We are taking netflow from various Cisco devices throughout our enterprise to argus-3.0 running on OpenBSD 4.2. Unfortunately we've also got some Cisco products in our environment that require us to have netflow sent to more than 2 versions, which means we need a netflow reflector built.
I understand the "dup-to" syntax in pf.conf(5) but it may not meet the requirements for the reason that we wish not to re-write the source IP address (as our netflow aggregation depends on the source address of those packets). Has anyone ever crafted a UDP reflector which could re-write the destination address while keeping the source address intact? If you have done it using pf(4), were there any hurdles that you had to jump through to get things working?

Thanks in advance,

- Eric

--
``...don't you know, black is this year's pink.''