[netflow-tools] softflowd questions
Douglas Choma
doug at nakediron.com
Fri Aug 17 09:25:29 EST 2007
On Aug 16, 2007, at 4:10 PM, Cristian KLEIN wrote:
> Softflowd uses pcap to get the packets which it then converts to
> flows.
> It essentially sees the same data that tcpdump would. On all systems
> (including Linux), pcap sees the packet immediately before being sent on
> the wire, or immediately after receiving it from the wire.
>
> If you use softflowd on the external interface of a NAT, you will see
> the translated IPs and not the ones of your internal hosts. There are
> few cases in which you can't tell softflowd to monitor the internal
> interface.
So then it makes more sense to use softflowd on the *internal*
interface, and capture the packets (flows) to/from the Internet
before the addresses are NAT'd? I'm guessing there are all sorts of
possible uses for softflowd, but I'm just wanting to figure out a "best
practice".
Thanks for your help. :-)