On Sun, Dec 06, 2009 at 11:48:45PM +0100, Timo Schoeler wrote:
> thus Alan McKay spake:
> > On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale
> > <JCasale at activenetwerx.com> wrote:
> >> Anyone got a reco on a package that can collect netflow data and accept user-defined queries
> >> for specific data, like what an IP did every hour for some said interval?
> >
> > Well, collecting is pretty easy of course - tcpdump.
> > And you can load the files into Wireshark to query.
> >
> > Though it is probably not just what you want.
> >
> > In my old job I set up a sniffer appliance which basically ran
> > tcpdump on any interface except the main interface, and logged it all
> > in circular log files of a certain size. And the directory where
> > these were kept was served out via the web server so that anyone
> > could surf to the box and grab log files to look at.
> >
> > You may also want to have a look at what ntop can do these days - it
> > has been a few years since I've looked at it.
> >
> > But of course this all assumes the traffic is visible to your CentOS
> > box. For my sniffer appliance the way to deploy it was that all the
> > other NICs except the main one got plugged into a mirror port on the
> > switch, which mirrored the particular PC we wanted to sniff. In our
> > case this was fine because we only monitored our product which was a
> > VOIP appliance we were developing.
> >
> > Alternately, running this on your router will pick up most of what you
> > want - but obviously not local LAN traffic.
>
> Well, netflow is the appropriate technology for this:
>
> http://en.wikipedia.org/wiki/Netflow
>
> Unfortunately, I don't know a solution for the thread starter's question
> out of my head, so this was just for clarifying what we're talking
> about... ;)
>
> Timo

OP wants nfdump[1]. Great tool. The web front-end is called nfsen and is a separate package.

Ray

[1] http://nfdump.sourceforge.net/
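As an added illustration of the OP's question on top of nfdump (example code, not Ray's or the nfdump project's own): build the nfdump query for one address over an interval, then bucket the flows it returns by hour into bytes sent, bytes received and flow count. The CSV column names (ts, sa, da, ibyt) are an assumption about nfdump's `-o csv` output, and the flow records are constructed sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of `nfdump -o csv` output. The column names
# (ts, sa, da, ibyt) are an assumption about that format, not taken from the thread.
SAMPLE_CSV = """ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2009-12-06 09:12:01,2009-12-06 09:12:05,4.000,192.0.2.10,198.51.100.5,51234,80,TCP,.AP.SF,0,0,12,1500
2009-12-06 09:40:17,2009-12-06 09:40:20,3.000,198.51.100.5,192.0.2.10,80,51234,TCP,.AP.SF,0,0,30,42000
2009-12-06 10:05:44,2009-12-06 10:05:44,0.000,192.0.2.10,198.51.100.7,40000,53,UDP,......,0,0,1,70
2009-12-06 10:59:59,2009-12-06 11:00:02,3.000,203.0.113.9,192.0.2.11,22,22,TCP,.AP.SF,0,0,5,600
2009-12-06 11:30:00,2009-12-06 11:30:09,9.000,192.0.2.10,203.0.113.9,33000,443,TCP,.AP.SF,0,0,80,91000
"""


def nfdump_command(flow_dir, ip, start, end):
    """Argument vector for the nfdump run that produces CSV like SAMPLE_CSV.
    -R reads every capture file under flow_dir, -t bounds the interval
    (nfdump's YYYY/MM/DD.hh:mm:ss form) and the filter keeps flows where
    the address is source or destination."""
    return ["nfdump", "-R", flow_dir, "-o", "csv", "-t", f"{start}-{end}", f"ip {ip}"]


def hourly_activity(csv_text, ip):
    """Return {"YYYY-MM-DD HH:00": (bytes_sent, bytes_received, flows)} for ip.
    A flow is bucketed by its start time (ts); the summary lines nfdump appends
    after the flow records carry no address in 'sa' and are skipped."""
    buckets = defaultdict(lambda: [0, 0, 0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row.get("sa") or ip not in (row["sa"], row["da"]):
            continue
        start = datetime.strptime(row["ts"][:19], "%Y-%m-%d %H:%M:%S")
        bucket = buckets[start.strftime("%Y-%m-%d %H:00")]
        nbytes = int(row["ibyt"])
        if row["sa"] == ip:
            bucket[0] += nbytes       # traffic the address sent
        else:
            bucket[1] += nbytes       # traffic the address received
        bucket[2] += 1
    return {hour: tuple(v) for hour, v in sorted(buckets.items())}


if __name__ == "__main__":
    print(" ".join(nfdump_command("/var/nfdump/flows", "192.0.2.10",
                                  "2009/12/06.09:00:00", "2009/12/06.12:00:00")))
    for hour, (sent, received, flows) in hourly_activity(SAMPLE_CSV, "192.0.2.10").items():
        print(f"{hour}  sent={sent:>7}  received={received:>7}  flows={flows}")
```

Pipe the real nfdump output into `hourly_activity` instead of SAMPLE_CSV to get the per-hour view the OP asked for; the `/var/nfdump/flows` path is a placeholder.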