nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [EXTERNAL] Re: Flow collection and analysis

From: "Compton, Rich A" <Rich.Compton () charter com>
Date: Tue, 25 Jan 2022 23:50:27 +0000
Elastiflow is pretty cool.  https://www.elastiflow.com  or the old open source version: 
https://github.com/robcowart/elastiflow
You can pretty much do the same thing with Elastic’s filebeat 
(https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html).
Pmacct is also good for grabbing netflow http://www.pmacct.net  and sending it somewhere (file, database, kafka, etc.) 
You can also grab BMP and streaming telemetry with it.
If you’re looking for open source DDoS detection using netflow, check out https://github.com/pavel-odintsov/fastnetmon
Shameless plug, check out my tool to look for spoofed UDP amplification request traffic coming into your network 
https://github.com/racompton/tattle-tale
FYI, you can send netflow to multiple collectors with https://github.com/sleinen/samplicator

-Rich

From: NANOG <nanog-bounces+rich.compton=charter.com () nanog org> on behalf of David Bass <davidbass570 () gmail com>
Date: Tuesday, January 25, 2022 at 11:06 AM
To: Christopher Morrow <morrowc.lists () gmail com>
Cc: NANOG list <nanog () nanog org>
Subject: [EXTERNAL] Re: Flow collection and analysis

CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking 
links, or following guidance.
Most of these things, yes.

Add:
Troubleshooting/operational support
Customer reporting




On Tue, Jan 25, 2022 at 1:38 PM Christopher Morrow <morrowc.lists () gmail com<mailto:morrowc.lists () gmail com>> 
wrote:


On Tue, Jan 25, 2022 at 10:53 AM David Bass <davidbass570 () gmail com<mailto:davidbass570 () gmail com>> wrote:
Wondering what others in the small to medium sized networks out there are using these days for netflow data collection, 
and your opinion on the tool?

a question not asked, and answer not provided here, is:
  "What are you actually trying to do with the netflow?"

Answers of the form:
  "Dos detection and mitigation planning"
  "Discover peering options/opportunities"
  "billing customers"
  "traffic analysis for future network planning"
  "abuse monitoring/management/investigations"
  "pretty noc graphs"

are helpful.. I'm sure other answers would as well.. but: "how do you collect?" is "with a collector" and isn't super 
helpful if the collector can't feed into the tooling / infrastructure / long-term goal you have.
E-MAIL CONFIDENTIALITY NOTICE: 
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain 
confidential and/or legally privileged information. If you are not the intended recipient of this message or if this 
message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this 
message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, 
distribution, copying, or storage of this message or any attachment is strictly prohibited.
Previous By Date Next
Previous By Thread Next

Current thread: