[AusNOG] What tool shows this?

Seamus Ryan s.ryan at uber.com.au
Sun Feb 16 23:59:47 EST 2014


+1 to nfsen/nfdump.

This has been an extremely valuable, lightweight (that's the important part) tool to provide excellent analysis of what's going on where in our network (not specific to abnormalities, just traffic metadata in general).

We looked at a number of commercial products like NetFlow Analyzer and PRTG but the one thing they had in common was that they were sluggish and stupidly expensive even for a basic set of features. All I want to know is "what are the top 10/20/100 takers on our network at any given time" sorted by pps, bps, protocol, port, incoming or outgoing on whatever I feel like.

Roll in nfdump and a few minutes of bash scripting and you can pull out all the data you want from the dump files, at about 10x the speed of the commercial products we tested. The only "gotcha" is that it isn't particularly ideal for historical (i.e. months old) data; something like cacti is always preferred in that area. But if you have endless amounts of storage you could keep your flows forever.

NB: Not a network abnormality application, though it does have plugins for that and it isn't particularly hard to write some yourself.

- Seamus
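The "top N takers sorted by pps, bps, protocol, port, incoming or outgoing" query described above, as an added example that is not part of the original thread. It is a POSIX shell function over a constructed sample in the shape of nfdump's CSV export (`nfdump -R <dir> -t <window> -o csv`); the column layout, the 60-second window and the local prefix `10.0.0.` are assumptions, so the field names and prefix should be adjusted to match the real collector before use.

```shell
#!/bin/sh
# Constructed sample in the shape of `nfdump -o csv` output (column layout
# is an assumption; check the header line of your own nfdump version and
# rename the fields below if it differs). One record per flow:
#   sa/da = source/dest address, dp = dest port, pr = protocol,
#   ipkt/ibyt = input packets/bytes.
sample_flows() {
cat <<'EOF'
sa,da,sp,dp,pr,ipkt,ibyt
10.0.0.5,203.0.113.9,51000,443,TCP,2000,1500000
10.0.0.5,203.0.113.20,51001,80,TCP,500,600000
10.0.0.7,198.51.100.4,40001,53,UDP,30000,2400000
10.0.0.9,203.0.113.9,51002,443,TCP,100,90000
10.0.0.7,203.0.113.9,40002,123,UDP,12000,900000
203.0.113.9,10.0.0.5,443,51000,TCP,3000,4000000
EOF
}

# Local address prefix used to decide flow direction (assumed value).
LOCAL_PREFIX="10.0.0."

# top_talkers KEY METRIC N WINDOW_SECS [DIR]
#   KEY:    header field to aggregate on: sa | da | dp | pr
#   METRIC: bytes | packets | bps | pps  (rates are per WINDOW_SECS,
#           i.e. the length of the -t window the flows were pulled for)
#   DIR:    out (source is local) | in (destination is local) | any
# Prints "KEY VALUE" lines, largest first, at most N of them.
top_talkers() {
  key=$1; metric=$2; n=$3; window=$4; dir=${5:-any}
  sample_flows | awk -F, -v key="$key" -v metric="$metric" \
      -v window="$window" -v dir="$dir" -v local="$LOCAL_PREFIX" '
    NR == 1 { for (i = 1; i <= NF; i++) idx[$i] = i; next }   # map header names to columns
    {
      sa = $(idx["sa"]); da = $(idx["da"])
      # Direction filter: "out" keeps flows sourced inside the local prefix,
      # "in" keeps flows destined to it, "any" keeps everything.
      if (dir == "out" && index(sa, local) != 1) next
      if (dir == "in"  && index(da, local) != 1) next
      k = $(idx[key])
      bytes[k] += $(idx["ibyt"]); pkts[k] += $(idx["ipkt"])
    }
    END {
      for (k in bytes) {
        if      (metric == "bps") v = bytes[k] * 8 / window
        else if (metric == "pps") v = pkts[k] / window
        else if (metric == "bytes") v = bytes[k]
        else v = pkts[k]
        printf "%s %.0f\n", k, v
      }
    }' | sort -k2,2nr | head -n "$n"
}

# Stand-alone demo: top 3 outbound sources by bps over a 60 s window.
top_talkers sa bps 3 60 out
```

With a live collector, replace `sample_flows` with something like `nfdump -R /var/nfsen/profiles-data/live -t 2014/02/16.10:00:00-2014/02/16.10:01:00 -o csv` and keep the window length in sync with the `-t` range, since the rate columns are simply totals divided by that window.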



-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Dobbins, Roland
Sent: Saturday, 15 February 2014 3:56 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] What tool shows this?


On Feb 15, 2014, at 11:28 AM, Jimmy <mupperoni at gmail.com> wrote:

> Also what is a good network monitoring tool (open source preferred) that collects netflow data and can easily show a current traffic anomaly e.g. a ddos attack quickly and succinctly? 

This one is open source:

<http://www.akmalabs.com/flowmatrix.php>

There's another one I've heard about, but I can't remember its name, and my search-engine-fu is apparently weak.

Most NetFlow anomaly-detection systems are commercial.

[Full disclosure:  I work for a vendor of such systems.]

That being said, you can do a lot with something like nfdump/nfsen or SiLK or ntop and a Mark I Eyeball.  I strongly recommend investigating and getting some operational experience with open-source NetFlow collection/analysis tools; they may provide all the functionality you need, and if you later decide to investigate commercial solutions, you'll have a solid foundation for evaluating them.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog