Hi,
On 06/11/2015 12:42 PM, Borja Marcos wrote: > > Hello, > > We are deploying several netflow servers, with one of them forwarding some > netflow records to others. > > I have set up separate channels for each data source in order to avoid > confusion, but the forwarding > has made the searches by "router-ip" useless. > > Imagine that routers R1 and R2 send the netflow records to server S1, which > forwards them to S2. > > If I examine the flows from R1 and R2 in S2, the "router-ip" value I see for > the flows is the IP address > of S1, instead of the IP addresses of R1 and R2, which would be more than > desirable. > > What about adding a "force router-ip" parameter to nfcapd? That parameter > would make nfcapd change > the router-ip for all the flows going through it. > > Right now, I have separate nfcapd processes for R1 and R2 both in S1 and S2, > so a simple parameter > would solve it. I am sure others have stumbled upon the same problem. > I solved this by using a separate server as a netflow-proxy running the software samplicator ( (wget https://github.com/sleinen/samplicator/archive/master.zip ) https://github.com/sleinen/samplicator/ This little proxy-tool can forward the flows to multiple destinations while it is able to "spoof" the source-address. Usage: samplicate [option...] receiver... Supported options: -p <port> UDP port to accept flows on (default 2000) -s <address> Interface address to accept flows on (default any) -d <level> debug level -b <size> set socket buffer size (default 65536) -n don't compute UDP checksum (leave at 0) -S maintain (spoof) source addresses -x <delay> transmit delay in microseconds -c <configfile> specify a config file to read -f fork program into background -m <pidfile> write process ID to file -4 IPv4 only -6 IPv6 only -h print this usage message and exit Start via: samplicate -p 10001 -n -S -f 10.10.11.12 (listens on port 10001 and forwards to 10.10.11.12 keeping the original source - default destination port is 2000) This has also the advantage that you can configure the same exporter-destination ip on all netflow sources. Maybe this looks like a faster solution for you than waiting for a nfsen switch (which would be nice, I agree..) best greetings Gunther NetCologne Systemadministration -- NetCologne Gesellschaft für Telekommunikation mbH Am Coloneum 9 ; 50829 Köln Geschäftsführer: Jost Hermanns, Mario Wilhelm Vorsitzender des Aufsichtsrates: Dr. Andreas Cerbe HRB 25580, AG Köln ------------------------------------------------------------------------------ _______________________________________________ Nfsen-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
