Hi folks,
I've set up a NetFlow collector and have begun exporting flow data from
one of my OpenBSD edge systems.
All appeared well at first glance, but I've noticed that the amount of
flow data exported appears excessive.
(i.e., my hardware router, for nearly 7-8 Gbit/s of actual traffic,
configured with a sampling rate of 768, sends around 550 flows/second.)
However, my BSD box that's forwarding 1-2 Mbit/s of traffic is
generating nearly 500 flows per second as well.
This seemed odd to me, and seems to be a sampling issue.
Is there any way to configure the sampling rate for pflow(4) interfaces?
I've gone through the man page
(http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pflow.4?query=pflow&sec=4&arch=i386)
and was unable to locate anything.
My configuration is fairly basic,
# cat /etc/hostname.pflow0
flowsrc 10.152.212.1 flowdst 10.1.26.197:9996 pflowproto 10
Then in /etc/pf.conf,
set state-defaults pflow
I believe the pf rule says to sample every packet; how can I configure
it to sample only once every n packets?
Thanks!