From: Maksim Yevmenkin
Date: Wed, 01 Jun 2005 11:10:15 -0700
To: Matthew Reimer
Cc: freebsd-net@freebsd.org
Subject: Re: Packets don't flow from ng_netflow

Matthew Reimer wrote:

> I'm trying to use ng_netflow to monitor our network traffic but for some
> reason NetFlow packets aren't emitted unless tcpdump is running on the
> interface configured with ng_netflow.
>
> The box is running FreeBSD 4.11-STABLE and the latest ng_netflow from ports.
> It has two NICs: the main NIC fxp0 which is configured for IP, and a second
> NIC dc0 which is up but with no IP configuration. I've configured port
> mirroring on our Cisco switch to tee all traffic going through our upstream
> port to dc0:
>
> # ifconfig dc0
> dc0: flags=8843 mtu 1500
>         ether 00:04:5a:79:72:f7
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> netgraph config:
>
> + mkpeer dc0: netflow lower iface0
> + name dc0:lower netflow
> + mkpeer netflow: ksocket export inet/dgram/udp
> + msg netflow:export connect inet/192.168.1.2:1234
>
> The problem is that no NetFlow packets are emitted unless I run tcpdump on
> dc0. Is this not a valid configuration? Or is there a bug in
> netgraph/ng_netflow?

nope. tcpdump(1) puts interface into promiscuous mode. by default your
dc0 interface will only pick packets destined for it and/or broadcast
packets. please use

# ifconfig dc0 promisc

thanks,
max
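Added example, not part of the original thread: a preflight check for a passive capture interface that decodes the hex word after `flags=` in ifconfig(8) output and reports whether the promiscuous bit is set. The function names are hypothetical, the bit values are IFF_UP and IFF_PROMISC from FreeBSD's `<net/if.h>`, and the second sample line is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Bit values are IFF_UP and
# IFF_PROMISC from FreeBSD's <net/if.h>.
IFF_UP=0x1
IFF_PROMISC=0x100

# Print the hex flags word of the first interface in ifconfig(8) output (stdin).
iface_flags() {
    sed -n 's/^[^[:space:]]*: flags=\([0-9a-fA-F][0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Read ifconfig output on stdin and print the sensor state:
#   ready       up and promiscuous, mirrored frames reach netgraph
#   no-promisc  up, but frames for other MAC addresses are dropped
#   down        interface is not up
#   unknown     no flags word found in the input
# Returns 0 only for "ready".
sensor_state() {
    hex=$(iface_flags)
    if [ -z "$hex" ]; then echo unknown; return 2; fi
    flags=$((0x$hex))
    if [ $((flags & $IFF_UP)) -eq 0 ]; then echo down; return 1; fi
    if [ $((flags & $IFF_PROMISC)) -eq 0 ]; then echo no-promisc; return 1; fi
    echo ready
}

# First line of the ifconfig output quoted in the post.
SAMPLE_BEFORE='dc0: flags=8843 mtu 1500'
# Constructed: the same flags word with the IFF_PROMISC bit (0x100) set.
SAMPLE_AFTER='dc0: flags=8943 mtu 1500'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    state=$(printf '%s\n' "$sample" | sensor_state) || true
    printf '%s -> %s\n' "$sample" "$state"
done
```

On the sensor itself the check is `ifconfig dc0 | sensor_state`, run before the ngctl commands so a silent exporter is caught at setup time.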