Jeffrey,
If you are looking for detailed network information , I would like to
recommend you to look at the Narus Semantic Traffic Analyzer (STA) approach.
Our network passive analysis device could provide you with deep information
which include not only NetFlow-like parameters, but also TCP specific QoS
(retransmission, latency, etc.) and layer 7 protocol attributes (HTTP URLs,
server response time, H.323 signaling, RTSP media characteristics and many
more).
Please do not hesitate to contact me if you need any more information.
Sincerely
Stas Khirman
CTO
Narus Inc
-----Original Message-----
From: Jeffrey Papen [mailto:jpapen@yahoo-inc.com]
Sent: Wednesday, July 11, 2001 10:43 AM
To: Mark Fullmer
Cc: 'dproscin@oracle.com'; cflowd@caida.org
Subject: Re: NDE Version 7 (Cat 6509)
Very bad news folks for NetFlow on the newer 6509.
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm
the above URL details all of the fields in a Version 7 flow that are set to
zero. They include next_hop_ip, both source and destination AS, source and
destination
port, source IP address, and protocol.
my $soapbox = 1;
Essentially, if you have a 6500 with a Sup 1a and MSFC1, you're golden. If
you have a Sup2 w/ MSFC2 then NetFlow is dead to you. Cisco did the same
thing when they added the 3 port Gig card to their GSR line. Cisco went to
Netflow Version 8 which is an "aggregation" - read labotomization - of any
useful flow data. It bums me out considerably that the only way Cisco makes
their stuff faster is to strip out all of the features hardcore users
require. What's next SNMP? How about ACLs?
Thank God for Juniper! Cisco deserves to get their lunch eaten. When it
happens, I'll dance a jig on the grave of the GSR.
$soapbox = 0;
- Jeffrey
Mark Fullmer wrote:
> On Mon, Jul 09, 2001 at 06:44:25PM -0700, Jeffrey Papen wrote:
> > Is that a for sale product? What is so great about it? I have a
similar problem and am looking for version 5 type formats from a Catalyst
6500.
>
> flow-tools 0.54 has a utility that will translate export versions. This
> should allow you to use version 7 exports with cflowd by translating
> to version 5.
>
> % flow-receive 0/exporterip/port | flow-xlate -V5 | flow-send
0/127.0.0.1/port2
>
> Where exporterip and port are the IP address and port of the router
providing
> the flows and port2 is the port cflowd is listening on.
>
> This will not currently work with the native IOS version of the 6500 due
> to how they mix the CPU and hardware accelerated flows together on the
> same UDP port. flow-tools will be able to support this in the next
release
> though.
>
> mark
> --
> cflowd mailing list
> cflowd@caida.org
-- Yahoo! BGP/Peering Engineer email: jeffrey@papen.com beep: page-jeffrey@papen.com work: 408-349-3897 fax: 408-349-5307 cell: 650-580-2684 page: 877-701-1126 Yahoo Messenger ID: jpapen-- cflowd mailing list cflowd@caida.org -- cflowd mailing list cflowd@caida.org
This archive was generated by hypermail 2b29 : Wed Jul 11 2001 - 12:23:31 PDT