Date:      Thu, 02 Apr 2015 09:05:54 +0100 (BST)
From:      William Waites <wwaites@tardis.ed.ac.uk>
To:        contact@winterei.se
Cc:        freebsd-net@freebsd.org
Subject:   Re: ng_netflow and BGP
Message-ID:  <20150402.090554.1118238546466593001.wwaites@tardis.ed.ac.uk>
In-Reply-To: <551C9651.7050003@winterei.se>
References:  <20150401.115048.1362042954044146751.wwaites@tardis.ed.ac.uk> <CA%2BP_MZFpu6uwkjE6JCgE-Uk7DVUphb_AYy8x89%2B12-hErw91cw@mail.gmail.com> <551C9651.7050003@winterei.se>


On Thu, 02 Apr 2015 10:07:29 +0900, "Paul S." <contact@winterei.se> said:

    > [pmacct's] use of 'return' (with no args) on functions that are
    > meant to return an int flat out makes it unable to compile on
    > FreeBSD.

Yes, I found it surprising that any modern C compiler would tolerate
that at all.

    > If you fix those by hand, it compiles, but just seems to
    > segfault -- I didn't get the time to look into it further with
    > GDB.

I also fixed this by hand but it does not segfault for me. I'll try to
make a proper patch for the ports tree and submit it in the next few
days.

One thing that it cannot do is simply put the required information
into the flow messages and forward them on. This is a bit hard to do
for Netflow V9 because in general it means mangling the templates as
well as the flow messages themselves and according to the author the
main use case in "tee" mode is simply splitting the flow and doing
nothing else which translates to about one order of magnitude of
throughput. So you can either use nfacctd to compute aggregates, or
you can use it to split/copy flow data but you cannot use it to enrich
the data and then do the computations after the fact with standard
tools like nfdump or flow-tools.

It also seems to get confused by multiple BGP sessions (IPv4 and IPv6)
with the same router-id, as you have to do with BIRD because it does
not support a single session with multiple address families. This
causes one or the other protocol to be mis-classified depending on
which session it has decided to use. I may have mis-diagnosed this
problem, but definitely something of the kind appears to happen.

This is all on top of consuming extra RAM for BGP tables on the
collector which is just unnecessary.

    > As to the ng_netflow hook, +1, excellent idea.

Great!

-w
--
William Waites <wwaites@tardis.ed.ac.uk>  |  School of Informatics
   http://tardis.ed.ac.uk/~wwaites/       | University of Edinburgh
       http://www.hubs.net.uk/            |      HUBS AS60241

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
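
The NetFlow v9 point made in the message, as an added example (not part of the original e-mail and not pmacct code): inserting AS numbers means rewriting the template flowset as well as every data record that uses it. It assumes IPv4 templates that arrive in the same packet as their data; `ORIGINS`, `origin_as`, `enrich` and `sample_packet` are hypothetical names, and the lookup table and packet are constructed.

```python
import struct

IPV4_SRC_ADDR, IPV4_DST_ADDR, IN_BYTES, SRC_AS, DST_AS = 8, 12, 1, 16, 17  # RFC 3954
# Constructed /24 -> origin AS table standing in for a BGP lookup.
ORIGINS = {b"\xc0\x00\x02": 64496, b"\xc6\x33\x64": 64511}  # 192.0.2/24, 198.51.100/24

def origin_as(addr):
    return ORIGINS.get(addr[:3], 0)

def flowset(fs_id, body):
    body += b"\x00" * (-len(body) % 4)             # pad to a 32-bit boundary
    return struct.pack("!HH", fs_id, len(body) + 4) + body

def enrich(packet, lookup):
    """Append SRC_AS/DST_AS to every template and data record of one v9 packet."""
    out, templates, off = [packet[:20]], {}, 20     # 20-byte header is kept as is
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body, off, pos = packet[off + 4:off + fs_len], off + fs_len, 0
        new = body if 0 < fs_id < 256 else b""      # options flowsets pass through
        while fs_id == 0 and pos + 4 <= len(body):  # template flowset: new field list
            tid, n = struct.unpack_from("!HH", body, pos)
            spec = body[pos + 4:pos + 4 + 4 * n]
            if n == 0 or len(spec) != 4 * n:
                raise ValueError("bad template record")
            templates[tid] = list(struct.iter_unpack("!HH", spec))
            new += struct.pack("!HH", tid, n + 2) + spec
            new += struct.pack("!4H", SRC_AS, 4, DST_AS, 4)
            pos += 4 + 4 * n
        if fs_id >= 256:                            # data flowset: needs its template
            if fs_id not in templates:
                raise ValueError(f"no template seen for flowset {fs_id}")
            offs, size = {}, 0
            for ftype, length in templates[fs_id]:  # byte offset of each field
                offs[ftype], size = size, size + length
            src, dst = offs[IPV4_SRC_ADDR], offs[IPV4_DST_ADDR]
            while size and pos + size <= len(body): # leftover bytes are padding
                rec = body[pos:pos + size]
                new += rec + struct.pack("!II", *(lookup(rec[o:o + 4]) for o in (src, dst)))
                pos += size
        out.append(flowset(fs_id, new))
    return b"".join(out)

def sample_packet():  # constructed: template 256 plus one data record using it
    tmpl = struct.pack("!8H", 256, 3, IPV4_SRC_ADDR, 4, IPV4_DST_ADDR, 4, IN_BYTES, 4)
    rec = bytes([192, 0, 2, 7, 198, 51, 100, 9]) + struct.pack("!I", 1500)
    return struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0) + flowset(0, tmpl) + flowset(256, rec)
```

A data flowset whose template was sent in an earlier packet raises here, which is the state a real enriching relay would have to keep per exporter.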
