ng_netflow and bridging firewall

Ganbold ganbold at micom.mng.net
Wed Aug 31 08:54:02 GMT 2005


At 08:10 PM 8/30/2005, you wrote:
>On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
>G> ngctl mkpeer xl1: tee lower right
>G> ngctl connect xl1: xl1:lower upper left
>G> ngctl name xl1:lower xl1_tee
>G> ngctl mkpeer xl1_tee: netflow left2right iface0
>G> ngctl name xl1:lower.left2right netflow
>G> ngctl connect xl1_tee: netflow: right2left iface1
>G> ngctl msg netflow: setifindex { iface=0 index=2 }
>G> ngctl msg netflow: setifindex { iface=1 index=1 }
>G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
>G> ngctl msg netflow:export connect inet/127.0.0.1:8818
>G>
>G> I'm just using second xl1 interface for ng_netflow. However when I see the
>G> flow data I can only see my network addresses in
>G> the dstIP field. Is it correct? I thought both srcIP, dstIP should contain
>G> my IPs,  because I'm trying to catch traffic which goes both directions of
>G> xl1. Is my assumption correct? If I'm wrong, how to make it work in the
>G> correct way?
>
>No. Look at ng_ether(4) manpage, and draw your graph. You are catching only
>one direction with the above script.

OK. I see. I'm catching only incoming traffic to the xl1 interface.
I can see it by issuing the ngctl msg xl1_tee: getstats command and also
the flowctl netflow: show command.

I read the ng_ether man page and didn't quite get it.

I'm including the xl0 interface in a similar way to xl1.
Is the following sufficient for catching outgoing traffic?

ngctl mkpeer xl0: tee lower right
ngctl connect xl0: xl0:lower upper left
ngctl name xl0:lower xl0_tee
ngctl mkpeer xl0_tee: netflow left2right iface2
ngctl name xl0:lower.left2right netflow0
ngctl msg netflow0: setifindex { iface=2 index=4 }
ngctl connect xl0_tee: netflow0: right2left iface3
ngctl msg netflow0: setifindex { iface=3 index=3 }
ngctl mkpeer netflow0: ksocket export inet/dgram/udp
ngctl msg netflow0:export connect inet/127.0.0.1:8818

The graph is something like:

             ng_ether
     upper |          | lower
      left |          | right
              ng_tee
right2left |          | left2right
    iface0 |          | iface1
            ng_netflow

Maybe I did something wrong. How should I do it the right way?
I googled and didn't find good sources/samples for ng_netflow.

Thanks in advance,

Ganbold
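
One way to check which directions a collector is actually receiving, following the observation above that only dstIP held local addresses: tally NetFlow v5 records by input ifindex and by whether the source or destination is local. This is an added example, not part of the original message; it assumes the node exports NetFlow v5, and the 192.0.2.0/24 local prefix, the sample flows and the helper names are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record


def parse_v5(datagram):
    """Yield (input_ifindex, src, dst) for each record in one NetFlow v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds datagram length")
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        yield f[3], ipaddress.IPv4Address(f[0]), ipaddress.IPv4Address(f[1])


def direction_tally(datagrams, local_net):
    """Count flows per (input ifindex, local-src | local-dst | both | neither)."""
    net = ipaddress.ip_network(local_net)
    tally = Counter()
    for d in datagrams:
        for ifindex, src, dst in parse_v5(d):
            s, t = src in net, dst in net
            kind = "both" if s and t else "local-src" if s else "local-dst" if t else "neither"
            tally[(ifindex, kind)] += 1
    return tally


def build_v5(flows):
    """Constructed test input: pack (input_ifindex, src, dst) tuples into one datagram."""
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                       b"\0" * 4, ifx, 0, 1, 64, 0, 0, 1024, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for ifx, s, d in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body


if __name__ == "__main__":
    # Constructed flows resembling a one-direction capture: every record has a local dst.
    sample = build_v5([(2, "198.51.100.7", "192.0.2.10"), (2, "203.0.113.9", "192.0.2.11")])
    print(dict(direction_tally([sample], "192.0.2.0/24")))
```

If every record lands in the local-dst bucket under a single ifindex, the export covers one direction only; a capture of both directions shows local-src flows as well.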





More information about the freebsd-isp mailing list