From cristi at net.utcluj.ro Fri Oct 27 06:06:19 2006
From: cristi at net.utcluj.ro (Cristian KLEIN)
Date: Thu, 26 Oct 2006 23:06:19 +0300
Subject: [netflow-tools] softflowd and pflog
Message-ID: <4541153B.8030002@net.utcluj.ro>

Hi list,

I found it useful to log packets from a FreeBSD / OpenBSD pflog interface. This way, you may fine-tune the traffic you want to export. This is very useful if you have a box which routes Gigabit LAN traffic and does NAT to the Internet. If you want to log the Internet traffic (before being NATed) you would have to put softflowd on the Gigabit interface, which would be a huge waste of CPU cycles.

In the following patch, I have hardcoded the pflog header size and the location of the address family, to reduce dependency.

Usage: softflowd -i pflog0 -n 127.0.0.1:12142

--- softflowd.c.orig Thu Oct 26 21:52:15 2006 +++ softflowd.c Thu Oct 26 22:41:44 2006 @@ -88,6 +88,9 @@ #ifdef DLT_LOOP { DLT_LOOP, 4, 0, 4, 1, 0xffffffff, AF_INET, AF_INET6 }, #endif +#ifdef DLT_PFLOG + { DLT_PFLOG, 48, 1, 1, 0, 0x000000ff, AF_INET, AF_INET6 }, +#endif { -1, -1, -1, -1, -1, 0x00000000, 0xffff, 0xffff }, };
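
Review bot: The new DLT_PFLOG table entry hardcodes the header length as 48 and the address-family offset as 1, with no comment saying what either number means. The pflog header records its own length in its first byte, and nothing in this entry checks that the header on the capturing system really is 48 bytes, so on a system where it differs the flow parser would start reading the IP header at the wrong offset and could export misparsed flows without reporting an error. Consider taking the size from the system header inside the #ifdef (PFLOG_HDRLEN from net/if_pflog.h) or reading the length byte per packet, and add a one-line comment documenting the 48, 1, 1, 0, 0x000000ff values. Also worth noting in that comment: the af byte is compared against the build host's AF_INET and AF_INET6, so the match only holds for captures taken on an OS that uses the same AF_INET6 value.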