CatchWire as Network Flow Exporter

In network environments, NetFlow is the de facto standard for network traffic accounting. CatchWire can be configured as a light NetFlow v5/v9/IPFIX network probe for network monitoring, analysis and troubleshooting. Metadata collected by CatchWire is sent to collector and analytics platforms, inline or out of band using wireless technologies.


To satisfy emerging needs for inexpensive Network Flow exporter sensors, we developed nTAP, our CatchWire appliance loaded with the latest nProbe software from ntop. Please refer to the slides dedicated to nProbe in Prof. Luca Deri's Sharkfest 2015 presentation [PDF || PPT || Video].
NetFlow can be used to implement the network as a sensor concept, allowing for deep and broad visibility into unknown and unusual traffic patterns, and into compromised devices. Here are the advantages of using nTAP over other network monitoring equipment:

- nTAP extends Flexible NetFlow, Cisco’s next-generation NetFlow that can track a wide range of Layer 2, IPv4, and IPv6 flow information with over a hundred custom metadata fields, including Layer 7 application visibility (250+ applications including Skype, BitTorrent and Citrix).
- nTAP provides full IPFIX support: PEN (Private Enterprise Numbers) and Variable length encoding.
- To gain network visibility, Test Access Ports (TAPs) or Switched Port Analyzer (SPAN) ports must be configured when the Cisco NetFlow Generation Appliance (NGA) or other sensors are deployed. CatchWire, on the other hand, does not have such a requirement.
- Many network infrastructure components, including legacy Cisco equipment, are not capable of producing unsampled NetFlow data at line rate.
- Rack-mounted units have a high purchase cost, are bulky and heavy, and have high power consumption. CatchWire is a light, small form factor, easily deployable physical network probe with very low power consumption (under 3 W). As a result, it does not require infrastructure changes and can be easily moved within the network depending on the target for security monitoring.