On Saturday 26 March 2016 18:54:25 Kapetanakis Giannis wrote:
> On 26/03/16 17:02, Eike Lantzsch wrote:
> > Hi:
> >
> > For learning purposes I want to set up collecting NetFlow data from my
> > small office router (5.8 release on a PC-Engines Alix 2D13 device).
> > I'm trying to follow
> > http://bsdly.blogspot.ca/2014/02/yes-you-too-can-be-evil-network.html
> > and I have Peter N. M. Hansteen's fine Book of PF (3) at hand - chapter 9
> > "Collecting NetFlow Data with pflow(4)".
> > However I seem to have a hard time to understand some details.
> >
> > I set up
> > /etc/pf.conf
> > # options:
> > set state-defaults pflow
> >
> > and
> > /etc/hostname.pflow0
> >
> > and get this:
> >
> > # ifconfig pflow0
> > pflow0: flags=41<UP,RUNNING> mtu 1448
> >         priority: 0
> >         pflow: sender: 192.168.12.1 receiver: 192.168.12.31:9995 version: 10
> >         groups: pflow
> >
> > 192.168.12 is my internal small network. I plan to set up a collector on
> > 192.168.12.31, which is an OpenBSD-vm on my work station.
> > (Did I get this right? Or should I use the address which I get from my ISP
> > as a source address?)
> >
> > However
> > # tcpdump -nettti pflow0
> > tcpdump: Failed to open bpf device for pflow0: Device not configured
> >
> > In /dev/ I got bpf0 up to bpf9
> >
> > I did not set up a collector right now - just wanted to see if I get any
> > NetFlow data.
> >
> > What did I miss setting up the pflow pseudo-device?
>
> Try
> tcpdump -i vr0 host 192.168.12.31 and port 9995
> if vr0 is the interface to 192.168.1.31
>
> G

Thank you Giannis!
That interface would be vether0, vr0 is facing my ISP.
No, there are no UDP packets for 192.168.12.31:9995.
Does pflow have a problem with virtual ethernet interfaces?
I bridged vr1, athn0 and vether0.
I will try to use vr2 for pflow, using another network just for that purpose.
There is another NIC available in the computer with the VM with the collector so that I will be able to catch the data later on - if I ever get the sensor to work ...
Eike
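
An added example, not part of the thread: a minimal check for the collector host that listens on UDP port 9995 (the receiver port in the ifconfig output above) and validates the IPFIX message and set headers that a pflow sender with "version: 10" emits. The function names and the sample datagram are constructed for illustration; binding to all addresses is an assumption.

```python
import socket
import struct

IPFIX_VERSION = 10                 # the "version: 10" shown by ifconfig pflow0
HEADER = struct.Struct("!HHIII")   # version, length, export time, sequence, domain id
SET_HEADER = struct.Struct("!HH")  # set id, set length

def parse_ipfix(datagram):
    """Return header fields and [(set_id, set_length)]; raise ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than IPFIX header")
    version, length, export_time, sequence, domain = HEADER.unpack_from(datagram)
    if version != IPFIX_VERSION or length != len(datagram):
        raise ValueError(f"bad header: version={version} length={length}")
    sets, offset = [], HEADER.size
    while offset < length:
        if length - offset < SET_HEADER.size:
            raise ValueError("truncated set header")
        set_id, set_len = SET_HEADER.unpack_from(datagram, offset)
        if set_len < SET_HEADER.size or offset + set_len > length:
            raise ValueError("bad set length")
        sets.append((set_id, set_len))
        offset += set_len
    return {"export_time": export_time, "sequence": sequence, "domain": domain, "sets": sets}

def describe(set_id):
    # Set IDs 2 and 3 carry templates; IDs of 256 and above carry data records.
    return {2: "template", 3: "options template"}.get(set_id, "data" if set_id >= 256 else "other")

def sample_datagram():
    # Constructed sample: a template set (one field, sourceIPv4Address) and a data set.
    sets_bytes = struct.pack("!HHHHHH", 2, 12, 256, 1, 8, 4)
    sets_bytes += struct.pack("!HH4s", 256, 8, socket.inet_aton("192.168.12.1"))
    return HEADER.pack(IPFIX_VERSION, HEADER.size + len(sets_bytes), 1459018465, 0, 0) + sets_bytes

def listen(bind_addr="0.0.0.0", port=9995):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            datagram, peer = s.recvfrom(65535)
            try:
                info = parse_ipfix(datagram)
                print(peer, info["sequence"], [(describe(i), n) for i, n in info["sets"]])
            except ValueError as exc:
                print(peer, "rejected:", exc)

if __name__ == "__main__":
    listen()
```

If nothing is printed while traffic passes through the router, the export packets are not reaching the collector at all, which separates a sender-side problem from a collector-side one.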