Netflow v9 with ng_netflow and nfdump

Adrian Chadd adrian at freebsd.org
Tue Feb 19 17:02:23 UTC 2013


.. I assume that your netflow collector is positioned correctly so it
can see the actual client MAC, rather than the MAC of the L3 gateway
device?

adrian

On 19 February 2013 02:49, Jan Markus <markus.jan at seznam.cz> wrote:
> Hello,
>
> our Ministry of the interior now requires that IP traffic logs must contain
> MAC addresses of our clients. I am trying to fulfil this with Netflow v9
> which (allegedly) should contain the MAC addresses of IP flows.
>
> But with no success so far...
>
> We have a mirror port on our core switch and capture the VLAN tagged packets
> on em1 NIC on our FreeBSD 9.1 server.
>
> Our netflow collector is configured like this:
>
>   kldload ng_ether
>   kldload ng_ksocket
>   kldload ng_netflow
>
>   ifconfig em1 promisc -arp up
>
>   ngctl mkpeer em1: netflow lower iface0
>   ngctl name em1:lower netflow
>   ngctl connect em1: netflow: upper out0
>   ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
>   ngctl msg netflow:export9 connect inet/127.0.0.1:9995
>
> We capture the netflow packets on the same machine like this:
>
>   nfcapd -p 9995 -S 2 -T all -D -l ./
>
> But when I try to get the log like this:
>
>   nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out
>
> All I get is date, protocol, src and dst IP and port, and number of bytes,
> packets and flows. No information on MAC addresses whatsoever.
>
> What am I doing wrong?
>
> Thank you very much for your help,
> -Jan
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
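As an added check (example code written for this thread, not the poster's, ng_netflow's or nfdump's own), the following Python decodes a NetFlow v9 export packet, lists which templates carry the standard MAC field types (IN_SRC_MAC 56, OUT_DST_MAC 57, IN_DST_MAC 80, OUT_SRC_MAC 81 from RFC 3954), and flags records whose source MAC is the L3 gateway's address rather than a client's, which is the situation raised above. The packet, IP addresses and gateway MAC are constructed for the demonstration; the field IDs are the standard ones.

```python
"""Decode a NetFlow v9 export packet (RFC 3954) and report which templates
carry MAC-address fields and which records actually show a client MAC
rather than the L3 gateway's MAC.  Added example, not code from the thread."""
import struct

# Standard NetFlow v9 field type IDs (RFC 3954, section 8).
IPV4_SRC_ADDR, IPV4_DST_ADDR = 8, 12
IN_SRC_MAC, OUT_DST_MAC, IN_DST_MAC, OUT_SRC_MAC = 56, 57, 80, 81
MAC_FIELDS = {IN_SRC_MAC: "in_src_mac", OUT_DST_MAC: "out_dst_mac",
              IN_DST_MAC: "in_dst_mac", OUT_SRC_MAC: "out_src_mac"}
FIELD_NAMES = {IPV4_SRC_ADDR: "src_ip", IPV4_DST_ADDR: "dst_ip", **MAC_FIELDS}


def decode_field(ftype, raw):
    """Render MACs and IPv4 addresses readably; everything else as a big-endian int."""
    if ftype in MAC_FIELDS and len(raw) == 6:
        return ":".join(f"{b:02x}" for b in raw)
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Return (templates, records).

    templates: template id -> [(field_type, length), ...]; pass the dict back
    in on the next call, because templates arrive in separate packets from
    the data records they describe.
    records: one dict per decoded data record.
    """
    templates = dict(templates or {})
    records = []
    version = struct.unpack("!HHIIII", packet[:20])[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            # Template FlowSet: sequence of (template id, field count, fields...)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                          for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256:
            # Data FlowSet: only decodable once its template has been seen.
            tmpl = templates.get(fs_id)
            rec_len = sum(flen for _, flen in tmpl) if tmpl else 0
            p = 0
            while rec_len and p + rec_len <= len(body):
                rec = {}
                for ftype, flen in tmpl:
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        # fs_id 1 (options template) and other reserved ids are skipped.
        off += fs_len
    return templates, records


def template_mac_fields(templates):
    """MAC fields per template; an empty list means the collector never receives any."""
    return {tid: [MAC_FIELDS[ft] for ft, _ in fields if ft in MAC_FIELDS]
            for tid, fields in templates.items()}


def records_without_client_mac(records, gateway_mac):
    """Records with no usable client MAC: the template had no source-MAC field,
    or the source MAC is the L3 gateway's (capture point is on the router side)."""
    return [r for r in records if r.get("in_src_mac", gateway_mac) == gateway_mac]


def build_sample_packet():
    """Constructed sample export (not real data): template 256 with MAC fields,
    template 257 without, and three data records."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip(s):
        return bytes(int(x) for x in s.split("."))

    gw = "aa:bb:cc:dd:ee:ff"  # constructed gateway MAC
    t256 = struct.pack("!HH", 256, 4) + struct.pack("!HHHHHHHH", 8, 4, 12, 4, 56, 6, 80, 6)
    t257 = struct.pack("!HH", 257, 2) + struct.pack("!HHHH", 8, 4, 12, 4)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(t256) + len(t257)) + t256 + t257
    d256 = (ip("10.0.0.5") + ip("93.184.216.34") + mac("00:11:22:33:44:55") + mac(gw)
            + ip("10.0.0.7") + ip("93.184.216.34") + mac(gw) + mac("00:11:22:33:44:66"))
    data256 = struct.pack("!HH", 256, 4 + len(d256)) + d256
    d257 = ip("10.0.0.9") + ip("93.184.216.34")
    data257 = struct.pack("!HH", 257, 4 + len(d257)) + d257
    header = struct.pack("!HHIIII", 9, 5, 1000, 1361271000, 1, 0)
    return header + tmpl_fs + data256 + data257


if __name__ == "__main__":
    tmpls, recs = parse_v9(build_sample_packet())
    print("MAC fields per template:", template_mac_fields(tmpls))
    for r in records_without_client_mac(recs, "aa:bb:cc:dd:ee:ff"):
        print("no client MAC:", r)
```

Feed parse_v9 the UDP payloads the exporter sends to port 9995 (for example read out of a tcpdump capture of the loopback interface), keeping the returned templates dict between packets. If no template lists a MAC field, the exporter is not including them and nfdump has nothing to print; if every source MAC is the gateway's, the mirror port is on the router side of the L3 boundary, which is exactly the placement question raised above.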

