Giancarlo,
Thank you for your reply.
Unfortunately, this is a gateway box -- there aren't really any firewall
rules that I can individually apply the filter to.
On 9/4/2014 01:22 AM, Giancarlo Razzolini wrote:
On 03-09-2014 11:06, Paul S. wrote:
Hi folks,
I've set up a netflow collector and have begun exporting flow data from
one of my OpenBSD edge systems.
All appeared well at first glance, but I've noticed that the amount of
flow data exported appears excessive.
(i.e.: My hardware router for nearly 7-8 gbit/s of actual traffic,
configured with a sampling rate of 768 sends around 550 flows/second.)
However, my BSD box that's forwarding 1-2 mbit/s of traffic is
generating nearly 500 flows per second as well.
This seemed odd to me, and seems to be a sampling issue.
Is there any way to configure the sampling rate for pflow(4) interfaces?
I've gone through the man-page
(http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pflow.4?query=pflow&sec=4&arch=i386)
and was unable to locate anything.
My configuration is fairly basic,
# cat /etc/hostname.pflow0
flowsrc 10.152.212.1 flowdst 10.1.26.197:9996 pflowproto 10
Then on /etc/pf.conf,
set state-defaults pflow
I believe the pf rule mentions sampling every packet; how can I
configure it to sample only once every n packets?
Thanks!
There was a similar question some time ago here on misc. If I recall
correctly, pf only sends a flow to the pflow interface after a state is
expired. That is, you'll only see it on pflow when the connection is
ended, with all the begin/end and traffic values at once. It does not
sample a state. There was even a diff proposed for doing this. In your
case, I suggest that you only set the pflow option for the rules you
need, not as a state-defaults. This might explain this large volume of
flows.
Cheers,
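
The per-rule approach suggested in the quoted reply, as an added example that is not part of the original thread or of anyone's actual ruleset. The interface names, macros and port lists are assumptions; only `set state-defaults pflow` and the pflow0 settings come from the messages above.

```conf
# /etc/pf.conf -- constructed example, not the poster's real ruleset.

ext_if = "em0"          # assumed uplink interface
int_if = "em1"          # assumed inside interface

# Before (from the thread): every state pf creates, on any rule, is
# exported through pflow0 when the state expires.
# set state-defaults pflow

set skip on lo

# Forwarded traffic that should not generate flow records, for example
# short-lived DNS and ICMP states. Plain stateful pass, no pflow option.
pass in  on $int_if
pass out on $ext_if

# After: only states created by the rules below carry the pflow option,
# so only they are exported. The last matching rule wins in pf, so
# these override the generic pass rules above for the listed traffic.
pass out on $ext_if inet proto tcp to port { 80 443 } keep state (pflow)
pass in  on $ext_if inet proto tcp to port 22 keep state (pflow)

# /etc/hostname.pflow0 stays as posted in the thread:
# flowsrc 10.152.212.1 flowdst 10.1.26.197:9996 pflowproto 10
```

The file can be syntax-checked without loading it with `pfctl -nf /etc/pf.conf`. Export still happens once per expired state, so this reduces which states are reported rather than sampling packets.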