Neil Aggarwal wrote: > Are there any pitfalls with this approach? Performance is the biggest one. Port mirroring often involves the CPU, and is really not built for scaling. If your traffic levels are very low it may work fine. Port mirroring is often a low priority task so if the switch is busy it will drop packets on the mirror to try to ensure availability on the normal ports. If you have cisco gear they have NetFlow which is similar to sFlow but NetFlow is often a software service so has performance impact as well, depending on the precise equipment your using. > Would ntop be a good tool for it? Looks like ntop has nProbe which can collect data from a mirrored port, put it in a NetFlow packet and send it to ntop or another collector device. So it really depends on the scale your operating at, if it's only 1 server with say less than 1Gbit/s of throughput your probably OK. If it's more, sFlow is the only thing that can scale to very high data rates and still be cost effective as it's implemented in the hardware of the switches. The Extreme X350 for example is a very budget minded gigabit switch, not much layer 3, or stacking, online pricing puts it in the $2000 range for 48 GbE, and has hardware sFlow - http://www.extremenetworks.com/products/summit-x350.aspx Optional 10GbE (even 10GbaseT for 10GbE over CAT5/6/6a) as well. Can go to the high end which is roughly triple the price though offers quite a bit more features. nate