0

We have a router that we need to monitor using NetFlow. The router is very important, so we are not allowed to enable Netflow on the router itself. Instead, it will have port mirroring enabled so that it can mirror traffic to another network device.

We now have two options:

a) Using software Netflow probe on a Linux server such as nProbe to convert the mirrored traffic into Netflow

b) Buy another router and enable Netflow on the other router to convert the mirrored traffic into Netflow.

We know that we can do (a).

The question is: is it possible to do (b)?

Which is more effective, (a) or (b)?

Max Ivak

2 Answers

1

Buying another router won't work because routers will typically generate Netflow records only for forwarded traffic. Since you just want it to look at the traffic without actually forwarding anything, this won't work.

Using a software probe may work, but keep in mind that the mirrored traffic doesn't contain any information other than the traffic itself. Netflow can contain interface information (inbound/outbound interface), routing data (nexthop, ASN etc.) and other useful stuff which the software probe cannot know by just looking at the traffic.

If you just need to do some basic traffic accounting, the software probe is probably sufficient, but this really depends on your use-case.

Oliver
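To make the point about missing fields concrete, here is an added example (not code from the answer or from nProbe) that aggregates mirrored frames into flows and packs them as NetFlow v5 records, leaving zero every field a passive probe cannot observe. The helper names and the sample frames are constructed for illustration, and the first/last timestamps are left at 0 for brevity.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 flow record layout (48 bytes, network byte order).
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def make_frame(src, dst, sport, dport, payload_len, flags=0x18):
    """Build a constructed Ethernet/IPv4/TCP frame for the demo (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\x00" * payload_len

def aggregate(frames):
    """Group mirrored frames into flows keyed by the 5-tuple plus ToS."""
    flows = defaultdict(lambda: {"pkts": 0, "octets": 0, "flags": 0})
    for f in frames:
        if f[12:14] != b"\x08\x00":          # skip anything that is not IPv4
            continue
        ihl = (f[14] & 0x0F) * 4
        tos, total, proto = f[15], struct.unpack("!H", f[16:18])[0], f[23]
        if proto not in (6, 17):             # only TCP/UDP carry ports
            continue
        l4 = 14 + ihl
        sport, dport = struct.unpack("!HH", f[l4:l4 + 4])
        flow = flows[(f[26:30], f[30:34], sport, dport, proto, tos)]
        flow["pkts"] += 1
        flow["octets"] += total              # v5 counts layer-3 bytes
        if proto == 6:
            flow["flags"] |= f[l4 + 13]      # cumulative OR of TCP flags
    return flows

def to_v5_records(flows):
    """Pack flows as v5 records; fields a passive probe cannot observe stay 0."""
    out = []
    for (src, dst, sport, dport, proto, tos), s in flows.items():
        out.append(V5_RECORD.pack(
            src, dst,
            b"\x00" * 4,   # nexthop: needs the router's routing table
            0, 0,          # input/output ifIndex: needs the router's interfaces
            s["pkts"], s["octets"], 0, 0,   # first/last uptime omitted in this demo
            sport, dport, 0, s["flags"], proto, tos,
            0, 0,          # src_as/dst_as: needs BGP data
            0, 0, 0))      # src_mask/dst_mask (route prefix lengths), pad
    return out
```

A collector receiving these records can still do per-host and per-port accounting, but any report keyed on interface, next hop or AS will be empty.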
1

Have you considered using network TAPs like Ixia's TAP products instead of port mirroring?

A TAP is a passive splitting device placed between 2 network devices and provides a monitoring connection. The TAP duplicates all traffic and forwards it to the monitoring device; the device receives all traffic as if it were inline, including errors.

The main differences between a network TAP and port mirroring are:

  • A TAP captures everything on the wire, including errors; in port mirroring those packets will be dropped.

  • A TAP is unaffected by bandwidth saturation.

  • A TAP is simple to install; port mirroring requires an engineer's intervention.

  • A TAP is more secure, it can't be hacked; port mirroring is vulnerable.

  • Port mirroring is a good way to capture traffic on several ports at once.

  • Port mirroring is cheaper.

Mika Wolf