Re: The Making of a Router

2013-12-26 Thread Thomas York


On 12/26/13 11:33 AM, Nick Cameo sym...@gmail.com wrote:

Hello Everyone,

We are looking to put together a 2u server with a few PCIe 3 x8
(recommendations appreciated). The router will take a voip transcoding
line card, and will act as an edge router for a telecom company.

For things like BGP (Quagga, Zebra, all that lovely stuff!!!), static
routes, and firewall capabilities we are thinking gentoo linux
stripped for sure however, what about the BSDs? FreeBSD or OpenBSD.
Any comments, feedback, does, and don'ts are much appreciated.

Kind Regards,

Nick.




Depends on how skilled you are at maintaining Linux vs BSD, honestly.
Personally, I've accomplished something similar with great performance in
the past on Linux. I ran Debian 7 + latest compiled Quagga + latest
compiled Libreswan + Shorewall. If you're going to have a lot of different
people changing the rules, I would go with Shorewall. The syntax is
brain-dead simple, even though you're stuck with the network stack
limitations of Linux. A lot of my issues with doing this in Linux have to
do with distros loading a bunch of netfilter helpers by default, which
can be a major pain in the ass (I'm looking at you, SIP and SNMP modules).
I had to do a lot of tweaking to the conntrack tables to make them large
enough to handle lots of traffic, but obviously YMMV.

Have you tried labbing BSD vs Linux to see which you like better? I'd
probably do that before throwing it in to production.
--
Thomas York
ExactTarget, a salesforce.com company http://exacttarget.com
Network Engineer
ty...@exacttarget.com
Office: (317) 832-4384
Mobile: (317) 660-5426
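A check for the two things this reply calls out, autoloaded netfilter helpers and conntrack table headroom, as an added example (not Thomas's setup or any project's code). On a Linux box audit_live_host() reads /proc/modules and the nf_conntrack sysctls; the embedded module list and the counts passed to report() are constructed for the demo.

```python
"""Audit a Linux router for autoloaded conntrack helpers (ALGs) and for
conntrack table headroom. Added example for this thread, not code from the
post or any project. SAMPLE_MODULES and the counts passed to report() are
constructed; audit_live_host() reads the real files on a Linux box."""
import re
from pathlib import Path

# Modules implementing connection-tracking helpers / ALGs. SIP and SNMP are
# the two the post names as troublesome on a VoIP edge router; the rest are
# the other helpers distro kernels commonly ship as autoloadable modules.
HELPER_RE = re.compile(
    r"^nf_(?:conntrack|nat)_(?:sip|snmp|snmp_basic|ftp|h323|irc|pptp|tftp|"
    r"netbios_ns|amanda|sane)$")


def loaded_helpers(proc_modules_text):
    """Helper module names present in /proc/modules-formatted text.
    Each line is: name size refcount deps state address."""
    found = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and HELPER_RE.match(fields[0]):
            found.append(fields[0])
    return sorted(found)


def conntrack_utilization(count, maximum):
    """Fraction (0.0-1.0) of the conntrack table in use."""
    if maximum <= 0:
        raise ValueError("nf_conntrack_max must be positive")
    return count / maximum


def findings(proc_modules_text, count, maximum, warn_at=0.80):
    """Human-readable findings; an empty list means nothing to fix."""
    out = []
    for name in loaded_helpers(proc_modules_text):
        out.append(f"helper loaded: {name}; unload or blacklist it unless a "
                   "flow actually needs that ALG")
    use = conntrack_utilization(count, maximum)
    if use >= warn_at:
        out.append(f"conntrack table {use:.0%} full ({count}/{maximum}); "
                   "raise net.netfilter.nf_conntrack_max before it overflows")
    return out


def audit_live_host():
    """Run the same checks against the running kernel (Linux only)."""
    mods = Path("/proc/modules").read_text()
    sysfs = Path("/proc/sys/net/netfilter")
    count = int((sysfs / "nf_conntrack_count").read_text())
    maximum = int((sysfs / "nf_conntrack_max").read_text())
    return findings(mods, count, maximum)


# Constructed /proc/modules excerpt: two helpers autoloaded plus unrelated modules.
SAMPLE_MODULES = """\
nf_nat_sip 16384 0 - Live 0x0000000000000000
nf_conntrack_sip 28672 1 nf_nat_sip, Live 0x0000000000000000
nf_conntrack_snmp 16384 0 - Live 0x0000000000000000
nf_conntrack 139264 5 nf_conntrack_sip,nf_nat_sip,nf_conntrack_snmp,nf_nat,xt_conntrack, Live 0x0000000000000000
e1000e 262144 0 - Live 0x0000000000000000
"""


def report(count=60000, maximum=65536):
    """Findings for the constructed sample; the counter values are made up."""
    return findings(SAMPLE_MODULES, count, maximum)


if __name__ == "__main__":
    for line in report():
        print(line)
```

The helper list is a regex rather than a fixed set so that a site can extend it; the 80% warning threshold is an assumption, pick whatever headroom your traffic peaks need.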




86th Street TWTC outage

2013-06-25 Thread Thomas York
Just in case anyone has equipment in the 86th Street TWTC Colo, both of
their AC units are dead and the fire department is here. I'll try to update
as soon as I know something.


MikroTik + EAP-TLS + Non-Channel 1 / Apple iOS issues

2013-04-03 Thread Thomas York
I know a few of you guys are using MikroTik offerings in the enterprise, so
I hope to pick your brain(s). I have many, many RB433UAH's deployed
worldwide as simple WAPs. I've been looking to move to 802.1x EAP-TLS via an
external FreeRadius server. I have our HP Procurves using the FreeRadius
server without issue. In fact, the only devices that seem to have issues are
the MikroTik devices.

For one, only channel 1 seems to work with 802.1x. If I change the channel
to ANYTHING else, clients refuse to auth. Secondly, newer iOS devices (iOS 5
and newer, I believe) refuse to auth entirely. I have an older iPod touch
that is on iOS4 that can authenticate on channel 1. 

Have any of you guys seen issues like this? Thanks.

-- Thomas York



smime.p7s
Description: S/MIME cryptographic signature


MessageLabs/MXLogic issues

2013-01-29 Thread Thomas York
Have any of you noticed issues delivering email through MessageLabs to
people who use MXLogic for spam/AV filtering? I've seen it more and more
over the last month, to the point that I have to call 5-10 people a day to
tell them to whitelist our domain in MXLogic. It isn't specific to a certain
domain, just to Symantec/MessageLabs IPs. I've also seen this issue once or
twice with domains hosted with Gmail, but those have cleared themselves up.

-- Thomas York





China Telecom VPN problems (again)

2012-12-05 Thread Thomas York
It looks like I'm having China Telecom issues yet again. They're batting
down our SSL VPN tunnels. Switching ports doesn't help. Tunneling the SSL
tunnel inside of another tunnel doesn't help. At this point I'm tired of
listening to the screaming by the business users. Can someone contact me
(here or off-list, I don't care) about circuits in China so that we don't
have to use China Telecom? We'd only need 2-10 Mbit and Ethernet hand off.
We don't need BGP or MPLS or anything remotely fancy. Our main concern is
getting connectivity to the business district in Suzhou, but it'd be nice if
we could also use the same carrier in Shenzhen.

Thanks!

-- Thomas York





RE: IPv6 Toolkit v1.2: Latest snapshot, and git repo

2012-07-16 Thread Thomas York
Also compiles and works fine for me on 10.7.

-- Thomas York

-Original Message-
From: Randy Carpenter [mailto:rcar...@network1.net]
Sent: Monday, July 16, 2012 11:21 AM
To: Fernando Gont
Cc: NANOG
Subject: Re: IPv6 Toolkit v1.2: Latest snapshot, and git repo


Appears to compile file on Mac OS X 10.7. The resulting programs run, but I 
have not tried any real testing with actual data.


thanks,
-Randy


- Original Message -
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Folks,

 I've posted a snapshot (tarball) of my working copy of the IPv6
 toolkit. The tarball is available at:
 http://www.si6networks.com/research/ipv6-toolkit-v1.2.tar.gz

 Additionally, I've created a git repository for the toolkit, such that
 collaboration is improved. The git repo is available at:
 https://github.com/fgont/ipv6-toolkit.git

 If you have access to a Mac OS box, please try to compile the tools,
 and let me know if you find any errors (or let me know if they
 compiled cleanly). If you can also run the tools according to some of
 the examples in the manuals (and report any problems), that would be
 great, too.

 P.S.: If you've sent patches and your patches have not yet been
 applied, most likely it just means that I'm catching-up with them
 (feel free to resend!).

 Thanks!

 Best regards,
 --
 Fernando Gont
 e-mail: ferna...@gont.com.ar || fg...@si6networks.com
 PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1












RE: job screening question

2012-07-05 Thread Thomas York
My answer to that question would be No.. why would I ever blanket block ICMP?
If I'm that stupid, I shouldn't be deploying firewalls at all.

I also assume I wouldn't get the job after answering that...

Thomas York

-Original Message-
From: William Herrin [mailto:b...@herrin.us] 
Sent: Thursday, July 05, 2012 1:02 PM
To: nanog@nanog.org
Subject: job screening question

Hi folks,

I gave my HR folks a screening question to ask candidates for an IP expert
position. I've gotten some unexpected answers, so I want to do a sanity
check and make sure I'm not asking something unreasonable.
And by unexpected I don't mean naively incorrect answers, I mean
oh-my-God-how-did-you-get-that-cisco-certification answers.

The question was:

You implement a firewall on which you block all ICMP packets. What part of
the TCP protocol (not IP in general, TCP specifically) malfunctions as a
result?


My questions for you are:

1. As an expert who follows NANOG, do you know the answer? Or is this
question too hard?

2. Is the question too vague? Is there a clearer way to word it?

3. Is there a better screening question I could pass to HR to ask and check
the candidate's response against the supplied answer?

Thanks,
Bill Herrin


--
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004





Re: Commerical Backup Solutions

2012-05-17 Thread Thomas York
We use Barracuda Yosemite backup with about 10 locations all over the
world, using disk to disk (single disks via esata and to SANs) and disk to
tape (both libraries and single drives). Very rarely do we have issues.
Barracuda support isn't as good as Yosemite's (Barracuda bought them) but
still not bad. Also, the site wide license is a steal! Get a demo, it might
fit the bill.

--Thomas York
On May 17, 2012 6:59 PM, Mike Lyon mike.l...@gmail.com wrote:

 We used Acronis and it was a nightmare as was their off-shored support
 model. Never again... Wouldn't touch them with a 10 foot pole.

 Switched to Iron Mountain LiveVault which backs everything up over the
 wire. It has basic reporting functions but not extremely granular.
 http://ironmountain.com/services/democenter/livevault/player.html

 Barracuda also seems to have a nice product. Though, i've never used it:
 http://www.barracudanetworks.com/ns/products/backup_overview.php

 -Mike

 On Thu, May 17, 2012 at 3:53 PM, Paul Stewart p...@paulstewart.org
 wrote:

  Hey folks.

  I'm hoping for some input from operational folks on backup solutions for
  servers.  We are looking for a commercial backup solution with a nice
  reporting dashboard etc.

  It must support full/incremental backups on Windows and various flavors of
  Linux.  We would also be looking for bare metal image/recovery abilities.

  To date, we've been fond of Acronis until we got the quote for it ..
  Initially we would be looking at 50-80 servers and growing it up from there
  to probably 150-200 boxes.  Some of these servers are geographically
  dispersed.

  At the moment we have been using Bacula but it lacks bare metal options and
  doesn't have any nice reporting options (Executive Dashboard etc)

  Thanks for any input,

  Paul


 --
 Mike Lyon
 408-621-4826
 mike.l...@gmail.com

 http://www.linkedin.com/in/mlyon



RE: OWA blocked by China

2012-03-27 Thread Thomas York
Good luck with that. I have three plants in China and China Telecom loves
batting down our VPN tunnels. They've left the current solution alone for a
few months now. It appears they try to do DPI on SSL/IPSec to see if it's a
VPN tunnel. I placed our SSL OpenVPN tunnel inside of a GRE tunnel. For some
reason, they don't seem to be doing DPI on it and mostly leave it alone now.
I'm sure it'll change at some point soon, though. 

-- Thomas York

-Original Message-
From: TR Shaw [mailto:ts...@oitc.com] 
Sent: Tuesday, March 27, 2012 10:45 AM
To: Jim Gonzalez
Cc: nanog@nanog.org
Subject: Re: OWA blocked by China


On Mar 27, 2012, at 10:16 AM, Jim Gonzalez wrote:

 Hello,
 
 One of my customers has workers in China. Their Outlook
 Web Access is blocked by the China Firewall. I was just wondering if
 anyone had this issue? I have not tried any workarounds as of yet,
 just gathering info
 

Jim

Try a tunnel?

Tom






RE: Any recommended router. They are reliable and have good support.

2011-11-22 Thread Thomas York
I've had one major, glaring issue with RouterBoard/Mikrotik. Quite often, I
will configure a new router/AP/whatever Mikrotik device and it simply will
not work. The config is correct, but the device just won't work properly
(sometimes it won't pass data, it won't bridge correctly, VLAN membership
isn't correct, etc). However, if I reset the device to factory settings
(Which takes forever because you have to find the little metal half circles
and use a flat-head screwdriver to bridge them) and redo the EXACT same
config everything will magically work.

This annoyance hasn't been enough to make me switch to another brand yet,
but I know every time I have to deploy a new device I'm likely to wrestle
this issue.

--Thomas York

-Original Message-
From: Eduardo Schoedler [mailto:lis...@esds.com.br] 
Sent: Tuesday, November 22, 2011 1:00 PM
To: 'Meftah Tayeb'; 'Leigh Porter'; fai...@snappydsl.net
Cc: 'nanog list'
Subject: RES: Any recommended router. They are reliable and have good
support.

One missing feature in MikroTik is IS-IS.

--
Eduardo Schoedler



 -Mensagem original-
 De: Eduardo Schoedler [mailto:lis...@esds.com.br] Enviada em: 
 terça-feira, 22 de novembro de 2011 15:04
 Para: 'Meftah Tayeb'; 'Leigh Porter'; fai...@snappydsl.net
 Cc: 'nanog list'
 Assunto: RES: Any recommended router. They are reliable and have good 
 support.
 
 One important feature for me is MPLS/VPLS support.
 
 +1 MikroTik
 
 --
 Eduardo Schoedler
 
 
  -Mensagem original-
  De: Meftah Tayeb [mailto:tayeb.mef...@gmail.com] Enviada em:
  segunda-feira, 21 de novembro de 2011 12:26
  Para: Leigh Porter; fai...@snappydsl.net
  Cc: nanog list
  Assunto: Re: Any recommended router. They are reliable and have good 
  support.
 
  Leigh,
  MT is very responsive, wonderful, fast bug fixes and very organised RouterOS
  releases. I use it a lot and it has a hell load of features, supporting all
  major routing protocols: BGP, OSPF / OSPFv3, RIP/RIPNG, PIM for multicast,
  MME for wireless and much more.
  thank you
 
  - Original Message -
  From: Leigh Porter leigh.por...@ukbroadband.com
  To: fai...@snappydsl.net
  Cc: nanog list nanog@nanog.org
  Sent: Tuesday, November 22, 2011 6:02 PM
  Subject: Re: Any recommended router. They are reliable and have good 
  support.
 
 
  Has anybody had experience of mikrotik support? Is it any good? Any 
  thoughts about the time to fix bugs?
 
  --
  Leigh
 
 
  On 22 Nov 2011, at 15:57, Faisal Imtiaz fai...@snappydsl.net wrote:
 
   mikrotik family .. you can have all sizes and shapes of routers ..
   lots of support available online or from independent consultants.
  
   Regards.
  
   Faisal Imtiaz
   Snappy Internet & Telecom
  
  
   On 11/22/2011 10:38 AM, Deric Kwok wrote:
   Hi
  
   Can I know any selection of Linux routers except cisco / juniper?
  
   They are reliable and have  good support provided
  
   We would like to get one for testing.
  
   Thank you






RE: Time Warner Telecom problems

2011-11-07 Thread Thomas York
FWIW, We saw issues here in Indianapolis between TWTC and L3 up until a few 
minutes ago.

--Thomas York

-Original Message-
From: Blake Hudson [mailto:bl...@ispn.net] 
Sent: Monday, November 07, 2011 11:02 AM
To: nanog@nanog.org
Subject: Re: Time Warner Telecom problems


Joe Greco wrote the following on 11/7/2011 9:54 AM:
 Gizmodo is reporting problems at Time Warner Telecom & we're 
 suffering from it too and calls to the NOC have not been answered so 
 far...  does anyone have any further information?

 http://gizmodo.com/5857010/massive-time-warner-outage-hits-the-us
 Actually, it looks to me like they mean Time Warner, because that's 
 what they said.

 The company once known as Time Warner Telecom has always been a 
 different entity, and hasn't been known as that in some time, now 
 being called twtelecom.  Much of that company is what was once known 
 as inc.net, a Milwaukee area provider of the '90's.

 Time Warner Cable appears to have experienced an implosion this 
 morning, being out of service for about 11 minutes.  During that time, 
 packets originating here in Milwaukee quickly died in Chicago;

Using the looking glass from TWtelecom, we saw a 30-60 min outage (roughly 8:30AM
to 9:30AM CST) between the Kansas City location and our own server room in
Kansas City. Other TWtelecom locations appeared to be unaffected. Perhaps
TWtelecom is served by Timewarner or shares equipment in KC. Either way, none
of our KC customers who were served via TWtelecom or Timewarner were able to
reach us. Packets would hit Level 3 Communications and die in either direction
at the border between L3 and TW. FWIW, TW was showing a good BGP route to us
and vice versa.
http://lglass.twtelecom.net/





Re: DNS DoS ???

2011-07-29 Thread Thomas York
I see this all the time on my personal servers. I finally just told bind 
to stop logging it.


On 07/29/2011 02:51 PM, Elliot Finley wrote:

my DNS servers were getting slow so I blocked recursive queries for
all but my own network.

Then I was getting so many of these:

ns2 named[5056]: client 78.159.111.190#25345: query (cache)
'isc.org/ANY/IN' denied

that it was still slowing things down.  I've since written a script to
watch the log and throw these into the box's local firewall.  If I
expire the entries after 24 hours then I accumulate about 10200 unique
IPs.  If I expire after 48 hours, then it's just over 2 unique
IPs.

Is anyone else seeing this?

Elliot
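Elliot's approach above (watch the named log, firewall the clients, expire them after a window) as an added Python sketch, not his script. The log lines are constructed: 78.159.111.190 is the address quoted in the thread, the rest are documentation ranges. One caveat worth building in: the 'isc.org/ANY' pattern is the DNS reflection flood of that period, where the client address is usually the spoofed victim rather than the attacker, so a block list built from it mostly blocks victims. Refusing recursion, which the thread already does, is the real fix; the list is more useful as input for rate limiting or abuse reports, and the any_only() view separates that traffic from ordinary misdirected lookups.

```python
"""Sliding-window tracker for BIND 'query (cache) ... denied' log lines.
Added example for this thread, not Elliot's script; SAMPLE_LOG is
constructed (78.159.111.190 is the address quoted in the thread, the
other addresses are documentation ranges)."""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>named\[\d+\]: .*)$")
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied")


def parse_line(line, year):
    """(timestamp, named message) for a syslog line from named, else None.
    Syslog stamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("msg")


def parse_denied(msg):
    """(client_ip, 'name/type/class') for a denied cache query, else None."""
    m = DENIED_RE.search(msg)
    return (m.group("ip"), m.group("q")) if m else None


class DeniedTracker:
    """Remembers each denied client until expire_after has passed since its last hit."""

    def __init__(self, expire_after):
        self.expire_after = expire_after
        self.last_seen = {}   # ip -> datetime of most recent denial
        self.hits = {}        # ip -> number of denials in the window
        self.qtypes = {}      # ip -> set of query types it asked for

    def observe(self, ts, msg):
        parsed = parse_denied(msg)
        if parsed is None:
            return None
        ip, q = parsed
        self.last_seen[ip] = ts
        self.hits[ip] = self.hits.get(ip, 0) + 1
        self.qtypes.setdefault(ip, set()).add(q.split("/")[-2])
        return ip

    def expire(self, now):
        cutoff = now - self.expire_after
        for ip in [ip for ip, t in self.last_seen.items() if t < cutoff]:
            for table in (self.last_seen, self.hits, self.qtypes):
                del table[ip]

    def active(self, now):
        """Sorted client addresses still inside the window (the firewall list)."""
        self.expire(now)
        return sorted(self.last_seen)

    def any_only(self):
        """Clients that only ever sent ANY queries: the reflection-flood signature."""
        return sorted(ip for ip, types in self.qtypes.items() if types == {"ANY"})


def offenders(log_text, expire_after, now, year):
    tracker = DeniedTracker(expire_after)
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed:
            tracker.observe(*parsed)
    return tracker.active(now), tracker.any_only(), dict(tracker.hits)


# Constructed log excerpt; the last line shows a non-denial named message being ignored.
SAMPLE_LOG = """\
Jul 29 14:51:03 ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:51:04 ns2 named[5056]: client 78.159.111.190#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 29 14:51:09 ns2 named[5056]: client 203.0.113.7#53: query (cache) 'ripe.net/ANY/IN' denied
Jul 29 14:52:00 ns2 named[5056]: client 192.0.2.1#4242: query (cache) 'example.com/A/IN' denied
Jul 30 16:00:00 ns2 named[5056]: client 198.51.100.9#1234: query (cache) 'isc.org/ANY/IN' denied
Jul 30 16:00:01 ns2 named[5056]: zone example.net/IN: loaded serial 2011073001
"""
NOW = datetime(2011, 7, 30, 16, 30)  # constructed "current time" for the demo


def report(hours):
    """(active clients, ANY-only clients, hit counts) for SAMPLE_LOG with an expiry of `hours`."""
    return offenders(SAMPLE_LOG, timedelta(hours=hours), NOW, 2011)


if __name__ == "__main__":
    for h in (24, 48):
        print(h, report(h))
```

With the 24-hour window only the Jul 30 client is still active; with 48 hours all four are, which is the same window-size effect the thread reports on the real numbers.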








Re: IMPORTANT ADMINISTRIVIA - NANOG list and website changes over the next week

2011-07-08 Thread Thomas York

On 07/08/2011 01:23 PM, Seth Mattinen wrote:

On 7/8/11 9:04 AM, Michael K. Smith - Adhost wrote:

Hello Everyone

We are going to be moving the NANOG mailing list over to our new service 
provider beginning this week.  There are several changes that will occur over 
time that will, hopefully, reduce the service impact to users.  One key note - 
the new system doesn't use Mailman, so your filtering rules may need to be 
changed to accommodate the new system.

- July 8th - We will begin the transition of the NANOG website to its new 
location with our service provider.
- There may be service glitches through the weekend on the site, but 
nothing catastrophic
- July 9th - Mailman will be modified to use our service provider's MX for 
outbound messages.
- Hopefully this will be transparent to list participants, but users 
can add mail.amsl.com to their filters.
- July 9th - Subscription changes to the list will be frozen and the list 
archives will be unavailable.
- Administrivia requests will receive a bounce message during this 
phase.
- July 11th - MX records will be updated so all inbound/outbound mail goes 
through their system.
- At this stage, mail.amsl.com will be the only MX for NANOG list 
services.


No more IPv6? I don't see an AAAA record for it...

~Seth


There goes 90% of my IPv6 traffic!

--Thomas York





VPN tunnels between US and China dropping/slow

2011-05-10 Thread Thomas York
At my current place of business, we have several manufacturing plants in
China as well as the United States. All of the plants have an OVPN tunnel to
a datacenter here in Indianapolis which connect all of the plants. Our China
plants pay for the basic 3mbit/3mbit fiber internet connections. I've had a
hell of a time keeping their tunnels up. They're running on port 443 over
TCP now, but every month or so the tunnel degrades so badly I have to switch
the port. I've recently tried tunneling OVPN (UDP) over a GRE tunnel and
that has worked for a few months..but even now is degrading. The interesting
thing is that ONLY the tunnel traffic gets degraded. I've replaced all of
the equipment on both ends of all of the VPN tunnels, which changed nothing.

Currently, we're talking to Time Warner and some of our customers who have
plants in China to see what solutions they're using to get around this kind
of issue. One thing we are hearing quite often is that they're using a MPLS
based connection to Hong Kong, then going to the USA from there. We're happy
to try this, but due to cost issues we're (management mostly) considering
this a last resort option. Are there any other options maybe some of you
have for fixing this issue? Thanks

Thomas York





Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread Thomas York
I tried to tell my bosses that and I got a blank stare.

-- Thomas York

Adam Rothschild a...@latency.net wrote:

Realize also that China Telecom is congested both internally and on
certain peering interfaces.

While DPI is a likely culprit, be sure to not overlook a good
old-fashioned inability to manage capacity, combined with certain
hashing algorithms...

-a


Re: VPN tunnels between US and China dropping/slow

2011-05-10 Thread Thomas York
Yes. Every day at roughly 2AM EDT the latency climbs to 700ms+ with about 25% 
packet loss and fluctuates until about 6-7AM.

-- Thomas York

Joel Jaeggli joe...@bogus.com wrote:

On 5/10/11 10:10 AM, Adam Rothschild wrote:
 Realize also that China Telecom is congested both internally and on
 certain peering interfaces.
 
 While DPI is a likely culprit, be sure to not overlook a good
 old-fashioned inability to manage capacity, combined with certain
 hashing algorithms...

if you're measuring the end-to-end path you'll likely see evidence of
the latency climbing on a near daily cycle.

my median rtt from the US east coast is 268ms; sometimes it's north of
370 with essentially the same loss properties.

 -a
 



Bright House residential IPv6

2011-05-02 Thread Thomas York
I'm a new Bright House residential customer and I have their new 40/5
'Lightning' service, which is rumored to have free native IPv6. I've called
them, but of course no one I talked to knew anything about IPv6. Do any of
you have this service and have native? If you do, what did you do to get it
activated for your line?

Thomas York





RE: Bright House residential IPv6

2011-05-02 Thread Thomas York
As per an off list topic, I'm in downtown Indianapolis. If anyone has a
residential contact for this region, I'd much appreciate it. Thanks!

Thomas York

-Original Message-
From: Thomas York [mailto:strate...@fuhell.com] 
Sent: Monday, May 02, 2011 10:13 AM
To: nanog@nanog.org
Subject: Bright House residential IPv6

I'm a new Bright House residential customer and I have their new 40/5
'Lightning' service, which is rumored to have free native IPv6. I've called
them, but of course no one I talked to knew anything about IPv6. Do any of
you have this service and have native? If you do, what did you do to get it
activated for your line?

Thomas York





Off list contact for Quadranet

2011-02-20 Thread Thomas York
If the network contact at Quadranet could contact me off list, I'd
appreciate it. This is concerning the continual spamming of a proxy server I
run from multiple hosts at Quadranet.

Thomas York





RE: ipfix/netflow/sflow generator for Linux

2010-12-07 Thread Thomas York
I just retested nprobe and it has the same issue as most of the other tools.
It doesn't specify the InputInt and OutputInt properly. Yes, you can
statically set it but that will drastically skew the data in this
environment. I'm not against running multiple processes, I've just not found
a product that runs using multiple processes that does what I need to.

I just noticed the ntop version in EPEL is fairly old, so I'll try to
compile the latest myself and see if it's more stable.

Also, FYI to anyone who is interested in this, I've opened a support ticket
with ipcad to fix the interface numbering issue.

http://tinyurl.com/32pjyfa

From: packetmon...@gmail.com [mailto:packetmon...@gmail.com] On Behalf Of
Darren Bolding
Sent: Monday, December 06, 2010 8:57 PM
To: Thomas York
Subject: Re: ipfix/netflow/sflow generator for Linux

We've used nprobe with good success, passing the flows to ntop, nfsen etc.

nProbe supports specifying the interface, so yes, you would have to run
multiple processes, but I believe it would work.

We went ahead and purchased the PF_RING driver as it significantly improved
the capture performance of our systems.

I'm assuming since you tried it, you really don't want to fire up a separate
process for each interface?  I'd love to hear what you thought about the
various tools and what you end up deciding on.

For us, we collect the data using nprobe and have had no problem getting
ntop to stably analyze those flows when pointed to it.  NFSEN is pretty damn
cool also.  We point various nprobe, netflow, sflow data at it with good
effect.

--D

On Mon, Dec 6, 2010 at 11:15 AM, Thomas York strate...@fuhell.com wrote:

At my current place of work, we use all Linux routers. I need to do some IP
accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer
can use netstream, jstream, ipfix, netflow, and sflow data without qualms.
My only issue is that I can't seem to find any good software for Linux that
works with multiple interfaces to generate the flow information. I've tried
ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of
the software only works on one interface (which is useless as I need to do
accounting for numerous interfaces).



I've had the best luck with ipcad. The only thing that seems to not work
with it is that it doesn't correctly give the interface number in the flow
information. It refers to all interfaces as interface 65535. I've tried the
config option for ipcad to map an interface directly to an SNMP interface
ID, but that option of the config file seems to be ignored.



Ntop functionally does exactly what I need, but it's extremely buggy. It
segfaults after a few minutes, regardless of Linux distro or Ntop version.
So..any ideas on what I can do to get good flow information from our Linux
routers?




-- 
--  Darren Bolding  --
--  dar...@bolding.org   --



ipfix/netflow/sflow generator for Linux

2010-12-06 Thread Thomas York
At my current place of work, we use all Linux routers. I need to do some IP
accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer
can use netstream, jstream, ipfix, netflow, and sflow data without qualms.
My only issue is that I can't seem to find any good software for Linux that
works with multiple interfaces to generate the flow information. I've tried
ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of
the software only works on one interface (which is useless as I need to do
accounting for numerous interfaces).

I've had the best luck with ipcad. The only thing that seems to not work
with it is that it doesn't correctly give the interface number in the flow
information. It refers to all interfaces as interface 65535. I've tried the
config option for ipcad to map an interface directly to an SNMP interface
ID, but that option of the config file seems to be ignored.

Ntop functionally does exactly what I need, but it's extremely buggy. It
segfaults after a few minutes, regardless of Linux distro or Ntop version.
So..any ideas on what I can do to get good flow information from our Linux
routers?



RE: ipfix/netflow/sflow generator for Linux

2010-12-06 Thread Thomas York
fprobe doesn't work properly because it has the input and output interface
IDs as both 0. In Scrutinizer, this makes the flow look like all the data
came in the interface and immediately left via the same interface. Also,
this causes problems when running multiple instances of fprobe. 

This seems to be the issue with most of the flow software I've tried.

-Original Message-
From: Samuel Petreski [mailto:sp...@georgetown.edu] 
Sent: Monday, December 06, 2010 3:38 PM
To: 'Thomas York'; nanog@nanog.org
Subject: RE: ipfix/netflow/sflow generator for Linux

I've used fprobe with great success. You can run multiple instances of
fprobe for the different interfaces.  

--Samuel

fprobe: a NetFlow probe - libpcap-based tool that collects network traffic
data and emits it as NetFlow flows towards the specified collector.

WWW: http://sourceforge.net/projects/fprobe

--
Samuel Petreski
Sr. Security Analyst
Georgetown University

 -Original Message-
 From: Thomas York [mailto:strate...@fuhell.com]
 Sent: Monday, December 06, 2010 2:15 PM
 To: nanog@nanog.org
 Subject: ipfix/netflow/sflow generator for Linux
 
 At my current place of work, we use all Linux routers. I need to do some IP
 accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer
 can use netstream, jstream, ipfix, netflow, and sflow data without qualms.
 My only issue is that I can't seem to find any good software for Linux that
 works with multiple interfaces to generate the flow information. I've tried
 ndsad, nprobe, softflowd, host sflow, and ipcad without much luck.
 Most of the software only works on one interface (which is useless as
 I need to do accounting for numerous interfaces).

 I've had the best luck with ipcad. The only thing that seems to not work with
 it is that it doesn't correctly give the interface number in the flow
 information. It refers to all interfaces as interface 65535. I've tried the
 config option for ipcad to map an interface directly to an SNMP interface ID,
 but that option of the config file seems to be ignored.

 Ntop functionally does exactly what I need, but it's extremely buggy.
 It segfaults after a few minutes, regardless of Linux distro or Ntop version.
 So..any ideas on what I can do to get good flow information from our
 Linux routers?






RE: ipfix/netflow/sflow generator for Linux

2010-12-06 Thread Thomas York
Never heard of it. I'll give it a shot. Another project that uses argus also
looks interesting.. http://nautilus.oshean.org/wiki/Periscope

-Original Message-
From: Ken A [mailto:k...@pacific.net] 
Sent: Monday, December 06, 2010 4:04 PM
To: nanog@nanog.org
Subject: Re: ipfix/netflow/sflow generator for Linux

Have you considered argus?
It can deliver argus flows from multiple interfaces.
 From http://www.qosient.com/argus/ :

 Argus can be considered an implementation of the architecture 
 described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and 
 the project has actively contributed to the IPFIX effort, however, 
 Argus technology should be considered a superset of the IPFIX 
 architecture, providing proof of concept implementations for most 
 aspects of the IPFIX applicability statement. Argus technology can 
 read and process Cisco Netflow data, and many sites develop audits 
 using a mixture of Argus and Netflow records.

Ken


On 12/6/2010 2:44 PM, Thomas York wrote:
 fprobe doesn't work properly because it has the input and output 
 interface IDs as both 0. In Scrutinizer, this makes the flow look like 
 all the data came in the interface and immediately left via the same 
 interface. Also, this causes problems when running multiple instances 
 of fprobe.

 This seems to be the issue with most of the flow software I've tried.

 -Original Message- From: Samuel Petreski 
 [mailto:sp...@georgetown.edu] Sent: Monday, December 06, 2010 3:38 PM 
 To: 'Thomas York'; nanog@nanog.org Subject: RE:
 ipfix/netflow/sflow generator for Linux

 I've used fprobe with great success. You can run multiple instances of 
 fprobe for the different interfaces.

 --Samuel

 fprobe: a NetFlow probe - libpcap-based tool that collects network 
 traffic data and emit it as NetFlow flows towards the specified 
 collector.

 WWW: http://sourceforge.net/projects/fprobe

 -- Samuel Petreski Sr. Security Analyst Georgetown University

 -Original Message- From: Thomas York 
 [mailto:strate...@fuhell.com] Sent: Monday, December 06, 2010 2:15 PM 
 To: nanog@nanog.org Subject: ipfix/netflow/sflow generator for Linux

 At my current place of work, we use all Linux routers. I need to do some IP
 accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer
 can use netstream, jstream, ipfix, netflow, and sflow data without qualms.
 My only issue is that I can't seem to find any good software for Linux that
 works with multiple interfaces to generate the flow information. I've tried
 ndsad, nprobe, softflowd, host sflow, and ipcad without much luck.
 Most of the software only works on one interface (which is useless as
 I need to do accounting for numerous interfaces).

 I've had the best luck with ipcad. The only thing that seems to not work with
 it is that it doesn't correctly give the interface number in the flow
 information. It refers to all interfaces as interface 65535. I've tried the
 config option for ipcad to map an interface directly to an SNMP interface ID,
 but that option of the config file seems to be ignored.

 Ntop functionally does exactly what I need, but it's extremely buggy.
 It segfaults after a few minutes, regardless of Linux distro or Ntop version.
 So..any ideas on what I can do to get good flow information from our
 Linux routers?






--
Ken Anderson
Pacific Internet - http://www.pacific.net





RE: ipfix/netflow/sflow generator for Linux

2010-12-06 Thread Thomas York
It can, but then you are setting the input/output IDs statically. That would
work fine if your router only had 2 interfaces. We currently have routers
with a single (or few) WAN interfaces and multiple internal interfaces and
there isn't any way to statically categorize the data.

-Original Message-
From: Dobbins, Roland [mailto:rdobb...@arbor.net] 
Sent: Monday, December 06, 2010 4:20 PM
To: North American Network Operators Group
Subject: Re: ipfix/netflow/sflow generator for Linux


On Dec 7, 2010, at 3:44 AM, Thomas York wrote:

 fprobe doesn't work properly because it has the input and output interface
 IDs as both 0.


IIRC, this can be altered via a config change.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

   Sell your computer and buy a guitar.