summary of ipflow/netflow appliance

[Stefan Hegger <Stefan.Hegger () lycos-europe com>]

Here a summary of the answers I got. Again thanks for your help.

mail from Joe 
> -Try fprobe, open source:  http://sourceforge.net/projects/fprobe 

reply from Samuel
> -nProbe by ntop.org is pretty robust tool for generating v5/v9 flows and 
> fairly inexpensive. http://www.ntop.org/nProbe.html

mail from Roland 
> -Lancope offer a productized version of this, I believe Endace too, too.

I talked to Lancope, they might provide me in 1 or 2 years with a 10G 
interface.

mail from Frank
> I just had an extended briefing with a company called Xangati.  Very
> interesting stuff, but they didn't talk about ways to obtain netflows if
> your router isn't able to natively generate them.

answer from Adam
> I can attest to this. nProbe is your best bet for a “virtual NetFlow 
> exporter”. It performs well and has tons of export formats and features. We 
> use it extensively for QA and testing. You do, however, have to pay a bit 
> or it whereas fprobe and others are free.

I talked to Peter Shaw peter () npulsenetworks com
here his answer

> Thanks for contacting us.  Yes, our Probe can handle the traffic level you
> describe. Our typical, hardware-accelerated Probe has 2 Gigabit ports, and
> shows less than 10% CPU utilisation when generating NetFlow records at the
> full 2Gbps.  We can readily build a Probe using 10Gig ports, and do not
> expect any performance challenge at the traffic level you describe.
> I have a couple of further questions/comments for you;
> 1) what Collector system do you plan to send the NetFlow records to ?  We
> can work with any NetFlow-aware collector, but we do find that many of them
> struggle to keep up with the high volume of records from our Probe.  We are
> working on our own Collector/buffer system to reduce this problem, and
> expect this to be available in Q2'08.

I talked also to Luca Deri <deri () ntop org>
here the answer

> the nPulse appliance is based on an old version of nProbe I have  
> developed years ago. We offer nBox appliances (http://www.nmon.net/nBox.html 
> ) with a new accelerated nProbe version not available to anyone but  
> us. Next month we plan to introduce a new model based on a accelerated  
> card developed with a a twin company, able to outperform existing  
> solutions but with a lower price.

> for 10G at the moment we use the Endace platform (NinjaProbe) or  
> Tilera (see http://www.tilera.com/pdf/ProductBrief_TILExpress_V1.pdf  
> and search for nProbe) cards for wire rate. If you have a few Gbits, a  
> software nBox can also be enough, but if you go above a hardware card  
> is definitively needed.
> In late 2008 we should have our custom 10G card available but until  
> then we rely on external hardware solutions.

> unless you want to buy the appliance from Endace and the software from  
> me, I can currently offer an nbox with dual 10G capability featuring  
> software packet capture acceleration for about 6K Euro. This model is  
> suitable for monitoring 2-3 Gbit of traffic. As I have stated before,  
> 10G hardware capture acceleration still needs some time.

next mail from gert
> Has any of you done a reality-check before recommending these tools,
> whether one of them can actually *handle* a 10G-link?
> Sniffing 10G without losing packets is *hard*.
> Sniffing 10G and doing any sort of math with it is *very hard*.
> Any "sniff packets and do flow exports from there" application that 
> aims to do better than the flow hardware on the PFC3 needs to be really,
> really, *really* good.


conclusion:

It is not easy to find a device to capture a 10G interface and generate the 
netflow.

When I have news, I will will inform you.

Best Stefan

-- 
Stefan Hegger
Internet System Engineer

Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33312 Gütersloh 

Phone:
Tel: +49 5241 8071 334
Fax: +49 5241 80671 334
Mobile: +49 170 1892720

Sitz der Gesellschaft: Gütersloh
Amtsgericht Gütersloh, HRB 2157
Geschäftsführer: Christoph Mohn 

  <http://www.lycos-europe.com/L/A/>