On Tue, 30 Aug 2005, Viktor Steinmann wrote:
We used netflow on all external interfaces towards upstream & peerings, so we could find out, how much traffic we were exchaning with which AS. It's quite a nice feature for peering policy decisions (or the decision, if you should change your upstream)
The tool we used was flowscan (http://www.caida.org/tools/utilities/flowscan/), but I hear there are others as well (especially, if you are willing to shed out some money :-))
Another nice use for netflow data are intrusion detection systems, that can find out unusual traffic patterns with heuristic methods. Since those systems are quite expensive, I don't have any first-hand experience, but I hear, they have a long learning period, need a lot of tweaking until they do, what they're supposed to do... If you're interested in this stuff, I guess Nico (Fischbach) is your man :-)
As I have worked with Nico on this area (security uses of NetFlow), i'll take the freedom to hijack his potential answer :) The fact is, you don't necessarily need to put big bucks, and simple heuristics such as top speakers (top in bytes, packets, and / or duration) can learn you a lot about potential misuses on your network. Good free software is avalaible for that (nfdump / nfsen has already been advertized by his author :))
In fact, we have set up a list [1] to host this kind of discussions related to NetFlow: analysis, heuristics to be used, database design (or not), ... At the end of the day, i'm not sure we all can come with something as cool as the arbor products, but if it permits to get the job done ...
(sorry for you nanogers)
- yann