Date: Tue, 19 Feb 2013 11:49:31 +0100
From: Jan Markus <markus.jan@seznam.cz>
To: freebsd-net@freebsd.org
Subject: Netflow v9 with ng_netflow and nfdump
Message-ID: <512358BB.1040609@seznam.cz>
Hello,

our Ministry of the Interior now requires that IP traffic logs must contain the MAC addresses of our clients. I am trying to fulfil this with Netflow v9, which (allegedly) should contain the MAC addresses of IP flows. But with no success so far...

We have a mirror port on our core switch and capture the VLAN-tagged packets on the em1 NIC on our FreeBSD 9.1 server. Our netflow collector is configured like this:

    kldload ng_ether
    kldload ng_ksocket
    kldload ng_netflow
    ifconfig em1 promisc -arp up
    ngctl mkpeer em1: netflow lower iface0
    ngctl name em1:lower netflow
    ngctl connect em1: netflow: upper out0
    ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
    ngctl msg netflow:export9 connect inet/127.0.0.1:9995

We capture the netflow packets on the same machine like this:

    nfcapd -p 9995 -S 2 -T all -D -l ./

But when I try to get the log like this:

    nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out

all I get is date, protocol, src and dst IP and port, and the number of bytes, packets and flows. No information on MAC addresses whatsoever.

What am I doing wrong?

Thank you very much for your help,
-Jan
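Whether MAC addresses can ever show up in nfdump output depends on whether the exporter advertises MAC field types in its NetFlow v9 templates at all. The following added diagnostic (example code, not from the post, ng_netflow or nfdump) parses the template flowsets of a v9 datagram and reports which MAC fields, if any, are declared; the two datagrams it checks are constructed in-line, one shaped like the post's symptom (addresses, ports, counters only) and one from an exporter that does include L2 addresses.

```python
"""Diagnostic: list the field types a NetFlow v9 exporter advertises in its
template flowsets and flag whether any MAC-address fields are among them.
Added example; the datagrams below are constructed, not captured from ng_netflow."""
import struct

# Field type numbers from RFC 3954 section 8; the four MAC-carrying types included.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
               56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC",
               81: "OUT_SRC_MAC"}
MAC_FIELDS = {56, 57, 80, 81}

def parse_v9_templates(dgram):
    """Return {template_id: [(field_type, field_len), ...]} for every template
    flowset (flowset id 0) in one v9 datagram; data flowsets are skipped over."""
    version, _count = struct.unpack_from("!HH", dgram, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram (version %d)" % version)
    templates, off = {}, 20  # fixed 20-byte v9 packet header
    while off + 4 <= len(dgram):
        fs_id, fs_len = struct.unpack_from("!HH", dgram, off)
        if fs_len < 4:
            raise ValueError("bad flowset length %d at offset %d" % (fs_len, off))
        if fs_id == 0:  # template flowset; may carry several templates
            pos, end = off + 4, off + fs_len
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", dgram, pos)
                pos += 4
                fields = [struct.unpack_from("!HH", dgram, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        off += fs_len
    return templates

def mac_fields_exported(templates):
    """Names of MAC fields declared in any template; empty if the exporter sends none."""
    return sorted(FIELD_NAMES[t] for f in templates.values() for t, _ in f if t in MAC_FIELDS)

def build_v9(template_id, field_types, lengths):
    """Constructed v9 datagram holding one template flowset (sample input only)."""
    body = struct.pack("!HH", template_id, len(field_types))
    body += b"".join(struct.pack("!HH", t, n) for t, n in zip(field_types, lengths))
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)  # version, count, uptime, secs, seq, source id
    return header + struct.pack("!HH", 0, 4 + len(body)) + body

# Template matching the post's symptom: addresses, ports, protocol, counters, no MACs.
NO_MAC = build_v9(256, [8, 12, 7, 11, 4, 1, 2], [4, 4, 2, 2, 1, 4, 4])
# Template from an exporter that does declare L2 addresses.
WITH_MAC = build_v9(257, [8, 12, 56, 80, 1, 2], [4, 4, 6, 6, 4, 4])

if __name__ == "__main__":
    for name, pkt in (("no_mac", NO_MAC), ("with_mac", WITH_MAC)):
        print(name, mac_fields_exported(parse_v9_templates(pkt)) or "no MAC fields in templates")
```

Run against a real capture by reading one UDP payload from the exporter into `dgram`; if the templates carry no MAC field types, no collector configuration will make them appear in the output.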
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?512358BB.1040609>