Hi all,

I want a simple NetFlow probe in Linux which will export v5 and v9 flows to the collector. Is any daemon available for this, or can the kernel be patched to do this?

Thanks in advance,
Koteswar
Koteswar - Pandu wrote:
> Hi all
>
> I want a simple netflow probe in linux which will export v5 and v9
> flows to the collector. Any daemon is available for this or kernel can
> be patched to do this??

I can highly recommend pmacctd. It's simple to set up and will work as a NetFlow probe for you.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968
On Wed, 8 Jul 2009, Koteswar - Pandu wrote:
> Hi all
>
> I want a simple netflow probe in linux which will export v5 and v9
> flows to the collector. Any daemon is available for this or kernel can
> be patched to do this??

Well, this list partially exists to support softflowd:

http://www.mindrot.org/projects/softflowd/

softflowd is a software NetFlow probe that supports v5, v9 and IPv6.

-d
Hi,

In softflowd, if I select the track level "ip" (softflowd -T ip), then it is filling the other fields like protocol, src port, dst port and TCP flags with 0 and sending the data flowset. But this is not correct behavior. It should not add these fields to the data flowset or template flowset, so that we can reduce the exported flow data volume and network load (RFC3957). Please clarify if I am wrong.

Regards,
Koteswar

On Thu, Jul 9, 2009 at 1:20 PM, Damien Miller <djm at mindrot.org> wrote:
> On Wed, 8 Jul 2009, Koteswar - Pandu wrote:
>
> > Hi all
> >
> > I want a simple netflow probe in linux which will export v5 and v9
> > flows to the collector. Any daemon is available for this or kernel can
> > be patched to do this??
>
> Well this list partially exists to support softflowd:
>
> http://www.mindrot.org/projects/softflowd/
>
> Softflowd is a software netflow probe that supports v5, v9 and IPv6.
>
> -d
On Mon, 24 Aug 2009, Koteswar wrote:
> Hi
> In sofflowd, If I select track level as "ip" (softflowd -T ip) then it is
> filling other fields like protocol, src port, dst port, tcp flags to 0 and
> sending data flow set. But this is not correct behavior. It should not add
> these fields to data flow set or template flow set so that we can reduce
> exported flow data volume and network load (RFC3957).
> Please clarify if I am wrong?

The tracking level (-T flag) defines how much of the packets are inspected. Your setting of "ip" is the bare minimum, and does not include Layer-3 information like the protocol and protocol ports. Normally you would only select this option if you were uninterested in this information.

If you do want to see source/destination ports and the protocol in use, then I suggest that you specify "-T full" or just leave the -T flag off, since "full" is the default anyway.

-d
But while sending the template record, it is better not to add the unwanted fields like protocol and port. And in the case of sending a data record, also do not add the fields protocol and ports if track level "ip" is selected. In softflowd we are sending all the fields independent of track level, but setting the unwanted fields to 0.

Regards,
Koteswar

On Mon, Aug 24, 2009 at 12:49 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 24 Aug 2009, Koteswar wrote:
>
> > Hi
> > In sofflowd, If I select track level as "ip" (softflowd -T ip) then it is
> > filling other fields like protocol, src port, dst port, tcp flags to 0
> > and sending data flow set. But this is not correct behavior. It should not
> > add these fields to data flow set or template flow set so that we can reduce
> > exported flow data volume and network load (RFC3957).
> > Please clarify if I am wrong?
>
> The tracking level (-T flag) defines how much of the packets are inspected.
> You setting of "ip" is the bare minimum, and does not include Layer-3
> information like the protocol and protocol ports. Normally you would only
> select this option if you were uninterested in this information.
>
> If you do want to see source/destination ports and the protocol in use then
> I suggest that you specify "-T full" or just leave the -T flag off, since
> "full" is the default anyway.
>
> -d
On Mon, 24 Aug 2009, Koteswar wrote:
> But while sending template record better not to add the unwanted fields like
> protocol and port. And in case of sending data record also donot add the
> fields protocol and ports if track level "ip" is selected. In softflowd we
> are sending all the fields independent of track level but setting unwanted
> fields to 0.

Yes, this is true. I did it this way to keep the nf.9 export code simple, and because the track level stuff was really only intended as a way to reduce load on the sensor and the total number of exported flows.

If someone wants to help renovate the nf.9 export code then this can change :)

-d
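To make the trade-off in the thread concrete, here is an added example (not softflowd code, and not from either poster) that encodes and decodes NetFlow v9 export packets following the template/data flowset layout of RFC 3954. It builds the same set of flows two ways: with one full template where untracked fields are zero-filled (the behaviour Damien describes), and with a reduced template that carries only the address and counter fields (what Koteswar proposes). The field list, the template IDs 256 and 257, and the sample flows are assumptions made for the demonstration; the field type numbers are the RFC 3954 ones.

```python
"""NetFlow v9 (RFC 3954) template + data flowset encoder/decoder.

Added example for the softflowd -T discussion; this is NOT softflowd code.
It compares two ways of exporting "IP-only" flows:
  (a) one full template with untracked fields zero-filled, and
  (b) a reduced template carrying only the tracked fields.
Template IDs, field lists and sample flows are assumptions for the demo.
"""
import ipaddress
import struct
import time

# Field type IDs from RFC 3954 section 8; field lengths are chosen by the exporter.
IN_BYTES, IN_PKTS, PROTOCOL, TCP_FLAGS = 1, 2, 4, 6
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
ADDR_FIELDS = (IPV4_SRC_ADDR, IPV4_DST_ADDR)

# (template_id, [(field_type, field_length), ...]); IDs >= 256 are data templates.
FULL_TEMPLATE = (256, [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_PKTS, 4), (IN_BYTES, 4),
                       (PROTOCOL, 1), (L4_SRC_PORT, 2), (L4_DST_PORT, 2), (TCP_FLAGS, 1)])
IP_ONLY_TEMPLATE = (257, [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_PKTS, 4), (IN_BYTES, 4)])

# Constructed sample flows keyed by field type (assumed data, not captured traffic).
SAMPLE_FLOWS = [
    {IPV4_SRC_ADDR: "10.0.0.5", IPV4_DST_ADDR: "192.0.2.10", IN_PKTS: 12, IN_BYTES: 9000,
     PROTOCOL: 6, L4_SRC_PORT: 51234, L4_DST_PORT: 443, TCP_FLAGS: 0x1b},
    {IPV4_SRC_ADDR: "10.0.0.7", IPV4_DST_ADDR: "192.0.2.53", IN_PKTS: 1, IN_BYTES: 78,
     PROTOCOL: 17, L4_SRC_PORT: 40001, L4_DST_PORT: 53, TCP_FLAGS: 0},
]

def record_length(fields):
    """Bytes one data record occupies under a template."""
    return sum(length for _, length in fields)

def strip_to_ip_level(flows):
    """Mimic '-T ip': keep only the address and counter fields of each flow."""
    keep = {IPV4_SRC_ADDR, IPV4_DST_ADDR, IN_PKTS, IN_BYTES}
    return [{k: v for k, v in f.items() if k in keep} for f in flows]

def encode_template_flowset(template_id, fields):
    # FlowSet ID 0 marks a template flowset; the length includes its 4-byte header.
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def encode_field(ftype, flen, value):
    if ftype in ADDR_FIELDS:
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(flen, "big")  # OverflowError if value exceeds the field

def encode_data_flowset(template_id, fields, flows):
    # A field absent from a flow is exported as zero: the zero-fill behaviour
    # described in the thread for a full template used at a lower track level.
    body = b"".join(
        b"".join(encode_field(t, l, flow.get(t, 0)) for t, l in fields) for flow in flows)
    pad = (-len(body)) % 4  # flowsets are padded to a 4-byte boundary
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\0" * pad

def encode_packet(template, flows, seq=0, source_id=1, uptime_ms=0, unix_secs=None):
    """One export packet: 20-byte header, the template flowset, then the data flowset."""
    template_id, fields = template
    if unix_secs is None:
        unix_secs = int(time.time())
    count = 1 + len(flows)  # header count = template records + data records
    header = struct.pack("!HHIIII", 9, count, uptime_ms, unix_secs, seq, source_id)
    return (header + encode_template_flowset(template_id, fields)
            + encode_data_flowset(template_id, fields, flows))

def parse_packet(pkt):
    """Collector side: returns (header dict, {template_id: fields}, [record dicts])."""
    version, count, _uptime, _secs, seq, source_id = struct.unpack_from("!HHIIII", pkt, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, offset = {}, [], 20
    while offset + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, offset)
        if fs_len < 4 or offset + fs_len > len(pkt):
            raise ValueError("bad flowset length")  # never walk past the buffer
        body = pkt[offset + 4:offset + fs_len]
        if fs_id == 0:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:
            fields = templates.get(fs_id)
            if fields is None:
                raise ValueError("data flowset %d arrived before its template" % fs_id)
            rlen, pos = record_length(fields), 0
            while rlen and pos + rlen <= len(body):  # trailing bytes < rlen are padding
                rec = {}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    rec[ftype] = (str(ipaddress.IPv4Address(raw)) if ftype in ADDR_FIELDS
                                  else int.from_bytes(raw, "big"))
                records.append(rec)
        offset += fs_len
    return {"count": count, "seq": seq, "source_id": source_id}, templates, records

if __name__ == "__main__":
    ip_flows = strip_to_ip_level(SAMPLE_FLOWS)
    for name, tmpl in (("full template, zero-filled", FULL_TEMPLATE),
                       ("reduced template", IP_ONLY_TEMPLATE)):
        pkt = encode_packet(tmpl, ip_flows)
        print("%-28s %d bytes/record, %d-byte packet"
              % (name, record_length(tmpl[1]), len(pkt)))
```

With these two templates the difference is 22 versus 16 bytes per record, plus the shorter template flowset itself; the collector has to see a template before the first data flowset that uses it, which is why `parse_packet` refuses data whose template has not arrived rather than guessing at the layout.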