From owner-freebsd-net@FreeBSD.ORG Wed Sep 8 18:13:19 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D7FF16A4CE; Wed, 8 Sep 2004 18:13:19 +0000 (GMT) Received: from mail.vicor-nb.com (bigwoop.vicor-nb.com [208.206.78.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 68BD843D5D; Wed, 8 Sep 2004 18:13:19 +0000 (GMT) (envelope-from julian@elischer.org) Received: from elischer.org (julian.vicor-nb.com [208.206.78.97]) by mail.vicor-nb.com (Postfix) with ESMTP id 0AE4E7A3D2; Wed, 8 Sep 2004 11:13:19 -0700 (PDT) Message-ID: <413F4BBE.1020304@elischer.org> Date: Wed, 08 Sep 2004 11:13:18 -0700 From: Julian Elischer User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.3.1) Gecko/20030516 X-Accept-Language: en, hu MIME-Version: 1.0 To: Gleb Smirnoff References: <20040905121111.GA78276@cell.sick.ru> <20040908103529.V97761@murphy.imp.ch> <20040908085607.GG597@cell.sick.ru> In-Reply-To: <20040908085607.GG597@cell.sick.ru> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: Patrick.Guelat@imp.ch cc: net@freebsd.org Subject: Re: [TEST/REVIEW] Netflow implementation X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Sep 2004 18:13:19 -0000 Gleb Smirnoff wrote: >On Wed, Sep 08, 2004 at 10:43:34AM +0000, Patrick.Guelat@imp.ch wrote: >P> > here is netgraph module which implements Netflow traffic >P> >accounting, which I'm going to add to CURRENT in recent future: >P> >[..] >P> >I've been testing it for last week on loaded 100Mbit Ethernet >P> >which serves 9 ASes, 12 prefixes :) And it works stable. >P> >P> Did some tests here, looks very nice ! At least our netflow-collector >P> is happy with the data ;-) > >The only empty fields are ASNs :) I hope to fill them in future. > >P> flowctl did not work for me, to which >P> node do you have to send the msg to ? > >I usually call node "netflow" using 'ngctl name', and then call >'flowctl netflow show'. > >P> I attached two netflow nodes on a tee, one right2left and one left2right >P> to catch both directions. > >This is working solution, but not correct. :) >To catch both directions you should feed ng_netflow with incoming traffic >from all interfaces. > using 'tee' means you are duplicating all packets. shouldn't you do collection "inline? or does this NEED to have copies of the packets? > > >