pmacct includes sfacctd, which is an sFlow collector. Accessible via the same methods as its nfacctd collector or pcap-based collector.
--
Tim

On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko <de...@visp.net.lb> wrote:
> On 2014-11-21 18:41, Peter Phaal wrote:
>>>>
>>>> Actually, sFlow from many vendors is pretty good (per your points about
>>>> flow burstiness and delays), and is good enough for dDoS detection. Not
>>>> for security forensics, or billing at 99.99% accuracy, but good enough
>>>> for traffic visibility, peering analytics, and (d)DoS detection.
>>>
>>>
>>> Well, if it is available, apart from hardware limitations, there is a
>>> second obstacle: software licensing cost. On the latest JunOS, for example
>>> on EX2200, you need to purchase a license (EFL), and if I am not wrong it
>>> is $3000 for 48-port units.
>>> So if only the sFlow feature is at stake, it is worth thinking about
>>> whether to purchase the license or to purchase a server.
>>
>>
>> Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):
>>
>>
>> http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf
>>
>> I am not aware of any vendor requiring an additional license to enable
>> sFlow.
>>
>> sFlow (packet sampling) works extremely well for the DDoS flood
>> detection / mitigation use case. The measurements are built into low
>> cost commodity switch hardware and can be enabled operationally
>> without adversely impacting switch performance. A flood attack
>> generates high packet rates and sampling a 10G port at 1-in-10,000
>> will reliably detect flood attacks within seconds.
>>
>> For most use cases, it is much less expensive to use switches to
>> perform measurement than to attach taps / mirror port probes. If your
>> switches don't already support sFlow, you can buy a 10G capable white
>> box switch for a few thousand dollars that will let you monitor 1.2
>> Terabits/sec. If you go with an open platform such as Cumulus Linux,
>> you could even run your DDoS mitigation software on the switch and
>> dispense with the external server. Embedded instrumentation is simple
>> to deploy and reduces operational complexity and cost when compared to
>> add-on probe solutions.
>>
>> Peter Phaal
>> InMon Corp.
>
> Wow, that's great news then. I'm using mostly Cisco gear now, but it seems I
> will have to take a look at Juniper, thanks for the information.
> If it is free, then if an EX2200 is available, it is much easier to run
> sFlow and write a custom collector for it than to install a custom probe
> (in most common cases).
>
> ---
> Best regards,
> Denys
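
The sampling arithmetic behind the flood-detection point quoted above, as an added example that is not part of the original thread and not code from pmacct or any sFlow agent: it scales 1-in-10,000 samples up to a per-destination packet rate and alerts only when the estimate is statistically solid. The window length, the threshold, the input tuple format and the sample data are assumptions; the error bound is the usual packet-sampling approximation (about 196·sqrt(1/c) percent at 95% confidence for c samples).

```python
import math
from collections import Counter, defaultdict

SAMPLING_RATE = 10_000   # 1-in-10,000 packet sampling, the figure from the thread
WINDOW_S = 1             # assumed detection window, seconds
THRESHOLD_PPS = 100_000  # assumed per-destination flood threshold

def detect_floods(samples, rate=SAMPLING_RATE, window_s=WINDOW_S,
                  threshold_pps=THRESHOLD_PPS):
    """samples: (timestamp_s, dst_ip) per sampled packet header.
    Returns [(window_start, dst_ip, estimated_pps, pct_error), ...]."""
    buckets = defaultdict(Counter)
    for ts, dst in samples:
        buckets[int(ts // window_s) * window_s][dst] += 1
    alerts = []
    for start in sorted(buckets):
        for dst, c in sorted(buckets[start].items()):
            est_pps = c * rate / window_s          # scale samples up to packets
            pct_err = 196 * math.sqrt(1 / c)       # 95% bound, sampling theory
            # Alert only when the low end of the estimate clears the threshold,
            # so a handful of samples cannot trigger a false positive.
            if est_pps * (1 - pct_err / 100) >= threshold_pps:
                alerts.append((start, dst, est_pps, round(pct_err, 1)))
    return alerts

def constructed_samples():
    """Constructed input: ~20 kpps background, ~1 Mpps flood from t=2 s."""
    out = []
    for sec in range(4):
        out += [(sec + i / 2, "198.51.100.5") for i in range(2)]
        if sec >= 2:
            out += [(sec + i / 100, "192.0.2.10") for i in range(100)]
    return out

if __name__ == "__main__":
    for alert in detect_floods(constructed_samples()):
        print(alert)
```

With the constructed data the flood is flagged in its first one-second window, while the background flow (two samples per second, error bound above 100%) never alerts.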