--- Jonathan Glass <[EMAIL PROTECTED]> wrote:
> I gave up on using flow-fanout to distribute flows, and bought a flow
> mirroring appliance from Lancope.com

How about flow-send? Does anyone know an open-source tool to distribute flows to other collectors without modifying their contents, especially exporterip?

> Jonathan G.
>
> jay alvarez wrote:
> > Hi,
> >
> > Suppose we have a netflow collector which captures
> > raw flows using flow-scan, throws a copy of each to a
> > flow-capture listening on loopback and another copy on
> > a remote machine.
> >
> > The ip which runs flow-fanout is 192.168.1.19.
> > The ip of another collector is 192.168.1.20
> >
> > Flow-fanout was started like this:
> >
> > /usr/bin/flow-fanout 192.168.1.19/0/2054 127.0.0.1/0/2054 192.168.1.19/192.168.1.20/2054
> >
> > Flow-capture was started like this:
> >
> > /usr/bin/flow-capture -w /var/netflow/ft/all 127.0.0.1/0/2054 -S5 -V5 -e864 -n287 -N0
> >
> > Now, I have encountered several problems, which I
> > think pertain to the "Bugs" section of the flow-fanout
> > manpage:
> >
> > First, the flows being received by flow-capture now
> > have a router exporter ip of 127.0.0.1. With this, I
> > got weird netflows having random ifindex numbers above
> > 100. The same erroneous flows arrive on 192.168.1.20.
> > The manpage says this is a bug (having the exporter
> > router ip lost when using flow-fanout), and I assume
> > that this is the cause why I am getting wrong
> > ifindexes, and a workaround would be to use IP aliases
> > and the localip option. Can you please clarify how this
> > should be done, and why this bug is happening. The
> > exporterip as well as the ifindex is important to us
> > because there is an instance when a host appears at
> > the top talkers but when we ping it, it doesn't reply,
> > and we are assuming that it's either filtered or the
> > ip is spoofed. However, to find out if this is
> > spoofed, we have to find out what interface on the
> > exporter router it enters. Only that, it is not
> > possible with flows received from flow-fanout.
> >
> > That's all for now. Thanks.
>
> --
> Jonathan Glass, RHCE, MCP
> Information Security Engineer III
> OIT Information Security, Georgia Institute of Technology

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
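Added example, not part of the original thread or of flow-tools: a minimal NetFlow v5 decoder showing that the datagram itself carries the input/output ifindex but no exporter address, so a collector can only take the exporter from the UDP source address of the packet it receives. The router address 10.0.0.1, the sample flow, and the function names `build_v5` and `parse_v5` are assumptions made for illustration.

```python
import ipaddress
import struct

# NetFlow v5 layout: 24-byte header, then 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def build_v5(records):
    """Build a constructed v5 datagram from (src, dst, in_if, out_if) tuples."""
    out = V5_HEADER.pack(5, len(records), 1000, 0, 0, 1, 0, 0, 0)
    for src, dst, in_if, out_if in records:
        out += V5_RECORD.pack(
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
            0, in_if, out_if, 1, 64, 0, 0, 1024, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return out


def parse_v5(datagram, udp_source_ip):
    """Decode flows the way a collector sees them.

    No header or record field carries the exporter address; the collector
    takes it from the UDP source address, passed in as udp_source_ip.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated records")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "exporter": udp_source_ip,
            "src": str(ipaddress.IPv4Address(f[0])),
            "input_if": f[3],
            "output_if": f[4],
        })
    return flows


# Constructed sample: one flow from a router assumed to be at 10.0.0.1.
SAMPLE = build_v5([("203.0.113.7", "192.168.1.50", 3, 1)])
DIRECT = parse_v5(SAMPLE, "10.0.0.1")    # datagram arrives straight from the router
RELAYED = parse_v5(SAMPLE, "127.0.0.1")  # same bytes re-sent by a relay on loopback
```

The decoded ifindex is identical in both cases; only the exporter attribution differs, which is the field a collector needs in order to tie an ifindex back to a specific router interface.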
