thus Alan McKay spake:
On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale JCasale@activenetwerx.com wrote:
Anyone got a reco on a package that can collect netflow data and accept user-defined queries for specific data, like what an IP did every hour for some said interval?
Well, collecting is pretty easy of course - tcpdump. And you can load the files into wireshark to query.
Though it is probably not just what you want.
In my old job I set up a sniffer appliance which basically ran tcpdump on any interface except the main interface, and logged it all in circular log files of a certain size. And the directory where these were kept was served out via the web server so that anyone could surf to the box and grab log files to look at.
You may also want to have a look at what ntop can do these days - it has been a few years since I've looked at it.
But of course this all assumes the traffic is visible to your CentOS box. For my sniffer appliance the way to deploy it was that all the other NICs except the main one got plugged into a mirror port on the switch, which mirrored the particular PC we wanted to sniff. In our case this was fine because we only monitored our product, which was a VoIP appliance we were developing.
Alternatively, running this on your router will pick up most of what you want - but obviously not local LAN traffic.
Well, netflow is the appropriate technology for this:
http://en.wikipedia.org/wiki/Netflow
Unfortunately, I don't know a solution for the thread starter's question off the top of my head, so this was just for clarifying what we're talking about... ;)
Timo
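As an added example (not written by any poster in this thread), here is the query side of the original question in Python: it decodes a NetFlow v5 export packet of the kind the Wikipedia link describes and totals what each source IP sent per hour. The packet bytes are constructed inside the script, and the hourly bucketing and the per-IP query function are my own assumptions about the report the thread starter wanted.

```python
"""Decode NetFlow v5 export packets and roll flows up per source IP per hour."""
import socket
import struct
from collections import defaultdict
from datetime import datetime, timezone

HDR = struct.Struct("!HHIIIIBBH")                  # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte v5 flow record

def parse_v5(packet):
    """Yield (start_ts, src_ip, dst_ip, proto, dst_port, octets) per flow record."""
    ver, count, uptime, secs, _nsecs, _seq, _etype, _eid, _sampling = HDR.unpack_from(packet, 0)
    if ver != 5:
        raise ValueError("not a NetFlow v5 packet")
    if len(packet) < HDR.size + count * REC.size:
        raise ValueError("truncated packet: header count exceeds payload")
    for i in range(count):
        r = REC.unpack_from(packet, HDR.size + i * REC.size)
        src, dst, octets, first, dport, proto = r[0], r[1], r[6], r[7], r[10], r[13]
        # First/Last are router uptime in ms; anchor the flow start to wall clock via the header
        start_ts = secs - (uptime - first) / 1000.0
        yield start_ts, socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, dport, octets

def hourly_by_ip(flows):
    """Map (src_ip, 'YYYY-MM-DD HH') -> total octets sent in that hour (UTC)."""
    totals = defaultdict(int)
    for start_ts, src, _dst, _proto, _dport, octets in flows:
        hour = datetime.fromtimestamp(start_ts, timezone.utc).strftime("%Y-%m-%d %H")
        totals[(src, hour)] += octets
    return dict(totals)

def activity_for_ip(totals, ip):
    """The thread starter's query: what did this IP do each hour? -> sorted [(hour, octets)]."""
    return sorted((hour, octs) for (src, hour), octs in totals.items() if src == ip)

def build_sample_packet():
    """Constructed v5 packet with three flows (sample data, not a real capture)."""
    secs, uptime = 1260110000, 3_600_000       # 2009-12-06 14:33:20 UTC, router up for 1h
    flows = [  # (src, dst, first_ms, last_ms, dst_port, proto, octets)
        ("10.0.0.5", "192.0.2.10", 3_599_000, 3_599_500, 443, 6, 1500),
        ("10.0.0.5", "192.0.2.11", 1_000_000, 1_001_000, 53, 17, 200),   # previous hour
        ("10.0.0.9", "192.0.2.10", 3_598_000, 3_599_000, 80, 6, 9000),
    ]
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2,
                 10, octs, first, last, 40000, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for s, d, first, last, dport, proto, octs in flows)
    return HDR.pack(5, len(flows), uptime, secs, 0, 1, 0, 0, 0) + body
```

The length check matters in practice: a collector that trusts the header's record count on a short datagram will read past the buffer or decode garbage, so reject such packets before aggregating.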