at 10:00:06PM -0500, Kevin Kadow wrote:
> We started out with SPAN ports, then moved on to Netoptics taps.
> 
> Lately we've been using a combination of Cisco Netflow (from remote routers),
> and native Argus flows (from local taps) where we need more details.
> 
> Flows are useful to answer "What happened X minutes/hours/days ago?",
> and where you do not need/want to capture full packet bodies
> (though with Argus you can choose whether to include payload data).
> 
> http://qosient.com/argus/

Cool - good to know that the Netoptics gear is good.  Seems like
there are a few resounding approvals of them.

Netflow would be lovely to export from our border routers.
Unfortunately, we are somewhat married to the 6500 platform which has
absolutely awful netflow support.  Very small TCAM, export is CPU
expensive, and sampling makes both problems worse.  So a mirrored copy
of the transit link is being sent to a pmacct box for flow generation.

-- 
Ross Vandegrift
ross@kallisti.us

"The good Christian should beware of mathematicians, and all those who
make empty prophecies. The danger already exists that the mathematicians
have made a covenant with the devil to darken the spirit and to confine
man in the bonds of Hell."
	--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
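As an added illustration of the setup Ross describes (not his configuration, and not taken from pmacct's own documentation): a pmacctd configuration that reads the mirrored copy of the transit link and exports unsampled NetFlow v9 records to a collector. The interface name, collector address and port are placeholders; check the keys against the CONFIG-KEYS file of your installed pmacct version.

```conf
! pmacctd: generate flows from a mirrored transit link (added example;
! not the poster's configuration). Interface name, collector address and
! port below are placeholders.
daemonize: true
pidfile: /var/run/pmacctd.pid
syslog: daemon

! Listen on the port that receives the SPAN/tap copy of the transit link.
! No IP address is configured on it, so promiscuous mode is required.
! (pmacct releases before 1.7 named this key "interface".)
pcap_interface: eth1
promisc: true

! Full packet bodies are not needed for flow generation; 128 bytes covers
! the Ethernet, IP and TCP/UDP headers.
snaplen: 128

! Flow key: the 5-tuple plus DSCP, the fields a NetFlow collector expects.
! Every packet on the mirror is counted, so no sampling_rate is set.
aggregate: src_host, dst_host, src_port, dst_port, proto, tos

! Export the aggregated records as NetFlow v9 to the collector, instead of
! relying on the router's own sampled, CPU-bound NetFlow export.
plugins: nfprobe[transit]
nfprobe_receiver[transit]: 192.0.2.10:2055
nfprobe_version[transit]: 9
```

Run it as `pmacctd -f /path/to/pmacctd.conf`; the collector at 192.0.2.10 sees one record per flow on the mirrored link, with no TCAM or sampling limits from the router involved.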
