[netflow-tools] problems with pfflowd that don't happen with softflowd
Damien Miller
djm at mindrot.org
Sat Apr 30 21:58:30 EST 2005
Michael W. Lucas wrote:
> Hi,
>
> I'm currently using softflowd on FreeBSD 5.4, trying to switch over to
> pfflowd to get more timely exports of flows. (It *seems* that
> softflowd exports flows much later than when the traffic actually
> stops, and it *appears* that pfflowd expires these flows more
> quickly.)
That is possible: softflowd's timeouts are pretty conservative,
especially for TCP - 30 minutes post-FIN. You can tune these on the
commandline though :)
> My collector is flow-capture, and works perfectly with softflowd. It
> doesn't actually record anything with pfflowd, however.
>
> If I run pfflowd in debug mode, it sure looks like I'm getting flows.
>
> ...
> pfflowd[40500]: FLOW proto 6 direction 1
> pfflowd[40500]: start 2005-04-30T07:33:36(0) finish 2005-04-30T07:33:42(6880)
> pfflowd[40500]: w.x.y.z:10260 -> a.b.c.d:443 2897 bytes 11 packets
> pfflowd[40500]: a.b.c.d:443 -> w.x.y.z:10260 831 bytes 9 packets
> pfflowd[40500]: Sending flow packet len = 600
> pfflowd[40500]: flows_exported = 36
> ...
>
> tcpdump on the sensor and the collector shows that traffic is actually
> reaching the collector, so I don't think I've made an error on my host
> or port config.
When you run tcpdump, did you try the "-T cnfp" to get it to parse the
NetFlow packets? What collector are you using?
-d
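The check Damien suggests (have tcpdump decode the NetFlow datagrams rather than just count them) can also be done with a few lines of code on the collector side. The decoder below is an added example, not code from pfflowd, softflowd or flow-capture: it assumes the exporter emits NetFlow v5 (the "len = 600" in the debug output is consistent with that, being a 24-byte v5 header plus 12 records of 48 bytes), and it builds its own constructed sample datagram from the two flow directions in the log, with documentation-range addresses standing in for w.x.y.z and a.b.c.d. Feeding it a real datagram captured on the collector tells you whether the version field, record count and length line up the way flow-capture expects.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

# NetFlow v5 wire layout: a 24-byte header followed by `count` 48-byte records.
HEADER_FMT = "!HHIIIIBBH"                # version, count, sys_uptime, unix_secs,
                                         # unix_nsecs, flow_sequence, engine_type,
                                         # engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output,
                                         # dPkts, dOctets, first, last, srcport,
                                         # dstport, pad1, tcp_flags, prot, tos,
                                         # src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    first_ms: int   # sys_uptime (ms) at the first packet of the flow
    last_ms: int    # sys_uptime (ms) at the last packet of the flow


def expected_len(count: int) -> int:
    """Size in bytes of a v5 export datagram carrying `count` records."""
    return HEADER_LEN + count * RECORD_LEN


def parse_v5(packet: bytes) -> dict:
    """Decode one NetFlow v5 export datagram; raise ValueError if it is malformed."""
    if len(packet) < HEADER_LEN:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, _sampling = \
        struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(packet) != expected_len(count):
        raise ValueError(f"length {len(packet)} does not match count={count} "
                         f"(expected {expected_len(count)})")
    records: List[FlowRecord] = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        records.append(FlowRecord(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
            sport=f[9], dport=f[10], proto=f[13],
            packets=f[5], octets=f[6], first_ms=f[7], last_ms=f[8]))
    return {"count": count, "sequence": seq, "uptime_ms": uptime,
            "unix_secs": secs, "records": records}


def build_v5(records: List[FlowRecord], uptime_ms: int, unix_secs: int,
             sequence: int) -> bytes:
    """Encode records as a v5 datagram (used here only to construct sample input)."""
    hdr = struct.pack(HEADER_FMT, 5, len(records), uptime_ms, unix_secs, 0,
                      sequence, 0, 0, 0)
    body = b"".join(struct.pack(
        RECORD_FMT, socket.inet_aton(r.src), socket.inet_aton(r.dst),
        b"\x00" * 4, 0, 0, r.packets, r.octets, r.first_ms, r.last_ms,
        r.sport, r.dport, 0, 0, r.proto, 0, 0, 0, 0, 0, 0) for r in records)
    return hdr + body


# Constructed sample: both directions of the HTTPS flow shown in the debug log
# (byte/packet counts and 0..6880 ms timing from the log; addresses, uptime,
# clock and sequence number are made up for the example).
SAMPLE_RECORDS = [
    FlowRecord("192.0.2.10", "198.51.100.20", 10260, 443, 6, 11, 2897, 0, 6880),
    FlowRecord("198.51.100.20", "192.0.2.10", 443, 10260, 6, 9, 831, 0, 6880),
]
SAMPLE_PACKET = build_v5(SAMPLE_RECORDS, uptime_ms=6880, unix_secs=1114846416,
                         sequence=36)


def check_export(packet: bytes) -> Optional[str]:
    """Return None if the datagram decodes as well-formed v5, else the reason."""
    try:
        parse_v5(packet)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    decoded = parse_v5(SAMPLE_PACKET)
    print(f"v5 export: {decoded['count']} records, seq {decoded['sequence']}")
    for r in decoded["records"]:
        print(f"  proto {r.proto} {r.src}:{r.sport} -> {r.dst}:{r.dport} "
              f"{r.octets} bytes {r.packets} packets")
```

To use it on live traffic, bind a UDP socket on the collector's port (or read the payloads out of a pcap) and pass each datagram to check_export: a non-None result, or a version other than 5, points at an exporter/collector version mismatch rather than at the host and port configuration.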