From: Jan Markus <markus.jan@seznam.cz>
Date: Tue, 19 Feb 2013 18:32:22 +0100
To: Adrian Chadd
Cc: freebsd-net@freebsd.org
Subject: Re: Netflow v9 with ng_netflow and nfdump
Message-ID: <5123B726.5030403@seznam.cz>
References: <512358BB.1040609@seznam.cz>
List-Id: Networking and TCP/IP with FreeBSD

On 02/19/2013 06:02 PM, Adrian Chadd wrote:
> ..
> I assume that your netflow collector is positioned correctly so it
> can see the actual client MAC, rather than the MAC of the L3 gateway
> device?

Yes, we've checked with tcpdump. The mirror port simply copies the packets
as they flow from our clients to the routers.

One more way of logging the IP->MAC binding would be a periodic dump from
our core switch. But the solution with Netflow v9 seems much more "elegant",
I think.

We are using Juniper EX4200 as our core switches and, as far as I know, they
support only sFlow (sampled flow). And we are required to log every
connection.

>
>
> adrian
>
> On 19 February 2013 02:49, Jan Markus wrote:
>> Hello,
>>
>> our Ministry of the Interior now requires that IP traffic logs must contain
>> the MAC addresses of our clients. I am trying to fulfil this with Netflow v9,
>> which (allegedly) should contain the MAC addresses of IP flows.
>>
>> But with no success so far...
>>
>> We have a mirror port on our core switch and capture the VLAN-tagged packets
>> on the em1 NIC of our FreeBSD 9.1 server.
>>
>> Our netflow collector is configured like this:
>>
>> kldload ng_ether
>> kldload ng_ksocket
>> kldload ng_netflow
>>
>> ifconfig em1 promisc -arp up
>>
>> ngctl mkpeer em1: netflow lower iface0
>> ngctl name em1:lower netflow
>> ngctl connect em1: netflow: upper out0
>> ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
>> ngctl msg netflow:export9 connect inet/127.0.0.1:9995
>>
>> We capture the netflow packets on the same machine like this:
>>
>> nfcapd -p 9995 -S 2 -T all -D -l ./
>>
>> But when I try to get the log like this:
>>
>> nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out
>>
>> All I get is date, protocol, src and dst IP and port, and the number of bytes,
>> packets and flows. No information on MAC addresses whatsoever.
>>
>> What am I doing wrong?
>>
>> Thank you very much for your help,
>> -Jan
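Added example, not part of the thread above and not code from ng_netflow or nfdump: before blaming the collector, it is worth checking what the exporter actually puts on the wire. NetFlow v9 (RFC 3954) is template-driven, so a record can only carry a MAC address if the template announced a MAC field (type 56 IN_SRC_MAC, 57 OUT_DST_MAC, 80 IN_DST_MAC or 81 OUT_SRC_MAC). The script below decodes the v9 header, template flowsets and data flowsets of a datagram and reports, per template, whether any MAC field is present. The two sample datagrams are constructed inline (one template with MAC fields, one without, the latter matching the output shape in the original post); the IPs and MACs in them are made up. Feed it the UDP payloads captured on port 9995 (for example from `tcpdump -ni lo0 -X udp port 9995` on the collector host) to see what ng_netflow really exports.

```python
"""Decode NetFlow v9 datagrams (RFC 3954) far enough to tell whether the
exporter's templates carry MAC address fields. Constructed example; the
sample packets at the bottom are synthetic, not captured traffic."""
import struct

# NetFlow v9 field type IDs (RFC 3954 section 8); only the ones this check needs.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    15: "IPV4_NEXT_HOP", 56: "IN_SRC_MAC", 57: "OUT_DST_MAC",
    80: "IN_DST_MAC", 81: "OUT_SRC_MAC",
}
MAC_FIELDS = {56, 57, 80, 81}
IPV4_FIELDS = {8, 12, 15}


def decode_field(ftype, raw):
    """Render one field value: MACs as colon-hex, IPv4 dotted, else big-endian int."""
    if ftype in MAC_FIELDS and len(raw) == 6:
        return ":".join("%02x" % b for b in raw)
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one v9 datagram. Returns (templates, records).

    `templates` maps template_id -> [(field_type, length), ...] and is updated
    in place so it can be carried across datagrams: data flowsets whose
    template has not been seen yet are skipped, exactly as a collector does."""
    if templates is None:
        templates = {}
    records = []
    version, count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length %d at offset %d" % (fs_len, off))
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset; may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256 and fs_id in templates:  # data flowset with a known template
            fields = templates[fs_id]
            rec_len = sum(length for _, length in fields)
            p = 0
            # trailing bytes shorter than one record are the 4-byte-alignment padding
            while rec_len and p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "FIELD_%d" % ftype)] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        # fs_id 1 (options template) and data for unknown templates are skipped
        off += fs_len
    return templates, records


def template_has_mac(fields):
    """True if a template announces any of the four MAC address field types."""
    return any(ftype in MAC_FIELDS for ftype, _ in fields)


def mac_report(packet, templates=None):
    """Per-template MAC presence for one datagram, plus its decoded records."""
    templates, records = parse_v9(packet, templates)
    return {tid: template_has_mac(f) for tid, f in templates.items()}, records


# ---- constructed sample datagrams (synthetic, not captured from ng_netflow) ----
def _ip(s):
    return bytes(int(x) for x in s.split("."))


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_packet(template_id, fields, encoded_records):
    """Build one v9 datagram with a template flowset followed by a data flowset."""
    tmpl = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(encoded_records)
    pad = (-(4 + len(data))) % 4
    data_fs = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(encoded_records), 1000, 1361292743, 1, 0)
    return header + tmpl_fs + data_fs


FIELDS_NO_MAC = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
FIELDS_MAC = FIELDS_NO_MAC + [(56, 6), (80, 6)]
_REC = _ip("10.252.0.120") + _ip("198.51.100.7") + struct.pack("!HHB", 51234, 443, 6) + struct.pack("!II", 1500, 12)
SAMPLE_NO_MAC = build_packet(257, FIELDS_NO_MAC, [_REC])
SAMPLE_MAC = build_packet(256, FIELDS_MAC, [_REC + _mac("00:11:22:33:44:55") + _mac("00:aa:bb:cc:dd:ee")])

if __name__ == "__main__":
    for name, pkt in (("with MAC", SAMPLE_MAC), ("without MAC", SAMPLE_NO_MAC)):
        presence, recs = mac_report(pkt)
        print(name, presence, recs)
```

If every template the exporter announces comes back `False`, no collector configuration will ever produce MAC columns; the data has to be obtained from an exporter that fills those fields or from another source (such as the switch's own tables).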