I'm not afraid to mix open source tools with commercial products, and this follows on from some testing on the NetFlow front.
Not everyone has a NetFlow-capable switch or router on the network. The following can be achieved just as easily with a Snort sensor, or a Cisco IPS or third-party supported IDS/IPS sensor (the better options), so this is purely for reference.
There are open source tools available that will simply sniff the network via a tap/SPAN port and spit this out as NetFlow.
One such tool is nProbe, which is an extensible NetFlow v5/v9/IPFIX GPL probe for IPv4/v6.
There are others too, for instance NDSAD, but for my testing I used nProbe.
Now we can simply send the NetFlow records to MARS, and MARS will process these.
and similarly looking at an individual session
and an example raw event message
You will get an obvious error when this is submitted, and there was no SNMP available from my nProbe box, but this can be ignored,
and similarly the session and raw event information.
As a final note, remember this is a very inefficient use of the MARS box's resources, so it would not be recommended on a large production network!
So don't be blaming me if you ever try it out! :-)