That did the trick I think. I'll know after an hour or so of "real" traffic going through it. It at least helped me understand it a lot better.
Thanks! --Brian On 5/5/05, Glenn Dawson <[EMAIL PROTECTED]> wrote: > At 07:26 AM 5/5/2005, you wrote: > >Hi all. I'm trying to get ng_netflow to work, and I'm having a heck > >of a time doing so. So if anyone can shed some light on my problem, > >please do so. I've tried multiple configurations, and can't get it to > >work right. I can only get it to see traffic in one direction (for > >example, flows from other PCs to the server. Flows starting from the > >server started by something like fetch or ssh don't show up as > >sourcing from the server). Here is the config that I thought would do > >that, but it's not. > > > >mkpeer fxp1: tee lower right > >connect fxp1: fxp1:lower upper left > >mkpeer fxp1:lower netflow left2right iface0 > >name fxp1:lower.left2right fxp1_netflow > >msg fxp1_netflow: setifindex { iface=0 index=5 } > >mkpeer fxp1_netflow: ksocket export inet/dgram/udp > >msg fxp1_netflow:export connect inet/127.0.0.1:9800 > > > >Using this, when I run flowctl, it shows the source interface as ppp0 > >and sometimes sl0, which isn't even connected, and a dest interface of > >fxp1. If I switch all the "left2right"s with "right2left"s, I get > >only flows going to the server...so after reading how the tee in > >netgraph works, I assumed if I switched it, it would show the other > >direction. > > Try this...I've used it to catch flows in both directions for an em > interface....you can probably tweak it to work in your situation... > > mkpeer em0: tee lower right > connect em0: em0:lower upper left > name em0:lower em0_tee > mkpeer em0_tee: netflow left2right iface0 > name em0:lower.left2right netflow > connect em0_tee: netflow: right2left iface1 > msg netflow: setifindex { iface=0 index=2 } > msg netflow: setifindex { iface=1 index=1 } > mkpeer netflow: ksocket export inet/dgram/udp > msg netflow:export connect inet/x.x.x.x:4444 > > -Glenn > > >Any thoughts, suggestions? > >Thanks, > >--Brian > > > >-- > >_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_ > >Brian McCann > >Systems & Network Administrator, K12USA > > > >"I don't have to take this abuse from you -- I've got hundreds of > >people waiting to abuse me." > > -- Bill Murray, "Ghostbusters" > >_______________________________________________ > >freebsd-questions@freebsd.org mailing list > >http://lists.freebsd.org/mailman/listinfo/freebsd-questions > >To unsubscribe, send any mail to "[EMAIL PROTECTED]" > > -- _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_ Brian McCann Systems & Network Administrator, K12USA "I don't have to take this abuse from you -- I've got hundreds of people waiting to abuse me." -- Bill Murray, "Ghostbusters" _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"