[netflow-tools] softflowd questions

Douglas Choma doug at nakediron.com
Fri Aug 17 09:25:29 EST 2007

On Aug 16, 2007, at 4:10 PM, Cristian KLEIN wrote:

> Softflowd uses pcap to get the packets which it then converts to  
> flows.
> It essecially sees the same data that tcpdump would. On all systems
> (including Linux), pcap sees the packet immediately before being  
> sent on
> the wire, or immediately after receiving it from the wire.
> If you use softflowd on the externat interface of a NAT, you will see
> the translated IPs and not the ones of your internal hosts. There are
> few cases in which you can't tell softflowd to monitor the internal
> interface.

So then it makes more sense to use softflowd on the *internal*  
interface, and capture the packets (flows) to/from the Internet  
before the addresses are NAT'd?  I'm guessing there are all sorts of  
possible uses for softflowd, but I just wanting to figure out a "best  

Thanks for your help.  :-) 

More information about the netflow-tools mailing list