Hi Greg,

On 12/11/13 10:26 PM, greg whynott wrote:
> Hello,
> 
> Wondering if anyone happens to have nfcapd running on the latest version
> (2.1) of pfsense. If so, where did you get the package, and did you have
> to jump through any hoops to get it to operate?

Not sure how pfsense collects flows, other than softflowd. If it's the OpenBSD pf way, then you need to configure a pflow interface, as well as assign the pflow keyword in pf.conf for all rules which apply.

Don't know if this helps.

        - Peter
> 
> thanks for your time/responses,
> greg
> 
> 
> 
> 
> more details:
> 
> 
> I'm attempting to run nfcapd on a pfsense box (freebsd 8.3-REL-p11 amd64)
> without luck. All the cap files it creates are 'empty'. If I use
> softflowd it works as expected (but I don't want to use softflowd as it's
> killing the cpu, which apparently is a common/known issue when using it on
> multiple interfaces. We have 12 local interfaces to monitor on this device).
> 
> empty files:
> 
> [2.1-RELEASE][root@fw01]/var/netflow(103): nfdump -r nfcapd.201311121517
>
> Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> 
> 
> I've tried a few variations of the command line arguments and also attempted
> to ship the flows off to another host, which is where I ultimately want to
> get to. Here are a few:
> 
> nfcapd -w -D -p 9996 -R 10.11.0.4 -B 200000 -S 1 -z -I test -l /var/netflow/test
>
> nfcapd -R 10.11.0.4 -b 69.58.11.23 -I firewall -n firewall,69.58.11.23,/var/netflow/ -t 60 -T all
> 
> 
> 69.58.11.23 is the IP of the external interface, 10.11.0.4 is the host
> I'd like to send the flows to. /var/netflow contains files of the same
> size, with nothing in them.
> 
> -rw-r--r--  1 root  wheel  276 Nov 12 15:05 nfcapd.201311121504
> -rw-r--r--  1 root  wheel  276 Nov 12 15:06 nfcapd.201311121505
> -rw-r--r--  1 root  wheel  276 Nov 12 15:07 nfcapd.201311121506
> -rw-r--r--  1 root  wheel  276 Nov 12 15:08 nfcapd.201311121507
> 
> 
> The link is a 100 megabit link and it is busy all the time; currently it
> is doing about 80 megabits in and 30 out.
>
> syslog shows (using nfcapd -R 10.11.0.4 -b 69.58.102.156 -I firewall -n firewall,69.58.11.23,/var/netflow/ -t 60 -T all -D)
> 
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 2 byte input/output interface index
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte input/output interface index
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 2 byte src/dst AS number
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte src/dst AS number
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: dst tos, direction, src/dst mask
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv4 next hop
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv6 next hop
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv4 BGP next IP
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv6 BGP next IP
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: src/dst vlan id
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte output packets
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 8 byte output packets
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte output bytes
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 8 byte output bytes
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte aggregated flows
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 8 byte aggregated flows
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: in src/out dst mac address
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: in dst/out src mac address
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: MPLS Labels
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv4 router IP addr
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv6 router IP addr
> Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: router ID
> Nov 12 16:01:54 fw01 nfcapd[47144]: Startup.
> 
> 
> Each time I start it I see the interfaces go into promiscuous mode:
> 
> bge0: promiscuous mode enabled
> igb0_vlan116: promiscuous mode enabled
> igb0_vlan117: promiscuous mode enabled
> igb0_vlan118: promiscuous mode enabled
> igb0_vlan119: promiscuous mode enabled
> igb0_vlan120: promiscuous mode enabled
> igb0_vlan111: promiscuous mode enabled
> igb0_vlan112: promiscuous mode enabled
> igb0_vlan113: promiscuous mode enabled
> igb0_vlan114: promiscuous mode enabled
> igb0_vlan115: promiscuous mode enabled
> bge0: promiscuous mode enabled
> 
> 
> 
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
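
What the pflow setup mentioned in the reply looks like on OpenBSD, as an added example that is not part of the original message. The collector 10.11.0.4, port 9996 and the nfcapd flags are taken from the quoted message; the source address 192.0.2.1 and interface em0 are placeholder assumptions.

```conf
# Added example for OpenBSD pf with pflow(4); not from the original thread.
# 10.11.0.4:9996 is the collector host and port quoted in the message.
# 192.0.2.1 (firewall address) and em0 (interface) are placeholders.

# --- /etc/hostname.pflow0: creates the export interface at boot ---
flowsrc 192.0.2.1 flowdst 10.11.0.4:9996

# --- /etc/pf.conf ---
# Option A: export every state that pf creates.
set state-defaults pflow

# Option B (instead of A): export only states created by selected rules.
pass in on em0 keep state (pflow)

# --- on the collector (10.11.0.4): listen for the exported flows ---
# nfcapd -w -D -p 9996 -l /var/netflow/test
```

States created by rules that do not carry the pflow option are not exported, which is why the keyword has to be assigned to every rule whose traffic should show up in the collector.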
