From irino at sfc.wide.ad.jp Wed Sep 14 09:21:32 2011
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Wed, 14 Sep 2011 08:21:32 +0900
Subject: [netflow-tools] [PATCH] reducing compile warning on AMD64 cpu
Message-ID: <4E6FE57C.6000001@sfc.wide.ad.jp>

Hello softflowd developers and users,

Some warnings appear in printf-like functions when softflowd is
compiled in an Ubuntu 11.04 x64 (AMD64) environment.
The attached patch replaces llu with PRIu64 to reduce compile warnings.

thanks,
Hitoshi Irino
-------------- next part --------------
A non-text attachment was scrubbed...
Name: softflowd_amd64_reduce_compile_warn.patch
Type: text/x-patch
Size: 4467 bytes
Desc: not available
URL:

From irino at sfc.wide.ad.jp Tue Sep 20 12:31:58 2011
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Tue, 20 Sep 2011 11:31:58 +0900
Subject: [netflow-tools] [PATCH] periodic sampling function for softflowd
Message-ID: <4E77FB1E.8030004@sfc.wide.ad.jp>

Hello softflowd developers and users,

I wrote a patch which provides a periodic sampling function to softflowd.
I added a -s option; it needs a number, which is the sampling rate (denominator).

thanks,
Hitoshi Irino
-------------- next part --------------
A non-text attachment was scrubbed...
Name: softflowd_sampling.patch
Type: text/x-patch
Size: 2697 bytes
Desc: not available
URL:

From djm at mindrot.org Tue Sep 20 23:07:58 2011
From: djm at mindrot.org (Damien Miller)
Date: Tue, 20 Sep 2011 23:07:58 +1000 (EST)
Subject: [netflow-tools] flowd ASA Support
In-Reply-To:
References:
Message-ID:

On Wed, 31 Aug 2011, John Marrett wrote:

> I have updated my patch so that it reports all ASA reported flows as
> having at least one packet.
>
> This allows reporting on blocked traffic with the flow-tools utility
> flow-report.

Ugh, I knew that vendors would abuse NetFlow v.9's flexibility sooner
or later.

My vague plan is to change the storage format of flowd to protocol
buffers[1] so it will be able to store near-arbitrary data with good
forward and backwards compatibility, but I haven't got around to it
yet.

-d

[1] http://code.google.com/apis/protocolbuffers/docs/overview.html

From djm at mindrot.org Tue Sep 20 23:09:05 2011
From: djm at mindrot.org (Damien Miller)
Date: Tue, 20 Sep 2011 23:09:05 +1000 (EST)
Subject: [netflow-tools] ignore interface
In-Reply-To:
References:
Message-ID:

On Wed, 24 Aug 2011, CB EXPRESS wrote:

> If a system has more than 2 interfaces is there an option for softflowd or
> pfflowd to have it ignore traffic from these interfaces?

You can tell softflowd which interface to listen on with the "-i" option.
I don't think pfflowd can do this, but you can filter on if_index in the
received flows.

-d

From johnf at zioncluster.ca Wed Sep 21 04:20:28 2011
From: johnf at zioncluster.ca (John Marrett)
Date: Tue, 20 Sep 2011 14:20:28 -0400
Subject: [netflow-tools] flowd ASA Support
In-Reply-To:
References:
Message-ID:

Damien,

> My vague plan is to change the storage format of flowd to protocol
> buffers[1] so it will be able to store near-arbitrary data with good
> forward and backwards compatibility, but I haven't got around to it
> yet.

It would be very interesting to have a way to do this. There's
interesting data that my "patch" is leaving on the table. The most
significant are:

- If the flow was permitted or denied; I tried to implement this, it
  didn't go very well though. It didn't seem that the value
  NF_F_FW_EVENT was being correctly set by the ASA (more likely, I
  wasn't reading it correctly). Right now you can use a 0 byte flow as
  an indicator that the traffic wasn't permitted but that's far from
  perfect.
- Translated addresses and ports

-JohnF