[clug] Measuring Bandwidth usage by Application Protocol

jm jeffm at ghostgun.com
Tue Nov 3 15:07:18 MST 2009

Dale Shaw wrote:
> What application-layer detail do you need that a NetFlow-based
> solution doesn't give you? Usually (from what I've seen) this is done
> in the reporting engine, rather than the collector itself -- sometimes
> these functions are combined into one system/product. It's usually
> limited (again, based on my experience) to application recognition
> based on network and transport layer information (e.g. src/dst IP
> addresses, IP protocol numbers, TCP/UDP port numbers).

At a minimum the applications I'd like to identifiy are

Bit Torrent and other peer to peer
ftp and other file transfer protocols
http (grouped by well known URLs)
VPNs including PPTP, IP-SEC, etc

and quite a few I've mostly likely left off this list, plus the 
forgotten unknown category.
> Digging deeper into the packet gets pretty expensive in terms of
> network device resources, so perhaps a port mirror or TAP solution
> utilising a passive probe would give you the insight you need.
True. I already have all traffic mirrored to a dedicated box which is 
used for netflow.

> Anyway, which collector are you using? Are you strictly looking for a
> $free solution?
fprobe and flow-tools.

Lets see budget....ZERO dollars which is the usual problem faced when 
doing this sort of thing. For the sake of discussion feel free to 
mention the non-free.

A couple of people have suggested Cisco NBR. The only problem is that I 
don't have a cisco capable of this at the right location in the network.


More information about the linux mailing list