Date: Tue, 19 Feb 2013 19:48:33 +0400
From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To: Jan Markus <markus.jan@seznam.cz>
Cc: freebsd-net@freebsd.org
Subject: Re: Netflow v9 with ng_netflow and nfdump
Message-ID: <51239ED1.6020609@FreeBSD.org>
In-Reply-To: <512358BB.1040609@seznam.cz>
References: <512358BB.1040609@seznam.cz>

On 19.02.2013 14:49, Jan Markus wrote:
> Hello,

Hello.

>
> our Ministry of the interior now requires that IP traffic logs must
> contain MAC addresses of our clients. I am trying to fulfil this with
> Netflow v9 which (allegedly) should contain the MAC addresses of IP flows.

Netflow version 9 is flexible and allows you to use only necessary
fields grouped in 'templates'.
Currently ng_netflow supports 2 statically-defined templates (for v4 and
v6 L3+L4) and SRC_MAC/DST_MAC are not included there.

>
> But with no success so far...
>
> We have a mirror port on our core switch and capture the VLAN tagged
> packets on em1 NIC on our FreeBSD 9.1 server.
>
> Our netflow collector is configured like this:
>
> kldload ng_ether
> kldload ng_ksocket
> kldload ng_netflow
>
> ifconfig em1 promisc -arp up
>
> ngctl mkpeer em1: netflow lower iface0
> ngctl name em1:lower netflow
> ngctl connect em1: netflow: upper out0
> ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
> ngctl msg netflow:export9 connect inet/127.0.0.1:9995
>
> We capture the netflow packets on the same machine like this:
>
> nfcapd -p 9995 -S 2 -T all -D -l ./
>
> But when I try to get the log like this:
>
> nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out
>
> All I get is date, protocol, src and dst IP and port, and number of
> bytes, packets and flows. No information on MAC addresses whatsoever.
>
> What am I doing wrong?
>
> Thank you very much for your help,
> -Jan
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

--
WBR, Alexander
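
Added example (not part of the original message, and not ng_netflow or nfdump code): a minimal parser for the template FlowSet of a NetFlow v9 export packet that reports whether a template declares any MAC-address field, which is the check that settles whether a collector can ever show MACs. Field type numbers are taken from RFC 3954; the sample packet and its template IDs 256 and 257 are constructed for illustration and are not ng_netflow's actual templates.

```python
import struct

# Field type numbers from RFC 3954 (NetFlow v9), section 8.
MAC_FIELDS = {56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC", 81: "OUT_SRC_MAC"}

def parse_templates(packet: bytes) -> dict:
    """Return {template_id: [(field_type, length), ...]} for one v9 export packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    templates, offset = {}, 20                      # FlowSets follow the 20-byte header
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("FlowSet length runs past the packet")
        pos, end = offset + 4, offset + length
        while flowset_id == 0 and pos + 4 <= end:   # FlowSet ID 0 carries templates
            template_id, nfields = struct.unpack_from("!HH", packet, pos)
            pos += 4
            if template_id < 256:                   # padding, not a template record
                break
            if pos + 4 * nfields > end:
                raise ValueError("template record truncated")
            templates[template_id] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                                      for i in range(nfields)]
            pos += 4 * nfields
        offset += length
    return templates

def mac_fields(fields) -> list:
    """Names of the MAC-address fields a template declares (empty if none)."""
    return [MAC_FIELDS[t] for t, _ in fields if t in MAC_FIELDS]

def build_sample() -> bytes:
    """Constructed packet: template 256 is L3+L4 only, template 257 adds MACs."""
    def record(tid, fields):
        return struct.pack("!HH", tid, len(fields)) + b"".join(
            struct.pack("!HH", t, n) for t, n in fields)
    l3l4 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    body = record(256, l3l4) + record(257, l3l4 + [(56, 6), (80, 6)])
    header = struct.pack("!HHIIII", 9, 2, 0, 0, 0, 0)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body

if __name__ == "__main__":
    for tid, fields in parse_templates(build_sample()).items():
        print(tid, mac_fields(fields) or "no MAC fields: the collector cannot show them")
```

To run it against real exporter output, pass the UDP payload of a captured export packet to parse_templates() in place of build_sample().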