Hi folks, I plan to move our core routers from FreeBSD to OpenBSD. Currently I use netgraph and ng_netflow on the FreeBSD machines for netflow accounting.
As there is a netflow kernel implementation with pflow in OpenBSD, too, I decided to use this. Unfortunately it seems that flows are exported twice for each connection. The routers are running OpenBSD 4.8 RELEASE (no patch applied).

A quick example: I have a machine named bsd-01 (192.168.89.4) that collects the netflows using flowd (I have also used flow-tools with the same result). The test networks 192.168.89/24 and 192.168.92/24 are connected via the OpenBSD routers (HA pair with carp) which have pflow enabled for netflow accounting.

/etc/hostname.pflow0:

flowsrc 192.168.89.150
flowdst 192.168.89.4:2100

/etc/pf.conf:

set skip on lo
pass quick proto tcp from 192.168.89.55 to 192.168.92.55 port 5001 keep state (pflow)
pass keep state
block in on ! lo0 proto tcp to port 6000:6010

Now I generate some packets from 192.168.89.55 to 192.168.92.55 in order to get accounting data:

grabnebel:~# nuttcp -i1 192.168.92.55
108.2655 MB / 1.00 sec = 908.1545 Mbps
110.5109 MB / 1.00 sec = 927.0402 Mbps
111.6529 MB / 1.00 sec = 936.6258 Mbps
111.6529 MB / 1.00 sec = 936.6277 Mbps
111.6598 MB / 1.00 sec = 936.6641 Mbps
111.6529 MB / 1.00 sec = 936.5949 Mbps
111.6529 MB / 1.00 sec = 936.6212 Mbps
111.6529 MB / 1.00 sec = 936.6296 Mbps
111.6598 MB / 1.00 sec = 936.6632 Mbps
111.6529 MB / 1.00 sec = 936.5940 Mbps
1113.5000 MB / 10.01 sec = 932.8309 Mbps 5 %TX 20 %RX
grabnebel:~#

In pf's state table I see two records - one for each direction of the connection.
rtr-fra-01# pfctl -vss | grep -A2 5001
all tcp 192.168.92.55:5001 <- 192.168.89.55:41068 FIN_WAIT_2:FIN_WAIT_2
   [638328050 + 5888] wscale 6 [1759713472 + 1636288] wscale 6
   age 00:00:46, expires in 00:00:54, 806350:403706 pkts, 1209519584:20998868 bytes, rule 0, pflow
all tcp 192.168.89.55:41068 -> 192.168.92.55:5001 FIN_WAIT_2:FIN_WAIT_2
   [1759713472 + 1636288] wscale 6 [638328050 + 5888] wscale 6
   age 00:00:46, expires in 00:00:54, 806350:403706 pkts, 1209519584:20998868 bytes, rule 0, pflow
rtr-fra-01#

After the states have expired on the router the flows are exported to the collector and I can read them from the logfile.

bsd-01# flowd-reader /var/log/flowd
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
bsd-01#

I can see that the accounted octets match the traffic data in the state table. But unfortunately it seems that both RX and TX traffic data are exported for each record which results in redundant accounting data. Correct me if I'm wrong but for correct traffic accounting there should be only one flow for RX and one for TX, shouldn't it?

Any suggestions?

Best regards and thanks in advance,
Bernd
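An added check (my own example, not code from the post or from flowd) that parses the flowd-reader output quoted above, flags records that were exported more than once, and computes per-direction totals with the duplicates removed; it assumes the flowd-reader text format exactly as shown in the post.

```python
import re
from collections import Counter, defaultdict

# Sample flowd-reader output, copied from the four records quoted in the post.
FLOWD_OUTPUT = """\
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
"""

# Field layout assumed from the flowd-reader lines above (IPv4 addresses in brackets).
FLOW_RE = re.compile(
    r"FLOW recv_time (?P<recv>\S+) proto (?P<proto>\d+) .*?agent \[(?P<agent>[^\]]+)\] "
    r"src \[(?P<src>[^\]]+)\]:(?P<sport>\d+) dst \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"packets (?P<packets>\d+) octets (?P<octets>\d+)"
)

def parse_flows(text):
    """Parse flowd-reader text output into flow dicts; lines that do not match are skipped."""
    ints = ("proto", "sport", "dport", "packets", "octets")
    return [{k: (int(v) if k in ints else v) for k, v in m.groupdict().items()}
            for m in map(FLOW_RE.search, text.splitlines()) if m]

def flow_key(f):
    """Identity of one unidirectional export: agent, 5-tuple, counters and receive time."""
    return (f["agent"], f["proto"], f["src"], f["sport"], f["dst"], f["dport"],
            f["packets"], f["octets"], f["recv"])

def find_duplicates(flows):
    """Return {key: count} for every flow record that was received more than once."""
    counts = Counter(flow_key(f) for f in flows)
    return {k: n for k, n in counts.items() if n > 1}

def dedup_totals(flows):
    """Per-direction (packets, octets) totals, counting each identical export only once."""
    totals = defaultdict(lambda: [0, 0])
    for k in set(flow_key(f) for f in flows):
        _agent, _proto, src, sport, dst, dport, packets, octets, _recv = k
        direction = f"{src}:{sport}->{dst}:{dport}"
        totals[direction][0] += packets
        totals[direction][1] += octets
    return {d: tuple(v) for d, v in totals.items()}

if __name__ == "__main__":
    flows = parse_flows(FLOWD_OUTPUT)
    for key, n in find_duplicates(flows).items():
        print(f"exported {n}x: {key[2]}:{key[3]} -> {key[4]}:{key[5]} ({key[7]} octets)")
    for direction, (pkts, octs) in sorted(dedup_totals(flows).items()):
        print(f"{direction}: {pkts} pkts, {octs} octets (deduplicated)")
```

Run against a real `flowd-reader /var/log/flowd` dump, a non-empty result from `find_duplicates` is the symptom described in the post; if the collector is fed by an HA pair, compare the agent field as well, since each router exports its own states.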