10-21-2019 08:48 AM
Hi everyone. I need to do some traffic analysis on a small network, we have a 3560x switch, several 2960s switches, one fortigate 200e, and of course a couple hundred computers. If I want to do this, is SPAN my only choice? From what I've read, SPAN seems to be a traffic monitoring tool, not a traffic analysis tool like sflow or netflow are. What can I do?
10-22-2019 12:45 AM
Hi there,
While I agree with both @balaji.bandi and @Captain HoOmi about the use of netflow, use of a SPAN port is a valid method for traffic analysis. It depends on the fidelity of analysis you want to achieve. Keep in mind that netflow collectors sample traffic (x packets in x), extract metadata from the captured streams and export it to a netflow analyser.
A SPAN port will capture every packet and its payload. This can be used for IDS or SIEM systems, which are normally directly attached and can ingest the data arriving at a high rate.
Examples of open-source SIEM systems would be: AlienVault (https://www.alienvault.com) or Security Onion (https://securityonion.net/)
An example of a traffic analyser that uses a SPAN port would be ntop (https://www.ntop.org/)
As for open-source netflow analysers, take a look at nfsen (http://nfsen.sourceforge.net/) or nfsen-ng (https://github.com/mbolli/nfsen-ng)
cheers,
Seb.
10-21-2019 09:25 AM
Sflow or netflow is the right tool for traffic analysis based on the port.
Here is a good document with Elasticsearch:
https://blogs.cisco.com/security/step-by-step-setup-of-elk-for-netflow-analytics
You can also do this with the Fortinet FW; depending on the version you have (5.X), you have these features:
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/476970
10-22-2019 12:24 AM
SPAN is not a solution for this requirement. You have to configure netflow and sflow and also a netflow analyzer.
For 3560x:
https://community.cisco.com/t5/switching/netflow-configuration-on-3560x-switch/td-p/3092188
For 2960s: Netflow not supported. Is 3560x your distribution switch? Then enabling netflow on interfaces connected to 2960s switches will capture the traffic flow for analysis.
For Fortigate: https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/Troubleshootin/sFlow%20support.htm
Free Flow analyser:
Cacti and Plixer Scrutinizer are good free ones, and ManageEngine netflow analyser is a good paid version
10-22-2019 01:23 AM
Yep, I agree with you 100%, but the big difference between Netflow and SPAN is that with SPAN you'll end up with a copy of every packet which is sent to the destination port (including the payload of the packets). I've seen SPAN mostly implemented for IPS solutions to inspect packets or for call recordings and not necessarily just for analysing traffic flows. With Netflow you only see traffic stats based on IP, application and port. You won't have the payload of the packets.
10-22-2019 05:42 PM
Thanks to both of you, I really appreciate your comments.
10-23-2019 12:26 AM
Yes, many open-source ones are growing big, some of them very good... I see greylogger has a good GUI, all pre-installed. Worth trying.
If this solution works for your needs, mark it as resolved.