[netflow-tools] Softflowd & flow-tools on multiple interfaces.

Damien Miller djm at mindrot.org
Sun Aug 16 02:59:25 EST 2009



On Mon, 13 Jul 2009, Sean Cody wrote:

> I've deployed both softflowd and flow-tools to devices that I can't easily add
> a mirror port to.
> So I've got around 5 sensors per site (softflowd on 3 mirror interfaces and on
> 2 devices directly) and 1 collector and am saving them in completely different
> flow-tools log sets.  A bit of reading lends me to the idea of using the
> interface field in the flow records to record which device the flow came from
> (and have online 1 set of flow logs).
> 
> Is this possible or should I continue using the 1 softflowd per flow-capture
> setup?

Some platforms support listening to all IP traffic that passes through a host,
but softflowd doesn't support this yet.

> As well is there an easy way to tell if softflowd is missing flows (ala
> tcpdump discards)?

You can compare the total of the netflow packet or byte counts with those
of the interfaces over the same time period.

-d


More information about the netflow-tools mailing list