Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 6 Feb 2021 11:10:29 -0500
From:      petru garstea <peter.garshtja@ambient-md.com>
To:        Lutz Donnerhacke <lutz@donnerhacke.de>
Cc:        freebsd-net@freebsd.org
Subject:   Re: netgraph with ng_netflow and ng_gridge nodes
Message-ID:  <b9350b57-f6f0-39c5-4744-a07c646b23ef@ambient-md.com>
In-Reply-To: <20210202202651.GA31946@belenus.iks-jena.de>
References:  <43cf5dc9-521c-dcc4-f025-398173608062@ambient-md.com> <20210202201649.GA31653@belenus.iks-jena.de> <20210202202651.GA31946@belenus.iks-jena.de>
next in thread | previous in thread | raw e-mail | index | archive | help 
Greetings,

I have come up with a graph with no use of ng_tee, ng_hub or ng_one2many.

Also I validated the flows on a collector

In case anybody has the same use case I am sharing the graph

mkpeer re0: netflow lower iface0
name re0:lower netflow
connect re0: netflow: upper out1
mkpeer netflow: bridge out0 link0
name netflow:out0 re0bridge
connect re0bridge: netflow: link1 iface1
mkpeer re0bridge: eiface link2 ether
name re0bridge:link2 ng0
mkpeer netflow: ksocket export9 inet/dgram/udp
msg re0: setpromisc 1
msg re0: setautosrc 0
msg netflow: setconfig {iface=0 conf=11}
msg netflow: setconfig {iface=1 conf=11}
msg netflow:export9 connect inet/${collector_ip}:${port}

Cheers,

Petru Garstea

On 2/2/21 3:26 PM, Lutz Donnerhacke wrote:
> On Tue, Feb 02, 2021 at 09:16:49PM +0100, Lutz Donnerhacke wrote:
>> fxp0.lower -- iface0.netgraph.out0 -- link1.bridge.link2 -- upper.fxp0
>>                                                   \.link3 -- ether.eiface
> The strange thing is, that both fxp0 and eiface provide an interface to the
> kernel IP stack. This is confusing (for the kernel).
>
> I'd like to point you to ng_tee instead of ng_bridge for a read only access
> to the communitcation (depending on the direction). Even ng_one2many or
> ng_hub might be a better solution.
>
> If you only need the eiface to attach tcpdump, you can omit it completely,
> because tcpdump is able to sniff on the fxp0 even if the netgraph hooks are
> set.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b9350b57-f6f0-39c5-4744-a07c646b23ef>