Proxying NetFlow traffic correctly

Sami · June 6, 2017, 9:43pm

Hello,
I have been searching for a solution that collects/duplicates NetFlow traffic properly for a while but i couldn't find any.
Do you know any good unix alternative to ntopng, flowd, flow-tools?

nprobe of netflow seems to be the closest one to fit my needs but i want to see if there are any other solution.

My goal is to centralize NetFlow traffic into a single machine and then proxy some flows to other destinations for further analysis

Best Regards,
Sami

Tim_Raphael · June 6, 2017, 11:35pm

nProbe is what you want, it’s another product from NTop.

http://www.ntop.org/products/netflow/nprobe/

- Tim

Mike_Sabbota · June 6, 2017, 11:38pm

Check out samplicator.

https://github.com/sleinen/samplicator

--Mike

Hugo_Slabbert1 · June 6, 2017, 11:39pm

Flexible: pmacct[1][2]
Simple and does what you ask: samplicate[3]

Hugo_Slabbert1 · June 6, 2017, 11:45pm

Hello,
I have been searching for a solution that collects/duplicates NetFlow traffic properly for a while but i couldn't find any.
Do you know any good unix alternative to ntopng, flowd, flow-tools?

nprobe of netflow seems to be the closest one to fit my needs but i want to see if there are any other solution.

My goal is to centralize NetFlow traffic into a single machine and then proxy some flows to other destinations for further analysis

Best Regards,
Sami

Flexible: pmacct[1][2]
Simple and does what you ask: samplicate[3]

Actually: samplicate is more all-or-nothing as far as I'm aware. So it could proxy a full set of flows, but the "some flows" part of your request I'm not so sure about.

Dobbins_Roland · June 7, 2017, 2:39am

My goal is to centralize NetFlow traffic into a single machine and then proxy some flows to other destinations for further analysis

<https://github.com/sleinen/samplicator>

Or nprobe, as was already mentioned.

Selphie_Keller · June 7, 2017, 2:56am

samplicate is very good, been using it for 6 years for netflow duplication
using botth the spoofing and non, depending on the sensor's needs if it
needs to retain the source ip or not.

Joe_Loiacono · June 7, 2017, 1:19pm

You may want to check out the SiLK netflow capture and analysis tool
suite. Look in particular at it's SiLK Administrators Tools section which
provides extensive flexibility for manipulating netflow exports. The
analysis tools are quite good too.

http://tools.netsa.cert.org/silk/silk-reference-guide.pdf

Joe

jejenone · June 8, 2017, 5:02am

We use pmacct with it's tee plugin - it gets the job done beautifully and
it's a one-liner config.

https://github.com/pmacct/pmacct/blob/master/CONFIG-KEYS