[CentOS] netflow collection and analysis

Sun Dec 6 22:44:06 UTC 2009
Alan McKay <alan.mckay at gmail.com>

On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale
<JCasale at activenetwerx.com> wrote:
> Anyone got a reco on a package that can collect netflow data and accept user defined queries
> for specific data, like what an ip did every hour for some said interval?

well, collecting is pretty easy of course - tcpdump.
And you can load the files into wireshark to query.

Though it is probably not just what you want.

In my old job I set up a sniffer appliance which basically ran
tcpdump on any interface except the main interface, and logged it all
in circular log files of a certain size.  And the directory where
these were kept was served out via the web server so that anyone
could surf to the box and grab log files to look at.

You may also want to have a look at what ntop can do these days - it
has been a few years since I've looked at it.

But of course this all assumes the traffic is visible to your CentOS
box.  For my sniffer appliance the way to deploy it was that all the
other NICs except the main one got plugged into a mirror port on the
switch, which mirrored the particular PC we wanted to sniff.  In our
case this was fine because we only monitored our product which was a
VOIP appliance we were developing.

Alternately, running this on your router will pick up most of what you
want - but obviously not local LAN traffic.


-- 
“Don't eat anything you've ever seen advertised on TV”
         - Michael Pollan, author of "In Defense of Food"
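
Added example for the original question (what an IP did every hour over
some interval), not code from Alan's reply or from any package mentioned in
the thread. tcpdump and ntop give you packets; a NetFlow exporter on the
router gives you flow records, and the query Joseph asked for is a small
aggregation over those records. The script below decodes NetFlow v5 export
datagrams (the fixed 24-byte header and 48-byte records of the published v5
format) and buckets one host's traffic per UTC hour. The flows, the addresses
(10.0.0.0/8 and 192.0.2.0/24 test space) and the export timestamp are
constructed, not captured; the datagram builder exists only so the parser can
be exercised offline.

```python
"""NetFlow v5 collector-side parser and per-IP hourly query (added example).

Standard library only.  Sample flows are constructed, not captured.
"""
import socket
import struct
from collections import defaultdict
from datetime import datetime, timezone

# NetFlow v5 export datagram: 24-byte header, then up to 30 48-byte records.
HEADER_FMT = ">HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq, engine_type, engine_id, sampling
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in_if, out_if, dPkts, dOctets, first, last, sport, dport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30


def parse_v5(datagram):
    """Decode one v5 datagram into flow dicts.

    A wrong version or a record count that does not match the bytes received
    is rejected outright, so a truncated or spoofed export never yields
    half-parsed records.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, sys_uptime, unix_secs, _nsecs, _seq, _etype, _eid, _sampling = \
        struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d does not match datagram length %d" % (count, len(datagram)))
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nh, _inp, _out, pkts, octets, first, _last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        # first/last are router uptime in ms; anchor them to the header's wall clock.
        start = unix_secs + (first - sys_uptime) / 1000.0
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto, "flags": flags,
            "packets": pkts, "octets": octets, "start": start,
        })
    return flows


def build_v5(unix_secs, sys_uptime, records):
    """Encode constructed flow records as a v5 datagram (only to test the parser offline)."""
    header = struct.pack(HEADER_FMT, 5, len(records), sys_uptime, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\0" * 4,
                    1, 2, r["packets"], r["octets"], r["first"], r["first"] + 1000,
                    r["sport"], r["dport"], 0, r.get("flags", 0), r["proto"], 0,
                    0, 0, 24, 24, 0)
        for r in records)
    return header + body


def hourly_activity(flows, ip):
    """What did `ip` do each hour: flows, packets, bytes and peers per UTC hour."""
    buckets = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0, "peers": set()})
    for f in flows:
        if f["src"] == ip:
            peer = f["dst"]
        elif f["dst"] == ip:
            peer = f["src"]
        else:
            continue  # flow does not involve the host being queried
        hour = datetime.fromtimestamp(f["start"], timezone.utc).strftime("%Y-%m-%d %H:00")
        b = buckets[hour]
        b["flows"] += 1
        b["packets"] += f["packets"]
        b["octets"] += f["octets"]
        b["peers"].add(peer)
    return dict(buckets)


# Constructed sample (assumption, not a real capture): a router up for one hour
# exports four flows at 2009-12-06 22:44:06 UTC, the time of this thread.
EXPORT_TIME = 1260139446
UPTIME_MS = 3_600_000
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "sport": 51234, "dport": 443, "proto": 6, "flags": 0x18, "packets": 10, "octets": 1500, "first": UPTIME_MS - 60_000},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "sport": 443, "dport": 51234, "proto": 6, "flags": 0x18, "packets": 8, "octets": 9000, "first": UPTIME_MS - 59_000},
    {"src": "10.0.0.5", "dst": "192.0.2.53", "sport": 40000, "dport": 53, "proto": 17, "packets": 1, "octets": 70, "first": UPTIME_MS - 3_000_000},
    {"src": "10.0.0.7", "dst": "192.0.2.10", "sport": 40001, "dport": 80, "proto": 6, "packets": 3, "octets": 300, "first": UPTIME_MS - 50_000},
]
SAMPLE_DATAGRAM = build_v5(EXPORT_TIME, UPTIME_MS, SAMPLE_RECORDS)


def sample_query(ip="10.0.0.5"):
    """Run the hourly query for one host over the constructed export."""
    return hourly_activity(parse_v5(SAMPLE_DATAGRAM), ip)


if __name__ == "__main__":
    for hour, b in sorted(sample_query().items()):
        print(hour, b["flows"], "flows", b["packets"], "pkts", b["octets"], "bytes", sorted(b["peers"]))
```

In a real deployment parse_v5 would be fed from a UDP socket bound to the
exporter's destination port, and the flows written to a store you can
query by address and time range; the length check matters there because
anyone who can reach that port can send you a datagram.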