From: Mike Tancsa <mike@sentex.net>
To: freebsd-questions@freebsd.org
Date: Mon, 08 Feb 2010 11:01:23 -0500
Subject: netflow vs pcap

I am trying to deploy more visibility into parts of my network and started to look at netflow. However, I often find for some deployments, I need full pcap headers to see what had been going on. e.g. customer calls after the fact saying, "~ 36hrs ago, there was a 'problem'. Do you know what happened"... Having a full pcap (headers anyways) helps a great deal to understand / reconstruct what the site was actually seeing.

In my limited foray into netflow, I don't seem to have that level of visibility where I can see how long the 3-way handshake took to set up, if ACKs were missed due to packet loss or packets were out of order etc etc. That being said, there are wonderful summary tools in netflow that allow you to quickly look for network anomalies.
However, I can always export a pcap to netflow format and then use such tools. Is there a happy medium out there? What are people using to audit network traffic out there? Also, what are people using to capture and store netflow data?

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
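As an added illustration of the gap the question describes (this is not code from the original post), the snippet below takes a constructed header-only capture of one TCP session, aggregates it into NetFlow-style 5-tuple records the way a pcap-to-flow export would, and separately measures the 3-way handshake timing from the same packets. The timing comes out of the packet-level data only; the flow records keep counts, bytes and first/last-seen, so that detail is gone once you have only flows.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One captured packet header (constructed sample, not a real capture)."""
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags: "S", "SA", "A", "PA"
    length: int    # bytes on the wire


# Constructed sample: one client session to a web server, headers only.
PACKETS = [
    Pkt(0.000, "10.0.0.5", 40001, "192.0.2.10", 80, "S", 74),
    Pkt(0.120, "192.0.2.10", 80, "10.0.0.5", 40001, "SA", 74),
    Pkt(0.121, "10.0.0.5", 40001, "192.0.2.10", 80, "A", 66),
    Pkt(0.122, "10.0.0.5", 40001, "192.0.2.10", 80, "PA", 200),
    Pkt(0.250, "192.0.2.10", 80, "10.0.0.5", 40001, "PA", 1500),
    Pkt(0.251, "10.0.0.5", 40001, "192.0.2.10", 80, "A", 66),
]


def to_flows(packets):
    """Aggregate packets into unidirectional flow records keyed by 5-tuple:
    packet count, byte count, first/last seen and the union of TCP flags.
    This is the shape of record a NetFlow v5 style export keeps."""
    flows = {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport, "tcp")
        f = flows.setdefault(key, {"pkts": 0, "bytes": 0, "first": p.ts,
                                   "last": p.ts, "flags": set()})
        f["pkts"] += 1
        f["bytes"] += p.length
        f["first"] = min(f["first"], p.ts)
        f["last"] = max(f["last"], p.ts)
        f["flags"].update(p.flags)
    return flows


def handshake_time(packets):
    """Per connection, measure SYN->SYN/ACK and SYN/ACK->ACK delays from the
    individual packets. Returns {(client, cport, server, sport): (d1, d2)}.
    Flow records cannot reproduce this: they have no per-packet timestamps."""
    syn_ts, synack_ts, result = {}, {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags == "S":
            syn_ts[(p.src, p.sport, p.dst, p.dport)] = p.ts
        elif p.flags == "SA":
            conn = (p.dst, p.dport, p.src, p.sport)   # reverse to client view
            if conn in syn_ts:
                synack_ts[conn] = p.ts
        elif "A" in p.flags:
            conn = (p.src, p.sport, p.dst, p.dport)
            if conn in synack_ts and conn not in result:  # first ACK completes it
                result[conn] = (round(synack_ts[conn] - syn_ts[conn], 3),
                                round(p.ts - synack_ts[conn], 3))
    return result
```

Running `to_flows(PACKETS)` gives two records (one per direction) with totals only, while `handshake_time(PACKETS)` still shows the 120 ms SYN to SYN/ACK delay the question wants to recover after the fact.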