netflow tools - Jan 2013 - [softflowd] Capture only one subnet

Hello everybody,

I am rather new to softflowd so I hope my question not to be totally dumb.

Is it possible to capture only one subnet of netflow traffic?
For instance: If a switch processes traffic of the subnet 10.1.x.x and
10.2.x.x, would it be possible to capture only traffic of 10.2.x.x ?

Actually I am using softflowd to capture netflow traffic and it would be
best to restrict it only to one subnet directly.
Alternatively: Is there a way to export only those netflows of a
specific subnet (e.g. with flow-export from flowtools)?

Thanks for your help!
Cheers

softflowd accepts a pcap filter expression on the command line

if memory serves (not necessarily true) this may work:

	softflowd net 10.2.0.0/16

&:-)

On 17 Jan 2013 10:08:35 +0100
"Thomas Hupperich" <thomas.hupperich at ruhr-uni-bochum.de>
wrote:
> Hello everybody,
> 
> I am rather new to softflowd so I hope my question not to be totally
> dumb.
> 
> Is it possible to capture only one subnet of netflow traffic?
> For instance: If a switch processes traffic of the subnet 10.1.x.x and
> 10.2.x.x, would it be possible to capture only traffic of 10.2.x.x ?
> 
> Actually I am using softflowd to capture netflow traffic and it would
> be best to restrict it only to one subnet directly.
> Alternatively: Is there a way to export only those netflows of a
> specific subnet (e.g. with flow-export from flowtools)?
> 
> Thanks for your help!
> Cheers
> _______________________________________________
> netflow-tools mailing list
> netflow-tools at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/netflow-tools

-- 
You get 3.5 years of bad luck if you break RAID1

Hello and thank you for your answers!

On 17.01.2013 11:24, Andrew McGill wrote:
> softflowd accepts a pcap filter expression on the command line
>
> if memory serves (not necessarily true) this may work:
>
> 	softflowd net 10.2.0.0/16
>
> &:-)
I tried this but unfortunately it did not work at all.
When the OS boots up a script runs the following command:

softflowd -i eth1 -v5 -n 127.0.0.1:10555 net 10.10.2.0/24

At port 10555 on localhost there is a capture script running and
10.10.2.x is the subnet I want softflowd to capture.
eth1 is the interface to capture (in promisc mode).

When I now execute the command "softflowctl dump-flows" there are
flows
listed on the console which are not from the specified subnet. (btw I
also tried "net 10.10.2.0/16" with the same result).
Of course I restarted the softflod service and even the whole machine
after changing the configuration.

I am sorry to bother you with this issue.
Thank you again!

Greetings,
    Thomas

On Sat, 18 Jan 2013, Thomas Hupperich wrote:
> softflowd -i eth1 -v5 -n 127.0.0.1:10555 net 10.10.2.0/24
> 
> At port 10555 on localhost there is a capture script running and
> 10.10.2.x is the subnet I want softflowd to capture.
> eth1 is the interface to capture (in promisc mode).
> 
> When I now execute the command "softflowctl dump-flows" there are
flows
> listed on the console which are not from the specified subnet.
I think

"src net 10.10.2.0/24 and dst net 10.10.2.0/24"

is what you want

Hello,
> I think
>
> "src net 10.10.2.0/24 and dst net 10.10.2.0/24"
>
> is what you want
Thank you so much! This is exactly what I was looking for. :-)

Have a nice day!
Thomas