Flow monitoring with PF

Daniel O'Connor doconnor at gsoft.com.au
Thu Jun 13 01:17:08 UTC 2013


On 12/06/2013, at 9:47, "Scott, Brian" <brian.scott4 at det.nsw.edu.au> wrote:
>> I was looking at trying out flow monitoring and I found pfflowd, but unfortunately it does not work with FreeBSD >9.0. I thought about ng_netflow but that doesn't see my tun interface which may be related to..
>> WARNING: attempt to domain_add(netgraph) after domainfinalize()
> 
> Noise message. I've never seen it actually mean anything.
> 
> The problem is that tun0 is a generic network interface. Ng_ether only exposes Ethernet devices. The equivalent to tun but for an Ethernet device is tap. Creating a tap device after boot immediately creates the corresponding ng_ether node which can then be plumbed into ng_netflow.

OK, for some reason I thought NG would add nodes to mirror every network interface but that was wrong..

> Some software is kind enough to work with either tun or tap as a configurable option.

Unfortunately I am using ppp which doesn't :(

>> Does anyone have any recommendations for generating flow information from PF?
> 
> I've had great success with ng_netflow. I like the fact that all the processing is in-kernel.


Yeah, that is one reason I looked at it.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
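
The tap-based plumbing described in the quoted reply, as an added example that is not part of the original message: a shell function that emits the ngctl(8) commands (following the pattern in ng_netflow(4)) to splice ng_netflow into an Ethernet-class interface, and refuses tun devices because they have no ng_ether node. The interface name tap0 and the collector address 192.0.2.10:2055 are constructed placeholders.

```shell
#!/bin/sh
# Added example: print the ngctl(8) commands that insert an ng_netflow node
# between the "lower" and "upper" hooks of an interface's ng_ether node.
# Assumptions (constructed): interface tap0, collector 192.0.2.10:2055,
# a single monitored interface (the node is simply named "netflow").

netflow_script() {
    iface=$1
    collector=$2
    case "$iface" in
        ''|*[!A-Za-z0-9_]*)
            echo "bad interface name" >&2
            return 2 ;;
        tun[0-9]*)
            # ng_ether only exposes Ethernet devices; tun(4) is not one.
            echo "$iface: not an Ethernet device, no ng_ether node" >&2
            return 1 ;;
    esac
    case "$collector" in
        *:*) ;;
        *)  echo "collector must be host:port" >&2
            return 2 ;;
    esac
    cat <<EOF
mkpeer ${iface}: netflow lower iface0
name ${iface}:lower netflow
connect ${iface}: netflow: upper out0
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/${collector}
EOF
}

# Only touch the system when explicitly asked to and when ngctl is present.
# Creating the tap device after boot creates its ng_ether node.
if [ "${APPLY:-0}" = 1 ] && command -v ngctl >/dev/null 2>&1; then
    ifconfig tap0 create &&
        netflow_script tap0 192.0.2.10:2055 | ngctl -f -
fi
```

Run with APPLY=1 as root on a host with ng_ether and ng_netflow available to apply the commands; without it the script only defines the function.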








More information about the freebsd-stable mailing list