Andy <a...@brandwatch.com> writes:

> I have an issue where one of my 'real-time' queues is much busier than
> it should be. I suspect that someone is running something on the
> network and setting the diffserv bits (or something else funky..) and
> so the firewall is placing the traffic into the higher priority queue
> which is screwing with our VoIP traffic :(
>
> Does anyone know of how I can view the pflow or even just the states
> for /all/ traffic in just one queue?

If you're only interested in the traffic that hits one queue, my suggestion would be that you temporarily alter your rule set so only the rule that assigns traffic to that queue exports pflow data. Then set up collection (I like nfsen/nfdump, but there are others) and mine the data. On a busy network finding the offending traffic can still take a bit of work, but with proper flow data collection at least you get a haystack ;)

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
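
The approach suggested in the reply, sketched as an added pf.conf fragment that is not part of the original thread. The interface, queue names, match criteria and addresses are assumptions; releases using the older ALTQ syntax write `queue realtime` where this uses `set queue realtime`.

```conf
# Added sketch, not from the thread. All names and addresses below are
# assumed placeholders (192.0.2.0/24 is a documentation range).
ext_if = "em0"                        # assumed interface name

# If the ruleset exports flow data for every state, disable that while
# investigating, otherwise the collector sees all queues again:
# set state-defaults pflow

# General rule first (pf uses the last matching rule): no pflow option,
# so these states are not exported.
pass out on $ext_if set queue bulk

# The single rule that assigns traffic to the busy queue. The match
# criteria (UDP, ToS 0xb8) are assumed; keep whatever the real rule
# uses and only add the (pflow) state option.
pass out on $ext_if proto udp tos 0xb8 set queue realtime keep state (pflow)

# Exporter setup on the firewall (shell, as root):
#   ifconfig pflow0 create
#   ifconfig pflow0 flowsrc 192.0.2.1 flowdst 192.0.2.10:9995
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
#
# Collector side with nfdump's capture daemon, then top sources by bytes:
#   nfcapd -D -p 9995 -l /var/nfcapd
#   nfdump -R /var/nfcapd -s srcip/bytes -n 20
```

pflow records are exported when a state ends, so long-lived flows only show up in the collector once they close or time out.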