Elastiflow is pretty cool: https://www.elastiflow.com or the old open source version: https://github.com/robcowart/elastiflow
You can pretty much do the same thing with Elastic's filebeat (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html).
Pmacct is also good for grabbing netflow (http://www.pmacct.net) and sending it somewhere (file, database, kafka, etc.). You can also grab BMP and streaming telemetry with it.
If you're looking for open source DDoS detection using netflow, check out https://github.com/pavel-odintsov/fastnetmon
Shameless plug: check out my tool to look for spoofed UDP amplification request traffic coming into your network: https://github.com/racompton/tattle-tale
FYI, you can send netflow to multiple collectors with https://github.com/sleinen/samplicator

-Rich

From: NANOG <nanog-bounces+rich.compton=charter....@nanog.org> on behalf of 
David Bass <davidbass...@gmail.com>
Date: Tuesday, January 25, 2022 at 11:06 AM
To: Christopher Morrow <morrowc.li...@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Subject: [EXTERNAL] Re: Flow collection and analysis

Most of these things, yes.

Add:
Troubleshooting/operational support
Customer reporting
On Tue, Jan 25, 2022 at 1:38 PM Christopher Morrow <morrowc.li...@gmail.com> wrote:


On Tue, Jan 25, 2022 at 10:53 AM David Bass <davidbass...@gmail.com> wrote:
Wondering what others in the small to medium sized networks out there are using 
these days for netflow data collection, and your opinion on the tool?

a question not asked, and answer not provided here, is:
  "What are you actually trying to do with the netflow?"

Answers of the form:
  "DoS detection and mitigation planning"
  "Discover peering options/opportunities"
  "billing customers"
  "traffic analysis for future network planning"
  "abuse monitoring/management/investigations"
  "pretty NOC graphs"

are helpful.. I'm sure other answers would as well.. but: "how do you collect?" 
is "with a collector" and isn't super helpful if the collector can't feed into 
the tooling / infrastructure / long-term goal you have.