From owner-freebsd-net@FreeBSD.ORG Fri Sep 10 01:09:12 2004
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6DE4416A4CF; Fri, 10 Sep 2004 01:09:12 +0000 (GMT)
Received: from terror.hungry.com (terror.hungry.com [199.181.107.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 11D7243D2F; Fri, 10 Sep 2004 01:09:12 +0000 (GMT) (envelope-from tspencer@hungry.com)
Received: from [192.168.0.169] (nat.lindenlab.com [66.150.244.126]) (AUTH: LOGIN tspencer, TLS: TLSv1/SSLv3,128bits,RC4-SHA) by terror.hungry.com with esmtp; Thu, 09 Sep 2004 18:09:11 -0700
In-Reply-To: <4140B8DF.FB83435C@freebsd.org>
References: <20040905121111.GA78276@cell.sick.ru> <4140834C.3000306@freebsd.org> <20040909171018.GA11540@cell.sick.ru> <414093DE.A6DC6E67@freebsd.org> <20040909194117.GB12168@cell.sick.ru> <4140B8DF.FB83435C@freebsd.org>
Mime-Version: 1.0 (Apple Message framework v619)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
From: Tim Spencer
Date: Thu, 9 Sep 2004 18:08:39 -0700
To: Andre Oppermann
X-Mailer: Apple Mail (2.619)
cc: net@freebsd.org
Subject: Re: [TEST/REVIEW] Netflow implementation
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 10 Sep 2004 01:09:12 -0000

On Sep 9, 2004, at 1:11 PM, Andre Oppermann wrote:

> Just because you have to use Netflow on Cisco IOS doesn't mean you
> don't have (or can invent) better tools on FreeBSD.

Netflow is really useful for auditing and forensics. If you have it enabled for your routers, you can see who did what when, and how much they did it.
Thus, if you have a break-in, you can go back and see what IP addresses they came from, what places they pulled their tools down from, and where else they went afterwards.

You can also look at the logs that are generated and scan for "scary" or "odd" traffic, and thus see trends of what people are doing in your network. This allows you to get ahead of the curve and start thinking about what happens when everybody starts running that new VoIP thing that seems to send out millions of 64-byte packets or whatever. It also allows you to look at what has been filling up your pipe over the past few days, and thus be able to give precise answers to management when they ask why things have been so slow recently. The CAIDA flow-tools stuff allows you to visualize a lot of this stuff easily, and there are a lot of other good tools that work with standard netflow data out there as well.

So believe me, netflow stuff is way cool! The more we can support it, the better!

-tspencer
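The forensic pivot Tim describes (where the attacker came from, where the tools were pulled from, where the host went afterwards) and the "millions of tiny packets" check, as an added example that is not part of the original post and not the FreeBSD netflow code under review. It decodes a NetFlow v5 export datagram with the standard 24-byte header and 48-byte record layout, then runs the queries over the decoded flows. The datagram, the victim address 10.0.0.5, the other addresses and the compromise time are all constructed for the example; the port-based heuristic for "tool pulls" (21/80/443) is an assumption, not anything the post specifies.

```python
"""Decode NetFlow v5 exports and pivot on a compromised host.

Added example; not code from the mailing-list post or from the FreeBSD
netflow implementation it reviews.  All addresses, times and the sample
datagram below are constructed.
"""
import socket
import struct
from collections import namedtuple

HDR = struct.Struct(">HHIIIIBBH")             # NetFlow v5 header, 24 bytes
REC = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")   # NetFlow v5 flow record, 48 bytes
assert HDR.size == 24 and REC.size == 48

Flow = namedtuple("Flow", "src dst sport dport proto pkts octets first last flags")


def ip(n):
    return socket.inet_ntoa(struct.pack(">I", n))


def ipn(s):
    return struct.unpack(">I", socket.inet_aton(s))[0]


def parse_v5(data):
    """Return the Flow records in one NetFlow v5 datagram, rejecting bad input."""
    version, count = HDR.unpack_from(data, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > 30 or len(data) < HDR.size + count * REC.size:
        raise ValueError("truncated or oversized datagram")  # v5 sends at most 30 records
    flows = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octs, first, last,
         sport, dport, _pad, tcpflags, proto, _tos,
         _sas, _das, _sm, _dm, _pad2) = REC.unpack_from(data, HDR.size + i * REC.size)
        flows.append(Flow(ip(src), ip(dst), sport, dport, proto, pkts, octs, first, last, tcpflags))
    return flows


def build_v5(records, uptime_ms=0, unix_secs=0):
    """Pack (src, dst, sport, dport, proto, pkts, octets, first, last, flags) tuples into a v5 datagram."""
    body = b"".join(
        REC.pack(ipn(s), ipn(d), 0, 0, 0, pk, oc, fi, la, sp, dp, 0, fl, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk, oc, fi, la, fl in records)
    return HDR.pack(5, len(records), uptime_ms, unix_secs, 0, 0, 0, 0, 0) + body


def pivot(flows, victim, t_compromise):
    """Answer: who hit the victim before t_compromise, what it fetched after, where it went next."""
    inbound_before = sorted({f.src for f in flows if f.dst == victim and f.first < t_compromise})
    # Assumed heuristic: tool downloads look like victim-initiated FTP/HTTP/HTTPS after compromise.
    pulled_from = sorted({(f.dst, f.dport) for f in flows
                          if f.src == victim and f.first >= t_compromise and f.dport in (21, 80, 443)})
    went_to = sorted({f.dst for f in flows
                      if f.src == victim and f.first >= t_compromise
                      and (f.dst, f.dport) not in pulled_from})
    return inbound_before, pulled_from, went_to


def odd_traffic(flows, max_avg_bytes=64, min_pkts=1000):
    """Flag flows made of many tiny packets (the 'millions of 64-byte packets' case)."""
    return [(f.src, f.dst, f.pkts) for f in flows
            if f.pkts >= min_pkts and f.octets / f.pkts <= max_avg_bytes]


# Constructed sample: times are router sysuptime in ms; compromise assumed at 100000.
VICTIM = "10.0.0.5"
T_COMPROMISE = 100000
SAMPLE = build_v5([
    (VICTIM, "10.0.0.1", 40001, 53, 17, 2, 180, 50000, 50010, 0),            # benign DNS, before
    ("198.51.100.7", VICTIM, 51234, 22, 6, 900, 72000, 90000, 99000, 0x18),  # inbound SSH, before
    (VICTIM, "203.0.113.9", 40002, 80, 6, 400, 512000, 120000, 121000, 0x18),  # tool pull
    (VICTIM, "198.51.100.7", 40003, 4444, 6, 50, 4000, 125000, 190000, 0x18),  # reverse shell
    (VICTIM, "10.0.0.8", 40004, 445, 6, 120, 15000, 130000, 131000, 0x18),     # lateral move
    ("10.0.0.20", "10.0.0.30", 5060, 5060, 17, 5000, 300000, 60000, 199000, 0),  # tiny-packet flood
], uptime_ms=200000)


def run_example():
    flows = parse_v5(SAMPLE)
    return pivot(flows, VICTIM, T_COMPROMISE), odd_traffic(flows)


if __name__ == "__main__":
    (before, pulled, after), odd = run_example()
    print("inbound before compromise:", before)
    print("tools pulled from:", pulled)
    print("went to afterwards:", after)
    print("odd tiny-packet flows:", odd)
```

Run stand-alone it prints the three pivot answers and the one flagged flood; against a real collector you would feed `parse_v5` the UDP payloads and widen the time window rather than a single compromise timestamp.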