Date: Wed, 31 Aug 2005 17:50:21 +0900
From: Ganbold <ganbold@micom.mng.net>
To: Gleb Smirnoff <glebius@FreeBSD.org>
Cc: freebsd-isp@freebsd.org
Subject: Re: ng_netflow and bridging firewall
Message-ID: <6.2.1.2.2.20050831173013.0355eaf0@202.179.0.80>
In-Reply-To: <20050830111049.GK60614@cell.sick.ru>
References: <6.2.1.2.2.20050830190113.035378e0@202.179.0.80> <20050830111049.GK60614@cell.sick.ru>

At 08:10 PM 8/30/2005, you wrote:
>On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
>G> ngctl mkpeer xl1: tee lower right
>G> ngctl connect xl1: xl1:lower upper left
>G> ngctl name xl1:lower xl1_tee
>G> ngctl mkpeer xl1_tee: netflow left2right iface0
>G> ngctl name xl1:lower.left2right netflow
>G> ngctl connect xl1_tee: netflow: right2left iface1
>G> ngctl msg netflow: setifindex { iface=0 index=2 }
>G> ngctl msg netflow: setifindex { iface=1 index=1 }
>G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
>G> ngctl msg netflow:export connect inet/127.0.0.1:8818
>G>
>G> I'm just using second xl1 interface for ng_netflow. However when I see the
>G> flow data I can only see my network addresses in
>G> the dstIP field. Is it correct? I thought both srcIP, dstIP should contain
>G> my IPs, because I'm trying to catch traffic which goes both directions of
>G> xl1. Is my assumption correct? If I'm wrong, how to make it work in correct
>G> way?
>
>No. Look at ng_ether(4) manpage, and draw your graph. You are catching only
>one direction with the above script.

OK. I see. I'm catching only incoming traffic to the xl1 interface. I can see
it from ngctl issuing the msg xl1_tee: getstats command and also the
flowctl netflow: show command.

I read the ng_ether man page and didn't quite get it. I'm including the xl0
interface in a similar way as xl1. Is the following sufficient for catching
outgoing traffic?

ngctl mkpeer xl0: tee lower right
ngctl connect xl0: xl0:lower upper left
ngctl name xl0:lower xl0_tee
ngctl mkpeer xl0_tee: netflow left2right iface2
ngctl name xl0:lower.left2right netflow0
ngctl msg netflow0: setifindex { iface=2 index=4 }
ngctl connect xl0_tee: netflow0: right2left iface3
ngctl msg netflow0: setifindex { iface=3 index=3 }
ngctl mkpeer netflow0: ksocket export inet/dgram/udp
ngctl msg netflow0:export connect inet/127.0.0.1:8818

The graph is something like:

            ng_ether
      upper |      | lower
       left |      | right
             ng_tee
 right2left |      | left2right
     iface0 |      | iface1
            ng_netflow

Maybe I did something wrong. How should I do it in the right way?
I googled and didn't find a good source/samples of ng_netflow.

Thanks in advance,
Ganbold