From djm at mindrot.org Wed May 2 11:16:33 2007 From: djm at mindrot.org (Damien Miller) Date: Wed, 2 May 2007 11:16:33 +1000 (EST) Subject: [netflow-tools] Tagging In-Reply-To: <46309043.9020900@dfn.de> References: <46309043.9020900@dfn.de> Message-ID: On Thu, 26 Apr 2007, Ralf Kleineisel wrote: > Hi, > > is it possible to tag flows by their input/output router interface index? Not at present, though this patch should teach it how to do it. Are you able to test it? -d Index: filter.c =================================================================== RCS file: /var/cvs/flowd/filter.c,v retrieving revision 1.25 diff -u -p -r1.25 filter.c --- filter.c 12 Dec 2005 03:33:51 -0000 1.25 +++ filter.c 2 May 2007 01:09:28 -0000 @@ -67,6 +67,18 @@ format_rule(const struct filter_rule *ru strlcat(rulebuf, tmpbuf, sizeof(rulebuf)); } + if (rule->match.match_what & FF_MATCH_IFNDX_IN) { + snprintf(tmpbuf, sizeof(tmpbuf), "in_ifndx %s%d ", + FRNEG(IFNDX_IN), rule->match.ifndx_in); + strlcat(rulebuf, tmpbuf, sizeof(rulebuf)); + } + + if (rule->match.match_what & FF_MATCH_IFNDX_OUT) { + snprintf(tmpbuf, sizeof(tmpbuf), "out_ifndx %s%d ", + FRNEG(IFNDX_OUT), rule->match.ifndx_out); + strlcat(rulebuf, tmpbuf, sizeof(rulebuf)); + } + if (rule->match.match_what & FF_MATCH_AF) { strlcat(rulebuf, FRNEG(AF), sizeof(rulebuf)); if (rule->match.af == AF_INET) @@ -213,6 +225,16 @@ flow_match(const struct filter_rule *rul rule->match.agent_masklen) == 0); if ((FRNEG(AGENT_ADDR) && m) || (!FRNEG(AGENT_ADDR) && !m)) return (0); + } + + if (FRMATCH(IFNDX_IN)) { + m = flow->ifndx.if_index_in == rule->match.ifndx_in; + FRRET(IFNDX_IN); + } + + if (FRMATCH(IFNDX_OUT)) { + m = flow->ifndx.if_index_out == rule->match.ifndx_out; + FRRET(IFNDX_IN); } if (FRMATCH(AF)) { Index: filter.h =================================================================== RCS file: /var/cvs/flowd/filter.h,v retrieving revision 1.17 diff -u -p -r1.17 filter.h --- filter.h 12 Dec 2005 03:33:51 -0000 1.17 +++ filter.h 2 May 2007 00:49:52 -0000 @@ -45,6 +45,8 @@ struct filter_action { #define FF_MATCH_AF (1<<8) #define FF_MATCH_DAYTIME (1<<9) #define FF_MATCH_ABSTIME (1<<10) +#define FF_MATCH_IFNDX_IN (1<<11) +#define FF_MATCH_IFNDX_OUT (1<<12) struct filter_match { u_int32_t match_what; u_int32_t match_negate; @@ -55,6 +57,8 @@ struct filter_match { struct xaddr src_addr; int dst_masklen; struct xaddr dst_addr; + int ifndx_in; + int ifndx_out; int src_port; int dst_port; int proto; Index: flowd.conf.5.in =================================================================== RCS file: /var/cvs/flowd/flowd.conf.5.in,v retrieving revision 1.13 diff -u -p -r1.13 flowd.conf.5.in --- flowd.conf.5.in 12 Dec 2005 03:33:51 -0000 1.13 +++ flowd.conf.5.in 2 May 2007 01:14:58 -0000 @@ -320,6 +320,18 @@ within the packet itself. .Xc This rule applies to flows whose source or destination address family matches that specified. +.It Ar in_ifndx Xo +.Oo Ar !\& Oc +.Ar +.Xc +Match traffic whose input interface number matches +.Ar index . +.It Ar out_ifndx Xo +.Oo Ar !\& Oc +.Ar +.Xc +Match traffic whose output interface number matches +.Ar index . .It Ar src Xo .Oo !\& Oc .Ar

/ Oo port Oo !\& Oc Oc @@ -451,6 +463,8 @@ accept days Monday-Friday after 08:30:00 discard days Sat,Sun # Ignore flows sent outside a certain date/time range discard after date 20051123 before date 20051124084459 +# Ignore flows coming in interface 10 +discard in_ifndx 10 .Ed .Pp .Sh AUTHORS Index: parse.y =================================================================== RCS file: /var/cvs/flowd/parse.y,v retrieving revision 1.34 diff -u -p -r1.34 parse.y --- parse.y 12 Dec 2005 03:33:51 -0000 1.34 +++ parse.y 2 May 2007 01:04:27 -0000 @@ -105,6 +105,7 @@ static const char *longdays[7] = { %token LISTEN ON JOIN GROUP LOGFILE LOGSOCK STORE PIDFILE FLOW SOURCE %token ALL TAG ACCEPT DISCARD QUICK AGENT SRC DST PORT PROTO TOS ANY %token TCP_FLAGS EQUALS MASK INET INET6 DAYS AFTER BEFORE DATE +%token IN_IFNDX OUT_IFNDX %token ERROR %token STRING %type number quick logspec not octet tcp_flags tcp_mask af dayname dayrange daylist dayspec daytime abstime @@ -112,7 +113,7 @@ static const char *longdays[7] = { %type address %type address_port %type prefix prefix_or_any -%type match_agent match_src match_dst match_proto match_tos match_tcp_flags match_af match_day match_after match_before match_dayafter match_daybefore match_absafter match_absbefore +%type match_agent match_src match_dst match_proto match_tos match_tcp_flags match_af match_day match_after match_before match_dayafter match_daybefore match_absafter match_absbefore match_if_in match_if_out %type action tag %% @@ -480,7 +481,7 @@ logspec : STRING { free($1); } -filterrule : action tag quick match_agent match_af match_src match_dst match_proto match_tos match_tcp_flags match_day match_after match_before +filterrule : action tag quick match_agent match_if_in match_if_out match_af match_src match_dst match_proto match_tos match_tcp_flags match_day match_after match_before { struct filter_rule *r; @@ -503,49 +504,57 @@ filterrule : action tag quick match_agen r->match.match_what |= $4.match_what; r->match.match_negate |= $4.match_negate; - r->match.af = $5.af; + r->match.ifndx_in = $5.ifndx_in; r->match.match_what |= $5.match_what; r->match.match_negate |= $5.match_negate; - r->match.src_addr = $6.src_addr; - r->match.src_masklen = $6.src_masklen; - r->match.src_port = $6.src_port; + r->match.ifndx_out = $6.ifndx_out; r->match.match_what |= $6.match_what; r->match.match_negate |= $6.match_negate; - - r->match.dst_addr = $7.dst_addr; - r->match.dst_masklen = $7.dst_masklen; - r->match.dst_port = $7.dst_port; + + r->match.af = $7.af; r->match.match_what |= $7.match_what; r->match.match_negate |= $7.match_negate; - r->match.proto = $8.proto; + r->match.src_addr = $8.src_addr; + r->match.src_masklen = $8.src_masklen; + r->match.src_port = $8.src_port; r->match.match_what |= $8.match_what; r->match.match_negate |= $8.match_negate; - r->match.tos = $9.tos; + r->match.dst_addr = $9.dst_addr; + r->match.dst_masklen = $9.dst_masklen; + r->match.dst_port = $9.dst_port; r->match.match_what |= $9.match_what; r->match.match_negate |= $9.match_negate; - r->match.tcp_flags_mask = $10.tcp_flags_mask; - r->match.tcp_flags_equals = $10.tcp_flags_equals; + r->match.proto = $10.proto; r->match.match_what |= $10.match_what; r->match.match_negate |= $10.match_negate; - r->match.day_mask = $11.day_mask; + r->match.tos = $11.tos; r->match.match_what |= $11.match_what; r->match.match_negate |= $11.match_negate; - r->match.dayafter = $12.dayafter - 1; - r->match.absafter = $12.absafter; + r->match.tcp_flags_mask = $12.tcp_flags_mask; + r->match.tcp_flags_equals = $12.tcp_flags_equals; r->match.match_what |= $12.match_what; r->match.match_negate |= $12.match_negate; - r->match.daybefore = $13.daybefore - 1; - r->match.absbefore = $13.absbefore; + r->match.day_mask = $13.day_mask; r->match.match_what |= $13.match_what; r->match.match_negate |= $13.match_negate; + r->match.dayafter = $14.dayafter - 1; + r->match.absafter = $14.absafter; + r->match.match_what |= $14.match_what; + r->match.match_negate |= $14.match_negate; + + r->match.daybefore = $15.daybefore - 1; + r->match.absbefore = $15.absbefore; + r->match.match_what |= $15.match_what; + r->match.match_negate |= $15.match_negate; + if ((r->match.match_what & FF_MATCH_DAYTIME) != 0) { if (r->match.dayafter != 0 && r->match.daybefore != 0 && @@ -670,6 +679,32 @@ match_agent : /* empty */ { bzero(&$$, af : INET { $$ = AF_INET; } | INET6 { $$ = AF_INET6; } +match_if_in : /* empty */ { bzero(&$$, sizeof($$)); } + | IN_IFNDX not number { + bzero(&$$, sizeof($$)); + $$.ifndx_in = $3; + $$.match_what |= FF_MATCH_IFNDX_IN; + $$.match_negate |= $2 ? FF_MATCH_IFNDX_IN : 0; + if ($$.ifndx_in <= 0 || $$.ifndx_in > 65535) { + yyerror("invalid input interface index"); + YYERROR; + } + } + ; + +match_if_out : /* empty */ { bzero(&$$, sizeof($$)); } + | OUT_IFNDX not number { + bzero(&$$, sizeof($$)); + $$.ifndx_out = $3; + $$.match_what |= FF_MATCH_IFNDX_OUT; + $$.match_negate |= $2 ? FF_MATCH_IFNDX_OUT : 0; + if ($$.ifndx_out <= 0 || $$.ifndx_out > 65535) { + yyerror("invalid output interface index"); + YYERROR; + } + } + ; + match_af : /* empty */ { bzero(&$$, sizeof($$)); } | not af { bzero(&$$, sizeof($$)); @@ -874,6 +909,7 @@ lookup(char *s) { "equals", EQUALS}, { "flow", FLOW}, { "group", GROUP}, + { "in_ifndx", IN_IFNDX}, { "inet", INET}, { "inet6", INET6}, { "join", JOIN}, @@ -882,6 +918,7 @@ lookup(char *s) { "logsock", LOGSOCK}, { "mask", MASK}, { "on", ON}, + { "out_ifndx", OUT_IFNDX}, { "pidfile", PIDFILE}, { "port", PORT}, { "proto", PROTO}, From djm at fuyu.mindrot.org Thu May 10 11:38:39 2007 From: djm at fuyu.mindrot.org (Damien Miller) Date: Thu, 10 May 2007 11:38:39 +1000 (EST) Subject: [netflow-tools] CVS: fuyu.mindrot.org: flowd Message-ID: <20070510013839.4B9803C67C@fuyu.mindrot.org> CVSROOT: /var/cvs Module name: flowd Changes by: djm at fuyu.mindrot.org 07/05/10 11:38:39 Modified files: . : ChangeLog TODO filter.c filter.h flowd.conf.5.in parse.y Log message: - (djm) Add support for filtering input/output interface index. Requested by Ralf Kleineisel, debugging assistance from Matthew Smart Diff commands: cvs -nQq rdiff -u -r1.165 -r1.166 flowd/ChangeLog cvs -nQq rdiff -u -r1.66 -r1.67 flowd/TODO cvs -nQq rdiff -u -r1.25 -r1.26 flowd/filter.c cvs -nQq rdiff -u -r1.17 -r1.18 flowd/filter.h cvs -nQq rdiff -u -r1.13 -r1.14 flowd/flowd.conf.5.in cvs -nQq rdiff -u -r1.34 -r1.35 flowd/parse.y CVSWeb: http://cvsweb.mindrot.org/index.cgi/flowd/ChangeLog?r1=1.165;r2=1.166 http://cvsweb.mindrot.org/index.cgi/flowd/TODO?r1=1.66;r2=1.67 http://cvsweb.mindrot.org/index.cgi/flowd/filter.c?r1=1.25;r2=1.26 http://cvsweb.mindrot.org/index.cgi/flowd/filter.h?r1=1.17;r2=1.18 http://cvsweb.mindrot.org/index.cgi/flowd/flowd.conf.5.in?r1=1.13;r2=1.14 http://cvsweb.mindrot.org/index.cgi/flowd/parse.y?r1=1.34;r2=1.35 Please note that there may be a delay before commits are available on the public CVSWeb site. From djm at mindrot.org Thu May 10 17:02:56 2007 From: djm at mindrot.org (Damien Miller) Date: Thu, 10 May 2007 17:02:56 +1000 (EST) Subject: [netflow-tools] softflowd & openbsd carp devices In-Reply-To: <46307FDD.3020505@paniert.org> References: <46307FDD.3020505@paniert.org> Message-ID: On Thu, 26 Apr 2007, memic wrote: > Hi, > > i have an interface with softflowd running, but since this router is > going into a redudant setup > i will have carp devices. i will have serveral carp devices on one the > interfaces where i running > softflowd at the moment, because on this interfaces i have more than one ip. > does it make sence to run softflowd on the carp devices (serveral > softlfowd istances then) > or better to run it on the psyical interface like now (fxp0)? I would guess that it would be better to run it on the carp interfaces, but in a switched environment there should not be too much effective difference - the physical interface should not be seeing traffic destined for the virtual arp address of a carp interface when it is in slave mode. On the other hand, running multiple instances of softflowd shouldn't waste too many cycles. -d From memic at paniert.org Mon May 14 18:25:41 2007 From: memic at paniert.org (memic) Date: Mon, 14 May 2007 10:25:41 +0200 Subject: [netflow-tools] softflowd & openbsd carp devices In-Reply-To: References: <46307FDD.3020505@paniert.org> Message-ID: <46481D05.9040904@paniert.org> even with about 10 instances running? Damien Miller wrote: > On Thu, 26 Apr 2007, memic wrote: > > >> Hi, >> >> i have an interface with softflowd running, but since this router is >> going into a redudant setup >> i will have carp devices. i will have serveral carp devices on one the >> interfaces where i running >> softflowd at the moment, because on this interfaces i have more than one ip. >> does it make sence to run softflowd on the carp devices (serveral >> softlfowd istances then) >> or better to run it on the psyical interface like now (fxp0)? >> > > I would guess that it would be better to run it on the carp interfaces, > but in a switched environment there should not be too much effective > difference - the physical interface should not be seeing traffic destined > for the virtual arp address of a carp interface when it is in slave mode. > > On the other hand, running multiple instances of softflowd shouldn't > waste too many cycles. > > -d > From chris.snell at gmail.com Tue May 15 08:59:25 2007 From: chris.snell at gmail.com (Christopher Snell) Date: Mon, 14 May 2007 16:59:25 -0600 Subject: [netflow-tools] Busted Perl interface Message-ID: <4052b0840705141559r4c49d77bycd8f0a34ed6d228b@mail.gmail.com> Hi All, I'm having problems with the Flowd Perl interface. It looks like the object returned from read_flow() contains no data for "recv_sec" and iso_time() is choking on this: % ./flowinsert.pl /var/log/flowd missing argument at /usr/local/libdata/perl5/site_perl/amd64-openbsd/Flowd.pm line 88 Flowd::iso_time('undef') called at ./flowinsert.pl line 51 Anybody have any clues? thanks, Chris From djm at mindrot.org Tue May 15 09:09:11 2007 From: djm at mindrot.org (Damien Miller) Date: Tue, 15 May 2007 09:09:11 +1000 (EST) Subject: [netflow-tools] Busted Perl interface In-Reply-To: <4052b0840705141559r4c49d77bycd8f0a34ed6d228b@mail.gmail.com> References: <4052b0840705141559r4c49d77bycd8f0a34ed6d228b@mail.gmail.com> Message-ID: On Mon, 14 May 2007, Christopher Snell wrote: > Hi All, > > I'm having problems with the Flowd Perl interface. It looks like the > object returned from read_flow() contains no data for "recv_sec" and > iso_time() is choking on this: > > % ./flowinsert.pl /var/log/flowd > missing argument at > /usr/local/libdata/perl5/site_perl/amd64-openbsd/Flowd.pm line 88 > Flowd::iso_time('undef') called at ./flowinsert.pl line 51 > > Anybody have any clues? Are you storing RECV_TIME in your flow log? If not then you will need to modify the schema and flowinsert.pl. -d From chris.snell at gmail.com Tue May 15 09:39:27 2007 From: chris.snell at gmail.com (Christopher Snell) Date: Mon, 14 May 2007 17:39:27 -0600 Subject: [netflow-tools] Busted Perl interface In-Reply-To: References: <4052b0840705141559r4c49d77bycd8f0a34ed6d228b@mail.gmail.com> Message-ID: <4052b0840705141639l681c76a2s17d0851ef615634f@mail.gmail.com> We're configured to store everything: store ALL ...right? thanks, Chris On 5/14/07, Damien Miller wrote: > On Mon, 14 May 2007, Christopher Snell wrote: > > > Hi All, > > > > I'm having problems with the Flowd Perl interface. It looks like the > > object returned from read_flow() contains no data for "recv_sec" and > > iso_time() is choking on this: > > > > % ./flowinsert.pl /var/log/flowd > > missing argument at > > /usr/local/libdata/perl5/site_perl/amd64-openbsd/Flowd.pm line 88 > > Flowd::iso_time('undef') called at ./flowinsert.pl line 51 > > > > Anybody have any clues? > > Are you storing RECV_TIME in your flow log? If not then you will need to > modify the schema and flowinsert.pl. > > -d > From djm at mindrot.org Tue May 15 09:47:54 2007 From: djm at mindrot.org (Damien Miller) Date: Tue, 15 May 2007 09:47:54 +1000 (EST) Subject: [netflow-tools] Busted Perl interface In-Reply-To: <4052b0840705141639l681c76a2s17d0851ef615634f@mail.gmail.com> References: <4052b0840705141559r4c49d77bycd8f0a34ed6d228b@mail.gmail.com> <4052b0840705141639l681c76a2s17d0851ef615634f@mail.gmail.com> Message-ID: On Mon, 14 May 2007, Christopher Snell wrote: > We're configured to store everything: > > store ALL > > ...right? oh, it looks like a bug in flowinsert.pl. Please try this patch: Index: flowinsert.pl =================================================================== RCS file: /var/cvs/flowd/tools/flowinsert.pl,v retrieving revision 1.2 diff -u -p -r1.2 flowinsert.pl --- flowinsert.pl 31 Oct 2004 06:42:57 -0000 1.2 +++ flowinsert.pl 14 May 2007 23:47:16 -0000 @@ -53,7 +53,7 @@ for (my $i = 0; $i < scalar(@ARGV); $i++ " src_port, dst_port, octets, packets, protocol) VALUES ". "(%u, %s, %s, %s, %s, %u, %u, %u, %u, %u)" , $tag, - $db->quote(Flowd::iso_time($flow->{recv_secs})), + $db->quote(Flowd::iso_time($flow->{recv_sec})), $db->quote($flow->{agent_addr}), $db->quote($flow->{src_addr}), $db->quote($flow->{dst_addr}), From dupuyol at hotmail.com Fri May 18 14:32:52 2007 From: dupuyol at hotmail.com (Olivier Dupuy) Date: Fri, 18 May 2007 04:32:52 +0000 Subject: [netflow-tools] PFSense OUT Traffic Message-ID: My current setup consist of PFSense latest snapshot. I have added the pfflowd package and configured as follow: IP address: 192.168.1.8 Port: 9996 Direction: Any Netflow Version: 5 I am using Manage Engine Netflow Analyzer to capture the data and report on it. However, I am having a problem with getting OUT traffic information. All I am getting is IN traffic. Do you have any idea of what is happening? I also have only 1 interface recognized, shouldn't I have 2 interfaces? Any help would appreciated _________________________________________________________________ Like the way Microsoft Office Outlook works? You?ll love Windows Live Hotmail. http://imagine-windowslive.com/hotmail/?locale=en-us&ocid=TXT_TAGHM_migration_HM_mini_outlook_0507 From djm at mindrot.org Wed May 30 19:28:46 2007 From: djm at mindrot.org (Damien Miller) Date: Wed, 30 May 2007 19:28:46 +1000 (EST) Subject: [netflow-tools] flowd, ERROR, filtering input/output router interface index In-Reply-To: <075b01c7a291$f0b638a0$031f11ac@ITNT.RU> References: <075b01c7a291$f0b638a0$031f11ac@ITNT.RU> Message-ID: On Wed, 30 May 2007, Alex A.Brodskiy wrote: > Good time of day! > > yesterday i tried to work woth resent snapshot flowd release from 10 > may 2007 and discover error in filtering with input/output router > interface index. After debugging i cleared up for myself that values > of 'flow->ifndx.if_index_in' and 'flow->ifndx.if_index_out' read in > function 'int store_flow_deserialise()' in module 'store.c' with wrong > shift: instea of real value we got value shifted left by 24. although > it worked correctly with next write binary file by 'flowd-reader' > application after fileting i did not make a risk to correct this > behavior. so if somebody would like to have a correct version of this > package he will heed only to use shift back to right by 24 values of > 'flow->ifndx.if_index_in' and 'flow->ifndx.if_index_out' in function > 'flow_match()' in module 'filter.c' this is patch to file 'filter.c' > version from 10 may 2007 to only correct this attached. Thanks for the report! Could you please try the attached patch? I think it is a more correct fix. Thanks, Damien From michael.gale at pason.com Thu May 31 01:01:58 2007 From: michael.gale at pason.com (Michael Gale) Date: Wed, 30 May 2007 09:01:58 -0600 Subject: [netflow-tools] softflowd and -m ? Message-ID: <465D91E6.2000700@pason.com> Hello, I am new to using netflows and am experimenting by using softflowd to send tcpdump created files to ntop. Everything seems to be working except that I noticed a strange change in stats when using the -m option in softflowd. With out specifying the -m, ntop reports 1.4GB of traffic with an average of 136Mbps. If I run softflowd with "-m 1000000" ntop now reports that 250MB of traffic was seen ? Does any one know why this would happen ? -- Michael Gale Red Hat Certified Engineer Network Administrator Pason Systems Corp.