Old 12-06-2009, 08:39 PM
"Joseph L. Casale"
 
netflow collection and analysis

Anyone got a reco on a package that can collect netflow data and accept user defined queries
for specific data, like what an ip did every hour for some said interval?

Thanks!
jlc
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-06-2009, 09:44 PM
Alan McKay
 
netflow collection and analysis

On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale
<JCasale@activenetwerx.com> wrote:
> Anyone got a reco on a package that can collect netflow data and accept user defined queries
> for specific data, like what an ip did every hour for some said interval?

well, collecting is pretty easy of course - tcpdump.
And you can load the files into wireshark to query.

Though it is probably not just what you want.

In my old job I set up a sniffer appliance which basically ran
tcpdump on any interface except the main interface, and logged it all
in circular log files of a certain size. And the directory where
these were kept was served out via the web server so that anyone
could surf to the box and grab log files to look at.

You may also want to have a look at what ntop can do these days - it
has been a few years since I've looked at it.

But of course this all assumes the traffic is visible to your CentOS
box. For my sniffer appliance the way to deploy it was that all the
other NICs except the main one got plugged into a mirror port on the
switch, which mirrored the particular PC we wanted to sniff. In our
case this was fine because we only monitored our product which was a
VOIP appliance we were developing.

Alternately, running this on your router will pick up most of what you
want - but obviously not local LAN traffic


--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"
 
Old 12-06-2009, 09:48 PM
Timo Schoeler
 
netflow collection and analysis

thus Alan McKay spake:
> On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale
> <JCasale@activenetwerx.com> wrote:
>> Anyone got a reco on a package that can collect netflow data and accept user defined queries
>> for specific data, like what an ip did every hour for some said interval?
>
> well, collecting is pretty easy of course - tcpdump.
> And you can load the files into wireshark to query.
>
> Though it is probably not just what you want.

Well, netflow is the appropriate technology for this:

http://en.wikipedia.org/wiki/Netflow

Unfortunately, I don't know a solution for the thread starter's question
off the top of my head, so this was just for clarifying what we're talking
about...

Timo
 
Old 12-06-2009, 09:52 PM
Alan McKay
 
netflow collection and analysis

> Well, netflow is the appropriate technology for this:
>
> http://en.wikipedia.org/wiki/Netflow

Oh hey, look at that - I had no idea that was a specific thing :-)

I've seen something like that before - not Netflow obviously - but
I've seen it. Now I'll just have to remember where :-)


 
Old 12-06-2009, 09:53 PM
Ray Van Dolson
 
netflow collection and analysis

On Sun, Dec 06, 2009 at 11:48:45PM +0100, Timo Schoeler wrote:
>
> Well, netflow is the appropriate technology for this:
>
> http://en.wikipedia.org/wiki/Netflow
>
> Unfortunately, I don't know a solution for the thread starters question
> out of my head, so this was just for clarifying what we're talking
> about...
>
> Timo

OP wants nfdump[1]. Great tool. The web front-end is called nfsen and is
a separate package.

Ray

[1] http://nfdump.sourceforge.net/
 
Old 12-06-2009, 09:54 PM
Alan McKay
 
netflow collection and analysis

> I've seen something like that before - not Netflow obviously - but
> I've seen it. Now I'll just have to remember where :-)

Oh, it was the other day when I was looking at Tobi Oetiker's website.
An ad on his site for this guy:

http://community.zenoss.org/index.jspa

I have been meaning to download and try it out. When I took a quick
look at features the other day I think it does this sort of thing.


 
Old 12-06-2009, 09:55 PM
Timo Schoeler
 
netflow collection and analysis

thus Alan McKay spake:
>> Well, netflow is the appropriate technology for this:
>>
>> http://en.wikipedia.org/wiki/Netflow
>
> Oh hey, look at that - I had no idea that was a specific thing :-)
>
> I've seen something like that before - not Netflow obviously - but
> I've seen it. Now I'll just have to remember where :-)

Well, Netflow is usually used at ISPs, and in bigger networks. We have
Netflow running here to do accounting for our colocation customers. The
main use of it, alas, not the only one...

Regards,

Timo

 
Old 12-06-2009, 10:10 PM
"Joseph L. Casale"
 
netflow collection and analysis

>OP wants nfdump[1]. Great tool. The web front-end is called nfsen and is a separate package.

Yea, that looks nice, wow...

In the meantime while I was waiting for feedback I saw that cacti has a netflow plugin. Given my
owner dumped this on me on short notice before we shut down for holidays (while I have other stuff
to cram in before our closure) I am hoping the cacti solution will be quick. If it doesn't provide what
I need, I'll look into this, which I am sure after a quick read does what I want.

I need to provide records for certain users (known to be associated by ip) on a firewall over time.

Thanks!
jlc
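Ray's nfdump pointer and the OP's stated need (per-IP records from the firewall, hour by hour, over an interval) are the same job: a collector that decodes the exporter's NetFlow datagrams and buckets the flows by source address and hour. What follows is an added example in Python, written for this archive; it is not code from the thread, from nfdump or from any of the tools named here. It parses NetFlow v5, the fixed-format version most routers and firewalls of that period export, and produces the hourly report the OP asked for. The sample datagram, the monitored address 10.1.1.50 and the RFC 5737 peer addresses are constructed for the example, and the accounting is only over the direction in which 10.1.1.50 is the flow source.

```python
"""Minimal NetFlow v5 collector logic: decode exporter datagrams and answer
"what did this IP do each hour?".  Added example, not code from the thread."""
import socket
import struct
from collections import defaultdict
from datetime import datetime, timezone

V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes
MAX_RECORDS = 30   # a v5 exporter never puts more than 30 records in one datagram


def parse_v5(datagram):
    """Return a list of flow dicts decoded from one NetFlow v5 UDP payload.

    Raises ValueError on anything that is not a well-formed v5 datagram, so a
    collector fed junk (NetFlow is plain UDP; nothing is authenticated) drops
    it instead of miscounting.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    (version, count, sys_uptime, unix_secs, _nsecs,
     _seq, _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, _last,
         sport, dport, _pad1, _tcp_flags, proto, _tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        # 'first' is milliseconds since the exporter booted; the header pairs
        # the same boot-relative clock (sys_uptime) with wall time (unix_secs).
        start = unix_secs - (sys_uptime - first) / 1000.0
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "bytes": octets, "start": start})
    return flows


def hourly_report(flows, ip, t_from, t_to):
    """Per-hour summary of what `ip` sent, as flow source, for starts in [t_from, t_to).

    Returns rows of (hour label UTC, flows, packets, bytes, sorted (dst, dport, proto) peers).
    """
    buckets = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "peers": set()})
    for f in flows:
        if f["src"] != ip or not (t_from <= f["start"] < t_to):
            continue
        hour = int(f["start"]) - int(f["start"]) % 3600
        b = buckets[hour]
        b["flows"] += 1
        b["packets"] += f["packets"]
        b["bytes"] += f["bytes"]
        b["peers"].add((f["dst"], f["dport"], f["proto"]))
    rows = []
    for hour in sorted(buckets):
        b = buckets[hour]
        label = datetime.fromtimestamp(hour, timezone.utc).strftime("%Y-%m-%d %H:00")
        rows.append((label, b["flows"], b["packets"], b["bytes"], sorted(b["peers"])))
    return rows


# --- constructed sample: one datagram as a firewall might export on 2009-12-06 ---
def _rec(src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms):
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                          1, 2, pkts, octets, first_ms, last_ms, sport, dport,
                          0, 0x18 if proto == 6 else 0, proto, 0, 0, 0, 24, 24, 0)

BOOT_MS = 10_000_000        # exporter uptime at export time (~2.8 h)
EXPORT_TIME = 1260136800    # 2009-12-06 22:00:00 UTC
SAMPLE_DATAGRAM = (
    V5_HEADER.pack(5, 4, BOOT_MS, EXPORT_TIME, 0, 1, 0, 0, 0)
    + _rec("10.1.1.50", "198.51.100.53", 53012, 53, 17, 2, 180,
           BOOT_MS - 5_400_000, BOOT_MS - 5_399_000)      # started 20:30 UTC
    + _rec("10.1.1.50", "192.0.2.80", 49200, 80, 6, 40, 30_000,
           BOOT_MS - 5_000_000, BOOT_MS - 4_990_000)      # started 20:36 UTC
    + _rec("10.1.1.50", "192.0.2.80", 49201, 443, 6, 120, 150_000,
           BOOT_MS - 1_200_000, BOOT_MS - 1_100_000)      # started 21:40 UTC
    + _rec("10.1.1.77", "192.0.2.80", 50000, 80, 6, 10, 8_000,
           BOOT_MS - 1_000_000, BOOT_MS - 999_000)        # a different host
)

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_DATAGRAM)
    for row in hourly_report(flows, "10.1.1.50", 1260129600, 1260136800):
        print(row)
```

The length and count checks are not pedantry: the collector port takes UDP from anyone who can reach it, so restrict it to the exporter's address at the host firewall and treat the records as evidence to be corroborated, not proof. nfdump answers the same question over files written by nfcapd with a time window and a filter, along the lines of `nfdump -R /var/nfdump -t 2009/12/06.20:00:00-2009/12/06.21:59:59 'src ip 10.1.1.50'`; the code above is the part that does the same work for a reader who wants to see what is inside the datagrams.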
 
Old 12-06-2009, 10:23 PM
Jake
 
netflow collection and analysis

On Sun, Dec 6, 2009 at 5:53 PM, Ray Van Dolson <rayvd@bludgeon.org> wrote:
> OP wants nfdump[1]. Great tool. The web front-end is called nfsen and is
> a separate package.
>
> Ray
>
> [1] http://nfdump.sourceforge.net/

Needs, but maybe not "wants." :-P

I used to be in love with ntop, but it has shown to be very unstable in the last few years (memory leaks, crashing, etc. for the version in fedora-epel as well as latest stable and latest svn checkout.) Ntop is what you want (at least close to what you want the interface to look like) but I have yet to find any good netflow analyser that blows my skirt up after having sampled:

- ntop (stability issues),
- solarwinds realtime netflow analyser (unknown reliability, plus only meant for live troubleshooting, not trending),
- solarwinds orion netflow module (too cumbersome to navigate to find simple answers like "what was on the wire during a certain time frame"), and
- the cisco network analysis module for the 6500 (maybe the best I've seen even if its interface is ugly as hell.)

If anyone has had a good experience with something user-friendly on the reporting side at least, I'd be thrilled to hear about it.


nfdump/nfsen does look like it could hold some value but i haven't evaluated it yet.

--
Jake Paulus
JakePaulus@gmail.com

 
Old 12-06-2009, 10:33 PM
Alan McKay
 
netflow collection and analysis

> I used to be in love with ntop, but it has shown to be very unstable in the
> last few years (memory leaks, crashing, etc. for version in fedora-epel as

And here I thought it was just my PC. I finally converted my home PC
to Linux last week (cough, cough Ubuntu cough) and one of the first
things I did was install ntop. As soon as I started it, my PC hung
solid.

