I am trying to create some monitoring based on flow-tools: I have flow-capture running to log things into directories. Now I need to merge files together for my analysis interval. I have looked at the manpages for flow-cat and flow-merge. They talk about interleaving and chronological order. As the files by flow-capture are already quite sorted, I wonder what the real difference is in my case?
We have a number of Linux servers for which I would like to capture netflow data to be processed by a netflow analyzer. I've been spoiled by the ease in which Mikrotik routers allow netflow data generation, but I haven't managed to find an opensource tool that is able to generate netflow data for multiple interfaces on a Linux system.
I have come across fprobe but it seems quite buggy. Admittedly I haven't spent much time with it yet since I'd also like to evaluate some other possibilities. The other tool I've seen mentioned is nprobe, which appears to be GPL, but is not available as a free download since it is only offered for a fee.
The servers on which I plan to generate netflow data are all Gentoo systems, but this shouldn't really make any difference. At most it means I would have to manually compile a tool from source.
Summary: I'm looking for an opensource netflow generator that will work on Linux and allows capturing flows for multiple interfaces.
We currently have a dual-NIC Ubuntu server at our data centre acting as the gateway router between our public networks and our ISP. We have a /30 cross connect network on the ISP-facing NIC, and one IP from each of the three networks attached to our interior-facing NIC.
I would like to configure network traffic statistic generation and collection on this server, using Cisco's Netflow protocols. This will allow me to confirm our ISP's billing, as well as break down data flow within our network.
What tools or packages would you recommend to passively capture traffic statistics and record them for later processing? Extra points if the Netflow collector has a MySQL data-store connector.
I'm implementing a network monitoring solution for a very large network (approximately 5000 network devices). We'd like to have all devices on our network send SNMP traps to a single box (technically this will probably be an HA pair of boxes) and then have that box pass the SNMP traps on to the real processing boxes. This will allow us to have multiple back-end boxes handling traps, and to distribute load among those back end boxes.
One key feature that we need is the ability to forward the traps to a specific box depending on the source address of the trap. Any suggestions for the best way to handle this?
Among the things we've considered are:
- Using snmptrapd to accept the traps, and have it pass them off to a custom written perl handler script to rewrite the trap and send it to the proper processing box
- Using some sort of load balancing software running on a Linux box to handle this (having some difficulty finding many load balancing programs that will handle UDP)
- Using a Load Balancing Appliance (F5, etc)
- Using IPTables on a Linux box to route the SNMP traps with NATing
We've currently implemented and are testing the last solution, with a Linux box with IPTables configured to receive the traps, and then depending on the source address of the trap, rewrite it with a destination nat (DNAT) so the packet gets sent to the proper server. For example:
# Range: 10.0.0.0/19 Site: abc01 Destination: foo01
iptables -t nat -A PREROUTING -p udp --dport 162 -s 10.0.0.0/19 -j DNAT --to-destination 10.1.2.3
# Range: 10.0.33.0/21 Site: abc01 Destination: foo01
iptables -t nat -A PREROUTING -p udp --dport 162 -s 10.0.33.0/21 -j DNAT --to-destination 10.1.2.3
# Range: 10.1.0.0/16 Site: xyz01 Destination: bar01
iptables -t nat -A PREROUTING -p udp --dport 162 -s 10.1.0.0/16 -j DNAT --to-destination 10.3.2.1
This should work with excellent efficiency for basic trap routing, but it leaves us completely limited to what we can match and filter on with IPTables, so we're concerned about flexibility for the future.
Another feature that we'd really like, but isn't quite a "must have" is the ability to duplicate or mirror the UDP packets. Being able to take one incoming trap and route it to multiple destinations would be very useful.
Has anyone tried any of the possible solutions above for SNMP traps (or Netflow, general UDP, etc) load balancing? Or can anyone think of any other alternatives to solve this?
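The first option listed above (a userspace relay that picks the processing box by trap source address) can also cover the mirroring wish, since one source can map to several destinations. This is an added example, not code from the question; the route table is constructed from the ranges in the question, and the second bar0x destination is an assumption added to show mirroring.

```python
import ipaddress
import socket

TRAP_PORT = 162

# Constructed routing table mirroring the iptables rules above:
# source range -> list of trap processors. A list allows one trap to be
# mirrored to several back ends, which a single DNAT rule cannot do.
ROUTES = {
    "10.0.0.0/19": ["10.1.2.3"],               # site abc01 -> foo01
    "10.0.33.0/21": ["10.1.2.3"],              # site abc01 -> foo01
    "10.1.0.0/16": ["10.3.2.1", "10.3.2.2"],   # site xyz01 -> bar01 + assumed mirror
}
# strict=False masks host bits off 10.0.33.0/21 (it is not /21-aligned),
# the same normalisation iptables applies to that -s argument.
ROUTE_TABLE = [(ipaddress.ip_network(n, strict=False), d) for n, d in ROUTES.items()]


def destinations_for(src_ip):
    """Longest-prefix match of the trap source address against ROUTE_TABLE."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, dests in ROUTE_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dests)
    return list(best[1]) if best else []


def forward_trap(datagram, src_ip, sendto):
    """Relay one trap datagram to every processor mapped for src_ip.

    sendto(bytes, (host, port)) is injected so the routing logic can be
    exercised without a live socket. Returns the number of copies sent.
    Caveat: unlike DNAT, a userspace relay rewrites the IP source to the
    relay's own address, so back ends no longer see the device address.
    """
    dests = destinations_for(src_ip)
    for dest in dests:
        sendto(datagram, (dest, TRAP_PORT))
    return len(dests)


if __name__ == "__main__":
    # Stand-alone relay: bind UDP/162 (needs root) and fan traps out.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", TRAP_PORT))
    while True:
        data, (src, _port) = sock.recvfrom(65535)
        forward_trap(data, src, sock.sendto)
```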
Is there a free netflow collector that I can throw on a Windows box?