From: "Vasenin Alexander aka BlackSir"
To: "Gleb Smirnoff"
Cc: freebsd-isp@freebsd.org, "Bjoern A. Zeeb", Julian Elischer, freebsd-net@freebsd.org
Date: Tue, 24 Feb 2004 10:46:44 +0300
In-Reply-To: <20040223194648.GB72475@cell.sick.ru>
Subject: RE: ng_netflow: testers are welcome

> -----Original Message-----
> From: owner-freebsd-isp@freebsd.org
> [mailto:owner-freebsd-isp@freebsd.org]On Behalf Of Gleb Smirnoff
> Sent: Monday, February 23, 2004 10:47 PM
> To: Vasenin Alexander aka BlackSir
> Cc: freebsd-isp@freebsd.org; Bjoern A. Zeeb; Julian Elischer;
> freebsd-net@freebsd.org
> Subject: Re: ng_netflow: testers are welcome

> I'd be glad if you show me your current netgraph setup script. Surely
> I can reproduce it myself, but live example would be better than
> imaginary.

Here it is (latest version - 'echotee'):

---cut---
# Create ng_tee node
mkpeer . tee dummy left
name .dummy tee

# Create ng_netflow node
mkpeer tee: netflow left2right iface0
name tee:.left2right netflow
msg netflow: setifindex { iface=0 index=1 }
msg netflow: setdlt { iface=0 dlt=12 }

# Create ng_ksocket for exporting netflow data
mkpeer netflow: ksocket export inet/dgram/udp
name netflow:.export export_ksocket
msg export_ksocket: connect inet/127.0.0.1:8000

# Create ng_echo node for returning data from divert socket
mkpeer tee: echo right echo_hook
name tee:.right echo

# Destroy dummy hook
rmhook dummy

# Create divert ng_ksocket
mkpeer tee: ksocket left inet/raw/divert
name tee:.left divert_ksocket
msg divert_ksocket: bind inet/0.0.0.0:8888
---cut---

This config assumes that the packets that need to be caught via ng_netflow are
simply diverted by an ipfw rule:

divert 8888 ip from any to any in

- or something like that

Seems everything works fine! (I'm using ipfw2 in 4.9)
Packets go through divert and are reinjected into ipfw ;-)
but I've not tested this in production yet...

Thanks again!

Vasenin Alexander aka BlackSir
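
Added example, not part of the original message or of ng_netflow itself: a small collector for checking that flows from the setup above really arrive on 127.0.0.1:8000 with interface index 1. It assumes the export is NetFlow version 5 datagrams (the message does not state the version); the function names and the sample datagram are constructed for illustration.

```python
import socket
import struct

# Assumption: the export is NetFlow version 5 (the message does not state the version).
HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_netflow_v5(datagram):
    """Return (flow_sequence, [flow dicts]); raise ValueError on malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _up, _secs, _nsecs, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("unexpected version %d" % version)
    # Check the claimed record count against the real length before unpacking.
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "input_if": r[3], "packets": r[5], "octets": r[6],
            "sport": r[9], "dport": r[10], "proto": r[13],
        })
    return seq, flows

def sample_datagram():
    """Constructed test datagram: one TCP flow seen on interface index 1."""
    rec = RECORD.pack(socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
                      socket.inet_aton("0.0.0.0"), 1, 0, 12, 4380, 1000, 2500,
                      51515, 443, 0, 0x1b, 6, 0, 0, 0, 0, 0, 0)
    return HEADER.pack(5, 1, 2500, 1077608804, 0, 42, 0, 0, 0) + rec

def listen(addr=("127.0.0.1", 8000)):
    """Print flows arriving on the address export_ksocket connects to."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(addr)
    while True:
        data, _peer = s.recvfrom(65535)
        try:
            seq, flows = parse_netflow_v5(data)
        except ValueError as e:
            print("dropped:", e)
            continue
        for f in flows:
            print(seq, f)

if __name__ == "__main__":
    listen()
```

A gap in the printed flow sequence numbers means export datagrams were lost between the node and the collector.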