Netflow v9 with ng_netflow and nfdump
Alexander V. Chernikov
melifaro at FreeBSD.org
Tue Feb 19 15:49:14 UTC 2013
On 19.02.2013 14:49, Jan Markus wrote:
> Hello,
Hello.
>
> our Ministry of the interior now requires that IP traffic logs must
> contain MAC addresses of our clients. I am trying to fulfil this with
> Netflow v9 which (allegedly) should contain the MAC addresses of IP flows.
Netflow version 9 is flexible and allows you to use only necessary
fields grouped in 'templates'.
Currently ng_netflow supports 2 statically-defined templates (for v4 and
v6 L3+L4) and SRC_MAC/DST_MAC are not included there.
>
> But with no success so far...
>
> We have a mirror port on our core switch and capture the VLAN tagged
> packets on em1 NIC on our FreeBSD 9.1 server.
>
> Our netflow collector is configured like this:
>
> kldload ng_ether
> kldload ng_ksocket
> kldload ng_netflow
>
> ifconfig em1 promisc -arp up
>
> ngctl mkpeer em1: netflow lower iface0
> ngctl name em1:lower netflow
> ngctl connect em1: netflow: upper out0
> ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
> ngctl msg netflow:export9 connect inet/127.0.0.1:9995
>
> We capture the netflow packets on the same machine like this:
>
> nfcapd -p 9995 -S 2 -T all -D -l ./
>
> But when I try to get the log like this:
>
> nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out
>
> All I get is date, protocol, src and dst IP and port, and number of
> bytes, packets and flows. No information on MAC addresses whatsoever.
>
> What am I doing wrong?
>
> Thank you very much for your help,
> -Jan
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
--
WBR, Alexander
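As an added example for this thread (it is not ng_netflow's or nfdump's own code): a small parser that reads the template FlowSets of a NetFlow v9 export and lists which field types each template carries, so a collector operator can confirm from the wire whether MAC fields are exported at all before looking for them in nfdump output. The field type numbers (56/57/80/81 for the MAC fields) come from RFC 3954 and the Cisco NetFlow v9 field registry; the sample packets are constructed here and the template ids 256 and 257 are arbitrary choices, not ng_netflow's real template numbering.

```python
"""List the field types carried by each template in a NetFlow v9 packet.

Added example for this thread, not ng_netflow or nfdump code.  Field type
numbers are from RFC 3954 and the Cisco NetFlow v9 field registry; the
sample packets are constructed and the template ids 256/257 are arbitrary.
"""
import struct

# v9 field types that carry Ethernet addresses.  A template that has none
# of these cannot deliver MACs to the collector, whatever nfdump is asked
# to print.
MAC_FIELD_TYPES = {56: "IN_SRC_MAC", 57: "OUT_DST_MAC",
                   80: "IN_DST_MAC", 81: "OUT_SRC_MAC"}

# A few common L3/L4 field types, for readable output only.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
               21: "LAST_SWITCHED", 22: "FIRST_SWITCHED", **MAC_FIELD_TYPES}

HEADER_LEN = 20  # version, count, sysUptime, unix_secs, sequence, source_id


def parse_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every
    template record in the packet's template FlowSets (FlowSet ID 0)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the v9 header")
    version, = struct.unpack_from("!H", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    templates = {}
    offset = HEADER_LEN
    while offset + 4 <= len(packet):
        flowset_id, flowset_len = struct.unpack_from("!HH", packet, offset)
        if flowset_len < 4 or offset + flowset_len > len(packet):
            raise ValueError("bad FlowSet length at offset %d" % offset)
        end = offset + flowset_len
        if flowset_id == 0:
            pos = offset + 4
            # One template FlowSet may hold several template records.
            while pos + 4 <= end:
                template_id, count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if pos + 4 * count > end:
                    raise ValueError("template %d truncated" % template_id)
                templates[template_id] = [
                    struct.unpack_from("!HH", packet, pos + 4 * i)
                    for i in range(count)]
                pos += 4 * count
        # Options templates (id 1) and data FlowSets (id >= 256) are skipped;
        # flowset_len already includes any 4-byte padding.
        offset = end
    return templates


def mac_fields(fields):
    """Names of the MAC-carrying field types present in one template."""
    return [MAC_FIELD_TYPES[t] for t, _ in fields if t in MAC_FIELD_TYPES]


def describe(fields):
    return ", ".join(FIELD_NAMES.get(t, "type_%d" % t) for t, _ in fields)


def build_packet(template_id, fields):
    """Build a v9 packet containing one template FlowSet (constructed data)."""
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    return header + struct.pack("!HH", 0, 4 + len(record)) + record


# Constructed samples: an IPv4 L3+L4 template with no MAC fields (the shape
# of what this thread describes) and the same template plus the two
# ingress MAC fields.
L3L4_V4 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4),
           (22, 4), (21, 4)]
L3L4_V4_WITH_MAC = L3L4_V4 + [(56, 6), (80, 6)]
SAMPLE_NO_MAC = build_packet(256, L3L4_V4)
SAMPLE_WITH_MAC = build_packet(257, L3L4_V4_WITH_MAC)


def report(packet):
    """Print each template's fields; return {template_id: [MAC field names]}."""
    found = {}
    for tid, fields in parse_templates(packet).items():
        found[tid] = mac_fields(fields)
        print("template %d: %s" % (tid, describe(fields)))
        print("  MAC fields: %s" % (", ".join(found[tid]) or "none"))
    return found


if __name__ == "__main__":
    report(SAMPLE_NO_MAC)
    report(SAMPLE_WITH_MAC)
```

To use this against a live export, feed it the UDP payload captured on the collector port (9995 in the setup above). Templates are only sent periodically, so several packets may carry data FlowSets alone; the first one containing FlowSet ID 0 tells you exactly which fields the exporter's templates define, which is the check to make before chasing the collector side.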