I didn't originally copy the list on this, but since there was a "me too" post, here it is.
-Glenn
At 07:26 AM 5/5/2005, you wrote:
Hi all. I'm trying to get ng_netflow to work, and I'm having a heck of a time doing so. So if anyone can shed some light on my problem, please do so. I've tried multiple configurations, and can't get it to work right. I can only get it to see traffic in one direction (for example, flows from other PCs to the server. Flows starting from the server started by something like fetch or ssh don't show up as sourcing from the server). Here is the config that I thought would do that, but it's not.
mkpeer fxp1: tee lower right connect fxp1: fxp1:lower upper left mkpeer fxp1:lower netflow left2right iface0 name fxp1:lower.left2right fxp1_netflow msg fxp1_netflow: setifindex { iface=0 index=5 } mkpeer fxp1_netflow: ksocket export inet/dgram/udp msg fxp1_netflow:export connect inet/127.0.0.1:9800
Using this, when I run flowctl, it shows the source interface as ppp0 and sometimes sl0, which isn't even connected, and a dest interface of fxp1. If I switch all the "left2right"s with "right2left"s, I get only flows going to the server...so after reading how the tee in netgraph works, I assumed if I switched it, it would show the other direction.
Try this...I've used it to catch flows in both directions for an em interface....you can probably tweak it to work in your situation...
mkpeer em0: tee lower right
connect em0: em0:lower upper left
name em0:lower em0_tee
mkpeer em0_tee: netflow left2right iface0
name em0:lower.left2right netflow
connect em0_tee: netflow: right2left iface1
msg netflow: setifindex { iface=0 index=2 }
msg netflow: setifindex { iface=1 index=1 }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/x.x.x.x:4444-Glenn
Any thoughts, suggestions? Thanks, --Brian
-- _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_ Brian McCann Systems & Network Administrator, K12USA
"I don't have to take this abuse from you -- I've got hundreds of people waiting to abuse me." -- Bill Murray, "Ghostbusters" _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
