Never heard of it. I'll give it a shot. Another project that uses argus also looks interesting.. http://nautilus.oshean.org/wiki/Periscope

-----Original Message-----
From: Ken A [mailto:k...@pacific.net]
Sent: Monday, December 06, 2010 4:04 PM
To: nanog@nanog.org
Subject: Re: ipfix/netflow/sflow generator for Linux

Have you considered argus? It can deliver "argus flows" from multiple interfaces.

From http://www.qosient.com/argus/ :
> Argus can be considered an implementation of the architecture
> described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and
> the project has actively contributed to the IPFIX effort, however,
> Argus technology should be considered a superset of the IPFIX
> architecture, providing "proof of concept" implementations for most
> aspects of the IPFIX applicability statement. Argus technology can
> read and process Cisco Netflow data, and many sites develop audits
> using a mixture of Argus and Netflow records.

Ken

On 12/6/2010 2:44 PM, Thomas York wrote:
> fprobe doesn't work properly because it has the input and output
> interface IDs as both 0. In Scrutinizer, this makes the flow look like
> all the data came in the interface and immediately left via the same
> interface. Also, this causes problems when running multiple instances
> of fprobe.
>
> This seems to be the issue with most of the flow software I've tried.
>
> -----Original Message-----
> From: Samuel Petreski [mailto:sp...@georgetown.edu]
> Sent: Monday, December 06, 2010 3:38 PM
> To: 'Thomas York'; nanog@nanog.org
> Subject: RE: ipfix/netflow/sflow generator for Linux
>
> I've used fprobe with great success. You can run multiple instances of
> fprobe for the different interfaces.
>
> --Samuel
>
> fprobe: a NetFlow probe - libpcap-based tool that collects network
> traffic data and emits it as NetFlow flows towards the specified
> collector.
>
> WWW: http://sourceforge.net/projects/fprobe
>
> --
> Samuel Petreski
> Sr. Security Analyst
> Georgetown University
>
>> -----Original Message-----
>> From: Thomas York [mailto:strate...@fuhell.com]
>> Sent: Monday, December 06, 2010 2:15 PM
>> To: nanog@nanog.org
>> Subject: ipfix/netflow/sflow generator for Linux
>>
>> At my current place of work, we use all Linux routers. I need to do
>> some IP accounting/reporting and am currently trying to use
>> Scrutinizer. Scrutinizer can use netstream, jstream, ipfix, netflow,
>> and sflow data without qualms. My only issue is that I can't seem to
>> find any good software for Linux that works with multiple interfaces
>> to generate the flow information. I've tried ndsad, nprobe,
>> softflowd, host sflow, and ipcad without much luck. Most of the
>> software only works on one interface (which is useless as I need to
>> do accounting for numerous interfaces).
>>
>> I've had the best luck with ipcad. The only thing that seems to not
>> work with it is that it doesn't correctly give the interface number
>> in the flow information. It refers to all interfaces as interface
>> 65535. I've tried the config option for ipcad to map an interface
>> directly to an SNMP interface ID, but that option of the config file
>> seems to be ignored.
>>
>> Ntop functionally does exactly what I need, but it's extremely buggy.
>> It segfaults after a few minutes, regardless of Linux distro or Ntop
>> version. So..any ideas on what I can do to get good flow information
>> from our Linux routers?

--
Ken Anderson
Pacific Internet - http://www.pacific.net
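
The interface-index symptoms reported in this thread (input and output IDs both 0 from fprobe, every interface shown as 65535 from ipcad) can be checked on the collector side before the records feed accounting or reporting. The following is an added example, not code from any poster in the thread: it assumes the exporter sends NetFlow version 5, which the thread does not state, and the function names and sample datagram are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 layout (assumed export format; the thread does not name a version).
HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte packet header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
SUSPECT_IFINDEX = {0, 65535}  # the two values reported in the thread


def audit_v5_datagram(data):
    """Return one finding per flow record whose interface indexes look unset."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(data)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("header record count exceeds datagram length")
    findings = []
    for i in range(count):
        rec = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        src, dst, in_if, out_if = rec[0], rec[1], rec[3], rec[4]
        reasons = []
        if in_if in SUSPECT_IFINDEX:
            reasons.append(f"input ifIndex {in_if}")
        if out_if in SUSPECT_IFINDEX:
            reasons.append(f"output ifIndex {out_if}")
        if reasons:
            findings.append((i, socket.inet_ntoa(src), socket.inet_ntoa(dst), reasons))
    return findings


def build_sample():
    """Constructed datagram: one sane record, one with 0/0, one with 65535/65535."""
    def rec(src, dst, in_if, out_if):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), in_if, out_if,
                           10, 840, 1000, 2000, 40000, 443,
                           0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    records = [rec("192.0.2.10", "198.51.100.5", 2, 3),
               rec("192.0.2.11", "198.51.100.6", 0, 0),
               rec("192.0.2.12", "198.51.100.7", 65535, 65535)]
    header = HEADER.pack(5, len(records), 123456, 1291669440, 0, 1, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    for idx, src, dst, reasons in audit_v5_datagram(build_sample()):
        print(f"record {idx}: {src} -> {dst}: {', '.join(reasons)}")
```

Fed from a UDP socket on the collector port, the same function shows which exporter instance is sending unusable interface indexes, so per-interface reports built on that data can be treated as unreliable until the probe is fixed.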