North American Network Operators Group


Re: Hope this isn't a redundant question: Cisco IOS Netflow analysis mechanisms?

  • From: Erik Haagsman
  • Date: Mon Sep 26 15:06:37 2005

On Mon, 2005-09-26 at 11:42 -0700, Will Yardley wrote:
> On Mon, Sep 26, 2005 at 02:37:00PM -0400, Drew Weaver wrote:
> 
> > We're looking for a method of actively monitoring certain
> > metrics on our network via software or a somewhat inexpensive hardware
> > solution (those metrics being which AS numbers are the highest
> > destinations for our network) and information like that which will help
> > us with capacity planning. We are looking for suggestions if anyone has
> > any real-world knowledge of anything that would tell us for example:
> > 
> > 8% of our traffic is destined to AS 2828 (XO communications) etc.
> 
> I've found ntop (along with exported flow data) fairly useful for stuff
> like this.

ntop is pretty useful but I'd go with flow-tools if you want a far more
powerful yet simple base to build a toolset on. The whole
flow-capture/flow-report/flow-nfilter tool-chain alone allows you to write
little scripts for text-only reports telling you just about anything you
like as fine-grained as you want in a matter of hours (or perhaps
minutes if you're a fast man-page reader and comfortable with a *nix
command-line ;-) and the output is easily parsable in any kind of
scripting language. It also comes with a patched FlowScan including
CUFlow/CampusIO/SubnetIO to work with flow-capture instead of cflowd, so
depending on your exact needs you might be able to use that out of the
box or with reasonably basic changes to the (well documented) FlowScan
perl scripts. Take the type of info you're looking for into account
before setting up exporting flows from your routers and collecting them
on a server. NetFlow V8 uses aggregation on a specific key (AS number,
source prefix, destination prefix, etc.) to decrease flow-file size, but
it's a rather lossy format compared to the detailed information inside
NetFlow V5. If you're not sure yet which metrics you'll be looking for,
always collect NetFlow V5 to prevent ending up with flows that don't
contain the information you might need in the future.

Hope this helps, 

Erik


-- 
Erik Haagsman
Network Architect
We Dare BV
tel: +31.10.7507008
fax: +31.10.7507005

http://www.we-dare.nl
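
Added example, not part of the original message or of flow-tools: a Python decoder for a NetFlow V5 export datagram that computes traffic share by destination AS (the kind of key the message says V8 aggregates on) and, from the same records, by destination prefix, which a per-AS aggregate can no longer answer. The sample datagram, its addresses, AS numbers other than 2828 and byte counts are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("short header")
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        # f[1]=dstaddr, f[6]=dOctets, f[16]=dst_as, f[18]=dst_mask
        yield {"dst": ip_address(f[1]), "octets": f[6], "dst_as": f[16], "dst_mask": f[18]}

def share_by(flows, key):
    """Percent of total octets per key(flow), largest first."""
    totals = Counter()
    for fl in flows:
        totals[key(fl)] += fl["octets"]
    grand = sum(totals.values())
    return [(k, round(100.0 * v / grand, 1)) for k, v in totals.most_common()] if grand else []

def dst_prefix(fl):
    """Destination network from dstaddr and dst_mask (detail a per-AS aggregate drops)."""
    return ip_network(f"{fl['dst']}/{fl['dst_mask']}", strict=False)

def _rec(dst, octets, dst_as, dst_mask):
    # Constructed record: fixed source 192.0.2.10, TCP/80, source AS 64496.
    return REC.pack(ip_address("192.0.2.10").packed, ip_address(dst).packed, bytes(4),
                    1, 2, 10, octets, 0, 1000, 40000, 80, 0, 0x18, 6, 0,
                    64496, dst_as, 24, dst_mask, 0)

# Constructed sample datagram: 3 flows, documentation prefixes, made-up byte counts.
SAMPLE = HDR.pack(5, 3, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    _rec("198.51.100.7", 800, 2828, 24),
    _rec("203.0.113.5", 6200, 64500, 25),
    _rec("203.0.113.200", 3000, 64500, 25),
])

if __name__ == "__main__":
    flows = list(parse_v5(SAMPLE))
    print("by destination AS:    ", share_by(flows, lambda f: f["dst_as"]))
    print("by destination prefix:", share_by(flows, dst_prefix))
```

In the sample, the per-AS view reports one destination AS at 92%, while the V5 records still show that this traffic splits across two /25 prefixes.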