[AusNOG] Inline TAP to extract flow data?

Roland Dobbins rdobbins at arbor.net
Sun Aug 24 10:29:05 EST 2014


On Aug 24, 2014, at 7:19 AM, Andrew Yager <andrew at rwts.com.au> wrote:

> As an alternative, given what we do with flow collection and analysis, it could be much better/cost effective to put inline taps and sample off device.

The main drawback to this approach is that you lose the interface traceback information for traffic ingress/egress.

Taps are generally better than SPAN/port mirroring, as the replicated traffic doesn't count against the forwarding budget of network infrastructure devices.

fprobe and nprobe can generate flow telemetry from captured traffic.  You can build your own boxes to do this using decent NICs, and there are commercial solutions from companies like Endace.

----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön
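Added example, not part of the original message: a minimal sketch of what a tap-fed probe does, aggregating captured packets into flows and packing NetFlow v5 records, which shows why the input/output interface fields come out empty. The packet tuples and helper names are constructed for illustration; this is not fprobe or nprobe code.

```python
import socket
import struct
from collections import OrderedDict

# NetFlow v5 flow record layout (48 bytes, network byte order).
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed sample of packets seen on a tap:
# (ms timestamp, src, dst, sport, dport, proto, length, TCP flags)
PACKETS = [
    (1000, "192.0.2.10", "198.51.100.5", 51000, 443, 6, 60, 0x02),
    (1020, "192.0.2.10", "198.51.100.5", 51000, 443, 6, 1500, 0x18),
    (1030, "203.0.113.7", "198.51.100.5", 53, 33000, 17, 512, 0x00),
    (1050, "192.0.2.10", "198.51.100.5", 51000, 443, 6, 52, 0x11),
]

def aggregate(packets):
    """Group packets into unidirectional flows keyed on the 5-tuple."""
    flows = OrderedDict()
    for ts, src, dst, sport, dport, proto, length, flags in packets:
        key = (src, dst, sport, dport, proto)
        f = flows.setdefault(
            key, {"pkts": 0, "octets": 0, "first": ts, "last": ts, "flags": 0})
        f["pkts"] += 1
        f["octets"] += length
        f["last"] = max(f["last"], ts)
        f["flags"] |= flags  # cumulative OR of TCP flags, as v5 reports them
    return flows

def to_v5_records(flows, in_if=0, out_if=0):
    """Pack flows as v5 records. A probe behind a tap never sees the router's
    forwarding decision, so input/output ifIndex default to 0 here. The other
    routing-derived fields (next hop, AS, masks) are left 0 for simplicity."""
    records = []
    for (src, dst, sport, dport, proto), f in flows.items():
        records.append(V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst),
            socket.inet_aton("0.0.0.0"), in_if, out_if,
            f["pkts"], f["octets"], f["first"], f["last"],
            sport, dport, 0, f["flags"], proto, 0, 0, 0, 0, 0, 0))
    return records

def interfaces(record):
    """Return (input ifIndex, output ifIndex) from a packed v5 record."""
    fields = V5_RECORD.unpack(record)
    return fields[3], fields[4]

if __name__ == "__main__":
    for rec in to_v5_records(aggregate(PACKETS)):
        print(len(rec), "bytes, ifIndex in/out:", interfaces(rec))
```

A router exporting the same flow would fill those two fields with the SNMP ifIndex values of the ingress and egress ports, which is the traceback information a collector uses to tell where traffic entered and left the network.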


