From: "Kolasinski, Brent D."
To: "Alexander V. Chernikov"
Cc: "freebsd-net@freebsd.org"
Date: Mon, 11 Jun 2012 17:38:49 -0500
Subject: Re: Netgraph and Netflow-v9
List-Id: Networking and TCP/IP with FreeBSD

It appears that it may be something with my current collector. While
debugging today, I decided to attempt to run Silk locally on the FreeBSD
netflow box.

When exporting locally, it is reading the netflow-v9 records. Yay!

Our collector is an older Linux box with a manually compiled current
version of Silk (not that it should matter which OS is running on the
collector) with the libfixbuf patch installed. I wonder what is going on
there, alas, that is not your problem :)

Thanks for the help!

----------
Brent Kolasinski
Cyber Security Program Office
Argonne National Laboratory
Phone: 630-252-2546

On 6/11/12 5:16 PM, "Kolasinski, Brent D." wrote:

>
>On 6/11/12 12:36 PM, "Alexander V. Chernikov"
>wrote:
>>
>>It seems so.
>>
>>Can you show "ngctl msg netflow: info" output ?
>
>Rec'd response "info" (805306369) from "[16]:":
>Args: { IPv4 bytes=4828162266587 IPv4 packets=1005674835 IPv4 records
>used=61793 fibs allocated=1 Active expiries=26901592 Inactive
>expiries=133410564 Inactive timeout=15 Active timeout=1800 }
>
>
>Now I am generating v5 netflow as well so I can compare - which I am
>seeing on the collector. I can turn that off and just leave v9 on if that
>helps for debugging purposes.
>
>>
>> > 1) bce0 -> in promiscuous mode listening to traffic off of a tap
>>
>>Does bce0 have both UP and RUNNING flags set ?
>
>Yup. Status is:
>
>bce0: flags=28943
>metric 0 mtu 1500
>    options=c01bb,
>TSO4,VLAN_HWTSO,LINKSTATE>
>    ether 00:19:b9:**:**:**
>    nd6 options=29
>    media: Ethernet autoselect (1000baseT )
>    status: active
>
>
>--Brent
>