Date: Mon, 08 Feb 2010 11:01:23 -0500
From: Mike Tancsa <mike@sentex.net>
To: freebsd-questions@freebsd.org
Subject: netflow vs pcap
Message-ID: <201002081601.o18G1IcT047369@lava.sentex.ca>
I am trying to deploy more visibility into parts of my network and started to look at netflow. However, I often find for some deployments, I need full pcap headers to see what had been going on. e.g. customer calls after the fact saying, "~ 36hrs ago, there was a 'problem'. Do you know what happened"... Having a full pcap (headers anyways) helps a great deal to understand / reconstruct what the site was actually seeing.

In my limited foray into netflow, I don't seem to have that level of visibility where I can see how long the 3-way handshake took to set up, if ACKs were missed due to packet loss or packets were out of order etc etc. That being said, there are wonderful summary tools in netflow that allow you to quickly look for network anomalies. However, I can always export a pcap to netflow format and then use such tools.

Is there a happy medium out there? What are people using to audit network traffic out there? Also, what are people using to capture and store netflow data?

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
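The trade-off described in the message above, shown as an added example that is not part of the original post: a constructed set of packet headers for one TCP session is collapsed into NetFlow-style unidirectional records, and the handshake time and retransmission count (which only the per-packet headers can give) are computed alongside. The packet list is constructed here for illustration, not captured from any real network.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """Minimal TCP header fields needed for the comparison (constructed, not from a real capture)."""
    ts: float; src: str; sport: int; dst: str; dport: int; flags: str; seq: int; length: int

# Constructed sample session: a slow SYN/SYN-ACK exchange and one retransmitted data segment.
PACKETS = [
    Pkt(0.000, "10.0.0.5", 40000, "192.0.2.10", 80, "S", 100, 0),
    Pkt(0.210, "192.0.2.10", 80, "10.0.0.5", 40000, "SA", 500, 0),
    Pkt(0.211, "10.0.0.5", 40000, "192.0.2.10", 80, "A", 101, 0),
    Pkt(0.212, "10.0.0.5", 40000, "192.0.2.10", 80, "PA", 101, 300),
    Pkt(0.612, "10.0.0.5", 40000, "192.0.2.10", 80, "PA", 101, 300),  # same seq again: retransmit
    Pkt(0.620, "192.0.2.10", 80, "10.0.0.5", 40000, "A", 501, 0),
    Pkt(0.700, "192.0.2.10", 80, "10.0.0.5", 40000, "PA", 501, 1200),
]

def to_flows(packets):
    """Collapse packets into NetFlow-like records keyed by (src, sport, dst, dport).
    Only first/last timestamp, counts and an OR of the flags survive; per-packet timing is gone."""
    flows = {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        f = flows.setdefault(key, {"first": p.ts, "last": p.ts, "packets": 0, "bytes": 0, "flags": set()})
        f["last"] = p.ts
        f["packets"] += 1
        f["bytes"] += p.length
        f["flags"].update(p.flags)
    return flows

def handshake_time(packets):
    """Seconds from the client's SYN to its final ACK of the 3-way handshake; None if incomplete."""
    syn = synack = None
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags == "S":
            syn = p
        elif p.flags == "SA" and syn and p.dst == syn.src:
            synack = p
        elif p.flags == "A" and synack and p.src == syn.src:
            return round(p.ts - syn.ts, 3)
    return None

def retransmissions(packets):
    """Count data segments whose (sender, seq) was already seen, i.e. likely retransmits."""
    seen, count = set(), 0
    for p in packets:
        if p.length == 0:
            continue
        key = (p.src, p.sport, p.seq)
        if key in seen:
            count += 1
        seen.add(key)
    return count
```

Running `to_flows(PACKETS)` yields two records that preserve byte and packet totals but cannot tell you the 0.211 s handshake or the retransmission that `handshake_time` and `retransmissions` recover from the same headers.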