From: Jan Markus <markus.jan@seznam.cz>
Date: Tue, 19 Feb 2013 11:49:31 +0100
To: freebsd-net@freebsd.org
Subject: Netflow v9 with ng_netflow and nfdump

Hello,

our Ministry of the Interior now requires that IP traffic logs must contain the MAC addresses of our clients. I am trying to fulfil this with Netflow v9, which (allegedly) should contain the MAC addresses of IP flows. But with no success so far...

We have a mirror port on our core switch and capture the VLAN-tagged packets on the em1 NIC of our FreeBSD 9.1 server.
Our netflow collector is configured like this:

    kldload ng_ether
    kldload ng_ksocket
    kldload ng_netflow
    ifconfig em1 promisc -arp up
    ngctl mkpeer em1: netflow lower iface0
    ngctl name em1:lower netflow
    ngctl connect em1: netflow: upper out0
    ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
    ngctl msg netflow:export9 connect inet/127.0.0.1:9995

We capture the netflow packets on the same machine like this:

    nfcapd -p 9995 -S 2 -T all -D -l ./

But when I try to get the log like this:

    nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out

all I get is date, protocol, src and dst IP and port, and the number of bytes, packets and flows. No information on MAC addresses whatsoever.

What am I doing wrong?

Thank you very much for your help,
-Jan
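A NetFlow v9 exporter announces exactly which fields each data record carries in its template flowset (RFC 3954), so the direct way to settle the question above is to capture one export packet from UDP port 9995 and decode its templates rather than inferring from nfdump output. The following Python script is an added example, not part of the original mail or of ng_netflow or nfdump; the field type numbers are the RFC 3954 values, and the sample packet is constructed here for the test, not captured from ng_netflow.

```python
import struct

# RFC 3954 field type IDs that carry layer-2 (MAC) addresses
MAC_FIELDS = {56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC", 81: "OUT_SRC_MAC"}

def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every
    template flowset (flowset id 0) found in one NetFlow v9 export packet."""
    if len(packet) < 20:
        raise ValueError("short NetFlow v9 header")
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    templates, off = {}, 20                  # 20-byte v9 header, then flowsets
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        if fs_id == 0:                       # template flowset; data flowsets use ids >= 256
            body, pos = packet[off + 4:off + fs_len], 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template %d" % tid)
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        off += fs_len
    return templates

def mac_fields_per_template(packet):
    """Map each template id to the MAC field names it exports (empty list = no MACs)."""
    return {tid: [MAC_FIELDS[t] for t, _ in fields if t in MAC_FIELDS]
            for tid, fields in parse_v9_templates(packet).items()}

def build_v9_template_packet(templates):
    """Constructed test input: a v9 header plus a single template flowset."""
    body = b"".join(struct.pack("!HH", tid, len(f)) + b"".join(struct.pack("!HH", *x) for x in f)
                    for tid, f in templates.items())
    header = struct.pack("!HHIIII", 9, len(templates), 0, 0, 0, 0)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body

# Constructed sample: template 256 is the usual IPv4 5-tuple plus counters (no MACs);
# template 257 adds IN_SRC_MAC (56) and IN_DST_MAC (80), 6 bytes each.
SAMPLE = build_v9_template_packet({
    256: [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)],
    257: [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (56, 6), (80, 6)],
})

if __name__ == "__main__":
    for tid, macs in sorted(mac_fields_per_template(SAMPLE).items()):
        print("template %d: %s" % (tid, ", ".join(macs) or "no MAC fields"))
```

On a live box, feed the script one datagram read from a socket bound to 127.0.0.1:9995 (or a packet capture of that port) instead of SAMPLE; a template list without types 56/57/80/81 means the exporter never sends MACs, whatever the collector is asked to display.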