Hello, I set up NetFlow reporting on a PF firewall, but there seems to be a flaw in the implementation: only global statistics about the flow are given (start time, end time, source IP/port, destination IP/port, bits in both directions, ...). So, as an example, if somebody establishes an sftp connection, downloads a file at 10 Mbps for 2 min, then waits 2 min and ends the connection, all I will see in the NetFlow report is a 5 Mbps flow, and I will never know that my 10 Mbps link was saturated.
I saw that questions about this were already posted on misc@: http://openbsd.7691.n7.nabble.com/pflow-packets-before-state-expires-td233952.html
Some diffs were even posted: http://marc.info/?l=openbsd-misc&m=124661838923498&w=2
But it seems they never made their way into the base system.

Is there any way to break up long flows into fragments, like the Cisco command "ip flow-cache timeout active" does?

--
Regards,
Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr
Before printing this e-mail, think of the environment.
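The accounting effect the post describes, as an added example that is not part of the original message and is not OpenBSD's pflow(4) or pf(4) code: a toy flow cache fed with constructed traffic (one event per second carrying 1,250,000 bytes, i.e. 10 Mbit/s, for 120 s, then 120 s of silence, then the close). With no active timeout the whole session collapses into one record averaging 5 Mbps; with a 60 s active timeout the same session is split into records whose rates show the saturated link. The flow key, the 86400 s idle timeout (pf's default tcp.established value) and the lazy "export on next packet" active timeout are assumptions of this model, not a description of how pflow or Cisco's implementation actually exports.

```python
"""Toy flow cache contrasting "one record per state" export with an
active timeout that splits long-lived flows.  Added example; not code
from the original post, from OpenBSD's pflow(4)/pf(4) or from Cisco."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FlowKey:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


@dataclass
class FlowRecord:
    key: FlowKey
    start: float   # time of the first packet counted in this record
    end: float     # time of the last packet counted in this record
    octets: int
    packets: int

    def rate_mbps(self) -> float:
        # Average rate over the record.  A single-packet record has zero
        # duration, so the duration is floored at 1 s (assumption of this
        # model) to avoid dividing by zero.
        return self.octets * 8 / max(self.end - self.start, 1.0) / 1e6


class FlowCache:
    """One in-progress record per flow key; finished records go to `exported`.

    inactive_timeout: seconds of silence after which an entry is exported.
    active_timeout:   if set, an entry older than this is exported and a
                      fresh one started when the next packet arrives (the
                      effect of Cisco's "ip flow-cache timeout active").
                      None means an entry is exported only on close or idle
                      expiry, which is what the post describes for pflow.
    """

    def __init__(self, inactive_timeout: float, active_timeout: Optional[float] = None):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.entries: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []

    def _export(self, key: FlowKey) -> None:
        self.exported.append(self.entries.pop(key))

    def _expire_idle(self, now: float) -> None:
        for key, rec in list(self.entries.items()):
            if now - rec.end >= self.inactive_timeout:
                self._export(key)

    def packet(self, now: float, key: FlowKey, octets: int, fin: bool = False) -> None:
        self._expire_idle(now)
        rec = self.entries.get(key)
        # Active timeout: close the old record and start a new one with
        # this packet, so each record covers at most active_timeout seconds.
        if (rec is not None and self.active_timeout is not None
                and now - rec.start >= self.active_timeout):
            self._export(key)
            rec = None
        if rec is None:
            rec = FlowRecord(key, now, now, 0, 0)
            self.entries[key] = rec
        rec.end = now
        rec.octets += octets
        rec.packets += 1
        if fin:                      # state closed: export immediately
            self._export(key)

    def flush(self) -> List[FlowRecord]:
        for key in list(self.entries):
            self._export(key)
        return self.exported


def sftp_download(active_timeout: Optional[float]) -> List[FlowRecord]:
    """Constructed traffic from the post's scenario: 120 s at 10 Mbit/s
    (folded into one 1,250,000-byte event per second), 120 s idle, close."""
    key = FlowKey("192.0.2.10", 22, "198.51.100.7", 40000, 6)   # assumed addresses
    cache = FlowCache(inactive_timeout=86400, active_timeout=active_timeout)
    for t in range(120):
        cache.packet(float(t), key, 1_250_000)
    cache.packet(240.0, key, 60, fin=True)   # 60-byte close after 2 min of silence
    return cache.flush()


def peak_mbps(records: List[FlowRecord]) -> float:
    return max(r.rate_mbps() for r in records)


if __name__ == "__main__":
    for label, active in (("no active timeout", None), ("active timeout 60 s", 60)):
        recs = sftp_download(active)
        print(f"{label}: {len(recs)} record(s), peak {peak_mbps(recs):.2f} Mbps")
        for r in recs:
            print(f"  {r.start:6.0f}s .. {r.end:6.0f}s  {r.octets:>11} bytes  {r.rate_mbps():6.2f} Mbps")
```

The first run yields a single 240 s record of 150,000,060 bytes, about 5 Mbps, exactly the averaging the post complains about; the second yields two 75,000,000-byte records of roughly 10 Mbps followed by a tiny record for the close. The model only shows the reporting effect of splitting records; it says nothing about where such a timer would have to live in pf or pflow.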