netgraph & netflow

Glenn Dawson glenn at antimatter.net
Fri May 6 11:50:21 PDT 2005


At 05:15 AM 5/6/2005, Brian McCann wrote:
>That did the trick I think.  I'll know after an hour or so of "real"
>traffic going through it.  It at least helped me understand it a lot
>better.

Excellent.

One quick note to clarify things a little.  According to Cisco's 
documentation on netflow, when it's enabled on an interface it only counts 
inbound traffic.  If you want to count traffic going in two directions, you 
have to enable it on two interfaces, which is why (I assume) the examples 
in the man page are the way they are.

-Glenn


>Thanks!
>--Brian
>
>On 5/5/05, Glenn Dawson <glenn at antimatter.net> wrote:
> > At 07:26 AM 5/5/2005, you wrote:
> > >Hi all.  I'm trying to get ng_netflow to work, and I'm having a heck
> > >of a time doing so.  So if anyone can shed some light on my problem,
> > >please do so.  I've tried multiple configurations, and can't get it to
> > >work right.  I can only get it to see traffic in one direction (for
> > >example, flows from other PCs to the server.  Flows starting from the
> > >server started by something like fetch or ssh don't show up as
> > >sourcing from the server).  Here is the config that I thought would do
> > >that, but it's not.
> > >
> > >mkpeer fxp1: tee lower right
> > >connect fxp1: fxp1:lower upper left
> > >mkpeer fxp1:lower netflow left2right iface0
> > >name fxp1:lower.left2right fxp1_netflow
> > >msg fxp1_netflow: setifindex { iface=0 index=5 }
> > >mkpeer fxp1_netflow: ksocket export inet/dgram/udp
> > >msg fxp1_netflow:export connect inet/127.0.0.1:9800
> > >
> > >Using this, when I run flowctl, it shows the source interface as ppp0
> > >and sometimes sl0, which isn't even connected, and a dest interface of
> > >fxp1.  If I switch all the "left2right"s with "right2left"s, I get
> > >only flows going to the server...so after reading how the tee in
> > >netgraph works, I assumed if I switched it, it would show the other
> > >direction.
> >
> > Try this...I've used it to catch flows in both directions for an em
> > interface....you can probably tweak it to work in your situation...
> >
> > mkpeer em0: tee lower right
> > connect em0: em0:lower upper left
> > name em0:lower em0_tee
> > mkpeer em0_tee: netflow left2right iface0
> > name em0:lower.left2right netflow
> > connect em0_tee: netflow: right2left iface1
> > msg netflow: setifindex { iface=0 index=2 }
> > msg netflow: setifindex { iface=1 index=1 }
> > mkpeer netflow: ksocket export inet/dgram/udp
> > msg netflow:export connect inet/x.x.x.x:4444
> >
> > -Glenn
> >
> > >Any thoughts, suggestions?
> > >Thanks,
> > >--Brian
> > >
> > >--
> > >_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
> > >Brian McCann
> > >Systems & Network Administrator, K12USA
> > >
> > >"I don't have to take this abuse from you -- I've got hundreds of
> > >people waiting to abuse me."
> > >                 -- Bill Murray, "Ghostbusters"
> >
> >
>
>
>--
>_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
>Brian McCann
>Systems & Network Administrator, K12USA
>
>"I don't have to take this abuse from you -- I've got hundreds of
>people waiting to abuse me."
>                 -- Bill Murray, "Ghostbusters"
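
A collector-side check for the one-direction symptom discussed in this thread, added here as an example and not part of the original messages. It assumes the export arriving from the ksocket is NetFlow v5 and reports which of the setifindex values never show up as an input interface; the function names and sample datagrams are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 wire layout: 24-byte header followed by 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Return (src, dst, input_ifindex, output_ifindex) per flow record."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    # Reject datagrams whose length disagrees with the advertised count.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[3], f[4]))
    return flows


def missing_inputs(flows, expected):
    """Input ifindex values from `expected` that no flow record carries."""
    seen = {flow[2] for flow in flows}
    return sorted(set(expected) - seen)


def build_sample(records):
    """Constructed test datagram; records are (src, dst, input, output)."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), i, o,
                    1, 64, 0, 0, 40000, 22, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for s, d, i, o in records)
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body


# Constructed samples: 2 and 1 are the setifindex values used in the thread.
BOTH = build_sample([("192.0.2.10", "198.51.100.7", 2, 0),
                     ("198.51.100.7", "192.0.2.10", 1, 0)])
ONE_WAY = build_sample([("198.51.100.7", "192.0.2.10", 1, 0)])

if __name__ == "__main__":
    for name, dgram in (("both", BOTH), ("one-way", ONE_WAY)):
        print(name, "missing input ifindex:", missing_inputs(parse_v5(dgram), {1, 2}))
```

An empty result means both netflow hooks are producing records; a non-empty one names the ifindex whose tee direction is not reaching the node.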



