[netflow-tools] Duplicate flow entry
djm at mindrot.org
Sat May 21 08:26:55 EST 2005
Jason Dixon wrote:
> I've updated the page to reflect my more recent findings. It appears
> that this behavior has something to do with state being created on both
> interfaces. That is to say, for connections that do NOT get routed
> through the firewall (in this case, binat), I am only seeing one set of
> flows (in/out) for each connection. However, if the connection is
> passing from one network to the other, I see duplicate entries for each
> flow. Obviously, a "SELECT DISTINCT" is a sufficient workaround, but I
> would like to understand why this is happening.
You are correct: pfflowd is reporting what pfsync gives it, so if pf
creates state in two places, then pfflowd will see two state entries.
You can work around this by:
1) not creating state on certain traffic
2) fiddling with "set state-policy" (maybe)
3) using pfflowd's -S option
Eliminating these dupes within flowd might be tricky, because they might
not always be obvious. Consider the case of a firewall running a dynamic
routing protocol that changes the outbound interface of a flow part way
through its lifetime.
Try running tcpdump on the pfsync interface and seeing if there is any
other distinguishing features in the raw pfsync frames. pfflowd could
probably be taught to filter on these (and it does need filtering
> P.S. DJM is probably en route to the hackathon, so I'd be curious if
> anyone else in the community has any ideas.
Unfortunately I can't make it this year :(
However, I will be badgering the pf guys about making life easier for
pfflowd. Starting with 64-bit packet and octet counters in pfsync...
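The collapse of per-state duplicates described in this thread, as an added illustration that is not part of the original message or of pfflowd/flowd: it takes constructed, simplified flow records (the tuple layout and the interface names em0/em1 are assumptions, not flowd's real export format), keys them on state start time plus the 5-tuple, and merges counters with max() rather than summing, so a state reported from both interfaces is counted once instead of doubling traffic volumes. A "SELECT DISTINCT" achieves the same when both copies carry identical counters; the max() merge also tolerates copies whose counters differ slightly. As the message notes, a state whose outbound interface changes mid-lifetime may not match this key cleanly, so this is best-effort.

```python
# Constructed sample records (not real pfflowd/flowd output), shaped as:
# (start_time, proto, src, sport, dst, dport, packets, octets, iface)
SAMPLE_FLOWS = [
    (1000, 6, "10.0.1.5", 40000, "192.0.2.10", 80, 12, 5400, "em0"),
    (1000, 6, "10.0.1.5", 40000, "192.0.2.10", 80, 12, 5400, "em1"),  # same state, second iface
    (1000, 6, "192.0.2.10", 80, "10.0.1.5", 40000, 10, 9100, "em0"),
    (1000, 6, "192.0.2.10", 80, "10.0.1.5", 40000, 10, 9100, "em1"),  # same state, second iface
    (1005, 17, "10.0.1.7", 5353, "10.0.1.255", 5353, 1, 120, "em0"),  # local traffic, one state
]


def flow_key(rec):
    """State identity: start time plus 5-tuple (interface deliberately excluded)."""
    start, proto, src, sport, dst, dport = rec[:6]
    return (start, proto, src, sport, dst, dport)


def dedupe_flows(records):
    """Collapse records describing the same pf state observed on several interfaces.

    Counters are merged with max(), not sum(): the second record is the same
    state reported again, so adding them would double the traffic volume.
    """
    merged = {}
    for rec in records:
        key = flow_key(rec)
        packets, octets, iface = rec[6], rec[7], rec[8]
        entry = merged.setdefault(
            key, {"packets": 0, "octets": 0, "ifaces": set()}
        )
        entry["packets"] = max(entry["packets"], packets)
        entry["octets"] = max(entry["octets"], octets)
        entry["ifaces"].add(iface)
    return merged


def naive_total_octets(records):
    """What a straight sum over the raw records reports (duplicates inflate it)."""
    return sum(rec[7] for rec in records)


def deduped_total_octets(records):
    """Octet total after collapsing duplicate state reports."""
    return sum(e["octets"] for e in dedupe_flows(records).values())


if __name__ == "__main__":
    merged = dedupe_flows(SAMPLE_FLOWS)
    print(f"{len(SAMPLE_FLOWS)} raw records -> {len(merged)} distinct states")
    print(f"naive octets: {naive_total_octets(SAMPLE_FLOWS)}")
    print(f"deduped octets: {deduped_total_octets(SAMPLE_FLOWS)}")
    for key, entry in merged.items():
        print(key, sorted(entry["ifaces"]), entry["packets"], entry["octets"])
```

Run it against the embedded sample and the raw sum comes out at roughly double the deduplicated figure, which is the inflation a reporting or billing query would see without the DISTINCT or a merge like this one.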