From thomas.hupperich at ruhr-uni-bochum.de Thu Jan 17 20:08:35 2013
From: thomas.hupperich at ruhr-uni-bochum.de (Thomas Hupperich)
Date: 17 Jan 2013 10:08:35 +0100
Subject: [netflow-tools] [softflowd] Capture only one subnet
Message-ID: <50F7BF93.10408@ruhr-uni-bochum.de>

Hello everybody,

I am rather new to softflowd so I hope my question not to be totally
dumb.

Is it possible to capture only one subnet of netflow traffic?
For instance: If a switch processes traffic of the subnet 10.1.x.x and
10.2.x.x, would it be possible to capture only traffic of 10.2.x.x ?

Actually I am using softflowd to capture netflow traffic and it would
be best to restrict it only to one subnet directly.
Alternatively: Is there a way to export only those netflows of a
specific subnet (e.g. with flow-export from flowtools)?

Thanks for your help!
Cheers

From list2009 at lunch.za.net Thu Jan 17 21:24:30 2013
From: list2009 at lunch.za.net (Andrew McGill)
Date: Thu, 17 Jan 2013 12:24:30 +0200
Subject: [netflow-tools] [softflowd] Capture only one subnet
In-Reply-To: <50F7BF93.10408@ruhr-uni-bochum.de>
References: <50F7BF93.10408@ruhr-uni-bochum.de>
Message-ID: <20130117122430.1068cc6b@beans.lunch.za.net>

softflowd accepts a pcap filter expression on the command line

if memory serves (not necessarily true) this may work:

    softflowd net 10.2.0.0/16

&:-)

On 17 Jan 2013 10:08:35 +0100
"Thomas Hupperich" wrote:

> Hello everybody,
>
> I am rather new to softflowd so I hope my question not to be totally
> dumb.
>
> Is it possible to capture only one subnet of netflow traffic?
> For instance: If a switch processes traffic of the subnet 10.1.x.x and
> 10.2.x.x, would it be possible to capture only traffic of 10.2.x.x ?
>
> Actually I am using softflowd to capture netflow traffic and it would
> be best to restrict it only to one subnet directly.
> Alternatively: Is there a way to export only those netflows of a
> specific subnet (e.g. with flow-export from flowtools)?
>
> Thanks for your help!
> Cheers
> _______________________________________________
> netflow-tools mailing list
> netflow-tools at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/netflow-tools

--
You get 3.5 years of bad luck if you break RAID1

From thomas.hupperich at ruhr-uni-bochum.de Sat Jan 19 02:00:37 2013
From: thomas.hupperich at ruhr-uni-bochum.de (Thomas Hupperich)
Date: 18 Jan 2013 16:00:37 +0100
Subject: [netflow-tools] [softflowd] Capture only one subnet
In-Reply-To: <20130117122430.1068cc6b@beans.lunch.za.net>
References: <50F7BF93.10408@ruhr-uni-bochum.de> <20130117122430.1068cc6b@beans.lunch.za.net>
Message-ID: <50F96395.2070207@ruhr-uni-bochum.de>

Hello and thank you for your answers!

On 17.01.2013 11:24, Andrew McGill wrote:
> softflowd accepts a pcap filter expression on the command line
>
> if memory serves (not necessarily true) this may work:
>
> softflowd net 10.2.0.0/16
>
> &:-)

I tried this but unfortunately it did not work at all.
When the OS boots up a script runs the following command:

    softflowd -i eth1 -v5 -n 127.0.0.1:10555 net 10.10.2.0/24

At port 10555 on localhost there is a capture script running and
10.10.2.x is the subnet I want softflowd to capture.
eth1 is the interface to capture (in promisc mode).

When I now execute the command "softflowctl dump-flows" there are flows
listed on the console which are not from the specified subnet.
(btw I also tried "net 10.10.2.0/16" with the same result).
Of course I restarted the softflowd service and even the whole machine
after changing the configuration.

I am sorry to bother you with this issue.
Thank you again!
Greetings,
Thomas

From djm at mindrot.org Thu Jan 24 16:17:04 2013
From: djm at mindrot.org (Damien Miller)
Date: Thu, 24 Jan 2013 16:17:04 +1100 (EST)
Subject: [netflow-tools] [softflowd] Capture only one subnet
In-Reply-To: <50F96395.2070207@ruhr-uni-bochum.de>
References: <50F7BF93.10408@ruhr-uni-bochum.de> <20130117122430.1068cc6b@beans.lunch.za.net> <50F96395.2070207@ruhr-uni-bochum.de>
Message-ID:

On Sat, 18 Jan 2013, Thomas Hupperich wrote:

> softflowd -i eth1 -v5 -n 127.0.0.1:10555 net 10.10.2.0/24
>
> At port 10555 on localhost there is a capture script running and
> 10.10.2.x is the subnet I want softflowd to capture.
> eth1 is the interface to capture (in promisc mode).
>
> When I now execute the command "softflowctl dump-flows" there are flows
> listed on the console which are not from the specified subnet.

I think

"src net 10.10.2.0/24 and dst net 10.10.2.0/24"

is what you want

From thomas.hupperich at ruhr-uni-bochum.de Fri Jan 25 02:13:12 2013
From: thomas.hupperich at ruhr-uni-bochum.de (Thomas Hupperich)
Date: 24 Jan 2013 16:13:12 +0100
Subject: [netflow-tools] [softflowd] Capture only one subnet
In-Reply-To:
References: <50F7BF93.10408@ruhr-uni-bochum.de> <20130117122430.1068cc6b@beans.lunch.za.net> <50F96395.2070207@ruhr-uni-bochum.de>
Message-ID: <51014F88.6060907@ruhr-uni-bochum.de>

Hello,

> I think
>
> "src net 10.10.2.0/24 and dst net 10.10.2.0/24"
>
> is what you want

Thank you so much! This is exactly what I was looking for. :-)

Have a nice day!
Thomas
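
Added example (not part of the original thread and not softflowd code): a small Python model of the pcap address primitives discussed above, run over constructed flows. `net X` matches when either endpoint is in X, so addresses outside the subnet still show up in the flow table, while `src net X and dst net X` keeps only traffic with both endpoints inside. The function names and the extra `src net` case are assumptions added for illustration.

```python
import ipaddress

# Constructed sample flows (src, dst); not taken from the thread.
FLOWS = [
    ("10.10.2.15", "10.10.2.40"),   # both endpoints inside 10.10.2.0/24
    ("10.10.2.15", "192.0.2.80"),   # inside -> outside
    ("192.0.2.80", "10.10.2.15"),   # outside -> inside (reply direction)
    ("10.10.1.7", "192.0.2.80"),    # neither endpoint inside
]

def parse_net(cidr):
    """Strict CIDR parse: host bits set (e.g. 10.10.2.0/16) raise ValueError."""
    return ipaddress.ip_network(cidr, strict=True)

def in_net(addr, net):
    return ipaddress.ip_address(addr) in net

# Each function models one filter expression applied to a packet's addresses.
def f_net(src, dst, net):           # "net X": source OR destination in X
    return in_net(src, net) or in_net(dst, net)

def f_src_and_dst(src, dst, net):   # "src net X and dst net X": both in X
    return in_net(src, net) and in_net(dst, net)

def f_src(src, dst, net):           # "src net X": traffic originating in X
    return in_net(src, net)

FILTERS = {"net": f_net, "src net and dst net": f_src_and_dst, "src net": f_src}

def kept(filter_name, cidr, flows=FLOWS):
    """Flows that a capture using the given filter would still see."""
    net = parse_net(cidr)
    return [f for f in flows if FILTERS[filter_name](f[0], f[1], net)]

def outside_endpoints(filter_name, cidr, flows=FLOWS):
    """Addresses outside the subnet that still appear in kept flows."""
    net = parse_net(cidr)
    return sorted({a for f in kept(filter_name, cidr, flows) for a in f
                   if not in_net(a, net)})

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:22} kept={len(kept(name, '10.10.2.0/24'))} "
              f"outside={outside_endpoints(name, '10.10.2.0/24')}")
```
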