Pp

------Original Message------
From: nate
Sender: centos-bounces at centos.org
To: CentOS Mailing list
ReplyTo: CentOS Mailing list
Sent: Feb 23, 2009 8:13 PM
Subject: Re: [CentOS] cisco netflow analyzer?

Robinson Tiemuqinke wrote:
> Anyone knows any Cisco netflow analyzer that could run on Linux/Windows? I
> know that cisco ASDM works at somewhat level but too rough...
>
> For example, Cisco ASDM can only shows at IP level and only three types
> graph, like top 10 source Address, top ten destination level, or top ten
> services. but I want the analyzer to show different traffics from the same
> box when in need.

ntop can read netflow events, the server runs in linux (maybe works in windows too), the client is browser-based so you can access it from almost anywhere..

netflow is somewhat restricted as far as what info you can get, I've only used sflow, a brief comparison of the protocols is at the bottom of this pdf:
http://www.sflow.org/sFlowOverview.pdf

ntop can read sflow as well, though last time I tried it it was unstable, I used sflowtrend instead.

nate

>> Anyone knows any Cisco netflow analyzer that could run on Linux/Windows? I
>> know that cisco ASDM works at somewhat level but too rough...
>>
>> For example, Cisco ASDM can only shows at IP level and only three types
>> graph, like top 10 source Address, top ten destination level, or top ten
>> services. but I want the analyzer to show different traffics from the same
>> box when in need.

i've been pretty impressed with nfsen. took a little bit of fiddling to
figure out, but lets me drill down into things pretty well.

On Mon, Feb 23, 2009 at 07:29:11PM -0800, Joe Pruett wrote:
> >> Anyone knows any Cisco netflow analyzer that could run on Linux/Windows? I
> >> know that cisco ASDM works at somewhat level but too rough...
> >>
> >> For example, Cisco ASDM can only shows at IP level and only three types
> >> graph, like top 10 source Address, top ten destination level, or top ten
> >> services. but I want the analyzer to show different traffics from the same
> >> box when in need.
>
> i've been pretty impressed with nfsen. took a little bit of fiddling to
> figure out, but lets me drill down into things pretty well.

Seconded. nfsen is awesome. Bit of a learning curve, but extremely powerful once you get the hang of it!

You can also use iptables and the ULOG target to generate "flow" information from your Linux boxes and send the output to nfsen/nfcapd as well!

Ray

> >
> > i've been pretty impressed with nfsen. took a little bit of fiddling to
> > figure out, but lets me drill down into things pretty well.
>
> Seconded. nfsen is awesome. Bit of a learning curve, but extremely
> powerful once you get the hang of it!
>
> You can also use iptables and the ULOG target to generate "flow"
> information from your Linux boxes and send the output to nfsen/nfcapd
> as well!
>
> Ray

I'm not trying to hijack this thread but do you find any significant overhead involved with using the ULOG target or packet loss in your statistics? Would you have a ULOG target very early on in your FORWARD filter to log all packets? Do those packets go to a ulogd instance and then to disk (rrd to limit disk usage) for nfsen to use? I'm concerned with losing packets in my current ntop configuration (not using pf_ring) and am looking at less obtrusive alternatives like gulp or ulog to first get ALL of the packets and with as little overhead as possible move that data to a location where analysis can happen using ntop or nfsen.

Thanks.