-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Maurizio
- --On February 19, 2008 15:08:05 +0000 Maurizio Molina <[EMAIL PROTECTED]>
wrote:
| Peter Haag wrote:
| > Hi Maurizio,
| >
| > --On February 19, 2008 12:35:24 +0000 Maurizio Molina <[EMAIL PROTECTED]>
wrote:
| >
| > | Hi again,
| > | I'm starting to suspect that the occasional flow losses I'm seeing in
| > | nfsen are caused by the flow-tools flow-fanout that I placed in front of
| > | nfcapd. Actually, my (average) flow rate into the collector is around
| > | 1Mbit/s (but flows come in big bursts...), and then I had 5 internal
| > | fanouts on the loopback interface (so 6 Mbit/s of traffic to handle).
| > | Now I removed three of these five fanouts, and I'll see how it goes.
| > |
| > | Can I ask the list:
| > |
| > | 1) if anybody using flow-fanout to duplicate flows before nfcapd had
| > | ever noted flow losses because of it
| > | 2) are there other flow fan-out tools that can be used? how do they
| > | perform? (e.g. what about samplicator? will it support v9?)
| >
| Hi Peter,
| a few clarifications:
| > With nfcapd, you can daisy-chain a netflow stream. Using -R to repeat
| > the received UDP packet to another host. The additional args ( -R )
| > for nfcapd can be specified in the %sources array as 'optarg'
| 1) I assume in the above you are describing the case where nfcapd is started
through nfsen (thus you're referring to the
No - that's a feature of nfcapd, regardless who starts the collector.
| nfsen.conf file, right?). Do you have a small example for what you suggest?
| Note: I have packets from several routers on different ports, and would like
to keep this separation (e.g. all packets from
| X.X.X.X:11111 go to Y.Y.Y.Y:21111)
|
| 2) if I want to do the above manually (e.g. because I don't wan to run nfsen
on the fanout host), and keep the port
| separation , do I have to write, in the example above, nfcapd.... -p 11111 -R
Y.Y.Y.Y/21111 ?
|
| 3) is it possible to force the IP src of the replicated udp packet to remain
the same (like the spoofing option of
| flow-tools)?
|
| 4) can the destination host be also the loopback interface?
For all your additional requirements you describe above, you would need
samplicator, which does all these jobs.
- Peter
|
| Thanks,
| Maurizio
|
| >
| > samplicator itself works fine too. As it works on UDP packet level, the
| > netflow version is not relevant. ( as it is not for -R with nfcapd )
| >
| > Use nfcapd for simple daisy-chains and samplicator, if you need more than
| > a single repeated stream.
| >
| > - Peter
| >
| > |
| > | Thanks,
| > | Maurizio
| > |
| > |
| > | -------------------------------------------------------------------------
| > | This SF.net email is sponsored by: Microsoft
| > | Defy all challenges. Microsoft(R) Visual Studio 2008.
| > | http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
| > | _______________________________________________
| > | Nfsen-discuss mailing list
| > | [email protected]
| > | https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
| >
| >
| >
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iQCVAwUBR70o7f5AbZRALNr/AQLTtwQAmFGd8cPhgMuZNj/9Gb8UMeq/N98v0xIP
+yOpYyXqaGAy+SAuYKoxflsYbJ0cd23iIexR3MOZcvjYpYkqgUBgrdxq38tAt4Pk
KK3oRH/q6V50+75Fo7gMfMX53T+KM5H7znutbJhpd3wlpU7+GzYCntEroiVzI4uq
aq9ocva9Z0Q=
=1mfT
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
