ng_netflow and bridging firewall
Gleb Smirnoff
glebius at FreeBSD.org
Wed Aug 31 09:28:52 GMT 2005
On Wed, Aug 31, 2005 at 05:50:21PM +0900, Ganbold wrote:
G> At 08:10 PM 8/30/2005, you wrote:
G> >On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
G> >G> ngctl mkpeer xl1: tee lower right
G> >G> ngctl connect xl1: xl1:lower upper left
G> >G> ngctl name xl1:lower xl1_tee
G> >G> ngctl mkpeer xl1_tee: netflow left2right iface0
G> >G> ngctl name xl1:lower.left2right netflow
G> >G> ngctl connect xl1_tee: netflow: right2left iface1
G> >G> ngctl msg netflow: setifindex { iface=0 index=2 }
G> >G> ngctl msg netflow: setifindex { iface=1 index=1 }
G> >G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
G> >G> ngctl msg netflow:export connect inet/127.0.0.1:8818
G> >G>
G> >G> I'm just using second xl1 interface for ng_netflow. However when I see the
G> >G> flow data I can only see my network addresses in
G> >G> the dstIP field. Is it correct? I thought both srcIP, dstIP should contain
G> >G> my IPs, because I'm trying to catch traffic which goes both directions of
G> >G> xl1. Is my assumption correct? If I'm wrong, how to make it work in correct
G> >G> way?
G> >
G> >No. Look at ng_ether(4) manpage, and draw your graph. You are catching only
G> >one direction with the above script.
G>
G> OK. I see. I'm catching only incoming traffic to xl1 interface.
G> I can see it from ngctl issuing msg xl1_tee: getstats command and also
G> flowctl netflow: show command.
G>
G> I read the ng_ether man page and didn't quite get it.
G>
G> I'm including the xl0 interface in a similar way as xl1.
G> Is the following sufficient for catching outgoing traffic?
G>
G> ngctl mkpeer xl0: tee lower right
G> ngctl connect xl0: xl0:lower upper left
G> ngctl name xl0:lower xl0_tee
G> ngctl mkpeer xl0_tee: netflow left2right iface2
G> ngctl name xl0:lower.left2right netflow0
G> ngctl msg netflow0: setifindex { iface=2 index=4 }
G> ngctl connect xl0_tee: netflow0: right2left iface3
G> ngctl msg netflow0: setifindex { iface=3 index=3 }
G> ngctl mkpeer netflow0: ksocket export inet/dgram/udp
G> ngctl msg netflow0:export connect inet/127.0.0.1:8818
Looks correct.
G> The graph is something like:
G>
G>              ng_ether
G>        upper |      | lower
G>         left |      | right
G>               ng_tee
G>   right2left |      | left2right
G>       iface0 |      | iface1
G>             ng_netflow
G>
G> Maybe I did something wrong. How should I do it the right way?
G> I googled and didn't find good source/samples of ng_netflow.
G>
G> thanks in advance,
G>
G> Ganbold
G>
G>
--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE