Message-ID: <4FD31F0A.5090306@FreeBSD.org>
Date: Sat, 09 Jun 2012 14:01:46 +0400
From: "Alexander V. Chernikov"
To: "Kolasinski, Brent D."
Cc: "freebsd-net@freebsd.org"
Subject: Re: Netgraph and Netflow-v9

On 09.06.2012 00:04, Kolasinski, Brent D. wrote:
> Hi All,
>
> I have been doing some tests with the FreeBSD ng_netflow module for
> netflow generation. I am trying to export v9 netflow records to another
> server running SiLK (which can receive v9 Netflow from our Cisco routers
> just fine).
>
> When exporting v9 records from our FreeBSD-9-RELEASE server, we are
> getting this error on our SiLK server (this repeats many times):
> "rwflowpack[23113]: fBufNext: No Templates Present for Domain 0x000a"
>
> Now I modified the settemplates variable in ngctl to send a template every
> 20 seconds, but we are still getting this.

It should disappear after 5-10 minutes. We're using several FreeBSD v9
sensors with flowd and it seems to run fine (except the first 5 minutes
while waiting for the template).

I'm aware of the problem with the templates timeout working incorrectly
and I plan to fix this soon.

>
> As a sanity check, I tried exporting v5 netflow data from this FreeBSD box
> to the Silk box, and it happily receives it and processes it. The Silk
> server is receiving the v9 netflow datagrams, as I can see it with a PCAP.
>
> Any ideas as to what I am doing wrong? Am I using the export9 hook
> correctly in the commands listed below? There is not much documentation
> covering export9 out there (besides the tiny blurb in the FreeBSD9 Release
> notes).
>
> Here is a detail of my setup:
> 2 ethernet cards:
> 1) bce0 -> in promiscuous mode listening to traffic off of a tap
> 2) bce1 -> nic to be exporting netflow / connected to our network
>
> Commands I am using to export v9 netflow records in ngctl:
>
> mkpeer bce0: netflow lower iface0
> name bce0:lower netflow
> connect bce0: netflow: upper out0
> mkpeer netflow: ksocket export9 inet/dgram/udp
> msg netflow:export9 connect inet/:
>
>
> Thanks!!
>
> ----------
> Brent Kolasinski
> Cyber Security Program Office
> Argonne National Laboratory
> Phone: 630-252-2546
>

--
WBR, Alexander
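
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not code from ng_netflow, flowd or SiLK: a minimal NetFlow v9 collector (header and flowset layout per RFC 3954) that cannot decode a data flowset until the matching template has arrived for the same exporter and Source ID. The function names, the exporter address 192.0.2.1 and the sample datagrams are constructed for illustration.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def learn(templates, scope, body):  # store each template record under scope + (template_id,)
    pos = 0
    while pos + 4 <= len(body):
        tid, n = struct.unpack_from("!HH", body, pos)
        if tid < 256 or pos + 4 + 4 * n > len(body):  # padding or truncated record
            break
        templates[scope + (tid,)] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * n]))
        pos += 4 + 4 * n

def decode(tmpl, body):  # split a data flowset into {field_type: raw bytes} records
    rec = struct.Struct("!" + "".join("%ds" % length for _, length in tmpl))
    whole = len(body) // rec.size * rec.size if rec.size else 0  # trailing bytes are padding
    types = [t for t, _ in tmpl]
    return [dict(zip(types, v)) for v in rec.iter_unpack(body[:whole])] if whole else []

def feed(templates, exporter, datagram):
    """Parse one export datagram; return (records, data flowsets skipped for lack of a template)."""
    version, *_, source_id = HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram")
    records, missing, off = [], 0, HEADER.size
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("bad flowset length")
        body, off = datagram[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template flowset
            learn(templates, (exporter, source_id), body)
        elif fs_id > 255 and (exporter, source_id, fs_id) in templates:
            records += decode(templates[exporter, source_id, fs_id], body)
        elif fs_id > 255:  # data flowset that arrived before its template
            missing += 1
    return records, missing

def packet(source_id, *flowsets):  # constructed v9 datagram from (flowset_id, body) pairs
    return HEADER.pack(9, len(flowsets), 0, 0, 0, source_id) + b"".join(
        struct.pack("!HH", fid, 4 + len(body)) + body for fid, body in flowsets)

# Constructed sample: template 256 = IPV4_SRC_ADDR(8), IPV4_DST_ADDR(12), IN_BYTES(1), 4 bytes each
TEMPLATE = (0, struct.pack("!8H", 256, 3, 8, 4, 12, 4, 1, 4))
DATA = (256, bytes([10, 0, 0, 1, 10, 0, 0, 2]) + struct.pack("!I", 1500))

def demo():  # Source ID 10 (0x000a): data first, then the template, then the same data again
    templates = {}
    return [feed(templates, "192.0.2.1", packet(10, fs)) for fs in (DATA, TEMPLATE, DATA)]
```

Because templates are stored per exporter and Source ID, a collector that starts or restarts between template refreshes skips every data flowset until the exporter's next template transmission.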