[CentOS] netflow collection and analysis
Ray Van Dolson
rayvd at bludgeon.org
Sun Dec 6 22:53:42 UTC 2009
On Sun, Dec 06, 2009 at 11:48:45PM +0100, Timo Schoeler wrote:
> thus Alan McKay spake:
> > On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale
> > <JCasale at activenetwerx.com> wrote:
> >> Anyone got a reco on a package that can collect netflow data and accept user defined queries
> >> for specific data, like what an ip did every hour for some said interval?
> >
> > well, collecting is pretty easy of course - tcpdump.
> > And you can load the files into wireshark to query.
> >
> > Though it is probably not just what you want.
> >
> > In my old job I set up a sniffer appliance which basically ran
> > tcpdump on any interface except the main interface, and logged it all
> > in circular log files of a certain size. And the directory where
> > these were kept were served out via the web server so that anyone
> > could surf to the box and grab log files to look at.
> >
> > You may also want to have a look at what ntop can do these days - it
> > has been a few years since I've looked at it.
> >
> > But of course this all assumes the traffic is visible to your CentOS
> > box. For my sniffer appliance the way to deploy it was that all the
> > other NICs except the main one got plugged into a mirror port on the
> > switch, which mirrored the particular PC we wanted to sniff. In our
> > case this was fine because we only monitored our product which was a
> > VOIP appliance we were developing.
> >
> > Alternately, running this on your router will pick up most of what you
> > want - but obviously not local LAN traffic
>
> Well, netflow is the appropriate technology for this:
>
> http://en.wikipedia.org/wiki/Netflow
>
> Unfortunately, I don't know a solution for the thread starter's question
> out of my head, so this was just for clarifying what we're talking
> about... ;)
>
> Timo
OP wants nfdump[1]. Great tool. The web front-end is called nfsen and is
a separate package.
Ray
[1] http://nfdump.sourceforge.net/
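Added example, not from this thread and not nfdump's own code: a minimal collector-side NetFlow v5 parser that answers the shape of the original question (bytes sent by one IP per hour over an interval). The exporter datagrams are constructed inline rather than captured, and the parser refuses records the payload does not actually contain.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Parse one NetFlow v5 UDP payload into (export_unix_secs, [flow dicts])."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, unix_secs, _ns, _seq, _et, _eid, _samp = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    # Trust the bytes actually received, never the advertised record count alone.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header claims %d records, payload is truncated" % count)
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(struct.pack("!I", f[0])),
                      "dst": socket.inet_ntoa(struct.pack("!I", f[1])),
                      "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return unix_secs, flows

def hourly_bytes(datagrams, ip):
    """Bytes sent by `ip` per hour, keyed by the hour's start in unix seconds."""
    buckets = defaultdict(int)
    for dg in datagrams:
        unix_secs, flows = parse_v5(dg)
        hour = unix_secs - unix_secs % 3600
        for f in flows:
            if f["src"] == ip:
                buckets[hour] += f["bytes"]
    return dict(buckets)

def build_v5(unix_secs, flows):
    """Constructed exporter datagram for testing; flows = (src, dst, pkts, bytes, sport, dport, proto)."""
    ip2int = lambda a: struct.unpack("!I", socket.inet_aton(a))[0]
    hdr = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    recs = [V5_RECORD.pack(ip2int(s), ip2int(d), 0, 0, 0, p, b, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
            for s, d, p, b, sp, dp, pr in flows]
    return hdr + b"".join(recs)

# Constructed sample: two exports an hour apart, host 10.0.0.5 talking to a web and a DNS server.
SAMPLE = [build_v5(36100, [("10.0.0.5", "192.0.2.10", 40, 5000, 50001, 80, 6),
                           ("192.0.2.10", "10.0.0.5", 30, 20000, 80, 50001, 6)]),
          build_v5(39605, [("10.0.0.5", "192.0.2.53", 2, 150, 50002, 53, 17)])]
```

Pointing a UDP socket at the exporter and feeding each received payload to `parse_v5` gives the raw material that nfdump stores and queries for you.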