From: "Daniel O'Connor"
To: "Scott, Brian"
Cc: "freebsd-stable@freebsd.org stable"
Subject: Re: Flow monitoring with PF
Date: Thu, 13 Jun 2013 10:46:43 +0930

On 12/06/2013, at 9:47, "Scott, Brian" wrote:
>> I was looking at trying out flow monitoring and I found pfflowd, but unfortunately it does not work with FreeBSD >9.0. I thought about ng_netflow but that doesn't see my tun interface which may be related to..
>> WARNING: attempt to domain_add(netgraph) after domainfinalize()
>
> Noise message. I've never seen it actually mean anything.
>
> The problem is that tun0 is a generic network interface. Ng_ether only exposes Ethernet devices. The equivalent to tun but for an Ethernet device is tap. Creating a tap device after boot immediately creates the corresponding ng_ether node which can then be plumbed into ng_netflow.

OK, for some reason I thought NG would add nodes to mirror every network interface but that was wrong..

> Some software is kind enough to work with either tun or tap as a configurable option.

Unfortunately I am using ppp which doesn't :(

>> Does anyone have any recommendations for generating flow information from PF?
>
> I've had great success with ng_netflow. I like the fact that all the processing is in-kernel.

Yeah, that is one reason I looked at it.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C