oss netflow collector/trending/analysis

2014-05-02 Thread Matthew Galgoci

Hey There,

I was just wondering, for people who are doing netflow analysis with
open source tools and who are doing at least 10k or more flows per
second, what are you using?

I know of three tool sets:

- The classic osu flow-tools and the modern continuation/fork.
- ntop
- nfdump/nfsen

Is there anything else I've missed? A few folks here really seem to like
nfsen/nfdump.

Thanks,

Matt

-- 
Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x44155
--
“Whatever you do will be insignificant, but it is very important that you do 
it.”  -- Mahatma Gandhi



Re: oss netflow collector/trending/analysis

2014-05-02 Thread Dobbins, Roland

On May 2, 2014, at 9:36 PM, Matthew Galgoci wrote:

> A few folks here really seem to like
> nfsen/nfdump.

The good thing about nfdump/nfsen is that you can customize it and do a lot 
with it, and it's easy to get set up and running.

This is the canonical list of open-source NetFlow tools:



---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton



Re: oss netflow collector/trending/analysis

2014-05-02 Thread Jeroen Massar
On 2014-05-02 16:36, Matthew Galgoci wrote:
[..]
> Is there anything else I've missed? A few folks here really seem to like
> nfsen/nfdump.

For OSS that is pretty much it that really matters (maybe you could add
Argus if you really want though).

For a long long list, check out Simon Leinen's site:
https://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

Not all of that is OSS though. Lots of these netflow-analyzer tools are
in-house / a bunch-of-scripts-upon-scripts that are too scary to let out
in the open and/or do not scale...

IMHO your best bet is to use nfsen/nfdump as that is the best thing
publicly available.

Greets,
 Jeroen



Re: oss netflow collector/trending/analysis

2014-05-02 Thread Avi Freedman

There's also SiLK from CMU.  It's powerful but has a learning curve.

I also see pmacct being used both by some end networks and by 
some vendors as part of systems.

Avi




Re: oss netflow collector/trending/analysis

2014-05-02 Thread Leslie
pmacct (http://www.pmacct.net/) is another pretty awesome open source tool.

Leslie



Re: oss netflow collector/trending/analysis

2014-05-02 Thread Joe Loiacono
"NANOG" wrote on 05/02/2014 11:00:15 AM:

> From: freed...@freedman.net (Avi Freedman)
> 
> There's also SiLK from CMU.  It's powerful but has a learning curve.
> 

SiLK is very good. See FlowViewer for a powerful front-end to the tool.

http://sourceforge.net/projects/flowviewer/

Also supports flow-tools.

Joe


Re: oss netflow collector/trending/analysis

2014-05-02 Thread Pierre-Yves Maunier
2014-05-02 16:36 GMT+02:00 Matthew Galgoci :

>
> Hey There,
>
> I was just wondering, for people who are doing netflow analysis with
> open source tools and who are doing at least 10k or more flows per
> second, what are you using?
>
> I know of three tool sets:
>
> - The classic osu flow-tools and the modern continuation/fork.
> - ntop
> - nfdump/nfsen
>
> Is there anything else I've missed? A few folks here really seem to like
> nfsen/nfdump.
>
> Thanks,
>
> Matt
>


Hi Matt,


I've been using pmacct for quite some time now and I'm more than happy with
the results.

Being able to store all the info in a *SQL db is a killer feature for me.

Also it can speak BGP with your routers so it can grab the AS Path
information, which allows us, for example, to make traffic graphs for a
destination AS aggregated by AS Path (one of my favorite features I had
with the Arbor peakflow in my previous company).

Pierre-Yves


Re: oss netflow collector/trending/analysis

2014-05-04 Thread David Edelman
Argus (qosient.com) is worth looking at. 


Dave Edelman




Re: oss netflow collector/trending/analysis

2014-05-04 Thread Warren Bailey
Ntop is somehow open source if I recall. Seemed to work well and was fairly 
cheap to license.

