On 06/04/18 13:28, Stuart Longland wrote:
>> If you have data on the traffic (netflow comes to mind) it might be
>> worth the effort to see if there's a pattern where the traffic
>> originated. It could be down to some common misconfiguration, maybe even
>> too many naive followers of a slightly misguidedly written HOWTO somewhere.
>
> This is something I'm looking to investigate, some sort of traffic
> accounting so I can track per IP/protocol/port, how much traffic passes
> through my router. I did something similar on Linux a year or two back,
> I just have to research how to do the equivalent in OpenBSD.
>
> A quick Google search suggests netflow is a Cisco router feature.
> https://hackaday.io/project/10529/log/146422-new-router shows the
> installation of the APU2, no Cisco kit here, it's basically a patch
> cable between the ADSL2 modem and the APU2's `em1` port. If there is an
> equivalent on OpenBSD, I'll gladly have a look.
>
> My guide was `man pf.conf`, perhaps skimmed over too quickly. I'm not
> willing to blame the OpenBSD team just yet, more probable I
> misunderstood something, hence the query of whether this line of
> investigation is worth pursuing.
You're in luck, we have pflow(4) which requires only minimal pf.conf surgery and a collector somewhere. I wrote about that at one point (with the essentials also in The Book of PF): https://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html - but do note that once you have 'keep state' or similar with specific options on a rule, remember to append pflow to the list of options.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
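As an added example (my own code, not Peter's and not part of OpenBSD or pflow(4)), here is the "collector somewhere" in its smallest form: a parser for the NetFlow v5 datagrams pflow(4) emits by default, aggregating bytes per IP/protocol/port the way Stuart describes. It assumes hostname.pflow0 sets flowdst to this host's UDP port 9995; the sample datagram is constructed, not a capture.

```python
import socket
import struct
from collections import defaultdict

# pflow(4) exports NetFlow v5 by default: 24-byte header, then up to 30 big-endian 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Return one dict per flow record; reject anything that is not sane v5."""
    if len(datagram) < V5_HEADER.size or V5_HEADER.unpack_from(datagram)[0] != 5:
        raise ValueError("not a NetFlow v5 datagram")
    count = V5_HEADER.unpack_from(datagram)[1]
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated: header announces %d records" % count)
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]), "packets": f[5],
                      "bytes": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def account(flows):
    """Sum bytes per (src, dst, proto, dport): the per-IP/protocol/port view."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["proto"], f["dport"])] += f["bytes"]
    return dict(totals)

def build_v5(records):
    """Constructed datagram in the layout pflow would send (not a real capture)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                       pk, by, 0, 1000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pr, sp, dp, pk, by in records)
    return V5_HEADER.pack(5, len(records), 1000, 1523000000, 0, 0, 0, 0, 0) + body

SAMPLE = build_v5([  # (src, dst, proto, sport, dport, packets, bytes); constructed values
    ("192.0.2.10", "198.51.100.5", 6, 40001, 443, 12, 9000),
    ("192.0.2.10", "198.51.100.5", 6, 40002, 443, 3, 1200),
    ("192.0.2.11", "198.51.100.9", 17, 5353, 53, 1, 80),
])

def serve(port=9995):
    """Minimal collector: bind where hostname.pflow0's flowdst points (port 9995 assumed)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, _ = sock.recvfrom(65535)
        print(account(parse_v5(data)))
```

Run `serve()` on the collector host and point `flowdst` at it; `account(parse_v5(SAMPLE))` shows the aggregation offline.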

