Ok, the manpage says: "When the spoofing option is used multiple exporters with different IP addresses will share the same sequence number but will have the original source IP. Fixing this requires per source : destination sequence number mapping. It is much easier to just use multiple instances of flow-fanout running on different ports."

What's with the sequence number anyway? Should I care about these sequence numbers? The host running flow-fanout receives flows from multiple routers. This host also runs a flow-capture on the loopback interface. What do they mean when they say: "It is much easier to just use multiple instances of flow-fanout running on different ports."? Does this mean that I will have to assign a particular router to a particular flow-fanout port on that host, meaning running several instances of flow-capture and flow-fanout on that primary collector and also several instances of flow-capture on other collectors, which correspond to the number of router exporters we have? Will this fix the input ifindex issue?

Thanks.

--- jay alvarez <[EMAIL PROTECTED]> wrote:

> --- Jonathan Glass <[EMAIL PROTECTED]> wrote:
>
> > I gave up on using flow-fanout to distribute flows, and bought a flow
> > mirroring appliance from Lancope.com
>
> How about flow-send? Anyone who knows an open source tool to distribute
> flows to other collectors without modifying its contents, especially
> exporterip?
>
> > Jonathan G.
> >
> > jay alvarez wrote:
> > > Hi,
> > >
> > > Suppose we have a netflow collector which captures raw flows using
> > > flow-scan, throws a copy of each to a flow-capture listening on
> > > loopback and another copy on a remote machine.
> > >
> > > The ip which runs flow-fanout is 192.168.1.19.
> > > The ip of another collector is 192.168.1.20
> > >
> > > Flow-fanout was started like this:
> > >
> > > /usr/bin/flow-fanout 192.168.1.19/0/2054 127.0.0.1/0/2054 192.168.1.19/192.168.1.20/2054
> > >
> > > Flow-capture was started like this:
> > >
> > > /usr/bin/flow-capture -w /var/netflow/ft/all 127.0.0.1/0/2054 -S5 -V5 -e864 -n287 -N0
> > >
> > > Now, I have encountered several problems, which I think pertain to
> > > the "Bugs" section of the flow-fanout manpage:
> > >
> > > First, the flows being received by flow-capture now have a router
> > > exporter ip of 127.0.0.1. With this, I got weird netflows having
> > > random ifindex numbers above 100. The same erroneous flows arrive on
> > > 192.168.1.20. The manpage says this is a bug (having the exporter
> > > router ip lost when using flow-fanout), and I assume that this is
> > > the cause why I am getting wrong ifindexes, and a workaround would
> > > be to use IP aliases and the localip option. Can you please clarify
> > > how this should be done, and why this bug is happening. The
> > > exporterip as well as the ifindex is important to us because there
> > > is an instance when a host appears at the top talkers but when we
> > > ping it, it doesn't reply, and we are assuming that it's either
> > > filtered or the ip is spoofed. However, to find out if this is
> > > spoofed, we have to find out what interface on the exporter router
> > > it enters. Only that, it is not possible with flows received from
> > > flow-fanout.
> > >
> > > That's all for now. Thanks.
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam? Yahoo! Mail has the best spam protection around
> > > http://mail.yahoo.com
> > > _______________________________________________
> > > Flow-tools mailing list
> > > [EMAIL PROTECTED]
> > > http://mailman.splintered.net/mailman/listinfo/flow-tools
> >
> > --
> > Jonathan Glass, RHCE, MCP
> > Information Security Engineer III
> > OIT Information Security
> > Georgia Institute of Technology
> > Atlanta, Georgia 30332-0700
> > Office/Cell: 404-385-6900
> > Key ID: 0xAB50FF20  Size: 2048 Bits  Created: 11/17/2004
> > Fingerprint: 3CD2 1BC6 4485 720B AB45 FF3E 8B3B D6F5 AB50 FF20
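The two sentences quoted from the manpage above are easier to reason about with the NetFlow v5 header in front of you. The example below is added here and is not code from the thread or from flow-tools; it packs the real 24-byte v5 header layout, then models flow-fanout as the manpage describes it: one shared sequence counter for all relayed datagrams, with the source IP either rewritten to the fanout host or (spoofing option) kept as the original exporter. The re-sequencing model, the exporter addresses 10.0.0.1 / 10.0.0.2 and the sample datagrams are constructed assumptions. A collector that checks `flow_sequence` per exporter uses it to detect lost datagrams; the example shows that the same check produces false gaps under the spoofing option and silently hides a real loss without it.

```python
import struct

# NetFlow v5 header (24 bytes, big-endian): version, count, sys_uptime,
# unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD_LEN = 48  # each v5 flow record is 48 bytes


def build_v5_packet(flow_sequence, count):
    """Constructed v5 datagram: real header layout, zero-filled flow records."""
    header = V5_HEADER.pack(5, count, 0, 0, 0, flow_sequence, 0, 0, 0)
    return header + b"\x00" * (V5_RECORD_LEN * count)


def parse_v5_header(payload):
    """Return (count, flow_sequence) from a v5 datagram header."""
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(payload)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram: version %d" % version)
    return count, seq


def check_sequences(datagrams):
    """Per-exporter continuity check.

    datagrams: iterable of (exporter_ip, payload). In v5 flow_sequence is the
    sequence number of the first flow in the datagram, so the next datagram
    from the same exporter is expected to carry flow_sequence + count.
    Returns a list of (exporter_ip, kind, expected, got) anomalies.
    """
    expected = {}
    anomalies = []
    for src, payload in datagrams:
        count, seq = parse_v5_header(payload)
        if src in expected and seq != expected[src]:
            kind = "gap" if seq > expected[src] else "regression"
            anomalies.append((src, kind, expected[src], seq))
        expected[src] = seq + count
    return anomalies


def fanout(datagrams, spoof, relay_ip="127.0.0.1"):
    """Assumed model of flow-fanout, following the manpage text quoted in the thread:
    all relayed datagrams share one sequence counter; with spoof=False the source
    becomes the fanout host, with spoof=True the original exporter IP is kept."""
    shared_seq = 0
    out = []
    for src, payload in datagrams:
        count, _ = parse_v5_header(payload)
        out.append((src if spoof else relay_ip, build_v5_packet(shared_seq, count)))
        shared_seq += count
    return out


# Constructed sample: two exporters interleaved; exporter 10.0.0.1 really lost
# the datagram carrying flows 5 and 6 before it reached the fanout host.
SAMPLE = [
    ("10.0.0.1", build_v5_packet(0, 3)),
    ("10.0.0.2", build_v5_packet(100, 5)),
    ("10.0.0.1", build_v5_packet(3, 2)),
    ("10.0.0.2", build_v5_packet(105, 1)),
    ("10.0.0.1", build_v5_packet(7, 1)),  # flows 5..6 missing: a genuine gap
]


if __name__ == "__main__":
    print("direct from exporters:", check_sequences(SAMPLE))
    print("via fanout, no spoofing:", check_sequences(fanout(SAMPLE, spoof=False)))
    print("via fanout, spoofing:", check_sequences(fanout(SAMPLE, spoof=True)))
```

Read the three results together: fed directly, the check reports exactly one gap on 10.0.0.1. Relayed without spoofing, every datagram claims source 127.0.0.1 and the shared counter is continuous, so the real loss disappears (and, as the thread notes, so does the exporter identity the ifindex is relative to). Relayed with spoofing, the exporter IPs survive but the shared counter makes each exporter's stream look full of holes, which is the "per source : destination sequence number mapping" the manpage says would be needed; running one flow-fanout instance per exporter on its own port gives each exporter its own counter and sidesteps the problem.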
