I gave up on using flow-fanout to distribute flows, and bought a flow mirroring appliance from Lancope.com

Jonathan G.

jay alvarez wrote:
> Hi,
>
> Suppose we have a netflow collector which captures
> raw flows using flow-scan, throws a copy of each to a
> flow-capture listening on loopback and another copy on
> a remote machine.
>
> The IP which runs flow-fanout is 192.168.1.19.
> The IP of another collector is 192.168.1.20
>
> Flow-fanout was started like this:
>
> /usr/bin/flow-fanout 192.168.1.19/0/2054 127.0.0.1/0/2054 192.168.1.19/192.168.1.20/2054
>
> Flow-capture was started like this:
>
> /usr/bin/flow-capture -w /var/netflow/ft/all 127.0.0.1/0/2054 -S5 -V5 -e864 -n287 -N0
>
> Now, I have encountered several problems, which I
> think pertain to the "Bugs" section of the flow-fanout
> manpage:
>
> First, the flows being received by flow-capture
> now have a router exporter IP of 127.0.0.1. With this, I
> got weird netflows having random ifindex numbers above
> 100. The same erroneous flows arrive on 192.168.1.20.
> The manpage says this is a bug (having the exporter
> router IP lost when using flow-fanout), and I assume
> that this is the cause why I am getting wrong
> ifindexes, and a workaround would be to use IP aliases
> and localip option. Can you please clarify how this
> should be done, and why this bug is happening. The
> exporter IP as well as the ifindex is important to us
> because there is an instance when a host appears at
> the top talkers but when we ping it, it doesn't reply,
> and we are assuming that it's either filtered or the
> IP is spoofed. However, to find out if this is
> spoofed, we have to find out what interface on the
> exporter router it enters. Only that, it is not
> possible with flows received from flow-fanout.
>
> That's all for now. Thanks.
>
> _______________________________________________
> Flow-tools mailing list
> [EMAIL PROTECTED]
> http://mailman.splintered.net/mailman/listinfo/flow-tools

-- 
Jonathan Glass, RHCE, MCP
Information Security Engineer III
OIT Information Security
Georgia Institute of Technology
Atlanta, Georgia 30332-0700
Office/Cell: 404-385-6900
Key ID: 0xAB50FF20 Size: 2048 Bits Created: 11/17/2004
Fingerprint: 3CD2 1BC6 4485 720B AB45 FF3E 8B3B D6F5 AB50 FF20
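
Why the exporter address is lost behind a relay, as an added example that is not part of the thread or of flow-tools: a NetFlow v5 datagram has no exporter-address field, so a collector can only take the exporter from the UDP source address, which after a relay is the address the relay sends from (the point of the alias and localip workaround the quoted message mentions). The datagram contents and the helper names `build_pdu`, `parse_pdu` and `collect_via_relay` are constructed for illustration.

```python
import socket
import struct

# NetFlow v5: 24-byte header, then 48-byte flow records. Neither structure
# carries the exporter's own IP address.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4sIHHIIIIHHBBBBHHBBH")

def build_pdu(flows, engine_id=0):
    """Build a constructed v5 datagram from (src, dst, in_if, out_if) tuples."""
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), 0, i, o,
                 1, 64, *([0] * 6), 1, *([0] * 6))
        for s, d, i, o in flows)
    return HDR.pack(5, len(flows), 0, 0, 0, 0, 0, engine_id, 0) + body

def parse_pdu(data):
    """Return (engine_id, flows); reject short, non-v5 or mis-sized input."""
    if len(data) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, _, _, engine_id, _ = HDR.unpack_from(data)
    if version != 5 or len(data) != HDR.size + count * REC.size:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    flows = []
    for n in range(count):
        f = REC.unpack_from(data, HDR.size + n * REC.size)
        flows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[3], f[4]))
    return engine_id, flows

def collect_via_relay(pdu, relay_ip="127.0.0.1"):
    """Re-send pdu from a socket bound to relay_ip and return the
    (exporter_ip, input_ifindex, flow_src) tuples a collector would record."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as coll, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as relay:
        coll.bind(("127.0.0.1", 0))
        coll.settimeout(2)
        relay.bind((relay_ip, 0))        # the relay's sending address
        relay.sendto(pdu, coll.getsockname())
        data, (exporter_ip, _port) = coll.recvfrom(2048)
    _engine, flows = parse_pdu(data)
    # exporter_ip comes from the socket, never from the payload
    return [(exporter_ip, in_if, src) for src, _dst, in_if, _out in flows]

if __name__ == "__main__":
    # Constructed flow: entered the (imaginary) router on ifindex 3.
    print(collect_via_relay(build_pdu([("10.0.0.5", "10.0.0.9", 3, 7)])))
```

The ifindex in the record is only meaningful together with the router it belongs to, so a collector that sees every flow arriving from the relay's address cannot tell which router's interface 3 is meant.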
