Sebastian Schwerdhoefer
2006-Jan-19 17:50 UTC
[netflow-tools] Problem with pfflowd on freebsd 6.0
Hi,

> When i start pfflowd with -D switch i only have this message:
> pfflowd -d
> no export target defined
> zzzz -1
> pfflowd[37565]: pfflowd listening on pfsync0
>
> it doesn't matter that i tell to what collector send this data.
> nothing happens.
> this is router for my network so there is a lot of changes in pf
> states.

the same situation here. I commented out the lines

"""
if (ph->action != PFSYNC_ACT_DEL)
        return;
"""

in pfflowd.c and it seems to work now. But this is a very dirty hack, 'cause the condition to only handle PFSYNC_ACT_DEL packets should save a lot of unnecessary netflow datagrams - as far as I and my boss understood.
Sebastian Schwerdhoefer wrote:

> the same situation here. I commented out the lines
>
> """
> if (ph->action != PFSYNC_ACT_DEL)
>         return;
> """
>
> in pfflowd.c and it seems to work now. But this is a very dirty hack, 'cause
> the condition to only handle PFSYNC_ACT_DEL packets should save a lot of
> unnecessary netflow datagrams - as far as i and my boss understood.

I have no idea why you aren't seeing PFSYNC_ACT_DEL messages...

Could you have your pfflowd.c to printf() the pf->action value? Maybe that will give us a clue.

-d
Sebastian Schwerdhoefer
2006-Jan-20 12:48 UTC
[netflow-tools] Problem with pfflowd on freebsd 6.0
Damien Miller wrote on 2006-01-20 at 13:26:

> I have no idea why you aren't seeing PFSYNC_ACT_DEL messages...
>
> Could you have your pfflowd.c to printf() the pf->action value? Maybe
> that will give us a clue.

pfsync works fine, and state deletions are synchronized too, but pfflowd (with a debug message) just prints out:

...
DEBUG: ph->action: 1
DEBUG: ph->action: 2
...

No PFSYNC_ACT_DEL message arrives, only PFSYNC_ACT_INS and PFSYNC_ACT_UPD. It seems as if pfsync (on FreeBSD 6) uses PFSYNC_ACT_UPD to notify about state deletions...

Sadly I'm not a programmer, so I couldn't figure out how to detect if a PFSYNC_ACT_UPD message is a masked delete message.

regards,
Sebastian Schwerdhoefer
Sebastian Schwerdhoefer wrote:

> Damien Miller wrote on 2006-01-20 at 13:26:
>
>> I have no idea why you aren't seeing PFSYNC_ACT_DEL messages...
>>
>> Could you have your pfflowd.c to printf() the pf->action value? Maybe
>> that will give us a clue.
>
> pfsync works fine, and state deletions are synchronized too, but
> pfflowd (with a debug message) just prints out:
> ...
> DEBUG: ph->action: 1
> DEBUG: ph->action: 2
> ...
> No PFSYNC_ACT_DEL message arrives, only PFSYNC_ACT_INS and
> PFSYNC_ACT_UPD. It seems as pfsync (on FreeBSD 6) uses PFSYNC_ACT_UPD
> to notify about state deletions...

Does tcpdump on the pfsync interface see delete events?

-d
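The per-message debug print discussed above can be turned into a tally that says outright whether any delete message arrived, which is the condition under which a DEL-only filter exports no flows. This is an added example, not pfflowd code and not written by anyone in the thread; the four-byte header prefix (version, af, action, count), the value 3 for the delete action, and all function names and sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed: header bytes are version, af, action, count; codes 1/2 as in the thread, 3 = delete. */
enum { ACT_INS = 1, ACT_UPD = 2, ACT_DEL = 3, ACT_MAX = 16, HDR_MIN = 4 };

struct tally {
    unsigned long pkts[ACT_MAX];   /* messages seen per action code */
    unsigned long states[ACT_MAX]; /* state entries announced per action code */
    unsigned long bad;             /* truncated or out-of-range headers */
};

/* Account for one captured payload; returns 0 if counted, -1 if rejected. */
int tally_add(struct tally *t, const uint8_t *buf, size_t len)
{
    if (len < HDR_MIN || buf[2] >= ACT_MAX) {
        t->bad++;
        return -1;
    }
    t->pkts[buf[2]]++;
    t->states[buf[2]] += buf[3];
    return 0;
}

/* 1 when messages arrived but none was a delete, so a DEL-only filter exports nothing. */
int tally_del_missing(const struct tally *t)
{
    unsigned long total = 0;
    for (int i = 0; i < ACT_MAX; i++)
        total += t->pkts[i];
    return total > 0 && t->pkts[ACT_DEL] == 0;
}

/* Constructed sample headers: an INS/UPD-only stream like the one reported. */
static const uint8_t sample[][HDR_MIN] = { {2, 2, ACT_INS, 1}, {2, 2, ACT_UPD, 3}, {2, 2, ACT_UPD, 1} };
struct tally run_sample(void)
{
    struct tally t = {{0}, {0}, 0};
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        tally_add(&t, sample[i], sizeof sample[i]);
    return t;
}

int main(void)
{
    struct tally t = run_sample();
    printf("INS=%lu UPD=%lu DEL=%lu del_missing=%d\n", t.pkts[ACT_INS], t.pkts[ACT_UPD], t.pkts[ACT_DEL], tally_del_missing(&t));
    return 0;
}
```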
Sebastian Schwerdhoefer
2006-Jan-24 15:05 UTC
[netflow-tools] Problem with pfflowd on freebsd 6.0
Damien Miller wrote on 2006-01-21 at 00:25:

> Does tcpdump on the pfsync interface see delete events?

Hm...: Directly listening at pfsync0 does not work (tcpdump: unsupported data link type 121) and if I listen at the "syncdev", tcpdump or ethereal does not decode the pfsync packets.

Anyway I'll attach a commented tcpdump output. Maybe you can decode it.

regards,
Sebastian Schwerdhoefer
### Here I started my browser and pfctl -ss reported the new states
### here the states disappeared.