Re: Open source Netflow analysis for monitoring AS-to-AS traffic

2024-03-29 Thread Peter Phaal
The sFlow frame_length field isn't intended to be vague. If you are seeing non-conforming sFlow implementations, please raise the issue with the vendor so they can fix the issue. Verifying that the frame_length and stripped fields are correctly implemented is one of the tests performed by the sFlo

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

2024-03-28 Thread Peter Phaal
-cisco8k/m-sflow-commands.html I couldn't find a similar option in the NetFlow/IPFIX configuration guide, but I might have missed it. On Thu, Mar 28, 2024 at 10:48 AM Saku Ytti wrote: > Hey, > > On Thu, 28 Mar 2024 at 17:49, Peter Phaal wrote: > > > sFlow was mentioned

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

2024-03-28 Thread Peter Phaal
eam enrichment does add a level of operational complexity. On Wed, Mar 27, 2024 at 11:03 PM Saku Ytti wrote: > On Wed, 27 Mar 2024 at 21:02, Peter Phaal wrote: > > > Brian, you may want to see if your routers support sFlow (vendors have > added the feature over the last few years).

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

2024-03-27 Thread Peter Phaal
Brian, you may want to see if your routers support sFlow (vendors have added the feature over the last few years). In particular, see if it includes support for the sFlow extended_gateway structure: /* Extended Gateway Data */ /* opaque = flow_data; enterprise = 0; format = 1003 */ struct extend

Re: Flow Tools AS-Path

2023-04-04 Thread Peter Phaal
Export of destination AS-Path is supported in the sFlow extended_gateway structure. /* Extended Gateway Data */ /* opaque = flow_data; enterprise = 0; format = 1003 */ struct extended_gateway { next_hop nexthop; /* Address of the border router that should

Re: SDN Internet Router (sir)

2023-01-03 Thread Peter Phaal
https://github.com/sflow-rt/active-routes Inspired by SIR, but uses Bird multi-table capability to separate RIB/FIB routes. On Tue, Jan 3, 2023 at 7:47 AM Mike Hammett wrote: > https://github.com/dbarrosop/sir > > I came across this over the weekend. Given that the project was abandoned > six y

Re: Sflow/netflow/ipfix open source security projects

2022-08-10 Thread Peter Phaal
Sounds like an interesting project. You might want to take a look at sflowtool to get started. The following article shows how to use sflowtool to decode sFlow datagrams and includes a simple Python script matching IP addresses against a known threat database. https://blog.sflow.com/2018/12/sflow-

Re: Free-ish Linux Netflow collector/analyser options

2022-05-17 Thread Peter Phaal
Juniper added sFlow support to MX routers in Junos 18.1R1, https://blog.sflow.com/2018/04/sflow-available-on-juniper-mx-series.html You might want to consider deploying sFlow instead of IPFIX, particularly if you are interested in DDoS mitigation where low latency and visibility into packet header

Re: sflow -> aggregated aspath visualization?

2020-03-16 Thread Peter Phaal
You could use Prometheus / Grafana to build the dashboards. The following example is a starting point (top ASNs / Countries by traffic volume): https://grafana.com/grafana/dashboards/11146 The example could be modified to make the router / interface selectable, or cloned to create separate p

Re: Sflow billing or usage calculation software

2019-04-17 Thread Peter Phaal
On Tue, Apr 16, 2019 at 8:35 PM Deepak Jain wrote: > Now I know I'm pushing my luck... but do certain vendors more fully > embrace sFlow than others? maybe one of the whitebox vendors if not one > of the majors? > > Hacking support into something isn't the worse thing in the world, but > if there

Re: Sflow billing or usage calculation software

2019-04-13 Thread Peter Phaal
Tony, You might find the following article useful in identifying features to consider when evaluating sFlow analyzers: https://blog.sflow.com/2009/05/choosing-sflow-analyzer.html The following white paper discusses accuracy of packet sampling for usage accounting: https://inmon.com/pdf/sFlowBilli

Juniper releases sFlow support for MX routers

2018-04-06 Thread Peter Phaal
Hi All, I thought there might be interest in availability of sFlow in Junos OS Release 18.1R1 for MX routers: https://blog.sflow.com/2018/04/sflow-available-on-juniper-mx-series.html Peter

Re: Open Source Network Operating Systems

2018-01-20 Thread Peter Phaal
On Sat, Jan 20, 2018 at 11:26 AM, Colton Conor wrote: > > Thanks for the information. Do you have a recommendation of which > distribution of Linux to use for this? Is there one that is more network > centric than another? > Cumulus Linux, OpenSwitch, and Open Network Linux are all Debian based s

Re: Open Source Network Operating Systems

2018-01-20 Thread Peter Phaal
On Sat, Jan 20, 2018 at 9:32 AM, Colton Conor wrote: > > My understanding is Free Range Routing is a package of software that runs > in linux, but not a full and true NOS right? > Why not consider Linux a NOS? Installing Free Range Routing adds control plane protocols: BGP, OSPF, ISIS, etc. > I

Re: tracking TCP session hop by hop

2017-11-29 Thread Peter Phaal
On Wed, Nov 29, 2017 at 9:06 AM, William Herrin wrote: > On Tue, Nov 28, 2017 at 3:48 PM, Yifeng Zhou > wrote: > > > Is there any way that we can track TCP session hop by hop? > > > > Say we have 10 ECMP between A and Z point, what's the easiest way to > track > > specific session is using which

Re: Netflow/sFlow generator for Linux with BGP support

2017-01-28 Thread Peter Phaal
Patrick, You might want to try pmacct: http://www.pmacct.net/ Peter On Sat, Jan 28, 2017 at 8:17 AM, Patrick Velder wrote: > Hi there > > I'm currently switching from MikroTik CCR 1009 to SuperMicro 5018D-FN8T as > small router. Now I'd love to integrate BGP infos into netflow/sflow, as > Mikr

Re: Barefoot "Tofino": 6.4 Tbps whitebox switch silicon?

2016-06-16 Thread Peter Phaal
On Thu, Jun 16, 2016 at 1:19 AM, Saku Ytti wrote: > On 16 June 2016 at 06:21, Eric Kuhnke wrote: >> Based on their investors, could have interesting results for much lower >> cost 100GbE whitebox switches. > > Why lower cost? The BOM isn't the expensive part, the code is the > expensive part. Onl

Re: Network Weathermap

2016-04-28 Thread Peter Phaal
Many drawing tools support SVG as a file export format. Exporting or converting the map to SVG format allows the map attributes (link colors, widths, etc) to be modulated using JavaScript embedded in the web page. As an example, the following SC15 weathermap was created by converting a PDF diagram

Re: collectd as alternative to RTG for high-resolution polling and long term storage?

2016-03-19 Thread Peter Phaal
On Wed, Mar 16, 2016 at 11:45 AM, Eric Kuhnke wrote: > Would anyone care to share their experience using collectd as an > alternative to rtg for high-resolution polling of interface traffic and > long term storage? > > I am investigating the various options for large data set size, lossless > long

Re: sFlow vs netFlow/IPFIX

2016-03-03 Thread Peter Phaal
On Thu, Mar 3, 2016 at 9:16 AM, Nick Hilliard wrote: > The beauty of sflow is that you can do anything in the collector, but > most people aren't going to do this because it means maintaining two > sets of data about your flow configuration: one set on the switch and > one set in your collector co

Re: sFlow vs netFlow/IPFIX

2016-03-03 Thread Peter Phaal
em vendor. On Thu, Mar 3, 2016 at 3:53 AM, Nick Hilliard wrote: > Peter Phaal wrote: >> I think "pathologically broken" somewhat overstates the case. >> Bidirectional sampling is allowed by the sFlow spec and other vendors >> have made that choice. Another vendor used

Re: sFlow vs netFlow/IPFIX

2016-03-02 Thread Peter Phaal
On Wed, Mar 2, 2016 at 2:45 PM, Nick Hilliard wrote: > Peter Phaal wrote: >> Monitoring ingress and egress in the switch is wasteful of resources. > > It's more than a waste of resources: it's pathologically broken and > Cisco decline to fix it, despite the fact t

Re: sFlow vs netFlow/IPFIX

2016-03-02 Thread Peter Phaal
On Wed, Mar 2, 2016 at 9:30 AM, Nick Hilliard wrote: > Peter Phaal wrote: >> The Nexus 3200 should work well with 100G flows - I believe it's >> based on the latest Broadcom Tomahawk ASIC. The older Trident II >> ASICs in the Nexus 9k are 40g parts > > does nx-o

Re: sFlow vs netFlow/IPFIX

2016-03-02 Thread Peter Phaal
> > On Mar 1, 2016, at 10:12 PM, Mark Tinka wrote: > > > >> On 2/Mar/16 08:04, Mark Tinka wrote: >> >> We were initially looking at at the Nexus 9000, but then moved to the >> 7700 because the Broadcom chip on the 7700 cannot do single flows larger >> than 40Gbps on the 100Gbps ports. > > Th

Re: sFlow vs netFlow/IPFIX

2016-03-01 Thread Peter Phaal
On Tue, Mar 1, 2016 at 6:13 AM, Mark Tinka wrote: > > > On 29/Feb/16 12:15, Nikolay Shopik wrote: > >> Cisco Nexus switches support sflow, since they are broadcom based. > > Not all of them, just the Nexus 9000, IIRC. > The situation in the Cisco Nexus line is confusing. In addition to the Nexus

Re: mrtg alternative

2016-02-27 Thread Peter Phaal
InfluxDB + Grafana are a modern alternative from the DevOps space: http://lkhill.com/using-influxdb-grafana-to-display-network-statistics/ On Fri, Feb 26, 2016 at 3:18 PM, Baldur Norddahl wrote: > Hi > > I am currently using MRTG and RRD to make traffic graphs. I am searching > for more modern a

Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Peter Phaal
the external server. Embedded instrumentation is simple to deploy and reduces operational complexity and cost when compared to add on probe solutions. Peter Phaal InMon Corp.

Re: Linux router traffic monitoring, how? netflow?

2014-11-14 Thread Peter Phaal
You might want to take a look at the Host sFlow SourceForge project: http://host-sflow.sourceforge.net/ The hsflowd agent used the sFlow protocol to export interface counters, host performance statistics and packet flows (collected using iptables ULOG). Peter On Thu, Nov 13, 2014 at 9:09 AM, Eli

Re: Filter NTP traffic by packet size?

2014-02-23 Thread Peter Phaal
What is the business model for the IX? Unauthorized filtering of incoming traffic risks collateral damage and outing exchange members seems problematic. The business model seems clearer when offering filtering as a service to downstream networks, the effects are narrowly scoped, and members have c

Re: Filter NTP traffic by packet size?

2014-02-22 Thread Peter Phaal
Brocade demonstrated how peering exchanges can selectively filter large NTP reflection flows using the sFlow monitoring and hybrid port OpenFlow capabilities of their MLXe switches at last week's Network Field Day event. http://blog.sflow.com/2014/02/nfd7-real-time-sdn-and-nfv-analytics_1986.html

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Peter Phaal
On Mon, Feb 3, 2014 at 2:58 PM, Christopher Morrow wrote: > wait, so the whole of the thread is about stopping participants in the > attack, and you're suggesting that removing/changing end-system > switch/routing gear and doing something more complex than: > deny udp any 123 any > deny udp an

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Peter Phaal
On Mon, Feb 3, 2014 at 12:38 PM, Christopher Morrow wrote: > On Mon, Feb 3, 2014 at 2:42 PM, Peter Phaal wrote: >> On Mon, Feb 3, 2014 at 10:16 AM, Christopher Morrow >> wrote: >>> On Mon, Feb 3, 2014 at 12:42 PM, Peter Phaal wrote: > >>> There's ce

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Peter Phaal
On Mon, Feb 3, 2014 at 10:16 AM, Christopher Morrow wrote: > On Mon, Feb 3, 2014 at 12:42 PM, Peter Phaal wrote: >> Why burn the village when only one house is the problem? I thought >> there might be some interest in hearing about work being done to use >> SDN to au

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Peter Phaal
Why burn the village when only one house is the problem? I thought there might be some interest in hearing about work being done to use SDN to automatically configure filtering in existing switches and routers to mitigate flood attacks. Real-time analytics based on measurements from switches/route

Re: ddos attacks

2013-12-18 Thread Peter Phaal
Dan, If you are using sFlow for your measurements, then you might want to take a look sFlow-RT for DDoS mitigation. The following case study describes how sFlow and null routing are being used to mitigate flood attacks: http://blog.sflow.com/2013/03/ddos.html The analytics engine will detect flo

Re: Looking for Netflow analysis package

2013-05-14 Thread Peter Phaal
You might want to take a look at pmacct, http://www.pmacct.net/. It includes an embedded version of Quagga, allowing BGP AS Path data to be efficiently joined with flow records. Peter On Tue, May 14, 2013 at 3:59 PM, Erik Sundberg wrote: > Does anyone know of a netflow collector that will do th

Re: SDN - Killer Apps

2013-02-25 Thread Peter Phaal
On Mon, Feb 25, 2013 at 2:10 AM, Saku Ytti wrote: > On (2013-02-25 13:53 +0530), Glen Kent wrote: > >> I understand that this is just some bit of what we can do with SDN. The >> amount of what all can be done is limitless. So, a question to all out >> there - Is my understanding of what can be ach

Re: Anyone know of a good InfiniBand vendor in the US?

2013-02-21 Thread Peter Phaal
I wanted to bring attention to the following draft proposal from Mellanox to export traffic information from InfiniBand switches: http://sflow.org/draft_sflow_infiniband.txt If you are an InfiniBand user, this is a great opportunity to think about the types of metrics that you would want from your

Re: switch 10G standalone TOR, core to DC

2013-02-19 Thread Peter Phaal
On Tue, Feb 19, 2013 at 8:21 PM, Bao Nguyen wrote: > Anyone have worked with the switching vendor Quanta for their 10ge switching > as > TOR? [1] Their spec looked interesting and they are quite cheap. > > > [1] > http://www.quantaqct.com/en/01_product/02_detail.php?mid=30&sid=114&id=116&qs=63 >

Re: switch 10G standalone TOR, core to DC

2013-01-29 Thread Peter Phaal
Peter, Network visibility wasn't mentioned as a requirement, but it is worth considering since the ToR switches are the best place to monitor server network I/O, tunneled traffic (VxLAN, GRE etc), storage (iSCSI, FCoE, HDFS etc). The Nexus 5548 switch does not include monitoring (i.e. no NetFlow/sFl

Re: Detection of Rogue Access Points

2012-10-14 Thread Peter Phaal
Do the layer 2 switches include sFlow instrumentation? http://sflow.org/products/network.php The following paper describes how IP TTL values can help identify unauthorized NAT devices. http://www.sflow.org/detectNAT/ Peter On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote: > Gentlemen, >

Re: Real world sflow vs netflow?

2012-09-24 Thread Peter Phaal
On Mon, Sep 24, 2012 at 11:19 AM, Joe Loiacono wrote: > OK, Well I guess I was thinking sFlow was primarily a switch oriented > technology versus on a layer-3 peering router. The sFlow technology is a good fit for any device that performs a packet forwarding function (including routers) and the s

Re: Real world sflow vs netflow?

2012-09-24 Thread Peter Phaal
On Mon, Sep 24, 2012 at 5:48 AM, Joe Loiacono wrote: > Peter Phaal wrote on 09/23/2012 12:23:57 PM: > > >> Exporting packet oriented measurements doesn't mean that you have to >> lose ingress/egress interface data. In the specific example being >> discussed (sF

Re: Real world sflow vs netflow?

2012-09-23 Thread Peter Phaal
On Sun, Sep 23, 2012 at 8:16 AM, Dobbins, Roland wrote: > > On Sep 23, 2012, at 7:55 PM, Danny McPherson wrote: > >> If the *flow generation process is not performed on the router (or otherwise >> conveyed by some metadata outside of "raw [sampled] packet headers") then >> you lose visibility to i

Re: Real world sflow vs netflow?

2012-09-22 Thread Peter Phaal
On Sat, Sep 22, 2012 at 4:41 PM, Dobbins, Roland wrote: > You have misinterpreted what I said. I was saying that flow telemetry of any > variety must be exported from edge devices, which in most cases are routers > (in some cases layer-3 switches), in response to your 'move it out of the > route

Re: Real world sflow vs netflow?

2012-09-22 Thread Peter Phaal
On Fri, Sep 21, 2012 at 10:02 PM, Dobbins, Roland wrote: > > On Sep 22, 2012, at 12:40 AM, Peter Phaal wrote: > >> However, moving the flow generation out of the router gives a lot of >> flexibility. > > Actually, moving it out of the router creates huge problems a

Re: Real world sflow vs netflow?

2012-09-21 Thread Peter Phaal
On Thu, Sep 20, 2012 at 11:21 AM, Mikael Abrahamsson wrote: > Most of the platforms I know of do sampled netflow at 1:100-1:1000 or so, > and then I don't really see the fundamental difference in doing the flow > analysis on the router itself (classic netflow) or doing the same but at the > sFlow

Re: Real world sflow vs netflow?

2012-09-20 Thread Peter Phaal
On Sat, Jul 14, 2012 at 1:30 AM, Łukasz Bromirski wrote: > sFlow is really sPacket, as it doesn't deal with flows. > > NetFlow, jFlow, IPFIX deal with flows. I am puzzled by the orthodoxy that seems to prevail around the value "flows" as a measure of network traffic in packet switched networks.

Re: Real world sflow vs netflow?

2012-07-17 Thread Peter Phaal
In the case of sFlow, the collector determines how to report bytes. The sFlow agent reports the size of the sampled layer 2 frame (along with the first 128 bytes of the frame) and the collector can choose whether to report L2 bytes, L3 bytes, L4 bytes etc. by subtracting the sizes of the headers. I

Re: Real world sflow vs netflow?

2012-07-13 Thread Peter Phaal
Hi David, The main architectural difference between sFlow and Netflow is the location of the flow cache: 1. NetFlow: Packets are decoded on the router, flow keys are extracted and used to lookup/create an entry in a flow cache which is then updated based on values in the packet. Records are expor

Re: Network Traffic Collection

2012-02-23 Thread Peter Phaal
On Thu, Feb 23, 2012 at 1:59 PM, Justin M. Streiner wrote: > On Thu, 23 Feb 2012, Maverick wrote: > >> I want to be able to see information like how much traffic an ip send >> over a period of time, what machines it talked to etc from this >> perspective it should be IP based but I would really li

Re: What sflow software - Manage Engine Net flow analyzer or Plixer Scrutinizer with Analyzer

2011-01-01 Thread Peter Phaal
sFlowTrend is free for up to five routers and should meet your requirement to quickly see top flows: http://inmon.com/products/sFlowTrend.php sFlowTrend is InMon's entry level product, if you need more features you might want to try sFlowTrend-Pro or Traffic Sentinel. When selecting an sFlow a

ipfix/netflow/sflow generator for Linux

2010-12-27 Thread Peter Phaal
The latest version of Host sFlow adds support for ULOG traffic monitoring (with ingress/egress ifIndex numbers): http://host-sflow.sourceforge.net/ Cheers, Peter > My only issue is that I can't seem to find any good software for Linux that > works with multiple interfaces to generate the flow in