On 4/14/05, Michael W. Lucas <[EMAIL PROTECTED]> wrote: > On Wed, Apr 13, 2005 at 07:55:22PM +0100, Kimi Ostro wrote: > > On 4/11/05, Michael W. Lucas <[EMAIL PROTECTED]> wrote: > > > Hi, > > > > > > I'm trying to duplicate packets matching one particular rule. > > > > > > Background: I have softflowd running on OpenBSD 3.5 i386. This is > > > exporting flows to a logging host. Works beautifully. > > > > > > The old logging host is being replaced. I would like to run the two > > > logging hosts in parallel temporarily, until I'm sure all the bugs are > > > out of the new one. > > > > > > While I could fire up a second instance of softflowd, it seems like > > > this would be a good application of dup-to. I don't want to duplicate > > > the entire mass of traffic going through this box, just the netflow > > > packets. > > > > > > pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to > > > ($int_if a.b.c.252) > > > > > Should probably read: > > pass out on $int_if proto udp from any to a.b.c.251 port 8641 (dup-to > > a.b.c.252) > > Thanks, but that doesn't do it either. :-( Any other suggestions? > > The rule parses perfectly if I put a # sign right before the dup-to, > so I know the rest of it is correct. > > I'm sending this duplicate out via the same interface as the original > packet, could that be the problem? The samples tend to show people > dumping traffic over a different NIC, but that won't work in this > case. Since netflow transmission is stateless I wasn't expecting any > sort of trouble, but I freely admit that lots of people here know more > than I do. :-) > > ==ml > > -- > Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED] > http://www.BlackHelicopters.org/~mwlucas/ > Latest book: Cisco Routers for the Desperate > http://www.CiscoRoutersForTheDesperate.com >
After doing a little more reading, the syntax is wrong on our parts, try: pass out on $int_if dup-to ($int_if a.b.c.252) proto udp from any to a.b.c.251 port 8641 Kimi -- spamassassinexception
