[netflow-tools] too little flows with pfflowd

joerg at lemonnet.de joerg at lemonnet.de
Thu Jun 29 07:29:15 EST 2006


Hi list,

On our core router we are mirroring all traffic to a spanport on which
we have a dedicated host which should export netflow datagrams.
First we tried linux and softflowd. It seemed to be a nice solution, but
with higher load softflowd got very busy. So we decided to give OpenBSD
and pfflowd a try.
First i have to realize that with pfflowd the host must route traffic,
otherwise you will get no netflows. Not an easy task on a mirror port.
I solved this by changing the MAC of the host to the same address of
our router (promiscous mode didn't helped).
Okey at this time the host created states and pfflowd exported them.
But it seemed to me that the exported netflows are too little. I
analysed it with nfsen and nfdump. softflowd gives me much more netflows
( more than the double size ).

Regards, Joerg.




More information about the netflow-tools mailing list