Netflow v9 with ng_netflow and nfdump

Jan Markus markus.jan at seznam.cz
Tue Feb 19 17:32:26 UTC 2013


On 02/19/2013 06:02 PM, Adrian Chadd wrote:
> .. I assume that your netflow collector is positioned correctly so it
> can see the actual client MAC, rather than the MAC of the L3 gateway
> device?

Yes, we've checked with tcpdump. The mirror port simply copies the packets as 
they flow from our clients to routers.

One more way of logging the IP->MAC binding would be a periodic dump from our core 
switch. But the solution with Netflow v9 seems much more "elegant", I think.

We are using Juniper EX4200 as our core switches and, as far as I know, they 
support only sFlow (sampled flow). And we are required to log every connection.

>
>
>
> adrian
>
> On 19 February 2013 02:49, Jan Markus <markus.jan at seznam.cz> wrote:
>> Hello,
>>
>> our Ministry of the Interior now requires that IP traffic logs must contain
>> the MAC addresses of our clients. I am trying to fulfil this with Netflow v9,
>> which (allegedly) should contain the MAC addresses of IP flows.
>>
>> But with no success so far...
>>
>> We have a mirror port on our core switch and capture the VLAN tagged packets
>> on em1 NIC on our FreeBSD 9.1 server.
>>
>> Our netflow collector is configured like this:
>>
>>    kldload ng_ether
>>    kldload ng_ksocket
>>    kldload ng_netflow
>>
>>    ifconfig em1 promisc -arp up
>>
>>    ngctl mkpeer em1: netflow lower iface0
>>    ngctl name em1:lower netflow
>>    ngctl connect em1: netflow: upper out0
>>    ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
>>    ngctl msg netflow:export9 connect inet/127.0.0.1:9995
>>
>> We capture the netflow packets on the same machine like this:
>>
>>    nfcapd -p 9995 -S 2 -T all -D -l ./
>>
>> But when I try to get the log like this:
>>
>>    nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out
>>
>> All I get is date, protocol, src and dst IP and port, and number of bytes,
>> packets and flows. No information on MAC addresses whatsoever.
>>
>> What am I doing wrong?
>>
>> Thank you very much for your help,
>> -Jan
>>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
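One thing worth checking before blaming the collector is whether the exporter's NetFlow v9 templates announce any MAC address fields at all: a v9 collector can only show what the template describes. The parser below is an added example, not code from this thread or from ng_netflow/nfdump; the sample datagram is constructed by hand and the field type numbers (56/57/80/81 for the MAC elements) come from RFC 3954.

```python
# Added example: decode the template flowsets of a NetFlow v9 datagram and report
# which templates carry MAC address information elements (RFC 3954 field types).
import struct

MAC_FIELDS = {56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC", 81: "OUT_SRC_MAC"}

def v9_templates(datagram):
    """Return {template_id: [(field_type, length), ...]} for every template flowset."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", datagram[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram (version %d)" % version)
    templates, off = {}, 20
    while off + 4 <= len(datagram):
        flowset_id, length = struct.unpack("!HH", datagram[off:off + 4])
        if length < 4:
            raise ValueError("bad flowset length at offset %d" % off)
        if flowset_id == 0:  # 0 = template flowset, 1 = options template, >=256 = data
            pos, end = off + 4, off + length
            while pos + 4 <= end:
                tid, nfields = struct.unpack("!HH", datagram[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", datagram[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        off += length
    return templates

def mac_fields(templates):
    """Map each template id to the MAC field names it exports (empty list = none)."""
    return {tid: [MAC_FIELDS[t] for t, _ in fields if t in MAC_FIELDS]
            for tid, fields in templates.items()}

def build_template_packet(templates):
    """Build a v9 datagram holding one template flowset (used only for the sample)."""
    body = b"".join(struct.pack("!HH", tid, len(f)) +
                    b"".join(struct.pack("!HH", t, l) for t, l in f)
                    for tid, f in templates.items())
    header = struct.pack("!HHIIII", 9, len(templates), 1000, 1361295146, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body

# Constructed sample: template 256 exports only addresses, ports, protocol and counters
# (what the poster sees in nfdump); template 257 also exports ingress src/dst MACs.
SAMPLE = build_template_packet({
    256: [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)],
    257: [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (56, 6), (80, 6)],
})

if __name__ == "__main__":
    for tid, macs in sorted(mac_fields(v9_templates(SAMPLE)).items()):
        print("template %d: %s" % (tid, ", ".join(macs) or "no MAC fields exported"))
```

To check a live exporter, feed `v9_templates` the UDP payloads captured on the export port; if no template lists a MAC field, the collector has nothing to display.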


