Home page logo
/

nanog logo nanog mailing list archives

Re: Interesting netflow entry
From: Bill Nash <billn () odyssey billn net>
Date: Tue, 7 Feb 2006 14:13:18 -0500 (EST)



On Tue, 7 Feb 2006, Christopher L. Morrow wrote:

Are you sure you're getting everything?

he did previously state he was only using about 120mbps... and it'd depend
upon his/your sample rates as well...

Missed that part. Even so, 120mbps of actual usage, I would expect to see a higher volume. Sampling would definitely bring this down a bit, but for a volume that small, why bother sampling? You'll miss too much.

One problem I had while checking out various packages, flow-tools specifically, is that some can't handle differing flow versions. Also, flow generation from a routing-capable 6509 is configured in two different places, so the potential to lose flow traffic due to poor documentation (of both the collector and the generator) definitely exists. Flow-tools picks which version it processes based on the version of the first flow packet it receives, and then discards all else.

- billn


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault