Date: Wed, 31 Aug 2005 13:28:48 +0400
From: Gleb Smirnoff
To: Ganbold
Cc: freebsd-isp@FreeBSD.org
Subject: Re: ng_netflow and bridging firewall

On Wed, Aug 31, 2005 at 05:50:21PM +0900, Ganbold wrote:
G> At 08:10 PM 8/30/2005, you wrote:
G> >On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
G> >G> ngctl mkpeer xl1: tee lower right
G> >G> ngctl connect xl1: xl1:lower upper left
G> >G> ngctl name xl1:lower xl1_tee
G> >G> ngctl mkpeer xl1_tee: netflow left2right iface0
G> >G> ngctl name xl1:lower.left2right netflow
G> >G> ngctl connect xl1_tee: netflow: right2left iface1
G> >G> ngctl msg netflow: setifindex { iface=0 index=2 }
G> >G> ngctl msg netflow: setifindex { iface=1 index=1 }
G> >G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
G> >G> ngctl msg netflow:export connect inet/127.0.0.1:8818
G> >G>
G> >G> I'm just using second xl1 interface for ng_netflow. However when I see the
G> >G> flow data I can only see my network addresses in
G> >G> the dstIP field. Is it correct? I thought both srcIP, dstIP should contain
G> >G> my IPs, because I'm trying to catch traffic which goes both directions of
G> >G> xl1. Is my assumption correct? If I'm wrong, how to make it work in the correct
G> >G> way?
G> >
G> >No. Look at ng_ether(4) manpage, and draw your graph. You are catching only
G> >one direction with the above script.
G>
G> OK. I see. I'm catching only incoming traffic to xl1 interface.
G> I can see it from ngctl issuing msg xl1_tee: getstats command and also
G> flowctl netflow: show command.
G>
G> I read the ng_ether man page and didn't quite get it.
G>
G> I'm including xl0 interface in a similar way as xl1.
G> Is the following sufficient for catching outgoing traffic?
G>
G> ngctl mkpeer xl0: tee lower right
G> ngctl connect xl0: xl0:lower upper left
G> ngctl name xl0:lower xl0_tee
G> ngctl mkpeer xl0_tee: netflow left2right iface2
G> ngctl name xl0:lower.left2right netflow0
G> ngctl msg netflow0: setifindex { iface=2 index=4 }
G> ngctl connect xl0_tee: netflow0: right2left iface3
G> ngctl msg netflow0: setifindex { iface=3 index=3 }
G> ngctl mkpeer netflow0: ksocket export inet/dgram/udp
G> ngctl msg netflow0:export connect inet/127.0.0.1:8818

Looks correct.

G> The graph is something like:
G>
G>              ng_ether
G>      upper |          | lower
G>       left |          | right
G>               ng_tee
G> right2left |          | left2right
G>     iface0 |          | iface1
G>             ng_netflow
G>
G> Maybe I did something wrong. How should I do it in the right way?
G> I googled and didn't find good source/samples of ng_netflow.
G>
G> thanks in advance,
G>
G> Ganbold
G>
G>

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE