Netflow v9 with ng_netflow and nfdump

Jan Markus markus.jan at seznam.cz
Tue Feb 19 10:57:19 UTC 2013


Hello,

our Ministry of the Interior now requires that IP traffic logs must contain MAC 
addresses of our clients. I am trying to fulfil this with Netflow v9 which 
(allegedly) should contain the MAC addresses of IP flows.

But with no success so far...

We have a mirror port on our core switch and capture the VLAN tagged packets on 
em1 NIC on our FreeBSD 9.1 server.

Our netflow collector is configured like this:

   kldload ng_ether
   kldload ng_ksocket
   kldload ng_netflow

   ifconfig em1 promisc -arp up

   ngctl mkpeer em1: netflow lower iface0
   ngctl name em1:lower netflow
   ngctl connect em1: netflow: upper out0
   ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
   ngctl msg netflow:export9 connect inet/127.0.0.1:9995

We capture the netflow packets on the same machine like this:

   nfcapd -p 9995 -S 2 -T all -D -l ./

But when I try to get the log like this:

   nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out

All I get is date, protocol, src and dst IP and port, and number of bytes, 
packets and flows. No information on MAC addresses whatsoever.

What am I doing wrong?

Thank you very much for your help,
-Jan
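A useful first check in a situation like the one described above is to look at what the exporter actually announces in its NetFlow v9 templates, independently of what nfdump chooses to print. The following is an added example, not code from the original post nor from ng_netflow or nfdump: it parses the template flowsets of a v9 export packet (as could be captured on UDP 9995) and reports which templates carry any of the MAC field types defined in RFC 3954. The sample packet is constructed inline.

```python
import struct

# NetFlow v9 field type IDs for MAC addresses (RFC 3954, section 8).
MAC_FIELD_TYPES = {56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC", 81: "OUT_SRC_MAC"}


def parse_v9_templates(packet: bytes) -> dict:
    """Return {template_id: [field_type, ...]} for every template flowset in a v9 packet."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {}
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed flowset length")
        end = offset + length
        if flowset_id == 0:  # template flowset; data flowsets (id >= 256) are skipped here
            pos = offset + 4
            while pos + 4 <= end:  # trailing padding is shorter than a template header
                template_id, field_count = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                if pos + 4 * field_count > end:
                    raise ValueError("template record runs past its flowset")
                fields = []
                for _ in range(field_count):
                    ftype, flen = struct.unpack("!HH", packet[pos:pos + 4])
                    fields.append(ftype)
                    pos += 4
                templates[template_id] = fields
        offset = end
    return templates


def mac_fields_exported(packet: bytes) -> dict:
    """Map each template ID to the names of the MAC fields it carries (empty list if none)."""
    return {tid: [MAC_FIELD_TYPES[f] for f in fields if f in MAC_FIELD_TYPES]
            for tid, fields in parse_v9_templates(packet).items()}


def build_template_packet(template_id: int, field_types: list) -> bytes:
    """Constructed sample: a v9 packet holding one template flowset (header counters are dummies)."""
    body = b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in field_types)
    flowset = struct.pack("!HHHH", 0, 8 + len(body), template_id, len(field_types)) + body
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 1, 0)  # version 9, one record, dummy times
    return header + flowset


# Constructed sample: IPv4 src/dst, both MACs, ports and protocol.
SAMPLE_PACKET = build_template_packet(
    256, [(8, 4), (12, 4), (56, 6), (57, 6), (7, 2), (11, 2), (4, 1)])
```

If the templates a collector receives contain none of the MAC field types, the gap is on the exporter side and no nfdump output format will show them.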
