[netflow-tools] problems with pfflowd that don't happen with softflowd
Michael W. Lucas
mwlucas at blackhelicopters.org
Sat Apr 30 21:47:44 EST 2005
Hi,

I'm currently using softflowd on FreeBSD 5.4, trying to switch over to
pfflowd to get more timely exports of flows. (It *seems* that
softflowd exports flows much later than when the traffic actually
stops, and it *appears* that pfflowd expires these flows more
quickly.)

My collector is flow-capture, and works perfectly with softflowd. It
doesn't actually record anything with pfflowd, however.

If I run pfflowd in debug mode, it sure looks like I'm getting flows.

...
pfflowd[40500]: FLOW proto 6 direction 1
pfflowd[40500]: start 2005-04-30T07:33:36(0) finish 2005-04-30T07:33:42(6880)
pfflowd[40500]: w.x.y.z:10260 -> a.b.c.d:443 2897 bytes 11 packets
pfflowd[40500]: a.b.c.d:443 -> w.x.y.z:10260 831 bytes 9 packets
pfflowd[40500]: Sending flow packet len = 600
pfflowd[40500]: flows_exported = 36
...

tcpdump on the sensor and the collector shows that traffic is actually
reaching the collector, so I don't think I've made an error on my host
or port config.

Anyone else seen this problem?

I'm running pfflowd as:

pfflowd -n a.b.c.d:port

and softflowd as:

softflowd -i em0 -n a.b.c.d:port

Thanks for any suggestions!
==ml
--
Michael W. Lucas mwlucas at FreeBSD.org, mwlucas at BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com