thus Alan McKay spake:
> On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale
> <JCasale at activenetwerx.com> wrote:
>> Anyone got a reco on a package that can collect netflow data and accept user defined queries
>> for specific data, like what an ip did every hour for some said interval?
>
> well, collecting is pretty easy of course - tcpdump.
> And you can load the files into wireshark to query.
>
> Though it is probably not just what you want.
>
> In my old job I set up a sniffer appliance which basically ran
> tcpdump on any interface except the main interface, and logged it all
> in circular log files of a certain size. And the directory where
> these were kept was served out via the web server so that anyone
> could surf to the box and grab log files to look at.
>
> You may also want to have a look at what ntop can do these days - it
> has been a few years since I've looked at it.
>
> But of course this all assumes the traffic is visible to your CentOS
> box. For my sniffer appliance the way to deploy it was that all the
> other NICs except the main one got plugged into a mirror port on the
> switch, which mirrored the particular PC we wanted to sniff. In our
> case this was fine because we only monitored our product which was a
> VOIP appliance we were developing.
>
> Alternately, running this on your router will pick up most of what you
> want - but obviously not local LAN traffic

Well, netflow is the appropriate technology for this:

http://en.wikipedia.org/wiki/Netflow

Unfortunately, I don't know a solution for the thread starter's question off the top of my head, so this was just for clarifying what we're talking about... ;)

Timo
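The kind of query the thread starter asks for, "what an IP did every hour for some interval", run over NetFlow-style records, as an added example that is not from anyone in this thread; the flow records, their CSV field layout and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed NetFlow-style records (not from the thread). Fields:
# flow start (UTC), src IP, dst IP, dst port, protocol, bytes.
SAMPLE_FLOWS = """\
2009-12-06 14:05:12,192.168.1.20,10.0.0.5,443,tcp,12000
2009-12-06 14:40:01,192.168.1.20,10.0.0.9,53,udp,300
2009-12-06 15:02:45,192.168.1.20,203.0.113.7,80,tcp,88000
2009-12-06 15:10:00,192.168.1.31,10.0.0.5,443,tcp,5000
2009-12-06 16:20:30,203.0.113.7,192.168.1.20,22,tcp,44000
2009-12-06 18:55:59,192.168.1.20,10.0.0.9,53,udp,250
"""

def parse_flows(text):
    """Parse the CSV records above into dicts with a timezone-aware start time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes = line.split(",")
        start = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        flows.append({"start": start, "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows

def hourly_activity(flows, ip, begin, end):
    """What `ip` did, hour by hour, within [begin, end): flows seen in either
    direction, total bytes, and the set of (peer, dst port, proto) it talked to."""
    buckets = defaultdict(lambda: {"flows": 0, "bytes": 0, "peers": set()})
    for f in flows:
        if ip not in (f["src"], f["dst"]) or not (begin <= f["start"] < end):
            continue
        hour = f["start"].replace(minute=0, second=0, microsecond=0)
        peer = f["dst"] if f["src"] == ip else f["src"]
        b = buckets[hour]
        b["flows"] += 1
        b["bytes"] += f["bytes"]
        b["peers"].add((peer, f["port"], f["proto"]))
    return dict(sorted(buckets.items()))

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    begin = datetime(2009, 12, 6, 14, tzinfo=timezone.utc)
    end = datetime(2009, 12, 6, 17, tzinfo=timezone.utc)
    for hour, b in hourly_activity(flows, "192.168.1.20", begin, end).items():
        print(hour.strftime("%H:00"), b["flows"], "flows", b["bytes"], "bytes", sorted(b["peers"]))
```

Hours in which the host was silent simply produce no bucket, which is itself useful when comparing a host against its usual baseline.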