On 02/19/2013 06:02 PM, Adrian Chadd wrote:
.. I assume that your netflow collector is positioned correctly so it
can see the actual client MAC, rather than the MAC of the L3 gateway
device?

Yes, we've checked with tcpdump. The mirror port simply copies the packets as they flow from our clients to routers.

One more way of logging the IP->MAC binding would be a periodic dump from our core switch. But the solution with Netflow v9 seems much more "elegant", I think.

We are using Juniper EX4200 as our core switches and, as far as I know, they support only sFlow (sampled flow). And we are required to log every connection.




adrian

On 19 February 2013 02:49, Jan Markus <markus....@seznam.cz> wrote:
Hello,

our Ministry of the Interior now requires that IP traffic logs must contain
MAC addresses of our clients. I am trying to fulfil this with Netflow v9
which (allegedly) should contain the MAC addresses of IP flows.

But with no success so far...

We have a mirror port on our core switch and capture the VLAN tagged packets
on em1 NIC on our FreeBSD 9.1 server.

Our netflow collector is configured like this:

   kldload ng_ether
   kldload ng_ksocket
   kldload ng_netflow

   ifconfig em1 promisc -arp up

   ngctl mkpeer em1: netflow lower iface0
   ngctl name em1:lower netflow
   ngctl connect em1: netflow: upper out0
   ngctl mkpeer netflow: ksocket export9 inet/dgram/udp
   ngctl msg netflow:export9 connect inet/127.0.0.1:9995

We capture the netflow packets on the same machine like this:

   nfcapd -p 9995 -S 2 -T all -D -l ./

But when I try to get the log like this:

   nfdump -r nfcapd.201302191051 > nfcapd.201302191051.out

All I get is date, protocol, src and dst IP and port, and number of bytes,
packets and flows. No information on MAC addresses whatsoever.

What am I doing wrong?

Thank you very much for your help,
-Jan

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

