Educause Security Discussion mailing list archives

Re: Netflow Analysis Software


From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Wed, 4 May 2011 13:52:56 -0400

On Wed, May 04, 2011 at 10:40:28AM -0400, Kevin Wilcox wrote:
> What are you looking to accomplish? Flow data is, at its heart,
> extremely simple - two IPs, two ports, two timestamps, some flags and
> some counters.

That reminds me of a problem we have been having lately.  Many
applications these days are HTTP-based and hit CDNs and big virtual
hosting providers.  Netflow <= v9 isn't very useful at reporting on this
sort of thing.  We try to combine netflow with passive dns data, but
that isn't perfect.

I've been looking at v10/IPFIX which apparently supports other fields
like HTTP_URL.

This blog post mentions one of the example use cases:

    http://www.plixer.com/blog/scrutinizer/monitor-netflix-traffic-using-netflow-reporting/

but there don't seem to be as many open tools for working with this
data yet.

Is anyone actively using IPFIX now?

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
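The netflow plus passive-DNS join the post describes, as an added example that is not from the original message or from any tool it names; the flow records, passive-DNS observations, hostnames and the 300-second lookup window are all constructed.

```python
"""Label flows with the hostname a client resolved to the destination IP.

Added example, not from the original post or any tool it names. Flow records
carry only addresses, ports, timestamps and counters; a passive-DNS log
observed on the same network supplies candidate hostnames. The join stays
imperfect on purpose: several names on one CDN IP remain ambiguous, and a
flow with no recent resolution (cached answer, sensor gap) gets no label.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    start: int  # epoch seconds; constructed values below
    end: int
    octets: int


# Constructed passive-DNS observations: (timestamp, client, qname, answer_ip).
PDNS = [
    (100, "10.1.1.5", "cdn.example.net", "203.0.113.10"),
    (105, "10.1.1.5", "video.example.org", "203.0.113.10"),  # same CDN IP
    (110, "10.1.1.6", "files.example.com", "203.0.113.20"),
]

# Constructed flow records from the same vantage point.
FLOWS = [
    Flow("10.1.1.5", 51234, "203.0.113.10", 80, 120, 130, 50000),
    Flow("10.1.1.6", 51235, "203.0.113.20", 443, 115, 140, 800),
    Flow("10.1.1.7", 51236, "203.0.113.30", 80, 130, 131, 60),  # no DNS seen
]


def build_index(pdns):
    """Map (client, answer_ip) -> list of (timestamp, qname)."""
    idx = {}
    for ts, client, qname, ip in pdns:
        idx.setdefault((client, ip), []).append((ts, qname))
    return idx


def label_flow(flow, idx, window=300):
    """Hostnames the client resolved to flow.dst within `window` seconds
    before the flow started, sorted; () when nothing was observed."""
    obs = idx.get((flow.src, flow.dst), ())
    names = {q for ts, q in obs if flow.start - window <= ts <= flow.start}
    return tuple(sorted(names))
```

A result with two names is the ambiguity the post calls imperfect; an empty result is a flow the passive-DNS feed never saw resolve, which is where an IPFIX field such as HTTP_URL would help.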

