[netflow-tools] softflowd questions

Cristian KLEIN cristi at net.utcluj.ro
Fri Aug 17 09:10:40 EST 2007


Douglas Choma wrote:
> Sorry if this has been answered elsewhere... I didn't find a mailing
> list archive.
>
> I'm trying to set up my Linux "router" to monitor Internet bandwidth
> usage (using Netflow).  But I'm a little confused on a few issues:
>
> 1) Do I only need to monitor the external interface?  Will that give
> me data about the source IP from internal requests?  Or will the
> NAT'd packet contain the firewall's address as the source?

Softflowd uses pcap to get the packets, which it then converts to flows.
It essentially sees the same data that tcpdump would. On all systems
(including Linux), pcap sees the packet immediately before it is sent on
the wire, or immediately after it is received from the wire.

If you use softflowd on the external interface of a NAT, you will see
the translated IPs and not the ones of your internal hosts. There are
few cases in which you can't tell softflowd to monitor the internal
interface instead.

> 2) With the external interface in promiscuous mode, won't that open
> up the firewall to unwanted security risks?

Short: I, personally, haven't heard of such a thing.

Long: A network card usually only captures the frame whose destination
MAC address is either broadcast or the burned-in MAC address of the
card. Promiscuous mode changes this behaviour and tells the NIC to
capture all frames even if they have a different destination MAC than
the burned-in one. In today's networks, this makes little difference,
as switches usually filter such frames (this is in fact their very purpose).

Anyway, supposing you have an old hub network and one of your interfaces
is in promiscuous mode. The single consequence is that a lot of silly
frames won't be dropped by the NIC, but by the operating system.
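As an added example (not part of this thread or of softflowd itself), here is a small Python model of the NAT point above: packets are grouped into 5-tuple flows the way a NetFlow exporter does, once as captured on the internal interface and once after a hypothetical source NAT has rewritten them to the firewall's public address. All addresses, the packet records and the NAT function are constructed.

```python
from collections import OrderedDict

# Constructed packet records as pcap would hand them to softflowd on the
# INTERNAL interface: (timestamp, src_ip, dst_ip, proto, src_port, dst_port, bytes)
INTERNAL_CAPTURE = [
    (0.00, "10.0.0.5", "198.51.100.10", 6, 51000, 80, 74),
    (0.01, "10.0.0.5", "198.51.100.10", 6, 51000, 80, 1500),
    (0.02, "10.0.0.7", "198.51.100.10", 6, 51001, 443, 74),
    (0.03, "10.0.0.5", "198.51.100.53", 17, 40000, 53, 60),
]

# Hypothetical public address of the NAT router (constructed, TEST-NET-3).
NAT_EXTERNAL_IP = "203.0.113.1"

def apply_snat(packets, external_ip):
    """Model what pcap sees on the EXTERNAL interface: the kernel has already
    rewritten the source address before the frame reaches the wire.
    Simplification: the source port is left unchanged; real SNAT may
    also rewrite it, which would merge colliding flows even further."""
    return [(ts, external_ip, dst, proto, sport, dport, size)
            for (ts, src, dst, proto, sport, dport, size) in packets]

def aggregate_flows(packets):
    """Group packets into unidirectional flows keyed by the 5-tuple,
    counting packets and bytes and tracking first/last seen timestamps."""
    flows = OrderedDict()
    for ts, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["bytes"] += size
        f["last"] = ts
    return flows

def source_addresses(flows):
    """Distinct source IPs that would appear in the exported flow records."""
    return sorted({key[0] for key in flows})

if __name__ == "__main__":
    inside = aggregate_flows(INTERNAL_CAPTURE)
    outside = aggregate_flows(apply_snat(INTERNAL_CAPTURE, NAT_EXTERNAL_IP))
    print("internal interface sources:", source_addresses(inside))
    print("external interface sources:", source_addresses(outside))
```

Only the internal-interface capture attributes traffic to 10.0.0.5 and 10.0.0.7; on the external side every flow carries the router's own address as its source.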
