Re: Netflow/flowscan

[Per Gregers Bilse <bilse () networksignature com>]

On Jun 21, 11:10pm, andrew matthews <exstatica () gmail com> wrote:
> Anyone ever done some major flowscan stuff?

Flowscan is perl, isn't it?

> We tried it once for a while and we had so much traffic our dual zeon
> 3.06ghz system couldn't keep up. The flows just started getting more

How much traffic do you have?

> and more behind... anyone ever succesfully graphed large amounts of
> data? If so what kind of systems did you use and what type of
> capture/processor layout did you have?

It's much more a question of the software than the hardware.  We use
Athlons (and Opterons if necessary) for architectural reasons (much
better at the mboard level), but that doesn't matter.  A single 3GHz
Intel processor can handle unsampled flow data from up to 10Gbps source
network traffic, but the software has to start with 'int main', not
"#!/usr/bin/perl" or "class virtualServlet" or some such.-)

You can't sample? Sampling is a much more scaleable solution than throwing
hardware at the problem.  A lot of people fear they miss out on important
things if they sample, but unless you need bean counter accuracy you're
fine (ie, 99% accuracy is generally good enough).

Best,

  -- Per