Date: Tue, 19 Feb 2013 18:32:22 +0100
From: Jan Markus <markus.jan@seznam.cz>
To: Adrian Chadd <adrian@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Netflow v9 with ng_netflow and nfdump
Message-ID: <5123B726.5030403@seznam.cz>
In-Reply-To: <CAJ-VmonThLc2oi=9bEYbda+N_qOk0Ng9Xfx_wu5SDe+8L+9daw@mail.gmail.com>
References: <512358BB.1040609@seznam.cz> <CAJ-VmonThLc2oi=9bEYbda+N_qOk0Ng9Xfx_wu5SDe+8L+9daw@mail.gmail.com>
On 02/19/2013 06:02 PM, Adrian Chadd wrote:
> .. I assume that your netflow collector is positioned correctly so it
> can see the actual client MAC, rather than the MAC of the L3 gateway
> device?

Yes, we've checked with tcpdump. The mirror port simply copies the packets as they flow from our clients to the routers.

One more way of logging the IP->MAC binding would be a periodic dump from our core switch. But the solution with Netflow v9 seems much more "elegant", I think.

We are using Juniper EX4200 as our core switches and, as far as I know, they support only sFlow (sampled flow). And we are required to log every connection.

>
> adrian
>
> On 19 February 2013 02:49, Jan Markus <markus.jan@seznam.cz> wrote:
>> Hello,
>>
>> our Ministry of the Interior now requires that IP traffic logs must contain
>> the MAC addresses of our clients. I am trying to fulfil this with Netflow v9,
>> which (allegedly) should contain the MAC addresses of IP flows.
>>
>> But with no success so far...
>>
>> We have a mirror port on our core switch and capture the VLAN-tagged packets
>> on the em1 NIC on our FreeBSD 9.1 server.
>>
>> Our netflow collector is configured like this:
>>
>> kldload ng_ether
>> kldload ng_ksocket
>> kldload ng_netflow
>>
>> ifconfig em1 promisc -arp up
>>
>> ngctl mkpeer em1: netflow lower iface0
>> ngctl name em1:lower netflow
>> ngctl connect em1: netflow: upper out0
>> ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
>> ngctl msg netflow:export9 connect inet/127.0.0.1:9995
>>
>> We capture the netflow packets on the same machine like this:
>>
>> nfcapd -p 9995 -S 2 -T all -D -l ./
>>
>> But when I try to get the log like this:
>>
>> nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out
>>
>> All I get is date, protocol, src and dst IP and port, and the number of bytes,
>> packets and flows. No information on MAC addresses whatsoever.
>>
>> What am I doing wrong?
>>
>> Thank you very much for your help,
>> -Jan
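As an added example (not code from the thread, ng_netflow or nfdump): a small Python parser for the template flowsets in a NetFlow v9 export packet, which lets the collector side check directly whether any template the exporter announces carries the MAC field types (IN_SRC_MAC 56, OUT_DST_MAC 57, IN_DST_MAC 80, OUT_SRC_MAC 81, per RFC 3954) before looking at nfdump's output. The two packets below are constructed samples; a real one would be the UDP payload captured on the export port, which is assumed here.

```python
import struct

# NetFlow v9 field type IDs (RFC 3954) that carry layer-2 addresses.
MAC_FIELDS = {56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC", 81: "OUT_SRC_MAC"}


def parse_v9_templates(packet: bytes) -> dict:
    """Return {template_id: [(field_type, field_len), ...]} for every template
    flowset (FlowSet ID 0) in one v9 export packet; data flowsets are skipped."""
    version, _count, _uptime, _secs, _seq, _src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            raise ValueError("malformed flowset length")
        end, pos = off + length, off + 4
        if flowset_id == 0:  # a template flowset may carry several templates
            while pos + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", packet[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        off = end  # data flowsets (and any padding) are skipped entirely
    return templates


def mac_fields_in(templates: dict) -> dict:
    """Map each template ID to the names of the MAC field types it exports."""
    return {tid: [MAC_FIELDS[t] for t, _ in fields if t in MAC_FIELDS]
            for tid, fields in templates.items()}


def build_template_packet(tid: int, fields: list) -> bytes:
    """Constructed sample exporter packet holding a single template."""
    body = struct.pack("!HH", tid, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    header = struct.pack("!HHIIII", 9, 1, 1000, 1361296342, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body


# Two constructed templates: an IPv4-only one (the fields nfdump printed in the
# thread) and one that additionally carries IN_SRC_MAC / IN_DST_MAC.
SAMPLE_NO_MAC = build_template_packet(256, [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)])
SAMPLE_WITH_MAC = build_template_packet(257, [(8, 4), (12, 4), (56, 6), (80, 6), (1, 4), (2, 4)])
```

If every template the exporter sends maps to an empty list, the MAC addresses are not in the export at all, and no nfdump option will make them appear.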