8 Replies Latest reply on Sep 14, 2012 3:58 PM by KMSigma

    NetFlow Repeater

    KMSigma

      I know that many people probably are running into a similar problem that I just did.  We've got software on the network that we want to use as targets for NetFlow traffic.  Since most hardware (in our case Cisco) only can point to two different NetFlow targets, I had to try and find a way to handle moving this information around without too much complexity.

       

      With that in mind, I started my searching and stumbled across a few documents talking about a software package called "samplicate" or "samplicator."  I played with it for a bit and was astounded that it worked so simply.  It's also got a very small footprint on VMware's Hypervisor.

       

      I decided to blog about it and also to create an OVA file that anyone can import directly to the Hypervisor.  Take a look at it, and hit me back with any questions or comments.

       

      Blog Link: NetFlow Repeater Virtual Appliance on Ubuntu (Samplicate) | Kevin's Ramblings

        • Re: NetFlow Repeater
          Deltona

          Sounds good. Did you test it out with SolarWinds Orion NTA? Does NTA recognize the flow being received by Ubuntu?

            • Re: NetFlow Repeater
              KMSigma

              Yes, I can confirm that NTA has no problem interpreting the packets.  There is a parameter passed to the program (-S) which states that it should re-transmit the UDP Packets with the original IP Address.  Basically, this masquerades the packet as if it is from the original source - nothing is the wiser.  If I created the configuration file correctly (which I've tested pretty exhaustively), the NetFlow Repeaters will never show up in NTA and only the traffic from the devices will show.

               

              We have two of these built within our production environment; one in each data center.  All of our NetFlow endpoints (primarily Cisco Routers) have these two IPs as the targets for the NetFlow Traffic.  I used Orion NCM to push out these changes.

               

              It's working flawlessly, with the exception that I had to really go through our Flow Sources in NTA to make sure that we were capturing exactly what we wanted.

            • Re: NetFlow Repeater
              DanielleH

              Thanks for sharing this bit of information with the community, KMSigma.

               

              DH

                • Re: NetFlow Repeater
                  KMSigma

                  No problem DanielleH.

                   

                  Thinking that SolarWinds might benefit from offering a piece of software like this. My implementation is simple, but there are plenty of ways that just this simple software can be expanded for any UDP traffic - like SNMP Traps or syslogs.

                • Re: NetFlow Repeater
                  radekn

                  Hi,

                  Samplicator can be compiled and run by Cygwin under MS Windows.

                    • Re: NetFlow Repeater
                      KMSigma

                      That's probably very true, but I've found that the memory footprint that is taken with Cygwin applications is horrible.

                      Here's how ours are currently working:

                      Processor Used:     51%

                      Memory Used:     3%

                      Network:          Sending about 8 GB / hour of flow data to 5 recipients over the last week. In the last 24 hours, it's processed 34.3 GB of NetFlow data.

                       

                      The hardware is:

                      2 Virtual CPUs (using approx 3226 MHz) with 4 GB of memory (using 40 MB) on an ESX 5 host.