Hi, Supposed we have a netflow collector which captures raw flows using flow-scan, throws a copy of each to a flow-capture listening on loopback and another copy on a remote machine.
The ip which runs flow-fanout is 192.168.1.19. The ip of another collector is 192.168.1.20 Flow-fanout was started like this: /usr/bin/flow-fanout 192.168.1.19/0/2054 127.0.0.1/0/2054 192.168.1.19/192.168.1.20/2054 Flow-capture was started like this: /usr/bin/flow-capture -w /var/netflow/ft/all 127.0.0.1/0/2054 -S5 -V5 -e864 -n287 -N0 Now, I have encountered several problems, which I think pertains to the "Bugs" section of flow-fanout manpage: First, the flows being received by flow-capture, has now a router exporter ip of 127.0.0.1. With this, I got weird netflows having random ifindex numbers above 100. The same erroneous flows arrives on 192.168.1.20. The manpage says this is a bug (having the exporter router ip lost when using flow-fanout), and I assume that this is the cause why I am getting wrong ifindexes, and a workaround would be to use IP aliases and localip option. Can you please clarify how this should be done, and why this bug is happening. The exporterip as well as the ifindex is important to us because, there is an instance when a host appears at the top talkers but when we ping it, it doesn't reply, and we are assuming that it's either filtered or the ip is spoofed. However, to find out if this is spoofed, we have find out what interface on the exporter router it enters. Only that, it is not possible with flows received from flow-fanout.. That's all for now. Thanks. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
