On 03-09-2014 11:06, Paul S. wrote:
> Hi folks,
>
> I've set up a netflow collector and have begun exporting flow data from
> one of my OpenBSD edge systems.
>
> All appeared well at first glance, but I've noticed that the amount of
> flow data exported appears excessive.
>
> (i.e.: My hardware router for nearly 7-8 gbit/s of actual traffic,
> configured with a sampling rate of 768 sends around 550 flows/second.)
>
> However, my BSD box that's forwarding 1-2 mbit/s of traffic is
> generating nearly 500 flows per second as well.
>
> This seemed odd to me, and seems to be a sampling issue.
>
> Is there any way to configure the sampling rate for pflow(4) interfaces?
>
> I've gone through the man-page
> (http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pflow.4?query=pflow&sec=4&arch=i386)
> and was unable to locate anything.
>
> My configuration is fairly basic,
>
> # cat /etc/hostname.pflow0
> flowsrc 10.152.212.1 flowdst 10.1.26.197:9996 pflowproto 10
>
> Then on /etc/pf.conf,
>
> set state-defaults pflow
>
> I believe the pf rule mentions to sample every packet, how can I
> configure it to sample only once every n packets?
>
> Thanks!
>

There was a similar question some time ago here on misc. If I recall
correctly, pf only sends a flow to the pflow interface after a state is
expired. That is, you'll only see it on pflow when the connection is
ended, with all the begin/end and traffic values at once. It does not
sample a state. There was even a diff proposed for doing this.

In your case, I suggest that you only set the pflow option for the rules
you need, not as a state-defaults. This might explain this large volume
of flows.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
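
The suggestion in the reply above, written out as a pf.conf fragment. This is an added example, not part of the original message; the `egress` interface group, the ports and the rules themselves are constructed placeholders.

```conf
# /etc/pf.conf (constructed example; rules and ports are placeholders)

# Before: every state created by any rule is exported to pflow(4)
# when it expires, so flow volume follows state churn, not bandwidth.
# set state-defaults pflow

# After: pflow is no longer a state default. Only states created by
# rules that carry the pflow state option are exported.
block all

# Outbound traffic: states are created, but not exported.
pass out on egress

# Inbound web traffic: these states are exported when they expire.
pass in on egress proto tcp to port { 80 443 } keep state (pflow)

# Inbound DNS: many short-lived states, deliberately left out of the export.
pass in on egress proto udp to port 53
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. If flows are exported on state expiry as the reply describes, the state removals rate shown by `pfctl -si` gives an upper bound on the flow rate to expect from rules marked `pflow`.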

