Date: Thu, 05 May 2005 14:13:57 -0700
To: freebsd-questions@freebsd.org
From: Glenn Dawson
cc: Vince Hoffman
Subject: Re: netgraph & netflow

I didn't originally copy the list on this, but since there was a "me too" post, here it is.

-Glenn

At 07:26 AM 5/5/2005, you wrote:
>Hi all. I'm trying to get ng_netflow to work, and I'm having a heck
>of a time doing so. So if anyone can shed some light on my problem,
>please do so. I've tried multiple configurations, and can't get it to
>work right. I can only get it to see traffic in one direction (for
>example, flows from other PCs to the server. Flows starting from the
>server started by something like fetch or ssh don't show up as
>sourcing from the server). Here is the config that I thought would do
>that, but it's not.
>
>mkpeer fxp1: tee lower right
>connect fxp1: fxp1:lower upper left
>mkpeer fxp1:lower netflow left2right iface0
>name fxp1:lower.left2right fxp1_netflow
>msg fxp1_netflow: setifindex { iface=0 index=5 }
>mkpeer fxp1_netflow: ksocket export inet/dgram/udp
>msg fxp1_netflow:export connect inet/127.0.0.1:9800
>
>Using this, when I run flowctl, it shows the source interface as ppp0
>and sometimes sl0, which isn't even connected, and a dest interface of
>fxp1. If I switch all the "left2right"s with "right2left"s, I get
>only flows going to the server...so after reading how the tee in
>netgraph works, I assumed if I switched it, it would show the other
>direction.

Try this...I've used it to catch flows in both directions for an em interface....you can probably tweak it to work in your situation...

mkpeer em0: tee lower right
connect em0: em0:lower upper left
name em0:lower em0_tee
mkpeer em0_tee: netflow left2right iface0
name em0:lower.left2right netflow
connect em0_tee: netflow: right2left iface1
msg netflow: setifindex { iface=0 index=2 }
msg netflow: setifindex { iface=1 index=1 }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/x.x.x.x:4444

-Glenn

>Any thoughts, suggestions?
>Thanks,
>--Brian
>
>--
>_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
>Brian McCann
>Systems & Network Administrator, K12USA
>
>"I don't have to take this abuse from you -- I've got hundreds of
>people waiting to abuse me."
> -- Bill Murray, "Ghostbusters"
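
A collector-side check that both directions are arriving, added here as an example and not part of the original thread: ng_netflow exports NetFlow v5 datagrams, and the code below parses one and reports which of the input interface indexes set with setifindex (2 and 1 in the reply above) never appear in the records. The function names, addresses and sample datagrams are constructed for illustration.

```python
import socket
import struct
from collections import Counter

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return a list of (src, dst, input_ifindex, output_ifindex, packets)."""
    if len(datagram) < HDR.size:
        raise ValueError("short datagram")
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated: header claims %d records" % count)
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                      f[3], f[4], f[5]))
    return flows

def missing_directions(flows, expected=(2, 1)):
    """Input indexes configured with setifindex that no record carries."""
    seen = Counter(f[2] for f in flows)
    return [idx for idx in expected if seen[idx] == 0]

def make_v5(records):
    """Build a constructed v5 datagram from (src, dst, input_ifindex) tuples."""
    out = HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, ifidx in records:
        out += REC.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                        ifidx, 0, 10, 1200, 0, 0, 40000, 22,
                        0, 0, 6, 0, 0, 0, 0, 0, 0)
    return out

if __name__ == "__main__":
    # Constructed samples: one hook reporting only, then both hooks reporting.
    one_way = make_v5([("198.51.100.7", "192.0.2.10", 1)])
    both = make_v5([("198.51.100.7", "192.0.2.10", 1),
                    ("192.0.2.10", "198.51.100.7", 2)])
    print("one hook :", missing_directions(parse_v5(one_way)))
    print("two hooks:", missing_directions(parse_v5(both)))
```

On a real collector, the bytes passed to parse_v5 would come from a UDP socket bound to the port named in the ksocket connect message (4444 in the reply above).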