Re: [pfSense] NetFlow analysis tools

2015-01-16 Thread Jon Gerdes
On Thu, 2015-01-15 at 17:08 +0100, b...@todoo.biz wrote:
> Hello,
>
> I would like to know which flow-tools you are using in conjunction with
> pfflowd / netflow.
>
> I am particularly interested in GUI back-end.
>
> If you have any good pointers, that would really be helpful.
>
> Sincerely yours.

Softflowd - Logstash receiver - Redis - Logstash indexer -
Elasticsearch - Kibana

Logstash has a Netflow input and then I use the GeoIP and DNS filters to
augment the data. Finally, in Kibana I plot the flows on a map from the
GeoIP.  That single report has told me an awful lot.

For example, someone came to our office and had an SSL VPN of some sort,
they also use an external web proxy.  Before they fired up the VPN their
flows were going through European IPs.  As soon as the VPN was started,
their 443/tcp flows instantly switched to the US.  When the VPN was shut
down it moved back to Europe.  Coincidence - perhaps.  I couldn't do
much more testing in the time available.

Cheers
Jon


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
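
The check Jon describes doing by eye on the Kibana map can also be run directly over GeoIP-enriched flow records. This is an added example, not part of the original thread or of Jon's setup; the record field names, the per-minute bucketing and the sample flows are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: (ts seconds, src, dst_port, IP proto, GeoIP continent of dst).
# Field names and values are assumptions, not taken from a real capture.
_ROWS = [
    (5, "10.0.0.23", 443, 6, "EU"), (20, "10.0.0.23", 443, 6, "EU"),
    (10, "10.0.0.23", 53, 17, "NA"),            # not 443/tcp, ignored
    (65, "10.0.0.23", 443, 6, "NA"), (70, "10.0.0.23", 443, 6, "NA"),
    (90, "10.0.0.23", 443, 6, "NA"), (100, "10.0.0.23", 443, 6, "EU"),
    (130, "10.0.0.23", 443, 6, "EU"), (150, "10.0.0.23", 443, 6, "EU"),
    (15, "10.0.0.40", 443, 6, "EU"), (75, "10.0.0.40", 443, 6, None),
    (80, "10.0.0.40", 443, 6, "EU"),
]
SAMPLE_FLOWS = [dict(zip(("ts", "src", "dst_port", "proto", "continent"), r))
                for r in _ROWS]


def dominant_continent_by_bucket(flows, port=443, proto=6, bucket_secs=60):
    """Map src -> {bucket index: most common destination continent}."""
    counts = defaultdict(lambda: defaultdict(Counter))
    for f in flows:
        if f["dst_port"] != port or f["proto"] != proto:
            continue
        if not f.get("continent"):      # GeoIP lookup gave no result
            continue
        counts[f["src"]][f["ts"] // bucket_secs][f["continent"]] += 1
    return {src: {b: c.most_common(1)[0][0] for b, c in buckets.items()}
            for src, buckets in counts.items()}


def continent_shifts(flows, port=443, proto=6, bucket_secs=60):
    """Return (src, bucket start ts, old, new) for each change of the
    dominant destination continent between consecutive observed buckets."""
    shifts = []
    per_src = dominant_continent_by_bucket(flows, port, proto, bucket_secs)
    for src, buckets in sorted(per_src.items()):
        prev = None
        for b in sorted(buckets):
            cur = buckets[b]
            if prev is not None and cur != prev:
                shifts.append((src, b * bucket_secs, prev, cur))
            prev = cur
    return shifts


if __name__ == "__main__":
    for shift in continent_shifts(SAMPLE_FLOWS):
        print(shift)
```

A shift flagged this way is only a lead to investigate, as in the message above: it shows that a host's 443/tcp destinations moved between continents, not why.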


Re: [pfSense] substantial packet loss on em interfaces (Superserver 5015A-EHF-D525)

2015-01-16 Thread Vick Khera
On Fri, Jan 16, 2015 at 3:35 AM, Tim Jansen tim...@byte-site.de wrote:

> some SuperMicro systems (and yours as well) have an IPMI interface running
> via the 1st onboard NIC, which means IPMI shares the phys. NIC with the
> typical LAN configuration on OS level while the IPMI interface is
> configured within the BIOS.

This has caused issues for me too. If you have the IPMI interface enabled,
make sure that the sharing mode for the ethernet port is suitable for your
configuration. I personally always put the LAN interface on the shared port
as that causes the fewest problems for me. I usually set the interfaces to
share mode with the IPMI.

Re: [pfSense] substantial packet loss on em interfaces (Superserver 5015A-EHF-D525)

2015-01-16 Thread Geoff Nordli

On 15-01-16 07:34 AM, Vick Khera wrote:

> On Fri, Jan 16, 2015 at 3:35 AM, Tim Jansen tim...@byte-site.de wrote:
>
>> some SuperMicro systems (and yours as well) have an IPMI interface
>> running via the 1st onboard NIC, which means IPMI shares the phys.
>> NIC with the typical LAN configuration on OS level while the
>> IPMI interface is configured within the BIOS.
>
> This has caused issues for me too. If you have the IPMI interface
> enabled, make sure that the sharing mode for the ethernet port is
> suitable for your configuration. I personally always put the LAN
> interface on the shared port as that causes the fewest problems for
> me. I usually set the interfaces to share mode with the IPMI.


Hi Vick.

I think you are on to something there.  The part that really confused me 
is I have two of those servers.  One was working OK and the other was 
failing miserably.  It is quite possible the working server had the IPMI 
interface on the LAN port.


The intermittent failure was enough to drive me crazy!!

thanks,

Geoff



