Hi Michael, Thanks for your feedback, however I don't believe Argus is compatible with NfSen/NFSDUMP due to the fact that it's not a standard flow format (Netflow, IPFIX, etc). I'd like to be able to use NfSen/NFSDUMP and other standard tools for collection/analysis.
-C > Michael Mercier <mailto:mmerc...@gmail.com> > March 2, 2014 at 10:56 AM > Hello Chris, > > Have you ever looked at Qosient Argus (http://qosient.com/argus/). I > believe it has what you are looking for. > > I have played (extremely basic setup) with it on Linux, have not tried > to compile on OpenBSD. > > Thanks, > Mike > > > Chris Jones <mailto:jo...@chrisdavid.ca> > March 2, 2014 at 9:58 AM > Good morning folks, > > I'm looking for advice on a freely available IPFIX probe/sensor for flow > export of our company's corporate firewall (Juniper SRX) traffic. An > unfortunate limitation of these firewalls is that J-Flow (Juniper's > version of Netflow) is unsupported when operating in an HA firewall > cluster (which we have). I could replace the firewalls with a pair of > OpenBSD firewalls, and would prefer this, however I'm unable to at this > point for reasons I won't get into. > > I've setup port-mirroring on our Brocade ICX switch that monitors all > the SRX firewall interfaces and mirrors to an interface on an OpenBSD > 5.4 server I setup to act as sensor/collector. I'd like to be able > promiscuously capture the mirror port traffic and export in IPFIX format > to something like NfSen/NFDUMP. The sensor solution needs to support > 802.1q as we have several VLAN interfaces on the firewall so traffic > sampled from the mirror-port interface contains both tagged and untagged > traffic. > > I've tried using softflowd exporting to flowd but it doesn't seem to > support 802.1q or IPFIX (yet). Any other suggestions or advice is > greatly appreciated. > > Cheers, > -Chris
