Thanks for the feedback folks. Pmacct looks interesting as a promiscuous NetFlow/IPFIX probe and may do the trick as it also supports 802.1q.
Cheers, -C > Diana Eichert <mailto:deich...@wrench.com> > March 3, 2014 at 5:53 AM > On Sun, 2 Mar 2014, Hrvoje Popovski wrote: > SNIP > > my US$.02 from collecting flow data for years. > > nfdump does not have native support for sflow, it takes the sampled > sflow data and do a best effort to convert to netflow. We have > seen discrepancies between data collected via sfcapd vs data collected > by Inmon Traffic Sentinel. The folks at Inmon wrote the sflow RFC so > I'm pretty sure their tool represents the actual data correctly. > > g.day > > diana > > Hrvoje Popovski <mailto:hrv...@srce.hr> > March 2, 2014 at 12:15 PM > > Or you could export sflow (i know it's not ipfix) from switch directly > to nfdump. > > Hrvoje Popovski <mailto:hrv...@srce.hr> > March 2, 2014 at 12:04 PM > > Hi, > > maybe you could try http://www.pmacct.net/ > > Chris Jones <mailto:jo...@chrisdavid.ca> > March 2, 2014 at 9:58 AM > Good morning folks, > > I'm looking for advice on a freely available IPFIX probe/sensor for flow > export of our company's corporate firewall (Juniper SRX) traffic. An > unfortunate limitation of these firewalls is that J-Flow (Juniper's > version of Netflow) is unsupported when operating in an HA firewall > cluster (which we have). I could replace the firewalls with a pair of > OpenBSD firewalls, and would prefer this, however I'm unable to at this > point for reasons I won't get into. > > I've setup port-mirroring on our Brocade ICX switch that monitors all > the SRX firewall interfaces and mirrors to an interface on an OpenBSD > 5.4 server I setup to act as sensor/collector. I'd like to be able > promiscuously capture the mirror port traffic and export in IPFIX format > to something like NfSen/NFDUMP. The sensor solution needs to support > 802.1q as we have several VLAN interfaces on the firewall so traffic > sampled from the mirror-port interface contains both tagged and untagged > traffic. > > I've tried using softflowd exporting to flowd but it doesn't seem to > support 802.1q or IPFIX (yet). Any other suggestions or advice is > greatly appreciated. > > Cheers, > -Chris
