[46435] in North American Network Operators' Group


RE: Let's talk about Distance Sniffing/Remote Visibility

daemon@ATHENA.MIT.EDU (Chance Whaley)
Thu Mar 28 13:04:41 2002

From: "Chance Whaley" <chance@dreamscope.com>
To: "'Tony Wasson'" <ajwasson@inficad.com>,
	"'Pete Kruckenberg'" <pete@kruckenberg.com>
Cc: <nanog@merit.edu>
Date: Thu, 28 Mar 2002 11:03:17 -0700
Message-ID: <000101c1d682$d6c21260$640aa8c0@loki>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <01a301c1d66f$3e0a7070$0200a8c0@chelly>
Errors-To: owner-nanog-outgoing@merit.edu


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also note that sFlow can export its data into tcpdump format.

.chance


From: http://www.inmon.com/sflowTools.htm

The sFlow toolkit provides command line utilities and scripts for
analyzing sFlow data. 

The core component of the sFlow toolkit is the sflowtool command line
utility. sflowtool interfaces to utilities such as tcpdump, ntop and
Snort for detailed packet tracing and analysis, NetFlow compatible
collectors for IP flow accounting, and provides text based output
that can be used in scripts to provide customized analysis and
reporting and for integrating with other tools such as MRTG or
rrdtool.

For example, the command:

sflowtool -t | tcpdump -r -

will provide a decoded packet trace. Advanced packet filtering is
easily performed using tcpdump. In addition, many other packet
analyzers are capable of processing packets in tcpdump format.




> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On 
> Behalf Of Tony Wasson
> Sent: Thursday, March 28, 2002 8:43 AM
> To: Pete Kruckenberg
> Cc: nanog@merit.edu
> Subject: Re: Let's talk about Distance Sniffing/Remote Visibility
> 
> 
> 
> sFlow is great! I've used InMon's (www.inmon.com) sFlow probe 
> along with the xRMON built into some HP switches to get 
> packet sampling. The math on packet sampling is pretty deep. 
> NTOP also supports sFlow and it is open source. www.ntop.org
> 
> Tony Wasson
> 
> ----- Original Message -----
> From: "Pete Kruckenberg" <pete@kruckenberg.com>
> To: <nanog@merit.edu>
> Sent: Thursday, March 28, 2002 8:12 AM
> Subject: Re: Let's talk about Distance Sniffing/Remote Visibility
> 
> 
> >
> > On Thu, 28 Mar 2002 CARL.P.HIRSCH@sargentlundy.com wrote:
> > > It seems to me that the means available are A) a very expensive
> > > distributed NAI Sniffer installation B) standard RMON probes and the
> > > NMS of your choice and C) A linux box with a ton of interfaces
> > > running Ethereal accessed via Xwindows/VNC/whatever.
> >
> > I am starting to deploy GigE as a WAN technology. One nice benefit is
> > that the equipment (Cisco 6500/7600 class) has capabilities not
> > usually found in routers (such as remote port mirroring). Coupled with
> > VLAN ACL's, this can be quite useful for ad-hoc remote
> > diagnostics.
> >
> > One particularly interesting adaptation is sFlow (RFC 3176), currently
> > only implemented by Foundry (I don't know of any other vendors
> > planning to implement sFlow). sFlow is usually pitched against
> > Netflow, I see it more as a diagnostic tool. It works quite like port
> > mirroring, but also allows sampling and only sends header information
> > to the collection server.
> >
> > Pete.
> >
> >
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPKNa5C+t+bSN12wHEQJb7ACgl3o1lBRSLME/jerFPSZIWtNtdgoAoOR+
ve3DiXjpnhQVg1hPgBP4e+Tn
=YQ4G
-----END PGP SIGNATURE-----
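
Added example, not part of the original message or of InMon's toolkit: a script of the kind the quoted sFlow toolkit text describes, reading sflowtool's text output and scaling each sampled packet by its sampling rate to estimate per-source traffic, with the usual 95% sampling-error bound of 196*sqrt(1/c) percent for c samples. It assumes the comma-separated FLOW line layout printed by `sflowtool -l` (the field positions are an assumption to check against your version); the sample lines are constructed.

```python
import math
import sys
from collections import defaultdict

# Constructed sample lines in the assumed `sflowtool -l` layout (not real traffic).
SAMPLE = """\
FLOW,10.0.0.254,1,2,00902773db08,001083265e00,0x0800,0,0,192.0.2.10,198.51.100.5,6,0x00,64,40000,80,0x18,1514,1500,512
FLOW,10.0.0.254,1,2,00902773db08,001083265e00,0x0800,0,0,192.0.2.10,198.51.100.5,6,0x00,64,40000,80,0x10,1514,1500,512
FLOW,10.0.0.254,1,2,00902773db08,001083265e00,0x0800,0,0,192.0.2.77,198.51.100.9,17,0x00,64,5353,53,0x00,90,76,512
CNTR,10.0.0.254,1,6,100000000,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0
FLOW,10.0.0.254,truncated
"""

# Assumed 0-based field positions in a FLOW line: src_IP, packet_size, sampling_rate.
SRC_IP, PKT_SIZE, RATE, NFIELDS = 9, 17, 19, 20


def estimate_by_source(lines):
    """Scale sampled packets by their sampling rate to estimate per-source totals."""
    acc = defaultdict(lambda: {"samples": 0, "pkts": 0, "bytes": 0})
    for line in lines:
        f = line.strip().split(",")
        if f[0] != "FLOW" or len(f) < NFIELDS:
            continue  # skip counter records and truncated lines
        try:
            size, rate = int(f[PKT_SIZE]), int(f[RATE])
        except ValueError:
            continue  # non-numeric size or rate: ignore the record
        if rate <= 0:
            continue
        a = acc[f[SRC_IP]]
        a["samples"] += 1
        a["pkts"] += rate          # one sample stands for `rate` packets
        a["bytes"] += size * rate  # and for `rate` frames of this size
    for a in acc.values():
        # 95% confidence bound on the relative error of the packet estimate.
        a["err_pct"] = 196.0 * math.sqrt(1.0 / a["samples"])
    return dict(acc)


if __name__ == "__main__":
    # Pipe `sflowtool -l` into this script, or run it bare to use the sample.
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    top = sorted(estimate_by_source(src).items(), key=lambda kv: -kv[1]["bytes"])
    for ip, a in top:
        print(f"{ip:15} ~{a['pkts']} pkts ~{a['bytes']} bytes "
              f"(+/-{a['err_pct']:.0f}%, {a['samples']} samples)")
```

With only one or two samples per source the error bound exceeds 100%, so estimates become usable only once a source has accumulated many samples.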

