Date:      Fri, 6 May 2005 08:15:44 -0400
From:      Brian McCann <bjmccann@gmail.com>
To:        Glenn Dawson <glenn@antimatter.net>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: netgraph & netflow
Message-ID:  <2b5f066d05050605155071dcd1@mail.gmail.com>
In-Reply-To: <6.1.0.6.2.20050505104409.1d581b30@cobalt.antimatter.net>
References:  <2b5f066d050505072671fff21b@mail.gmail.com> <6.1.0.6.2.20050505104409.1d581b30@cobalt.antimatter.net>

That did the trick I think.  I'll know after an hour or so of "real"
traffic going through it.  It at least helped me understand it a lot
better.

Thanks!
--Brian

On 5/5/05, Glenn Dawson <glenn@antimatter.net> wrote:
> At 07:26 AM 5/5/2005, you wrote:
> >Hi all.  I'm trying to get ng_netflow to work, and I'm having a heck
> >of a time doing so.  So if anyone can shed some light on my problem,
> >please do so.  I've tried multiple configurations, and can't get it to
> >work right.  I can only get it to see traffic in one direction (for
> >example, flows from other PCs to the server.  Flows starting from the
> >server started by something like fetch or ssh don't show up as
> >sourcing from the server).  Here is the config that I thought would do
> >that, but it's not.
> >
> >mkpeer fxp1: tee lower right
> >connect fxp1: fxp1:lower upper left
> >mkpeer fxp1:lower netflow left2right iface0
> >name fxp1:lower.left2right fxp1_netflow
> >msg fxp1_netflow: setifindex { iface=0 index=5 }
> >mkpeer fxp1_netflow: ksocket export inet/dgram/udp
> >msg fxp1_netflow:export connect inet/127.0.0.1:9800
> >
> >Using this, when I run flowctl, it shows the source interface as ppp0
> >and sometimes sl0, which isn't even connected, and a dest interface of
> >fxp1.  If I switch all the "left2right"s with "right2left"s, I get
> >only flows going to the server...so after reading how the tee in
> >netgraph works, I assumed if I switched it, it would show the other
> >direction.
>
> Try this...I've used it to catch flows in both directions for an em
> interface....you can probably tweak it to work in your situation...
>
> mkpeer em0: tee lower right
> connect em0: em0:lower upper left
> name em0:lower em0_tee
> mkpeer em0_tee: netflow left2right iface0
> name em0:lower.left2right netflow
> connect em0_tee: netflow: right2left iface1
> msg netflow: setifindex { iface=0 index=2 }
> msg netflow: setifindex { iface=1 index=1 }
> mkpeer netflow: ksocket export inet/dgram/udp
> msg netflow:export connect inet/x.x.x.x:4444
>
> -Glenn
>
> >Any thoughts, suggestions?
> >Thanks,
> >--Brian
> >
> >--
> >_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
> >Brian McCann
> >Systems & Network Administrator, K12USA
> >
> >"I don't have to take this abuse from you -- I've got hundreds of
> >people waiting to abuse me."
> >                 -- Bill Murray, "Ghostbusters"


-- 
_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
Brian McCann
Systems & Network Administrator, K12USA

"I don't have to take this abuse from you -- I've got hundreds of
people waiting to abuse me."
                -- Bill Murray, "Ghostbusters"
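
A way to confirm from the collector side that flows are exported in both directions, as an added example that is not part of the original messages: it decodes NetFlow version 5 export datagrams (the format ng_netflow(4) documents for its export hook) and counts flows sourced from and destined to the server. The address 192.0.2.10, the sample flows and all function names are assumptions made for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram):
    """Return (src, dst, input_ifindex, output_ifindex) per flow record."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("fewer records than the header claims")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[3], f[4]))
    return flows

def direction_counts(datagrams, server_ip):
    """Count flows sourced from and destined to server_ip."""
    counts = {"from_server": 0, "to_server": 0}
    for datagram in datagrams:
        for src, dst, _in_if, _out_if in parse_v5(datagram):
            if src == server_ip:
                counts["from_server"] += 1
            if dst == server_ip:
                counts["to_server"] += 1
    return counts

def build_v5(flows):
    """Build a constructed v5 datagram from (src, dst, in_if, out_if) tuples."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, in_if, out_if in flows:
        # nexthop zeroed, 1 packet, 64 octets, protocol 6 (TCP); rest zero
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           in_if, out_if, 1, 64, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return out

if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 stands in for the server (documentation range).
    one_way = [build_v5([("198.51.100.7", "192.0.2.10", 1, 2)])]
    both = one_way + [build_v5([("192.0.2.10", "198.51.100.7", 2, 1)])]
    print(direction_counts(one_way, "192.0.2.10"))  # only inbound flows seen
    print(direction_counts(both, "192.0.2.10"))     # both directions seen
```

Feed `direction_counts` the UDP payloads received on the port the `export` hook connects to (9800 in the first configuration above); a `from_server` count that stays at zero under real traffic is the one-direction symptom described in the thread.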


