[Bro] Bro vs NetFlow

Alec Waters Alec.Waters at dataline.co.uk
Sat Oct 5 08:54:54 PDT 2013


Hi Jay,

We use both NetFlow and Bro.

Each has its pros and cons of course, but from my point of view NetFlow is a "truer" picture of flow activity because it's a 100% layer3 export - things like malformed TCP streams sometimes won't get logged by apps that take a layer4-or-higher view of the world. It's also unidirectional - apps that mung the A->B traffic together with the B->A traffic occasionally suffer from ambiguity of client/server identity, which makes report writing hard. Finally, NetFlow can be configured to prematurely export long-lived flows, meaning that you can see how many bytes were transferred at different points in the flow, rather than just knowing that X bytes were transferred in total.

In my experience, having two or more tools doing the "same" job in different ways isn't the galactic waste it may appear to be :)

alec
--
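As an added illustration (not part of Alec's mail, and not code from Bro or any NetFlow collector), the script below pairs constructed unidirectional NetFlow-style records into conversations, picks a client/server side with a simple heuristic, and keeps the per-export byte timeline that premature export of long-lived flows makes possible. The record format, the sample values and the client heuristic are assumptions made for the example.

```python
from collections import defaultdict

# Constructed unidirectional NetFlow-style records (not real captures).
# A long-lived flow that hits the exporter's active timeout shows up as
# several records sharing one 5-tuple, each covering one time slice.
RECORDS = [
    {"src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 443,
     "proto": 6, "first": 0, "last": 60, "bytes": 4_000},
    {"src": "192.0.2.10", "sport": 443, "dst": "10.0.0.5", "dport": 51234,
     "proto": 6, "first": 1, "last": 60, "bytes": 90_000},
    {"src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 443,
     "proto": 6, "first": 60, "last": 120, "bytes": 1_000},
    {"src": "192.0.2.10", "sport": 443, "dst": "10.0.0.5", "dport": 51234,
     "proto": 6, "first": 60, "last": 120, "bytes": 250_000},
]


def conversation_key(r):
    """Direction-independent key so A->B and B->A records share one bucket."""
    a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
    return (r["proto"],) + (a + b if a <= b else b + a)


def stitch(records):
    """Pair unidirectional records into conversations with a byte timeline.

    Client/server is a heuristic (assumption): the endpoint whose record
    starts earliest is the client; on a tie, the higher (ephemeral) port is.
    Returns {key: {"client", "server", "timeline": [(t, (c2s, s2c)), ...]}}
    where the timeline holds cumulative bytes at each export point.
    """
    groups = defaultdict(list)
    for r in records:
        groups[conversation_key(r)].append(r)
    convs = {}
    for key, recs in groups.items():
        origin = min(recs, key=lambda x: (x["first"], -x["sport"]))
        client = (origin["src"], origin["sport"])
        server = (origin["dst"], origin["dport"])
        c2s = s2c = 0
        timeline = {}
        for r in sorted(recs, key=lambda x: x["last"]):
            if (r["src"], r["sport"]) == client:
                c2s += r["bytes"]
            else:
                s2c += r["bytes"]
            timeline[r["last"]] = (c2s, s2c)  # snapshot after this export
        convs[key] = {"client": client, "server": server,
                      "timeline": sorted(timeline.items())}
    return convs


if __name__ == "__main__":
    for conv in stitch(RECORDS).values():
        print(conv["client"], "->", conv["server"], conv["timeline"])
```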