From: George Uhl
To: freebsd-net@freebsd.org
Date: Thu, 14 Jun 2007 13:54:51 -0400
Subject: ng_netflow unable to capture data
List-Id: Networking and TCP/IP with FreeBSD

I'm using a FreeBSD 6.2-RELEASE host as a passive monitor between two routers. I have a netoptics fiber tap that I use to split out the transmit signal from each router and I run them into two fiber interfaces on my host. With ng_eiface I've created a virtual ethernet interface that I use to combine the two transmit streams using ng_one2many. I can see the combined transmit streams on the virtual interface using tcpdump. However, I'm unable to capture netflow data. Any help would be appreciated.

Script to set up netflow using netgraph:

#!/bin/sh
kldload ng_ether
kldload ng_tee
kldload ng_one2many
kldload ng_netflow
kldload ng_ksocket

# ifaces accepting transmit streams from the routers
ifconfig em2 promisc -arp up
ifconfig em3 promisc -arp up

# create a netgraph virtual interface and attach a tee node to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: tee lower right
ngctl name ngeth0:lower tee0

# bring up ngeth0
ifconfig ngeth0 promisc -arp up

# create a one2many node, attach tapped interfaces to it and hook it to tee node
ngctl mkpeer tee0: one2many left one
ngctl name tee0:left o2m0
ngctl connect em2: o2m0: lower many0
ngctl connect em3: o2m0: lower many1

# hook up netflow to tap
ngctl mkpeer tee0: netflow right2left iface0
ngctl name tee0:right2left flow0

# hook up netflow export to ksocket
ngctl mkpeer flow0: ksocket export inet/dgram/udp
ngctl msg flow0:export connect inet/127.0.0.1:4444

-- 
-----------------------------------------------
George Uhl
ESDIS Network Prototyping Lab
email: george.uhl@gsfc.nasa.gov
phone: 301-614-5155