From: David Duchscher
Date: Wed, 29 Mar 2006 13:34:27 -0600
To: Bart Van Kerckhove
Cc: "freebsd-net@FreeBSD.org"
Subject: Re: ng_netflow documentation

On Mar 29, 2006, at 11:19 AM, Bart Van Kerckhove wrote:

> Dear list,
>
> I have been looking into ng_netflow lately for traffic analyzing.
> It seems that this would do everything I'd ever need - though I have a hard
> time tracking down (working) examples, or FAQ's/howto's/documentation.
> I've done the most obvious things, googled it, searched the -net lists, but
> to no (useful) effect.
> I was wondering if this list could provide me with any useful links or info
> regarding ng_netflow. That would be greatly appreciated!

Script that is working on one of my systems (fxp0 is its only interface):

kldload ng_ether
kldload ng_ksocket
kldload ng_tee
kldload ng_netflow

# Tap interface
ngctl mkpeer fxp0: tee lower right
ngctl name fxp0:lower tee0
ngctl connect fxp0: tee0: upper left

# Hook up netflow to tap
ngctl mkpeer tee0: netflow right2left iface0
ngctl name tee0:right2left netflow0
ngctl connect tee0: netflow0: left2right iface1

# Hook up netflow export to ksocket
ngctl msg netflow0: setifindex { iface=0 index=1 }
ngctl msg netflow0: setifindex { iface=1 index=2 }
ngctl mkpeer netflow0: ksocket export inet/dgram/udp
ngctl name netflow0:export nfexport
ngctl msg nfexport: connect inet/127.0.0.1:9996

Then you just need something to capture the netflow data like
ports/net-mgmt/flow-tools. You can also change 127.0.0.1 to any
routable host and the netflow packets will be sent to that host.

Hope this helps,
--
DaveD
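
An added example, not part of the original message: a minimal Python receiver for the datagrams the script sends to 127.0.0.1:9996, assuming NetFlow version 5 export as described in ng_netflow(4). The sample datagram, the dictionary field names and the exporters allow-list are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("unexpected NetFlow version %d" % version)
    # v5 carries at most 30 records, and all of them must be present
    if not 1 <= count <= 30 or len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count %d does not fit the datagram" % count)
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3],  # index set with setifindex (1 or 2 above)
                      "packets": f[5], "octets": f[6], "sport": f[9],
                      "dport": f[10], "tcp_flags": f[12], "proto": f[13]})
    return flows

def sample_datagram():
    """Constructed test datagram: one TCP flow tagged with interface index 1."""
    ip = socket.inet_aton
    header = HEADER.pack(5, 1, 60000, 1143660867, 0, 0, 0, 0, 0)
    record = RECORD.pack(ip("192.0.2.10"), ip("198.51.100.7"), ip("0.0.0.0"),
                         1, 0, 12, 3400, 1000, 59000, 51515, 443,
                         0, 0x1B, 6, 0, 0, 0, 0, 0, 0)
    return header + record

def collect(host="127.0.0.1", port=9996, exporters=("127.0.0.1",)):
    """Receive exports on the script's target address; ignore unknown senders."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, (peer, _) = sock.recvfrom(2048)
        if peer not in exporters:  # NetFlow over UDP carries no authentication
            continue
        try:
            for flow in parse_v5(data):
                print(peer, flow)
        except ValueError as err:
            print("dropped datagram from %s: %s" % (peer, err))

if __name__ == "__main__":
    print(parse_v5(sample_datagram()))  # run collect() on the FreeBSD host instead
```

If the export target is changed from 127.0.0.1 to a remote collector, the exporters tuple should list the exporting host's address, and the export port is best filtered at the collector's firewall as well, since the source address of a UDP datagram can be forged.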