[clug] Measuring Bandwidth usage by Application Protocol
jeffm at ghostgun.com
Tue Nov 3 15:07:18 MST 2009
Dale Shaw wrote:
> What application-layer detail do you need that a NetFlow-based
> solution doesn't give you? Usually (from what I've seen) this is done
> in the reporting engine, rather than the collector itself -- sometimes
> these functions are combined into one system/product. It's usually
> limited (again, based on my experience) to application recognition
> based on network and transport layer information (e.g. src/dst IP
> addresses, IP protocol numbers, TCP/UDP port numbers).
At a minimum the applications I'd like to identify are
Bit Torrent and other peer to peer
ftp and other file transfer protocols
http (grouped by well known URLs)
VPNs including PPTP, IP-SEC, etc
SMTP, POP, IMAP
and quite a few I've most likely left off this list, plus the
forgotten unknown category.
> Digging deeper into the packet gets pretty expensive in terms of
> network device resources, so perhaps a port mirror or TAP solution
> utilising a passive probe would give you the insight you need.
True. I already have all traffic mirrored to a dedicated box which is
used for netflow.
> Anyway, which collector are you using? Are you strictly looking for a
> $free solution?
fprobe and flow-tools.
Let's see, budget... ZERO dollars, which is the usual problem faced when
doing this sort of thing. For the sake of discussion feel free to
mention the non-free.
A couple of people have suggested Cisco NBR. The only problem is that I
don't have a cisco capable of this at the right location in the network.
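As an added illustration of the port/protocol-based recognition Dale describes, applied to the categories listed above (not code from the thread or from flow-tools): a small Python classifier over constructed NetFlow-style records that sums bytes per application. The port table and sample flows are assumptions; note that this approach only sees well-known ports, so peer-to-peer traffic on random ports lands in "unknown".

```python
from collections import defaultdict

# Constructed flow records in flow-tools field order (addresses omitted):
# (IP protocol number, src port, dst port, octets)
SAMPLE_FLOWS = [
    (6, 51234, 80, 120_000),     # HTTP request side
    (6, 443, 40001, 300_000),    # HTTPS response side
    (6, 6881, 45000, 900_000),   # BitTorrent on its default port
    (17, 6881, 40002, 50_000),   # BitTorrent DHT (UDP)
    (6, 21, 50010, 10_000),      # FTP control channel
    (6, 1723, 50011, 5_000),     # PPTP control
    (47, 0, 0, 400_000),         # GRE carrying PPTP data (no ports)
    (50, 0, 0, 250_000),         # ESP (IPsec, no ports)
    (17, 500, 500, 2_000),       # IKE (IPsec key exchange)
    (6, 25, 50012, 30_000),      # SMTP
    (6, 993, 50013, 15_000),     # IMAPS
    (6, 31337, 31338, 7_000),    # nothing recognisable -> unknown
]

# Protocols that identify the application by themselves (GRE, ESP, AH).
PROTO_APPS = {47: "vpn", 50: "vpn", 51: "vpn"}

# Well-known (protocol, port) pairs; assumed table, extend as needed.
PORT_APPS = {
    (6, 80): "http", (6, 443): "http",
    (6, 20): "ftp", (6, 21): "ftp",
    (6, 1723): "vpn", (17, 500): "vpn", (17, 4500): "vpn",
    (6, 25): "mail", (6, 110): "mail", (6, 143): "mail",
    (6, 993): "mail", (6, 995): "mail",
}
TORRENT_PORTS = range(6881, 6890)   # BitTorrent default listening range

def classify(proto, sport, dport):
    """Return an application category from transport-layer fields only."""
    if proto in PROTO_APPS:
        return PROTO_APPS[proto]
    for port in (sport, dport):          # either side may hold the service port
        if (proto, port) in PORT_APPS:
            return PORT_APPS[(proto, port)]
    if proto in (6, 17) and (sport in TORRENT_PORTS or dport in TORRENT_PORTS):
        return "p2p"
    return "unknown"

def bytes_by_app(flows):
    """Sum octets per category so the totals can be charted as bandwidth."""
    totals = defaultdict(int)
    for proto, sport, dport, octets in flows:
        totals[classify(proto, sport, dport)] += octets
    return dict(totals)

if __name__ == "__main__":
    for app, total in sorted(bytes_by_app(SAMPLE_FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{app:8s} {total:>10d}")
```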