summary of ipflow/netflow appliance

Here is a summary of the answers I got. Again, thanks for your help.

mail from Joe

-Try fprobe, open source:

reply from Samuel

-nProbe by is a pretty robust tool for generating v5/v9 flows and
fairly inexpensive.

mail from Roland

-Lancope offer a productized version of this, I believe Endace too.

I talked to Lancope, they might provide me in 1 or 2 years with a 10G

mail from Frank

I just had an extended briefing with a company called Xangati. Very
interesting stuff, but they didn't talk about ways to obtain netflows if
your router isn't able to natively generate them.

answer from Adam

I can attest to this. nProbe is your best bet for a “virtual NetFlow
exporter”. It performs well and has tons of export formats and features. We
use it extensively for QA and testing. You do, however, have to pay a bit
for it whereas fprobe and others are free.

I talked to Peter Shaw
here is his answer

Thanks for contacting us. Yes, our Probe can handle the traffic level you
describe. Our typical, hardware-accelerated Probe has 2 Gigabit ports, and
shows less than 10% CPU utilisation when generating NetFlow records at the
full 2Gbps. We can readily build a Probe using 10Gig ports, and do not
expect any performance challenge at the traffic level you describe.
I have a couple of further questions/comments for you;
1) what Collector system do you plan to send the NetFlow records to? We
can work with any NetFlow-aware collector, but we do find that many of them
struggle to keep up with the high volume of records from our Probe. We are
working on our own Collector/buffer system to reduce this problem, and
expect this to be available in Q2'08.

I also talked to Luca Deri
here is the answer

the nPulse appliance is based on an old version of nProbe I have
developed years ago. We offer nBox appliances (
) with a new accelerated nProbe version not available to anyone but
us. Next month we plan to introduce a new model based on an accelerated
card developed with a twin company, able to outperform existing
solutions but with a lower price.

for 10G at the moment we use the Endace platform (NinjaProbe) or
Tilera (see
and search for nProbe) cards for wire rate. If you have a few Gbits, a
software nBox can also be enough, but if you go above, a hardware card
is definitely needed.
In late 2008 we should have our custom 10G card available but until
then we rely on external hardware solutions.

unless you want to buy the appliance from Endace and the software from
me, I can currently offer an nBox with dual 10G capability featuring
software packet capture acceleration for about 6K Euro. This model is
suitable for monitoring 2-3 Gbit of traffic. As I have stated before,
10G hardware capture acceleration still needs some time.

next mail from Gert

Has any of you done a reality-check before recommending these tools,
whether one of them can actually *handle* a 10G-link?
Sniffing 10G without losing packets is *hard*.
Sniffing 10G and doing any sort of math with it is *very hard*.
Any "sniff packets and do flow exports from there" application that
aims to do better than the flow hardware on the PFC3 needs to be really,
really, *really* good.


It is not easy to find a device to capture a 10G interface and generate the

When I have news, I will inform you.

Best, Stefan