Re: Monitoring with labels
On Wed, 16 May 2007, Darren Spruell wrote:
> I suppose that the collector would also need to support sflow?
>
> DS

if you wanted to collect sflow data :-)

diana

Past hissy-fits are a predictor of future hissy-fits. Diana Eichert (12 May 2007)
Monitoring with labels
Hello,

I was wondering about using pf to monitor what is happening on our network. The idea is to connect a pf machine to the management port on the switch.

I am building some rules to monitor certain protocols for all IP addresses connected to our network:

pass in proto tcp from src_ip to dest_server port=protocol label src_ip_protocol

pass in proto tcp from 10.10.1.1 to 10.200.1.1 port=80 label 10_10_1_1_HTTP
pass in proto tcp from 10.10.1.2 to 10.200.1.1 port=80 label 10_10_1_2_HTTP
pass in proto tcp from 10.10.1.3 to 10.200.1.1 port=80 label 10_10_1_3_HTTP
.

I think I will end up with over 2000 rules. But maybe much more.

Is this something doable with pf or am I totally abusing the labeling features?

For me it seems like a quick way to get protocol statistics per connected ip going towards our servers... however I have no idea if it will work with lots of traffic ips!

I am hoping some of you are doing similar things?
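The scheme above boils down to two mechanical jobs: writing one rule per (source host, service) with a predictable label, and reading the per-label counters back out of `pfctl -sl` and rolling them up per service and per host. The script below is an added example that does both; it is not from the original post or from the pf project. It assumes the post's label convention (dots in the source address replaced by underscores, then the service name), that `pfctl -sl` prints `label evaluations packets bytes packets-in bytes-in packets-out bytes-out` per line (later releases append further counters, which are ignored), and the `pfctl -sl` output embedded in it is constructed, not captured from a real box.

```python
"""Added helper for the per-source-IP pf label scheme in the thread
(example code, not from the original post or from the pf project).

Assumptions:
  * label = source IP with '.' -> '_', then '_' and the service name
    (the naming used in the post).
  * `pfctl -sl` prints, per label:
      label evaluations packets bytes packets-in bytes-in packets-out bytes-out
    Extra trailing counters on newer releases are ignored.
  * SAMPLE_PFCTL_SL is constructed sample output for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of `pfctl -sl` output for three labels (not real data).
SAMPLE_PFCTL_SL = """\
10_10_1_1_HTTP 120 85 61400 40 3200 45 58200
10_10_1_2_HTTP 98 0 0 0 0 0 0
10_10_1_1_SMTP 15 12 2900 7 1400 5 1500
"""


@dataclass
class LabelStats:
    label: str
    evaluations: int
    packets: int
    bytes: int
    packets_in: int
    bytes_in: int
    packets_out: int
    bytes_out: int


def label_for(host, service):
    """Build a label the way the post does: '10.10.1.1', 'HTTP' -> '10_10_1_1_HTTP'."""
    return host.replace(".", "_") + "_" + service


def split_label(label):
    """Inverse of label_for(): '10_10_1_1_HTTP' -> ('10.10.1.1', 'HTTP').
    The first four '_'-separated parts are the IPv4 octets; the rest is the
    service name, so service names may themselves contain underscores."""
    parts = label.split("_")
    return ".".join(parts[:4]), "_".join(parts[4:])


def generate_rules(hosts, services, server):
    """One 'pass in' rule per (host, service); services maps name -> TCP port.
    Generating the ruleset keeps 2000+ lines consistent and regenerable
    whenever hosts are added or removed."""
    rules = []
    for host in hosts:
        for name, port in services.items():
            rules.append(
                f"pass in proto tcp from {host} to {server} "
                f"port {port} label {label_for(host, name)}"
            )
    return rules


def parse_label_stats(text):
    """Parse `pfctl -sl` output into LabelStats records, skipping any line
    that does not carry at least seven integer counters after the label."""
    stats = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        try:
            counters = [int(f) for f in fields[1:8]]
        except ValueError:
            continue
        stats.append(LabelStats(fields[0], *counters))
    return stats


def totals_by_service(stats):
    """Sum packets and bytes per service: the 'protocol statistics' the post is after."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for s in stats:
        _, service = split_label(s.label)
        totals[service]["packets"] += s.packets
        totals[service]["bytes"] += s.bytes
    return dict(totals)


def top_talkers(stats, n=10):
    """Hosts ordered by total bytes across all of their labels, busiest first."""
    per_host = defaultdict(int)
    for s in stats:
        host, _ = split_label(s.label)
        per_host[host] += s.bytes
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for rule in generate_rules(["10.10.1.1", "10.10.1.2"],
                               {"HTTP": 80, "SMTP": 25}, "10.200.1.1"):
        print(rule)
    parsed = parse_label_stats(SAMPLE_PFCTL_SL)
    print(totals_by_service(parsed))
    print(top_talkers(parsed))
```

On a live box the text passed to parse_label_stats() would come from running `pfctl -sl` (e.g. via subprocess) on a schedule, with the deltas between runs giving rates. Note that pf label counters are per rule, so the rule count grows with hosts times services either way; the pf.conf(5) label macros ($srcaddr, $dstport and friends) can stamp the labels onto a rule written with an address list instead of a hand-written line per host, but pf still expands that list into one rule per address internally.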
Re: Monitoring with labels
* Frans Haarman [EMAIL PROTECTED] [2007-05-16 23:05]:
> pass in proto tcp from 10.10.1.1 to 10.200.1.1 port=80 label 10_10_1_1_HTTP
> pass in proto tcp from 10.10.1.2 to 10.200.1.1 port=80 label 10_10_1_2_HTTP
> pass in proto tcp from 10.10.1.3 to 10.200.1.1 port=80 label 10_10_1_3_HTTP
> .
>
> I think I will end up with over 2000 rules. But maybe much more.
>
> Is this something doable with pf or am I totally abusing the labeling features?

both.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Monitoring with labels
On 5/16/07, Frans Haarman [EMAIL PROTECTED] wrote:
> Hello,
>
> I was wondering about using pf to monitor what is happening on our network. The idea is to connect a pf machine to the management port on the switch.

You might be better served using a tool designed for this purpose, such as Argus:
http://www.qosient.com/argus/

The Argus toolkit is designed to run on a Unix host, monitor an interface, and get "protocol statistics per connected ip going towards our servers", among many other things.

With some limitations, the collection and reporting tools work on OpenBSD (I've been testing the release candidates for Argus 3.0 and have one open bug with 'ratop'). Long ago geek00L mentioned working on a port; once Argus is released as 3.0 I'd be willing to assist in making a port.

Kevin
Re: Monitoring with labels
On 5/16/07, Frans Haarman [EMAIL PROTECTED] wrote:
> Hello,
>
> I was wondering about using pf to monitor what is happening on our network. The idea is to connect a pf machine to the management port on the switch.
>
> I am building some rules to monitor certain protocols for all IP addresses connected to our network:
>
> pass in proto tcp from src_ip to dest_server port=protocol label src_ip_protocol
>
> pass in proto tcp from 10.10.1.1 to 10.200.1.1 port=80 label 10_10_1_1_HTTP
> pass in proto tcp from 10.10.1.2 to 10.200.1.1 port=80 label 10_10_1_2_HTTP
> pass in proto tcp from 10.10.1.3 to 10.200.1.1 port=80 label 10_10_1_3_HTTP
> .
>
> I think I will end up with over 2000 rules. But maybe much more.
>
> Is this something doable with pf or am I totally abusing the labeling features?
>
> For me it seems like a quick way to get protocol statistics per connected ip going towards our servers... however I have no idea if it will work with lots of traffic ips!

Quick way, I wouldn't agree with. I wouldn't call it the right tool for the job, whereas Argus (already mentioned) or other tools such as Netflow are (IMHO) better suited.

See also:
http://www.mindrot.org/projects/flowd/
http://www.mindrot.org/projects/pfflowd/
http://www.mindrot.org/projects/softflowd/

DS
Re: Monitoring with labels
On Wed, 16 May 2007, Darren Spruell wrote:
> http://www.mindrot.org/projects/pfflowd/

a little off topic, but I'm trying to get some labor time of one of our summer grad students to add sflow support to pfflowd. i'll report back in a couple of months if there is anything to report.

diana
Re: Monitoring with labels
On 5/16/07, Diana Eichert [EMAIL PROTECTED] wrote:
> On Wed, 16 May 2007, Darren Spruell wrote:
> > http://www.mindrot.org/projects/pfflowd/
>
> a little off topic, but I'm trying to get some labor time of one of our summer grad students to add sflow support to pfflowd. i'll report back in a couple of months if there is anything to report.

That would be very cool. I suppose that the collector would also need to support sflow?

DS