Cisco routers

What particular aspects of Netflow would you like to see supported in Zabbix?

There is already a great Netflow collector in the form of ntop, so perhaps an ntop integration module for Zabbix would be a better idea?

I think a integration module with ntop would be excellent, but and the integration of the events as would be?

That's what I'm asking you. What Netflow parameters would you like to monitor? Per-interface? Per-host? Down to individual source:port dest:port level?

Sorry, i like to monitor Netflow estatistics per host and per interface, and analize protocols like ntop.
Thanks.
Mauricio

I have a huge need for this as well.

Me also, i would like to see netflow support on next ZABBIX major release.

We also have a huge need for Netflow.

Some thoughts from an enterprise network monitoring/automation professional who deployed commercial netflow systems.

A Netflow collector will need to scale better than OSS NTOP does. With the enterprise network we have to maintain, we find that NTOP crashes under just about any netflow feed we give it. Typical netflow feeds are about 50k flows per second (and that's sampled) and we actual send small fractions of this feed and we still get crashes. We simply cannot use NTOP for large scenarios so Zabbix should consider how their SNMP poller/distributed system architecture will scale compared to NTOP. I think you need your own flow listener and it should be distributed as well.

Additionally one must consider the netflow version to be supported. v5 is very common in production networks these days but v9 and IPFIX are showing up more often. Jflow, Sflow and other flow implementations should also be considered for support. Perhaps zabbix.com should have a survey for network device platforms so the range of protocols to support are understood. Such information could be used by the zabbix folks for template creation as well.

As for what we should be monitoring here are some suggestions.

1.) Graph all flows for a given interface and compare the SNMP stats for the same to find out if flows are missing (calibration).
2.) Use standard deviation formulas to determine if a DDOS attack is happening on a transit link (detection).
3.) Take some IP addresses and show flows tied to them as one single entity like a product line, division or department (analysis).
4.) Provide capacity analytics for this and the traditional SNMP data sets (capacity planning).
5.) Watch for evil IPs like known C&C control addresses entering the network. (detection)
6.) Observe customer bandwidth usage (billing).
7.) Look for missing flows (SLA monitoring,website is down)

These are probably the biggest payoffs for a netflow system so use cases should include the above in my opinion.

Could we monitoring a jflow (Juniper) with Zabbix?, How can do it?, there is an add-on to this funtionality?

Thanks

I have need for this too, I am looking for an application to do this, it would be great if zabbix had this feature native.

We need to see the consumption of interfaces per protocol, per ip destinations, per ip origin, per ports and alerts of custom thresholds too.

Implementing Netflow is probably not just about adding yet another item to monitor.
I assume this needs significant amount of time for investigation and developing.

However, even when not being that familiar with *flow, I can see a big benefit for the "network monitoring" domain and hope enough people will find together to (co-)sponsor this.

There is a large need for this feature today.  nprobe now requires a per system license to use.  I use Zabbix for monitoring everything in our environment.  The ability to collect and display sFlow data is the only thing I have not been able to get Zabbix to do.  A feature set similar to ntop-ng community with a  built-in collector would be a perfect starting point.

This is a very important peace still missing with Zabbix.

Not sure if this is mentioned earlier. It would be good to have an option to use zabbix agent to export NetFlow directly from a server that is subject of monitoring. Ideally to be able also to turn it on on-demand when some really detailed troubleshooting is needed.