I have tried to change from Pcap format to Netflow using softflowd but it say me that the format I use is not support. However, I can extract information using tcpdump, so I wonder why softflowd say me that is an unsupported datalink type. Anyone knows which is the reason? Besides, how could I add the support for this header? Thanks. -- Regards, V?ctor L?pez ?lvarez Universidad Aut?noma de Madrid Networking Research Group (NRG - http://www.ii.uam.es/~networking) http://rincon.uam.es/dir?cw=288360595703125
On Wed, 21 Feb 2007, V?ctor L?pez ?lvarez wrote:> I have tried to change from Pcap format to Netflow using softflowd but > it say me that the format I use is not support. However, I can extract > information using tcpdump, so I wonder why softflowd say me that is an > unsupported datalink type. > > Anyone knows which is the reason?Because support for it has not been implemented.> Besides, how could I add the support for this header?Near the start of softflowd.c there is a definition of "struct DATALINK" and a table of supported datalink types "lt[]". struct DATALINK defines where in the layer-2 frame softflowd should look for the frame type, how to extract it and how to interpet it to determine whether a frame represents a IPv4 or IPv6 packet. Adding a new frame type to softflowd is as simple as adding an entry to this array. -d
On 3/29/07, Damien Miller <djm at mindrot.org> wrote:> On Wed, 21 Feb 2007, V?ctor L?pez ?lvarez wrote: > > > I have tried to change from Pcap format to Netflow using softflowd but > > it say me that the format I use is not support. However, I can extract > > information using tcpdump, so I wonder why softflowd say me that is an > > unsupported datalink type. > > > > Anyone knows which is the reason? > > Because support for it has not been implemented. > > > Besides, how could I add the support for this header? > > Near the start of softflowd.c there is a definition of "struct DATALINK" > and a table of supported datalink types "lt[]". struct DATALINK defines > where in the layer-2 frame softflowd should look for the frame type, how > to extract it and how to interpet it to determine whether a frame represents > a IPv4 or IPv6 packet. > > Adding a new frame type to softflowd is as simple as adding an entry to > this array.I''m wondering whether it''s easy to collect other packet information such as MPLS and VPN.> > -d > _______________________________________________ > netflow-tools mailing list > netflow-tools at mindrot.org > http://lists.mindrot.org/mailman/listinfo/netflow-tools > >Thanks, -- Guanqun
On Thu, 29 Mar 2007, Guanqun Lu wrote:> > Adding a new frame type to softflowd is as simple as adding an entry to > > this array. > > I''m wondering whether it''s easy to collect other packet information such as > MPLS > and VPN.If it is in the packet, and there exist NetFlow fields in which to export it, then softflowd can be modified to collect and report it. It doesn''t support either of these at present, but MPLS wouldn''t be too difficult to add I imagine. You would need to be more specific about what you mean by "VPN". If you mean IPsec, then there is not much more additional information available beyond what is already reported (endpoints and IP protocol) unless you give softflowd the keys to the phase-2 IPsec SAs, which I think is a pretty scary proposition. -d