Your best bet is UDP Samplicator. I've used it extensively for replicating NetFlow, sFlow, and syslog. It preserves the source IP and provides a relatively simple configuration file format.
http://freshmeat.net/projects/samplicator/

- Adam

On 8/22/06 10:08 PM, "jay alvarez" <[EMAIL PROTECTED]> wrote:

> --- Jonathan Glass <[EMAIL PROTECTED]> wrote:
>
>> I gave up on using flow-fanout to distribute flows, and bought a flow
>> mirroring appliance from Lancope.com
>
> How about flow-send? Anyone who knows an opensource tool to distribute
> flows to other collectors without modifying its contents, especially
> exporterip?
>
>> Jonathan G.
>>
>> jay alvarez wrote:
>>> Hi,
>>>
>>> Suppose we have a netflow collector which captures raw flows using
>>> flow-scan, throws a copy of each to a flow-capture listening on
>>> loopback and another copy on a remote machine.
>>>
>>> The ip which runs flow-fanout is 192.168.1.19.
>>> The ip of another collector is 192.168.1.20
>>>
>>> Flow-fanout was started like this:
>>>
>>> /usr/bin/flow-fanout 192.168.1.19/0/2054 127.0.0.1/0/2054 192.168.1.19/192.168.1.20/2054
>>>
>>> Flow-capture was started like this:
>>>
>>> /usr/bin/flow-capture -w /var/netflow/ft/all 127.0.0.1/0/2054 -S5 -V5 -e864 -n287 -N0
>>>
>>> Now, I have encountered several problems, which I think pertain to
>>> the "Bugs" section of the flow-fanout manpage:
>>>
>>> First, the flows being received by flow-capture now have a router
>>> exporter ip of 127.0.0.1. With this, I got weird netflows having
>>> random ifindex numbers above 100. The same erroneous flows arrive on
>>> 192.168.1.20. The manpage says this is a bug (having the exporter
>>> router ip lost when using flow-fanout), and I assume that this is the
>>> cause why I am getting wrong ifindexes, and a workaround would be to
>>> use IP aliases and localip option. Can you please clarify how this
>>> should be done, and why this bug is happening.
>>>
>>> The exporterip as well as the ifindex is important to us because
>>> there is an instance when a host appears at the top talkers but when
>>> we ping it, it doesn't reply, and we are assuming that it's either
>>> filtered or the ip is spoofed. However, to find out if this is
>>> spoofed, we have to find out what interface on the exporter router it
>>> enters. Only that, it is not possible with flows received from
>>> flow-fanout.
>>>
>>> That's all for now. Thanks.
>>
>> --
>> Jonathan Glass, RHCE, MCP
>> Information Security Engineer III
>> OIT Information Security
>> Georgia Institute of Technology
>> Atlanta, Georgia 30332-0700
>> Office/Cell: 404-385-6900
>> Key ID: 0xAB50FF20 Size: 2048 Bits Created: 11/17/2004
>> Fingerprint: 3CD2 1BC6 4485 720B AB45 FF3E 8B3B D6F5 AB50 FF20

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
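An added example, not part of the thread or of flow-tools: a NetFlow v5 datagram carries no exporter address in its payload, so a collector can only attribute flows to the UDP source address, and the ifIndex values are only meaningful per exporter. The sketch below parses v5 datagrams and shows how two routers' interface numbers merge once a relay re-sends from its own address; the router addresses, the sample flows and the helper names are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes, no exporter IP field
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow

def parse_v5(payload):
    """Return (header dict, list of record dicts) for one NetFlow v5 datagram."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("short datagram")
    version, count, _up, _secs, _nsecs, seq, etype, eid, _samp = V5_HEADER.unpack_from(payload)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(payload) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match record count")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "input_if": f[3], "output_if": f[4], "octets": f[6]})
    return {"seq": seq, "engine": (etype, eid)}, records

def input_ifs_by_exporter(datagrams):
    """Map UDP source address -> set of input ifIndex values seen from it."""
    seen = defaultdict(set)
    for udp_src, payload in datagrams:
        _hdr, records = parse_v5(payload)
        for r in records:
            seen[udp_src].add(r["input_if"])
    return dict(seen)

def via_relay(datagrams, relay_ip):
    """Model a relay that re-sends payloads from its own address (no source preservation)."""
    return [(relay_ip, payload) for _src, payload in datagrams]

def build_v5(records, seq=0):
    """Constructed sample data: pack (src, dst, input_if, output_if, octets) tuples."""
    out = V5_HEADER.pack(5, len(records), 0, 0, 0, seq, 0, 0, 0)
    for src, dst, in_if, out_if, octets in records:
        out += V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
                              in_if, out_if, 1, octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return out

# Constructed traffic from two hypothetical routers (documentation address range).
SAMPLE = [("192.0.2.1", build_v5([("10.1.1.5", "10.2.2.9", 3, 7, 1500)])),
          ("192.0.2.2", build_v5([("10.3.3.3", "10.2.2.9", 3, 1, 400),
                                  ("10.3.3.4", "10.2.2.9", 12, 1, 90)]))]
```

Run `input_ifs_by_exporter(SAMPLE)` and `input_ifs_by_exporter(via_relay(SAMPLE, "127.0.0.1"))` side by side: in the relayed view ifIndex 3 can no longer be tied to one router, which is the check to make on any collector fed through a replicator.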
