I am looking for sFlow analytical software that can tell me automatically, over say a period of 24 hours (or any time period I select), the average Mbit of data consumed for any IP address within our entire AS.
(Without configuring a rule or billing group for each IP address or customer within our network.)
The purpose is to help quickly work out IP addresses which are using more bandwidth (in or out) than what we consider to be acceptable usage.
For example, I would like to review a report or be automatically alerted to any IP address using more than an average of 50 Mbit within the past 24 hours, plus have the capability to review data over, say, a month.
Any names of software or suggestions which I can investigate would be great; I am happy to look at both commercial software and open source. Or, if you have an sFlow billing solution for data consumption which is simple and easy to use, please let me know.
Take a look at pmacct; it will be able to handle your needs with a number of modifications. The section I linked below should give you a good starting point. Change the traffic dump to a MySQL database, add some indexes, craft some SQL queries, then you're off to the races. As for billing notifications, a cron script would need to calculate the usages and alert based on your set thresholds.
For added bonus points, combine it with a BGP feed and know where your traffic is going outbound; that way intelligent routing changes can be made much quicker.
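The "calculate the usages and alert on thresholds" step above, written out as an added example (not code from the original post or from the pmacct project): an in-memory SQLite table stands in for the MySQL dump, the column names `ip`, `direction`, `bytes` and `stamp` are assumptions loosely modelled on a flow-accounting table rather than pmacct's real schema, and the traffic rows are constructed so that one host averages 60 Mbit/s outbound over the 24-hour window while another is well under the 50 Mbit/s line.

```python
import sqlite3
from datetime import datetime, timedelta

WINDOW_HOURS = 24
THRESHOLD_MBIT = 50.0

# Assumed table layout, loosely modelled on a pmacct SQL dump; the real
# pmacct schema differs, so adapt the column names to yours.
SCHEMA = """
CREATE TABLE acct (
    ip        TEXT    NOT NULL,  -- address inside our AS
    direction TEXT    NOT NULL,  -- 'in' or 'out' relative to our AS
    bytes     INTEGER NOT NULL,  -- bytes accounted in this time bucket
    stamp     TEXT    NOT NULL   -- bucket start time (ISO-8601)
);
CREATE INDEX acct_stamp_ip ON acct (stamp, ip, direction);
"""

NOW = datetime(2024, 1, 2, 0, 0, 0)  # fixed "now" so the example is reproducible


def build_sample_db():
    """Return an in-memory database filled with constructed hourly rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = []
    for h in range(WINDOW_HOURS):
        stamp = (NOW - timedelta(hours=h + 1)).isoformat(sep=" ")
        # 27e9 bytes/hour ~= 60 Mbit/s sustained: this host is over the line
        rows.append(("203.0.113.10", "out", 27_000_000_000, stamp))
        rows.append(("203.0.113.10", "in", 2_250_000_000, stamp))   # ~5 Mbit/s
        rows.append(("203.0.113.20", "in", 4_500_000_000, stamp))   # ~10 Mbit/s
    # A large transfer from before the window: must not count toward the 24h average
    old = (NOW - timedelta(hours=30)).isoformat(sep=" ")
    rows.append(("198.51.100.5", "out", 10**12, old))
    conn.executemany("INSERT INTO acct VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def average_mbit(conn, now, window_hours):
    """Average Mbit/s per (ip, direction) over the last `window_hours`.

    The average is taken over the whole window, not only over the buckets
    that carried traffic, so a host that is idle half the day is scored
    on its true 24-hour mean rather than on its busy hours alone.
    """
    start = (now - timedelta(hours=window_hours)).isoformat(sep=" ")
    end = now.isoformat(sep=" ")
    seconds = window_hours * 3600
    cur = conn.execute(
        """
        SELECT ip, direction, SUM(bytes)
        FROM acct
        WHERE stamp >= ? AND stamp < ?
        GROUP BY ip, direction
        """,
        (start, end),
    )
    return {
        (ip, direction): total_bytes * 8 / seconds / 1e6
        for ip, direction, total_bytes in cur
    }


def find_offenders(rates, threshold_mbit):
    """Return [(ip, direction, mbit), ...] above the threshold, heaviest first."""
    hits = [(ip, d, mbit) for (ip, d), mbit in rates.items() if mbit > threshold_mbit]
    return sorted(hits, key=lambda t: t[2], reverse=True)


def main():
    conn = build_sample_db()
    rates = average_mbit(conn, NOW, WINDOW_HOURS)
    for ip, direction, mbit in find_offenders(rates, THRESHOLD_MBIT):
        # In a real cron job this line would go to mail or syslog instead of stdout
        print(f"ALERT {ip} {direction}: {mbit:.1f} Mbit/s avg over {WINDOW_HOURS}h")


if __name__ == "__main__":
    main()
```

Run from cron with `WINDOW_HOURS` set to 24 for the daily report, or point `average_mbit` at a 30-day window for the monthly review the question asks about; the index on `(stamp, ip, direction)` is what keeps the range scan cheap once the table holds months of buckets.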
I've had good results using Traffic Sentinel from InMon. It's got a nice queryable database backend and you don't have to do much manual setup to get good results. The UI feels a bit 1995, but it works, and the API is practical and useful. It's quite fast, too.
They can probably give you trial licenses to see if it works for you.
Actually the sflow standard is flexible, and there are many fields widely available, including input interface and output interface, vlan/vxlan/mpls headers, etc. The sending device just needs to support the fields.
Now I know I'm pushing my luck... but do certain vendors more fully embrace sFlow than others? Maybe one of the whitebox vendors, if not one of the majors?
Hacking support into something isn't the worst thing in the world, but if there is any experience on this to leverage off of, that is helpful.
The goal is to compile a list of equipment and network operating systems that pass the tests and publish the results on sFlow.org. Failed tests can be passed to vendors to help them improve their implementations. In addition to identifying feature support, there are also stress tests to ensure accurate results under production workloads (rapid detection of DDoS, etc.).
Involvement of operators would be great. If there are tests that are missing from the suite, please submit an enhancement request, or even better, a pull request, on GitHub. If you have a test lab and can run the tests on your own hardware, please share the results.
The open source Host sFlow agent, https://sflow.net/, has been ported to a number of white box network operating systems and provides an opportunity for the community to extend sFlow functionality and address issues in the white box ecosystem. Operator involvement in this project would be most welcome.