On Mon, Nov 10, 2014 at 2:36 AM, jean-yves boisiaud <[email protected]> wrote:
> I use OpenBSD 5.5 as a firewall gateway.
>
> I also use nfsen/nfdump as the netflow collector/analyzer.
>
> pf.conf enables netflow for every pf rule (set state-defaults pflow).
>
> On the netflow collector host, when I analyse traffic using nfdump,
> some packets are missing. But on the firewall, tcpdump shows there is
> traffic for these missing packets.
>
> The missing packets are using a carp interface and are natted. The IP
> used for the nat is an alias, not the main IP address of the carp
> interface.
>
> Do you know if there is a problem with netflow + carp alias + nat?

Are you using pflowproto 10 by any chance? When doing this with 5.5 and nfdump-1.6.10 I noticed many Sequence Errors in nfcapd's logs and had to revert to pflowproto 5 to have accurate traffic accounting (I have not yet checked to see if this issue is present in 5.6 and nfdump-1.6.12).

