[netflow-tools] Softflowd & flow-tools on multiple interfaces.
djm at mindrot.org
Sun Aug 16 02:59:25 EST 2009
On Mon, 13 Jul 2009, Sean Cody wrote:
> I've deployed both softflowd and flow-tools to devices that I can't easily add
> a mirror port to.
> So I've got around 5 sensors per site (softflowd on 3 mirror interfaces and on
> 2 devices directly) and 1 collector and am saving them in completely different
> flow-tools log sets. A bit of reading leads me to the idea of using the
> interface field in the flow records to record which device the flow came from
> (and have online 1 set of flow logs).
> Is this possible or should I continue using the 1 softflowd per flow-capture
Some platforms support listening to all IP traffic that passes through a host,
but softflowd doesn't support this yet.
> As well, is there an easy way to tell if softflowd is missing flows (à la
> tcpdump discards)?
You can compare the total of the netflow packet or byte counts with those
of the interfaces over the same time period.
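
The comparison suggested in the reply above, as an added example that is not part of the original message or of softflowd/flow-tools. It assumes a Linux sensor whose counters come from /proc/net/dev, flow records exported as CSV with dpkts and doctets columns, and 14 bytes of Ethernet header per frame; the snapshots, addresses and flow rows are constructed.

```python
import csv
import io

# Constructed sample data: two /proc/net/dev snapshots of a mirror port
# and the flow records exported for the interval between them.
HDR = ("Inter-|   Receive  |  Transmit\n"
       " face |bytes packets errs drop|bytes packets errs drop\n")
SNAP_T0 = HDR + "  eth1: 1000000 10000 0 0 0 0 0 0\n"
SNAP_T1 = HDR + "  eth1: 1750000 11000 0 0 0 0 0 0\n"
FLOWS = """srcaddr,dstaddr,dpkts,doctets
192.0.2.10,198.51.100.5,400,300000
192.0.2.11,198.51.100.5,300,250000
192.0.2.12,198.51.100.9,250,150000
"""

def rx_counters(snapshot, iface):
    """Return (rx_bytes, rx_packets) for iface from /proc/net/dev text."""
    for line in snapshot.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            fields = rest.split()
            return int(fields[0]), int(fields[1])
    raise KeyError(iface)

def flow_totals(flow_csv):
    """Sum packets and octets over all flow records in the CSV text."""
    pkts = octets = 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        pkts += int(row["dpkts"])
        octets += int(row["doctets"])
    return pkts, octets

def coverage(t0, t1, flow_csv, iface, l2_overhead=14):
    """Compare flow totals with the interface counter deltas for one window."""
    b0, p0 = rx_counters(t0, iface)
    b1, p1 = rx_counters(t1, iface)
    if b1 < b0 or p1 < p0:
        raise ValueError("counter reset or wrap between snapshots")
    if_pkts = p1 - p0
    # Flow octets count IP bytes, so strip the assumed link-layer header.
    if_l3_bytes = (b1 - b0) - l2_overhead * if_pkts
    f_pkts, f_bytes = flow_totals(flow_csv)
    return {
        "if_packets": if_pkts,
        "flow_packets": f_pkts,
        "packet_ratio": f_pkts / if_pkts if if_pkts else None,
        "byte_ratio": f_bytes / if_l3_bytes if if_l3_bytes > 0 else None,
    }

if __name__ == "__main__":
    print(coverage(SNAP_T0, SNAP_T1, FLOWS, "eth1"))
```

A ratio well below 1 suggests missed traffic, but non-IP frames are counted on the interface and not in flows, and flows still active at the second snapshot are exported later. Use a window that is long compared with the flow timeouts so those edge effects stay small.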