From owner-freebsd-net@FreeBSD.ORG Tue Feb 19 16:21:59 2013
From: Barney Cordoba
Date: Tue, 19 Feb 2013 08:21:49 -0800 (PST)
Subject: Barney Cordoba
To: freebsd-net@freebsd.org, erichsfreebsdlist, linimon, freebsd-isp@freebsd.org, khatfield, squid-users-subscribe@squid-cache.org, friends, freebsd-current@freebsd.org
Message-ID: <1361290909.39265.YahooMailNeo@web121603.mail.ne1.yahoo.com>

http://www.bauer-mc.de/llcfkrr/t2cx3elzyvfq/h6k5gxkn8vwjj2dvpf

From owner-freebsd-net@FreeBSD.ORG Tue Feb 19 17:02:23 2013
From: Adrian Chadd
Date: Tue, 19 Feb 2013 09:02:15 -0800
Subject: Re: Netflow v9 with ng_netflow and nfdump
To: Jan Markus
Cc: freebsd-net@freebsd.org
In-Reply-To: <512358BB.1040609@seznam.cz>
References: <512358BB.1040609@seznam.cz>

.. I assume that your netflow collector is positioned correctly so it
can see the actual client MAC, rather than the MAC of the L3 gateway
device?

adrian

On 19 February 2013 02:49, Jan Markus wrote:
> Hello,
>
> our Ministry of the interior now requires that IP traffic logs must contain
> MAC addresses of our clients. I am trying to fulfil this with Netflow v9
> which (allegedly) should contain the MAC addresses of IP flows.
>
> But with no success so far...
>
> We have a mirror port on our core switch and capture the VLAN tagged packets
> on em1 NIC on our FreeBSD 9.1 server.
>
> Our netflow collector is configured like this:
>
> kldload ng_ether
> kldload ng_ksocket
> kldload ng_netflow
>
> ifconfig em1 promisc -arp up
>
> ngctl mkpeer em1: netflow lower iface0
> ngctl name em1:lower netflow
> ngctl connect em1: netflow: upper out0
> ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
> ngctl msg netflow:export9 connect inet/127.0.0.1:9995
>
> We capture the netflow packets on the same machine like this:
>
> nfcapd -p 9995 -S 2 -T all -D -l ./
>
> But when I try to get the log like this:
>
> nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out
>
> All I get is date, protocol, src and dst IP and port, and number of bytes,
> packets and flows. No information on MAC addresses whatsoever.
>
> What am I doing wrong?
>
> Thank you very much for your help,
> -Jan
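
One way to narrow down the problem described in this thread is to check whether the NetFlow v9 templates arriving on UDP port 9995 declare any MAC address fields at all, before looking at how nfdump prints records. The following is an added example, not part of the original thread and not code from ng_netflow or nfdump; it parses one v9 export datagram (the UDP payload) and lists the MAC fields per template, using the field type numbers from RFC 3954. The sample datagrams and the names `v9_templates`, `mac_fields` and `sample_packet` are constructed for illustration.

```python
import struct

# NetFlow v9 field type numbers for MAC addresses (RFC 3954, section 8).
MAC_FIELDS = {56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC", 81: "OUT_SRC_MAC"}

def v9_templates(packet):
    """Return {template_id: [(field_type, length), ...]} for one v9 export datagram."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError("not NetFlow v9 (version field is %d)" % version)
    templates, off = {}, 20
    while off + 4 <= len(packet):
        flowset_id, flowset_len = struct.unpack_from("!HH", packet, off)
        if flowset_len < 4 or off + flowset_len > len(packet):
            raise ValueError("bad FlowSet length at offset %d" % off)
        if flowset_id == 0:  # template FlowSet; data FlowSets (id >= 256) are skipped
            pos, end = off + 4, off + flowset_len
            while pos + 4 <= end:
                template_id, nfields = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if template_id < 256:  # padding, not a template record
                    break
                if pos + 4 * nfields > end:
                    raise ValueError("template %d is truncated" % template_id)
                templates[template_id] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                                          for i in range(nfields)]
                pos += 4 * nfields
        off += flowset_len
    return templates

def mac_fields(templates):
    """Map each template id to the names of the MAC fields it declares."""
    return {tid: [MAC_FIELDS[t] for t, _ in fields if t in MAC_FIELDS]
            for tid, fields in templates.items()}

def sample_packet(template_id, fields):
    """Constructed test datagram: v9 header plus one template FlowSet."""
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    return header + struct.pack("!HH", 0, 4 + len(record)) + record

# Constructed templates: a 5-tuple plus counters, then the same with two MAC fields.
BASE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
WITH_MAC = BASE + [(56, 6), (57, 6)]

if __name__ == "__main__":
    for pkt in (sample_packet(256, BASE), sample_packet(257, WITH_MAC)):
        print(mac_fields(v9_templates(pkt)))
```

An empty list for every template means the exporter is not sending MAC addresses, so no collector or output format setting can recover them; a non-empty list moves the question to the collector and the display format.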