Anyone got a reco on a package that can collect netflow data and accept user-defined queries for specific data, like what an IP did every hour for some said interval?
Thanks! jlc
On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale JCasale@activenetwerx.com wrote:
> Anyone got a reco on a package that can collect netflow data and accept user-defined queries for specific data, like what an IP did every hour for some said interval?
Well, collecting is pretty easy of course - tcpdump. And you can load the files into Wireshark to query.
Though it is probably not just what you want.
In my old job I set up a sniffer appliance which basically ran tcpdump on any interface except the main interface, and logged it all in circular log files of a certain size. And the directory where these were kept was served out via the web server so that anyone could surf to the box and grab log files to look at.
You may also want to have a look at what ntop can do these days - it has been a few years since I've looked at it.
But of course this all assumes the traffic is visible to your CentOS box. For my sniffer appliance the way to deploy it was that all the other NICs except the main one got plugged into a mirror port on the switch, which mirrored the particular PC we wanted to sniff. In our case this was fine because we only monitored our product, which was a VoIP appliance we were developing.
Alternately, running this on your router will pick up most of what you want - but obviously not local LAN traffic.
thus Alan McKay spake:
> [...]
Well, netflow is the appropriate technology for this:
http://en.wikipedia.org/wiki/Netflow
Unfortunately, I don't know a solution for the thread starters question out of my head, so this was just for clarifying what we're talking about... ;)
Timo
> Well, netflow is the appropriate technology for this:
Oh hey, look at that - I had no idea that was a specific thing :-)
I've seen something like that before - not Netflow obviously - but I've seen it. Now I'll just have to remember where :-)
> I've seen something like that before - not Netflow obviously - but I've seen it. Now I'll just have to remember where :-)
Oh, it was the other day when I was looking at Tobi Oetiker's website. An ad on his site for this guy:
http://community.zenoss.org/index.jspa
I have been meaning to download and try it out. When I took a quick look at features the other day I think it does this sort of thing.
thus Alan McKay spake:
> Well, netflow is the appropriate technology for this:
> Oh hey, look at that - I had no idea that was a specific thing :-)
> I've seen something like that before - not Netflow obviously - but I've seen it. Now I'll just have to remember where :-)
Well, Netflow is usually used at ISPs, and in bigger networks. We have Netflow running here to do accounting for our colocation customers. The main use of it, alas, not the only one...
Regards,
Timo
On Sun, Dec 06, 2009 at 11:48:45PM +0100, Timo Schoeler wrote:
> [...]
> Well, netflow is the appropriate technology for this:
> http://en.wikipedia.org/wiki/Netflow
> Unfortunately, I don't know a solution for the thread starter's question out of my head, so this was just for clarifying what we're talking about... ;)
OP wants nfdump[1]. Great tool. The web front-end is called nfsen and is a separate package.
Ray
> OP wants nfdump[1]. Great tool. The web front-end is called nfsen and is a separate package.
Yea, that looks nice, wow...
In the meantime while I was waiting for feedback I saw that cacti has a netflow plugin. Given my owner dumped this on me short notice before we shut down for holidays (while I have other stuff to cram in before our closure) I am hoping the cacti solution will be quick. If it doesn't provide what I need, I'll look into this, which I am sure after a quick read does what I want.
I need to provide records for certain users (known to be associated by IP) on a firewall over time.
Thanks! jlc
On Sun, Dec 6, 2009 at 5:53 PM, Ray Van Dolson rayvd@bludgeon.org wrote:
> OP wants nfdump[1]. Great tool. The web front-end is called nfsen and is a separate package.
> Ray
Needs, but maybe not "wants." :-P
I used to be in love with ntop, but it has shown to be very unstable in the last few years (memory leaks, crashing, etc. for the version in fedora-epel as well as latest stable and latest svn checkout). Ntop is what you want (at least close to what you want the interface to look like), but I have yet to find any good netflow analyser that blows my skirt up after having sampled ntop (stability issues), SolarWinds Realtime NetFlow Analyzer (unknown reliability, plus only meant for live troubleshooting, not trending), SolarWinds Orion NetFlow module (too cumbersome to navigate to find simple answers like "what was on the wire during a certain time frame"), and the Cisco Network Analysis Module for the 6500 (maybe the best I've seen, even if its interface is ugly as hell). If anyone has had a good experience with something user-friendly on the reporting side at least, I'd be thrilled to hear about it.
nfdump/nfsen does look like it could hold some value, but I haven't evaluated it yet.
> I used to be in love with ntop, but it has shown to be very unstable in the last few years (memory leaks, crashing, etc. for version in fedora-epel as
And here I thought it was just my PC. I finally converted my home PC to Linux last week (cough, cough Ubuntu cough) and one of the first things I did was install ntop. As soon as I started it, my PC hung solid.
On Sun, Dec 06, 2009 at 06:23:01PM -0500, Jake wrote:
> [...]
> nfdump/nfsen does look like it could hold some value, but I haven't evaluated it yet.
Both definitely fill their niche (actually I believe ntop can handle netflow data), but nfdump is much more appropriate (IMO) for colo/billing type situations.
Just saves data to simple files which can be parsed and easily imported into a DB. No need for a heavy-weight full-on packet capture system.
Ray
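Added example, not from the thread and not nfdump's own code: a short Python script that turns a NetFlow CSV export into the per-IP, per-hour record the original question asks for. The column names (ts, sa, da, ibyt) and the timestamp format are assumed to follow nfdump's -o csv output; the sample rows are constructed.

```python
# Added example (not from the list thread): hourly per-IP summary built from
# a NetFlow CSV export, i.e. the "what an IP did every hour" query asked
# about above. Column names (ts, sa, da, ibyt) and timestamp format follow
# nfdump's -o csv output as an assumption; adjust them to your export.
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: three flows touching 192.0.2.10 across two
# hours, plus one unrelated flow that must be ignored.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2009-12-06 09:05:12.000,2009-12-06 09:05:13.000,1.0,192.0.2.10,198.51.100.5,51234,443,TCP,.AP.SF,0,0,12,4800
2009-12-06 09:40:00.000,2009-12-06 09:40:02.000,2.0,198.51.100.7,192.0.2.10,80,51300,TCP,.AP.SF,0,0,30,21000
2009-12-06 10:15:30.000,2009-12-06 10:15:30.000,0.0,192.0.2.10,198.51.100.9,40000,53,UDP,......,0,0,1,74
2009-12-06 10:20:00.000,2009-12-06 10:20:01.000,1.0,192.0.2.99,198.51.100.9,40001,53,UDP,......,0,0,1,70
"""

def parse_ts(text):
    # The export carries fractional seconds; drop them before parsing.
    return datetime.strptime(text.split(".")[0], "%Y-%m-%d %H:%M:%S")

def hourly_summary(csv_text, ip, start, end):
    """Return {hour_start: (flow_count, byte_count)} for flows where ``ip``
    is source or destination and the flow start lies in [start, end)."""
    buckets = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        if ip not in (row["sa"], row["da"]):
            continue
        ts = parse_ts(row["ts"])
        if not start <= ts < end:
            continue
        hour = ts.replace(minute=0, second=0)
        buckets[hour][0] += 1
        buckets[hour][1] += int(row["ibyt"])
    return {h: tuple(v) for h, v in sorted(buckets.items())}

def demo_summary():
    # One day's window over the constructed sample for 192.0.2.10.
    return hourly_summary(SAMPLE_CSV, "192.0.2.10",
                          datetime(2009, 12, 6), datetime(2009, 12, 7))

if __name__ == "__main__":
    for hour, (flows, nbytes) in demo_summary().items():
        print(f"{hour:%Y-%m-%d %H:00}  flows={flows:4d}  bytes={nbytes:10d}")
```

Pointing it at a real export means swapping SAMPLE_CSV for the file contents and the window for the billing interval; the same per-hour dictionary can then be written straight into a database table.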