From lists at pantz.org Thu Jun 22 05:36:35 2006
From: lists at pantz.org (Joe)
Date: Wed, 21 Jun 2006 15:36:35 -0400
Subject: [netflow-tools] Pfflowd and OpenBSD 3.9
Message-ID: <20060621193635.GA22754@x2.domain.lan>

Has anyone had any luck with Pfflowd from OpenBSD 3.9? I'm using the same
line to start it from 3.8 which works fine. Pfflowd is the same version (.6)
from 3.8 - 3.9. The output of the error below on a default install of a 3.9
machine. Looks like the version of pfsync for 3.9 is not what Pfflowd is looking
for. If it is broke are there any plans to fix it? Thanks for the help.

root at net: /usr/local/sbin/pfflowd -D -n 127.0.0.1:12345 ZZZZ 4
pfflowd[12377]: pfflowd listening on pfsync0
pfflowd[12377]: Unsupported pfsync version 3, exiting

From msf at kisoku.net Thu Jun 22 05:38:28 2006
From: msf at kisoku.net (Mathieu Sauve-Frankel)
Date: Wed, 21 Jun 2006 15:38:28 -0400
Subject: [netflow-tools] Pfflowd and OpenBSD 3.9
In-Reply-To: <20060621193635.GA22754@x2.domain.lan>
References: <20060621193635.GA22754@x2.domain.lan>
Message-ID: <20060621193828.GB23268@kisoku.net>

On Wed, Jun 21, 2006 at 03:36:35PM -0400, Joe wrote:
> Has anyone had any luck with Pfflowd from OpenBSD 3.9? I'm using the same
> line to start it from 3.8 which works fine. Pfflowd is the same version (.6)
> from 3.8 - 3.9. The output of the error below on a default install of a 3.9
> machine. Looks like the version of pfsync for 3.9 is not what Pfflowd is looking
> for. If it is broke are there any plans to fix it? Thanks for the help.

I committed a fix for this a couple of weeks ago to Damien's cvs repository.
--
Mathieu Sauve-Frankel

From lists at pantz.org Thu Jun 22 07:17:07 2006
From: lists at pantz.org (Joe)
Date: Wed, 21 Jun 2006 17:17:07 -0400
Subject: [netflow-tools] Pfflowd and OpenBSD 3.9
In-Reply-To: <20060621193828.GB23268@kisoku.net>
References: <20060621193635.GA22754@x2.domain.lan> <20060621193828.GB23268@kisoku.net>
Message-ID: <20060621211707.GB22754@x2.domain.lan>

Fantastic! I just compiled the new one from the mindrot CVS. Works great!

A note to anyone on the list. Remember to make the user "_pfflowd". If you
don't and you try to start it you get nothing back.

Let's hope this fix gets picked up for OpenBSD 4.0. Thanks for your work
Mathieu, it is appreciated.

On Wed, Jun 21, 2006 at 03:38:28PM -0400, Mathieu Sauve-Frankel wrote:
>On Wed, Jun 21, 2006 at 03:36:35PM -0400, Joe wrote:
>> Has anyone had any luck with Pfflowd from OpenBSD 3.9? I'm using the same
>> line to start it from 3.8 which works fine. Pfflowd is the same version (.6)
>> from 3.8 - 3.9. The output of the error below on a default install of a 3.9
>> machine. Looks like the version of pfsync for 3.9 is not what Pfflowd is looking
>> for. If it is broke are there any plans to fix it? Thanks for the help.
>
>I committed a fix for this a couple of weeks ago to Damien's cvs
>repository.
>
>--
>Mathieu Sauve-Frankel
>
>_______________________________________________
>netflow-tools mailing list
>netflow-tools at mindrot.org
>http://www.mindrot.org/mailman/listinfo/netflow-tools

From joerg at lemonnet.de Thu Jun 29 07:29:15 2006
From: joerg at lemonnet.de (joerg at lemonnet.de)
Date: Wed, 28 Jun 2006 23:29:15 +0200
Subject: [netflow-tools] too little flows with pfflowd
Message-ID: <20060628232915.03520438@localhost>

Hi list,

On our core router we are mirroring all traffic to a spanport on which we
have a dedicated host which should export netflow datagrams. First we tried
Linux and softflowd. It seemed to be a nice solution, but with higher load
softflowd got very busy.
So we decided to give OpenBSD and pfflowd a try. First I had to realize that
with pfflowd the host must route traffic, otherwise you will get no netflows.
Not an easy task on a mirror port. I solved this by changing the MAC of the
host to the same address as our router (promiscuous mode didn't help).

Okay, at this time the host created states and pfflowd exported them. But it
seemed to me that the exported netflows are too little. I analysed it with
nfsen and nfdump. softflowd gives me much more netflows (more than double the
size).

Regards,
Joerg.