[LibreQoS] Fwd: Open source Netflow analysis for monitoring AS-to-AS traffic

[LibreQoS] Fwd: Open source Netflow analysis for monitoring AS-to-AS traffic

[Dave Taht]

[-- Attachment #1: Type: text/plain, Size: 1804 bytes --]

---------- Forwarded message ---------
From: Brian Knight via NANOG <nanog@nanog.org>
Date: Tue, Mar 26, 2024, 5:06 PM
Subject: Open source Netflow analysis for monitoring AS-to-AS traffic
To: <nanog@nanog.org>


What's presently the most commonly used open source toolset for monitoring
AS-to-AS traffic?

I want to see with which ASes I am exchanging the most traffic across my
transits and IX links. I want to look for opportunities to peer so I can
better sell expansion of peering to upper management.

Our routers are mostly $VENDOR_C_XR so Netflow support is key.

In the past, I've used AS-Stats <https://github.com/manuelkasper/AS-Stats>
for this purpose. However, it is particularly CPU and disk IO intensive.
Also, it has not been actively maintained since 2017.

InfluxDB wants to sell me
<https://www.influxdata.com/what-are-netflow-and-sflow/> on Telegraf +
InfluxDB + Chronograf + Kapacitor, but I can't find any clear guide on what
hardware I would need for that, never mind how to set up the software. It
does appear to have an open source option, however.

pmacct seems to be good at gathering Netflow, but doesn't seem to analyze
data. I don't see any concise howto guides for setting this up for my
purpose, however.

I'm aware Kentik does this very well, but I have no budget at the moment,
my testing window is longer than the 30 day trial, and we are not prepared
to share our Netflow data with a third party.

Elastiflow <https://www.elastiflow.com/> appears to have been open source
<https://github.com/robcowart/elastiflow?tab=readme-ov-file> at one time in
the past, but no longer. Since it too appears to be hosted, I have the same
objections as I do with Kentik above.

On-list and off-list replies are welcome.

Thanks,

-Brian

[-- Attachment #2: Type: text/html, Size: 3341 bytes --]

Re: [LibreQoS] Fwd: Open source Netflow analysis for monitoring AS-to-AS traffic

[Hayden Simon]

[-- Attachment #1: Type: text/plain, Size: 2768 bytes --]

We run Akvorado (which has its own interface, but can also interface with Grafana.

Depending on the level of traffic you are doing it is pretty hungry though – we recently moved ours to bare metal.

Hope that helps?

HAYDEN​​​​ SIMON
UBER GROUP LIMITED
MANAGING DIRECTOR
[https://uber.nz/app/uploads/signatures/uber-facebook-icon.png]<https://www.facebook.com/UberGroup?_rdr=p>
[https://uber.nz/app/uploads/signatures/uber-twitter-icon.png]<https://twitter.com/ubergroupltd>
E: h@uber.nz<mailto:h@uber.nz>
M: 021 0707 014<tel:021%200707%20014>
W: www.uber.nz<http://www.uber.nz/>
53 PORT ROAD | PO BOX 5083 | WHANGAREI | NEW ZEALAND





From: LibreQoS <libreqos-bounces@lists.bufferbloat.net> On Behalf Of Dave Taht via LibreQoS
Sent: Sunday, June 9, 2024 6:53 AM
To: libreqos <libreqos@lists.bufferbloat.net>
Subject: [LibreQoS] Fwd: Open source Netflow analysis for monitoring AS-to-AS traffic


---------- Forwarded message ---------
From: Brian Knight via NANOG <nanog@nanog.org<mailto:nanog@nanog.org>>
Date: Tue, Mar 26, 2024, 5:06 PM
Subject: Open source Netflow analysis for monitoring AS-to-AS traffic
To: <nanog@nanog.org<mailto:nanog@nanog.org>>

What's presently the most commonly used open source toolset for monitoring AS-to-AS traffic?

I want to see with which ASes I am exchanging the most traffic across my transits and IX links. I want to look for opportunities to peer so I can better sell expansion of peering to upper management.

Our routers are mostly $VENDOR_C_XR so Netflow support is key.

In the past, I've used AS-Stats<https://github.com/manuelkasper/AS-Stats> for this purpose. However, it is particularly CPU and disk IO intensive. Also, it has not been actively maintained since 2017.

InfluxDB wants to sell me<https://www.influxdata.com/what-are-netflow-and-sflow/> on Telegraf + InfluxDB + Chronograf + Kapacitor, but I can't find any clear guide on what hardware I would need for that, never mind how to set up the software. It does appear to have an open source option, however.

pmacct seems to be good at gathering Netflow, but doesn't seem to analyze data. I don't see any concise howto guides for setting this up for my purpose, however.

I'm aware Kentik does this very well, but I have no budget at the moment, my testing window is longer than the 30 day trial, and we are not prepared to share our Netflow data with a third party.

Elastiflow<https://www.elastiflow.com/> appears to have been open source<https://github.com/robcowart/elastiflow?tab=readme-ov-file> at one time in the past, but no longer. Since it too appears to be hosted, I have the same objections as I do with Kentik above.

On-list and off-list replies are welcome.

Thanks,

-Brian


[-- Attachment #2: Type: text/html, Size: 15929 bytes --]

[LibreQoS] Fwd: Open source Netflow analysis for monitoring AS-to-AS traffic

[Dave Taht]

[-- Attachment #1: Type: text/plain, Size: 2718 bytes --]

Yes, according to nanog this is popular.

---------- Forwarded message ---------
From: Marinos Dimolianis <dimolianis.marinos@gmail.com>
Date: Wed, Mar 27, 2024, 4:11 PM
Subject: Re: Open source Netflow analysis for monitoring AS-to-AS traffic
To: Andrew Hoyos <hoyosa@gmail.com>, Brian Knight <ml@knight-networks.com>
Cc: North American Operators' Group <nanog@nanog.org>


Brian,

I have used Akvorado in an environment with ~80G of traffic and I was super
happy.

It can be easily set via a docker-compose file and amongst its key benefits
is the user-friendly UI that allows you to gain insight into your network
traffic.

There is also a demo instance available to find out what to expect:
https://demo.akvorado.net/

My only "concern" was that it did not provide an API for consuming data
externally.

- Marinos
On 3/27/2024 2:55 AM, Andrew Hoyos wrote:

Brian,

Take a peek at Akvorado - https://github.com/akvorado/akvorado
We recently set up a lab instance, and seems to check the boxes below.

On Mar 26, 2024, at 19:04, Brian Knight via NANOG <nanog@nanog.org>
<nanog@nanog.org> wrote:

What's presently the most commonly used open source toolset for monitoring
AS-to-AS traffic?

I want to see with which ASes I am exchanging the most traffic across my
transits and IX links. I want to look for opportunities to peer so I can
better sell expansion of peering to upper management.

Our routers are mostly $VENDOR_C_XR so Netflow support is key.

In the past, I've used AS-Stats <https://github.com/manuelkasper/AS-Stats>
for this purpose. However, it is particularly CPU and disk IO intensive.
Also, it has not been actively maintained since 2017.

InfluxDB wants to sell me
<https://www.influxdata.com/what-are-netflow-and-sflow/> on Telegraf +
InfluxDB + Chronograf + Kapacitor, but I can't find any clear guide on what
hardware I would need for that, never mind how to set up the software. It
does appear to have an open source option, however.

pmacct seems to be good at gathering Netflow, but doesn't seem to analyze
data. I don't see any concise howto guides for setting this up for my
purpose, however.

I'm aware Kentik does this very well, but I have no budget at the moment,
my testing window is longer than the 30 day trial, and we are not prepared
to share our Netflow data with a third party.

Elastiflow <https://www.elastiflow.com/> appears to have been open source
<https://github.com/robcowart/elastiflow?tab=readme-ov-file> at one time in
the past, but no longer. Since it too appears to be hosted, I have the same
objections as I do with Kentik above.

On-list and off-list replies are welcome.

Thanks,

-Brian

[-- Attachment #2: Type: text/html, Size: 6074 bytes --]

Re: [LibreQoS] Open source Netflow analysis for monitoring AS-to-AS traffic

[Dave Taht]

[-- Attachment #1: Type: text/plain, Size: 4266 bytes --]

We are in the process of adding netflow collection to libreqos. Any
potential testers using any of these backends described below out there?

On Thu, Mar 28, 2024, 5:02 PM Brian Knight via NANOG <nanog@nanog.org>
wrote:

> Thanks to all who took the time to comment and make suggestions.
>
> To summarize the private messages, one respondent suggested Argus as a
> collector. Another mentioned that they are still using AS-Stats.
>
> I'm drawn to Akvorado. I like the self-contained nature of the
> application. NF collector, database, and modern web GUI are all bundled in
> one docker container. The full-featured demo <https://demo.akvorado.net/>
> is fantastic. That the app can enrich the Netflow data with BMP is an added
> bonus.
>
> The best part is, the GUI has the report viz I need, and it is actually
> the default visualization in the demo. It also has the graph types that I
> didn't know I needed, like the Sankey graph.
>
> FlowViewer looks interesting as well. I suspect getting the reports right
> may take some time, given the amount of GUI filtering options.
>
> pmacct and Argus seem to be capable tools that have been around for a long
> time, but I haven't seen a concise stack building guide to get Netflow data
> into a good GUI using these. Looks like there are some older Docker images
> available for both. I could write my own SQL or roll my own stack, but I'd
> much rather spend my time on other things.
>
> I appreciate the conversation around sFlow. I actually wasn't aware that
> XR supported it. AS path probably doesn't add a whole lot of value given
> that I'm focused on flows across our IP transit circuits. I'm able to
> determine my next AS hop simply by looking at the flow's associated tuple
> of (flow exporter, interface). I can use other tools like RouteViews or
> RIPE's RIS to determine the destination AS's upstreams if needed. The rest
> of the path is probably not too helpful for determining peering
> opportunities.
>
> I think I'm going to get Akvorado running in my environment. If that
> doesn't pan out, I'll likely go back to AS-Stats.
>
> Can those running Akvorado comment on their system specs? The only spec
> I've seen is a mention in this blog post
> <https://vincent.bernat.ch/en/blog/2022-akvorado-flow-collector>:
> "Akvorado is performant enough to handle 100 000 flows per second with 64
> GB of RAM and 24 vCPU. With 2 TB of disk, you should expect to keep data
> for a few years."
>
> Thanks again all,
>
> -Brian
>
>
> On 2024-03-26 19:04, Brian Knight via NANOG wrote:
>
> What's presently the most commonly used open source toolset for monitoring
> AS-to-AS traffic?
>
> I want to see with which ASes I am exchanging the most traffic across my
> transits and IX links. I want to look for opportunities to peer so I can
> better sell expansion of peering to upper management.
>
> Our routers are mostly $VENDOR_C_XR so Netflow support is key.
>
> In the past, I've used AS-Stats <https://github.com/manuelkasper/AS-Stats>
> for this purpose. However, it is particularly CPU and disk IO intensive.
> Also, it has not been actively maintained since 2017.
>
> InfluxDB wants to sell me
> <https://www.influxdata.com/what-are-netflow-and-sflow/> on Telegraf +
> InfluxDB + Chronograf + Kapacitor, but I can't find any clear guide on what
> hardware I would need for that, never mind how to set up the software. It
> does appear to have an open source option, however.
>
> pmacct seems to be good at gathering Netflow, but doesn't seem to analyze
> data. I don't see any concise howto guides for setting this up for my
> purpose, however.
>
> I'm aware Kentik does this very well, but I have no budget at the moment,
> my testing window is longer than the 30 day trial, and we are not prepared
> to share our Netflow data with a third party.
>
> Elastiflow <https://www.elastiflow.com/> appears to have been open source
> <https://github.com/robcowart/elastiflow?tab=readme-ov-file> at one time
> in the past, but no longer. Since it too appears to be hosted, I have the
> same objections as I do with Kentik above.
>
> On-list and off-list replies are welcome.
>
> Thanks,
>
> -Brian
>
>
>
>

[-- Attachment #2: Type: text/html, Size: 5955 bytes --]