I agree that Samplicator (http://code.google.com/p/samplicator/) is the best solution. It's protocol agnostic, and works well for any one-way UDP traffic -- Netflow, Syslog, SNMP traps, etc...
flow-fanout and flow-send can work, but they butcher the flow counter fields on the replicated packets. This impacts flow collection statistics on the device you fanned out to (i.e., it can't tell how many flows were lost). -Craig ________________________________________ From: [email protected] [[email protected]] on behalf of Volk,Gregory B [[email protected]] Sent: Wednesday, July 13, 2011 7:34 AM To: Drew Weaver; [email protected] Subject: RE: [Flow-tools] Exporting flows from one collector to another One method for doing this is to invoke flow-send after flow-capture produces a file. For instance, if I run flow-capture with these options... /opt/netflow/bin/flow-capture -p /opt/netflow/run/flow-capture.pid -N0 -V5 -w/opt/netflow/v5flows/ 0/0/2055 -n287 -S5 -d2 -z0 ....I will get a flow file every five minutes. Then, I can call flow-send like... flow-cat ft-v05.2011-07-13.071500-0500 | flow-send 0/192.168.1.105/9500 ...to forward the flows onto 192.168.1.105:9500. I think flow-send will spoof the source IP with the -s flag, but I'm not clear on what source addr it will use (exaddr?). You'll have to experiment and trace. IMHO, a better method for doing this is to use samplicator (http://www.switch.ch/network/downloads/tf-tant/samplicator/. It receives and resends packets at the UDP level and I know it supports spoofing and works for resending netflow data because I've used it for that. It is also real time and easier than calling flow-send after flow-capture drops a file. If you are not the intended recipient of this message (including attachments), or if you have received this message in error, immediately notify us and delete it and any attachments. If you no longer wish to receive e-mail from Edward Jones, please send this request to [email protected]. You must include the e-mail address that you wish not to receive e-mail communications. For important additional information related to this e-mail, visit www.edwardjones.com/US_email_disclosure ________________________________ From: [email protected] [mailto:[email protected]] On Behalf Of Drew Weaver Sent: Wednesday, July 13, 2011 6:59 AM To: [email protected] Subject: [Flow-tools] Exporting flows from one collector to another Howdy, We have hit the limit for our routers on how many devices we can export netflow to but I need to send the netflow information to one more device. I am using flowtools to collect netflow, does it have a way to send everything it receives out to another collector on an ongoing basis? thanks, -Drew _______________________________________________ Flow-tools mailing list [email protected] http://mailman.splintered.net/mailman/listinfo/flow-tools _______________________________________________ Flow-tools mailing list [email protected] http://mailman.splintered.net/mailman/listinfo/flow-tools
