[netflow-tools] softflowd and pflog

Damien Miller djm at mindrot.org
Thu Nov 2 16:17:35 EST 2006


On Thu, 26 Oct 2006, Cristian KLEIN wrote:

> Hi list,
> 
> I found it useful to log packets from a FreeBSD / OpenBSD pflog
> interface. This way, you may fine-tune the traffic you want to export.

Have you tried pfflowd[1]? It does something very similar to what
you want.

> This is very useful if you have a box which routes Gigabit LAN traffic
> and does NAT to the Internet. If you want to log the Internet traffic
> (before being NATed) you would have to put softflowd on the Gigabit
> interface, which would be a huge waste of CPU cycles.

Well, using pflog means that many fields in the flow will not be 
accurate, especially since pflog typically records only the first 
packet matching a state entry. You can use the "log (all)" modifier,
but then you are back to having softflowd look at every packet.

What advantages do you see in using pflog instead of pfsync (which is
what pfflowd uses)?

> In the following patch, I have hardcoded the pflog header size and the
> location of the address family, to reduce dependency.

I think it would be better to detect the presence of the net/if_pflog.h
header in configure and use PFLOG_HDRLEN directly so softflowd will 
automatically pick up changes in that file.

-d

[1] http://www.mindrot.org/projects/flowd/

