Here is a summary of the answers I got. Again, thanks for your help.

mail from Joe
>-Try fprobe, open source: http://sourceforge.net/projects/fprobe

reply from Samuel
>-nProbe by ntop.org is a pretty robust tool for generating v5/v9 flows and
>fairly inexpensive. http://www.ntop.org/nProbe.html

mail from Roland
>-Lancope offer a productized version of this, I believe Endace too.

I talked to Lancope, they might provide me in 1 or 2 years with a 10G interface.

mail from Frank
>I just had an extended briefing with a company called Xangati. Very
>interesting stuff, but they didn't talk about ways to obtain netflows if
>your router isn't able to natively generate them.

answer from Adam
>I can attest to this. nProbe is your best bet for a "virtual NetFlow
>exporter". It performs well and has tons of export formats and features. We
>use it extensively for QA and testing. You do, however, have to pay a bit
>for it whereas fprobe and others are free.

I talked to Peter Shaw [EMAIL PROTECTED], here is his answer
>Thanks for contacting us. Yes, our Probe can handle the traffic level you
>describe. Our typical, hardware-accelerated Probe has 2 Gigabit ports, and
>shows less than 10% CPU utilisation when generating NetFlow records at the
>full 2Gbps. We can readily build a Probe using 10Gig ports, and do not
>expect any performance challenge at the traffic level you describe.
>I have a couple of further questions/comments for you;
>1) what Collector system do you plan to send the NetFlow records to ? We
>can work with any NetFlow-aware collector, but we do find that many of them
>struggle to keep up with the high volume of records from our Probe. We are
>working on our own Collector/buffer system to reduce this problem, and
>expect this to be available in Q2'08.

I talked also to Luca Deri <[EMAIL PROTECTED]>, here is the answer
>the nPulse appliance is based on an old version of nProbe I have
>developed years ago. We offer nBox appliances (http://www.nmon.net/nBox.html)
>with a new accelerated nProbe version not available to anyone but
>us. Next month we plan to introduce a new model based on an accelerated
>card developed with a twin company, able to outperform existing
>solutions but with a lower price.
>for 10G at the moment we use the Endace platform (NinjaProbe) or
>Tilera (see http://www.tilera.com/pdf/ProductBrief_TILExpress_V1.pdf
>and search for nProbe) cards for wire rate. If you have a few Gbits, a
>software nBox can also be enough, but if you go above a hardware card
>is definitively needed.
>In late 2008 we should have our custom 10G card available but until
>then we rely on external hardware solutions.
>unless you want to buy the appliance from Endace and the software from
>me, I can currently offer an nbox with dual 10G capability featuring
>software packet capture acceleration for about 6K Euro. This model is
>suitable for monitoring 2-3 Gbit of traffic. As I have stated before,
>10G hardware capture acceleration still needs some time.

next mail from gert
>Has any of you done a reality-check before recommending these tools,
>whether one of them can actually *handle* a 10G-link?
>Sniffing 10G without losing packets is *hard*.
>Sniffing 10G and doing any sort of math with it is *very hard*.
>Any "sniff packets and do flow exports from there" application that
>aims to do better than the flow hardware on the PFC3 needs to be really,
>really, *really* good.

conclusion: It is not easy to find a device to capture a 10G interface and generate the netflow. When I have news, I will inform you.

Best
Stefan

--
Stefan Hegger
Internet System Engineer
Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33312 Gütersloh
Phone: Tel: +49 5241 8071 334
Fax: +49 5241 80671 334
Mobile: +49 170 1892720
Registered office: Gütersloh
District Court (Amtsgericht) Gütersloh, HRB 2157
Managing Director: Christoph Mohn
<http://www.lycos-europe.com/L/A/>