Sniff to NetFlow

Hi
I'm running softflowd to gather data from mirror interfaces and send them to nfsen. It works reasonably, but sometimes softflowd eats up lots of CPU. Also I saw this is abandoned software.
Is there some other sniff-to-NetFlow program that is currently maintained?
Thanks
 
Well, my machine is not the router of the networks. It has 6 interfaces, connected to 5 interfaces on catalyst switches, configured for mirroring interesting VLANs.
This is why I need to SNIFF traffic, and then send to nfsen as it came from a Netflow enabled switch.
As far as I can understand, netgraph is based on the internals of the IP stack, and assumes to give you info about processes it governs.
The system does not really "see" the traffic.
Bye
 
I thought it was obvious ;) My cat has no NetFlow support. Only high-end ones, and even then only with special features, have it.
Bye
 
Not sure, but I think you should still experiment with ng_netflow. It looks like it just needs to see traffic entering an interface, and if you're sniffing, the traffic is entering the interface.
 
It looks somewhat interesting, but googling around results in very old posts about very old implementations, and I wasn't able to find a guide other than programmer-oriented ones.
I'm going to experiment, but if you have some hints please share them!
Thanks
 
aragon said:
Not sure, but I think you should still experiment with ng_netflow. It looks like it just needs to see traffic entering an interface, and if you're sniffing, the traffic is entering the interface.

Well, I report my findings here for all the people needing this.
My setup is that I have the interface that receives mirrored traffic from my DMZ renamed to DMZ.
I have an NFSEN setup listening on port 9994 on my_nfsen_host.
Just start your ngctl and spit this into it:

Code:
mkpeer dmz: netflow lower iface0
name dmz:lower nfdmz
connect dmz: nfdmz: upper out0
mkpeer nfdmz: ksocket export inet/dgram/udp
msg nfdmz:export connect inet/my_nfsen_host:9994

Well, you'll see... Nothing. As we were discussing, traffic is not sent up through the IP stack until we also type:

Code:
ifconfig dmz promisc

to gather all the mirrored traffic that is coming.
That's all!

My findings on resource usage are also impressive: I had each of the softflowd processes eating up 25/30% of my 3.3 Xeon (8 of them are in the machine). Now the load on the machine is under 5% total...

Thanks for helping and hope this will be useful to others too.
Bye
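A collector-side check, added here as an example and not part of this thread: it decodes NetFlow v5 datagrams (the format ng_netflow sends out of its export hook) so you can confirm what actually reaches the nfsen host on 9994 before trusting nfsen's graphs. The sample datagram is constructed; the bind address and port are assumptions.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format (big-endian): 24-byte header, then N 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(data):
    """Decode one exporter datagram; raise ValueError on malformed input."""
    if len(data) < HDR.size:
        raise ValueError("short header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = HDR.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # v5 allows at most 30 records; count must match the datagram length exactly.
    if count > 30 or len(data) != HDR.size + count * REC.size:
        raise ValueError(f"count={count} disagrees with datagram length {len(data)}")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "sampling": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = REC.unpack_from(data, HDR.size + i * REC.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12],
            "proto": PROTO.get(f[13], str(f[13])),
        })
    return header, records


def sample_datagram():
    """Constructed test datagram (not a real capture): one TCP flow, one UDP flow."""
    recs = [
        (IPv4Address("10.1.1.10").packed, IPv4Address("192.0.2.80").packed, b"\0\0\0\0",
         1, 0, 42, 31337, 1000, 5000, 51234, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0),
        (IPv4Address("10.1.1.53").packed, IPv4Address("192.0.2.53").packed, b"\0\0\0\0",
         1, 0, 1, 76, 2000, 2000, 40000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0),
    ]
    return HDR.pack(5, len(recs), 123456, 1700000000, 0, 7, 0, 0, 0) + b"".join(REC.pack(*r) for r in recs)


def collect_once(port=9994):
    """Bind the way nfsen would (assumed 0.0.0.0:9994) and decode the first datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        data, peer = s.recvfrom(65535)
    return peer, parse_netflow_v5(data)


if __name__ == "__main__":
    peer, (hdr, recs) = collect_once()
    print(peer, hdr)
    for r in recs:
        print(r)
```

Stop nfsen (or pick a spare port and repoint the ksocket with another msg connect) while running this, since only one process can bind the UDP port.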
 