On Wed, Jan 5, 2011 at 3:54 AM, Bernd Bornkessel <bbornkes...@dunkel.de> wrote:
> I plan to move our core routers from FreeBSD to OpenBSD. Currently I use
> netgraph and ng_netflow on the FreeBSD machines for netflow accounting.
>
> As there is a netflow kernel implementation with pflow in OpenBSD, too, I
> decided to use this.
> Unfortunately it seems that flows are exported twice for each connection.
>
> The routers are running on OpenBSD 4.8 RELEASE (no patch applied)
>
> A quick example:
>
> I have a machine named bsd-01 (192.168.89.4) that collects the netflows
> using flowd (I have also used flow-tools with the same result).
> The test networks 192.168.89/24 and 192.168.92/24 are connected via the
> OpenBSD routers (HA pair with carp) which have pflow enabled for netflow
> accounting.
>
> /etc/hostname.pflow0:
> flowsrc 192.168.89.150 flowdst 192.168.89.4:2100
>
> /etc/pf.conf:
> set skip on lo
> pass quick proto tcp from 192.168.89.55 to 192.168.92.55 port 5001 keep
> state (pflow)
> pass keep state
> block in on ! lo0 proto tcp to port 6000:6010

What happens if you limit this to one direction and/or interface? For example:

pass out quick on egress proto tcp from 192.168.89.55 to 192.168.92.55 port 5001 keep state (pflow)

> Now I generate some packets from 192.168.89.55 to 192.168.92.55 in order
> to get accounting data
>
> grabnebel:~# nuttcp -i1 192.168.92.55
> 108.2655 MB / 1.00 sec = 908.1545 Mbps
> 110.5109 MB / 1.00 sec = 927.0402 Mbps
> 111.6529 MB / 1.00 sec = 936.6258 Mbps
> 111.6529 MB / 1.00 sec = 936.6277 Mbps
> 111.6598 MB / 1.00 sec = 936.6641 Mbps
> 111.6529 MB / 1.00 sec = 936.5949 Mbps
> 111.6529 MB / 1.00 sec = 936.6212 Mbps
> 111.6529 MB / 1.00 sec = 936.6296 Mbps
> 111.6598 MB / 1.00 sec = 936.6632 Mbps
> 111.6529 MB / 1.00 sec = 936.5940 Mbps
>
> 1113.5000 MB / 10.01 sec = 932.8309 Mbps 5 %TX 20 %RX
> grabnebel:~#
>
> In pf's state table I see two records - one for each direction of the
> connection.
>
> rtr-fra-01# pfctl -vss | grep -A2 5001
>
> all tcp 192.168.92.55:5001 <- 192.168.89.55:41068
> FIN_WAIT_2:FIN_WAIT_2
> [638328050 + 5888] wscale 6 [1759713472 + 1636288] wscale 6
> age 00:00:46, expires in 00:00:54, 806350:403706 pkts,
> 1209519584:20998868 bytes, rule 0, pflow
> all tcp 192.168.89.55:41068 -> 192.168.92.55:5001
> FIN_WAIT_2:FIN_WAIT_2
> [1759713472 + 1636288] wscale 6 [638328050 + 5888] wscale 6
> age 00:00:46, expires in 00:00:54, 806350:403706 pkts,
> 1209519584:20998868 bytes, rule 0, pflow
> rtr-fra-01#
>
> After the states have expired on the router the flows are exported to
> the collector and I can read them from the logfile.
>
> bsd-01# flowd-reader /var/log/flowd
>
> FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00
> agent [192.168.89.150] src [192.168.89.55]:41068 dst
> [192.168.92.55]:5001 packets 806350 octets 1209519584
> FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00
> agent [192.168.89.150] src [192.168.92.55]:5001 dst
> [192.168.89.55]:41068 packets 403706 octets 20998868
> FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00
> agent [192.168.89.150] src [192.168.89.55]:41068 dst
> [192.168.92.55]:5001 packets 806350 octets 1209519584
> FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00
> agent [192.168.89.150] src [192.168.92.55]:5001 dst
> [192.168.89.55]:41068 packets 403706 octets 20998868
> bsd-01#
>
> I can see that the accounted octets match the traffic data in the state
> table. But unfortunately it seems that both RX and TX traffic data are
> exported for each record which results in redundant accounting data.
> Correct me if I'm wrong but for correct traffic accounting there should
> be only one flow for RX and one for TX, shouldn't it?
>
> Any suggestions?
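An added example, not part of this thread and not code from the flowd or OpenBSD projects: a small Python checker that parses flowd-reader output in the text format shown above and reports records that were exported more than once, so a collector operator can confirm (or rule out) the double-accounting described in the mail before and after changing the pf rule. The sample input is the four FLOW records from the thread, constructed inline with the line wraps removed; the regular expression assumes the field order of the flowd-reader output quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the four records from the thread's
# "flowd-reader /var/log/flowd" output, one record per line.
SAMPLE_FLOWD_OUTPUT = """\
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
"""

# Field order assumed from the flowd-reader lines quoted in the thread.
FLOW_RE = re.compile(
    r"^FLOW recv_time (?P<recv_time>\S+) proto (?P<proto>\d+) "
    r"tcpflags (?P<tcpflags>\S+) tos (?P<tos>\S+) "
    r"agent \[(?P<agent>[^\]]+)\] "
    r"src \[(?P<src>[^\]]+)\]:(?P<sport>\d+) "
    r"dst \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"packets (?P<packets>\d+) octets (?P<octets>\d+)$"
)


def parse_flows(text):
    """Return a list of dicts, one per FLOW line; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for field in ("proto", "sport", "dport", "packets", "octets"):
            rec[field] = int(rec[field])
        flows.append(rec)
    return flows


def record_key(rec):
    """Everything that identifies one exported flow record, counters included.

    Two records with the same key and the same recv_time are the same state
    exported twice, not two separate flows that happened to share a 5-tuple.
    """
    return (rec["agent"], rec["recv_time"], rec["proto"],
            rec["src"], rec["sport"], rec["dst"], rec["dport"],
            rec["packets"], rec["octets"])


def find_duplicates(flows):
    """Map each record key that occurs more than once to its occurrence count."""
    counts = Counter(record_key(f) for f in flows)
    return {k: n for k, n in counts.items() if n > 1}


def dedup(flows):
    """Keep the first copy of each identical record, in input order."""
    seen = set()
    unique = []
    for f in flows:
        k = record_key(f)
        if k not in seen:
            seen.add(k)
            unique.append(f)
    return unique


def octets_per_direction(flows):
    """Sum octets per (src, sport, dst, dport), i.e. per direction of a connection."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["sport"], f["dst"], f["dport"])] += f["octets"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWD_OUTPUT)
    dups = find_duplicates(flows)
    print("records: %d, duplicated records: %d" % (len(flows), len(dups)))
    for key, n in dups.items():
        print("  exported %d times: %s" % (n, key))
    print("octets per direction, raw:   ", octets_per_direction(flows))
    print("octets per direction, dedup: ", octets_per_direction(dedup(flows)))
```

Run against the thread's data the checker reports both directions as exported twice, and the raw per-direction totals come out at exactly double the byte counters shown in the pf state table (2 x 1209519584 and 2 x 20998868), which is the signature of the problem described; after the rule change suggested in the reply, the same check on fresh collector data should report no duplicates and per-direction totals that match pfctl's counters one-to-one.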