Elastiflow is pretty cool. https://www.elastiflow.com or the old open source version: https://github.com/robcowart/elastiflow You can pretty much do the same thing with Elastic’s filebeat (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html). Pmacct is also good for grabbing netflow http://www.pmacct.net and sending it somewhere (file, database, kafka, etc.) You can also grab BMP and streaming telemetry with it. If you’re looking for open source DDoS detection using netflow, check out https://github.com/pavel-odintsov/fastnetmon Shameless plug, check out my tool to look for spoofed UDP amplification request traffic coming into your network https://github.com/racompton/tattle-tale FYI, you can send netflow to multiple collectors with https://github.com/sleinen/samplicator
-Rich From: NANOG <nanog-bounces+rich.compton=charter....@nanog.org> on behalf of David Bass <davidbass...@gmail.com> Date: Tuesday, January 25, 2022 at 11:06 AM To: Christopher Morrow <morrowc.li...@gmail.com> Cc: NANOG list <nanog@nanog.org> Subject: [EXTERNAL] Re: Flow collection and analysis CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance. Most of these things, yes. Add: Troubleshooting/operational support Customer reporting On Tue, Jan 25, 2022 at 1:38 PM Christopher Morrow <morrowc.li...@gmail.com<mailto:morrowc.li...@gmail.com>> wrote: On Tue, Jan 25, 2022 at 10:53 AM David Bass <davidbass...@gmail.com<mailto:davidbass...@gmail.com>> wrote: Wondering what others in the small to medium sized networks out there are using these days for netflow data collection, and your opinion on the tool? a question not asked, and answer not provided here, is: "What are you actually trying to do with the netflow?" Answers of the form: "Dos detection and mitigation planning" "Discover peering options/opportunities" "billing customers" "traffic analysis for future network planning" "abuse monitoring/management/investigations" "pretty noc graphs" are helpful.. I'm sure other answers would as well.. but: "how do you collect?" is "with a collector" and isn't super helpful if the collector can't feed into the tooling / infrastructure / long-term goal you have. E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
