Re: Pflow granularity
> > Hi, have you tried the diff by yourself?
>
> I can't remember. Someone else was working on that at the same time back then, if I remember correctly. But it might still work. If it does, report back, I might pick the topic up again.
>
> /Benno

I patched it yesterday night and it seems to work. I have an issue with UDP flows sometimes. The flow data comes multiple times. But I have no idea yet.

Thomas

This message was sent using webmail of www.tbits.net.
Re: Pflow granularity
Hi Benno,

have you tried the diff by yourself?

Thanks

Thomas

On 2018-12-06 21:14, Sebastian Benoit wrote:
> Thomas Boernert(m...@tbits.net) on 2018.12.06 18:11:17 +0100:
> > Hi,
> >
> > I found this old thread and I have the same problem. I need an active
> > timeout of the NetFlow data.
> >
> > I found this patch
> > http://marc.info/?l=openbsd-misc&m=124661838923498&w=2
> > with which I can set "set timeout pflowexport 60", for example.
> >
> > Has anyone tried that?
> >
> > Sebastian Benoit wrote:
> > > however right now some people are working on something similar.
> >
> > Is there another solution?
>
> No, the other solution never happened.
>
> By all means, try the diff, maybe it still works.
>
> /Benno
Re: Pflow granularity
Thomas Boernert(m...@tbits.net) on 2018.12.06 18:11:17 +0100:
> Hi,
>
> I found this old thread and I have the same problem. I need an active
> timeout of the NetFlow data.
>
> I found this patch
> http://marc.info/?l=openbsd-misc&m=124661838923498&w=2
> with which I can set "set timeout pflowexport 60", for example.
>
> Has anyone tried that?
>
> Sebastian Benoit wrote:
> > however right now some people are working on something similar.
>
> Is there another solution?

No, the other solution never happened.

By all means, try the diff, maybe it still works.

/Benno
Re: Pflow granularity
Hi,

I found this old thread and I have the same problem. I need an active timeout of the NetFlow data.

I found this patch
http://marc.info/?l=openbsd-misc&m=124661838923498&w=2
with which I can set "set timeout pflowexport 60", for example.

Has anyone tried that?

Sebastian Benoit wrote:
> however right now some people are working on something similar.

Is there another solution?

Thanks

Thomas
Re: Pflow granularity
2014-06-24 13:50 GMT+02:00 Sebastian Benoit:
> Tristan PILAT(tristan.pi...@gmail.com) on 2014.06.24 11:04:35 +0200:
> > I noticed the same problems in my reports
> >
> > Why was this diff not imported?
>
> you'll have to ask joerg. :)
>
> however right now some people are working on something similar.

Very happy to read that :) Looking forward to knowing more about that.
Re: Pflow granularity
Tristan PILAT(tristan.pi...@gmail.com) on 2014.06.24 11:04:35 +0200:
> 2014-06-04 16:37 GMT+02:00 Stuart Henderson:
> > On 2014-06-02, Andy wrote:
> > > I think you might have to try softflowd instead of the built-in sflowd..
> > >
> > > These guys had the same problem and moved to softflowd to allow them to
> > > analyse DDoS traffic with netflow..
> > >
> > > https://ripe68.ripe.net/presentations/276-DDoS.pdf
> >
> > see also the video from UKNOF28, though my understanding was that a
> > big part of the reason for softflowd was to capture stats from blocked
> > packets.
>
> I noticed the same problems in my reports
>
> Why was this diff not imported?

you'll have to ask joerg. :)

however right now some people are working on something similar.
Re: Pflow granularity
2014-06-04 16:37 GMT+02:00 Stuart Henderson:
> On 2014-06-02, Andy wrote:
> > I think you might have to try softflowd instead of the built-in sflowd..
> >
> > These guys had the same problem and moved to softflowd to allow them to
> > analyse DDoS traffic with netflow..
> >
> > https://ripe68.ripe.net/presentations/276-DDoS.pdf
>
> see also the video from UKNOF28, though my understanding was that a
> big part of the reason for softflowd was to capture stats from blocked
> packets.

I noticed the same problems in my reports

Why was this diff not imported?
http://marc.info/?l=openbsd-misc&m=124661838923498&w=2

After all, that was a great idea.
Re: Pflow granularity
On 2014-06-02, Andy wrote:
> I think you might have to try softflowd instead of the built-in sflowd..
>
> These guys had the same problem and moved to softflowd to allow them to
> analyse DDoS traffic with netflow..
>
> https://ripe68.ripe.net/presentations/276-DDoS.pdf

see also the video from UKNOF28, though my understanding was that a
big part of the reason for softflowd was to capture stats from blocked
packets.
Re: Pflow granularity
Hello,

Many thanks for the idea, I didn't know about softflowd.
But I wonder if it is "production ready":
* It seems there are no new developments: https://code.google.com/p/softflowd/source/list
* The TODO list is quite long, and has not moved since 2007.
* The counters are not 64 bit, thus flows are limited to 2 Gb
* There is no multiple interface support, all flows are exported with IfIndex 0

I am testing it anyway, it gives me correct graphs with -t maxlife=60.
It's really sad that pflow doesn't have such an option, it would be perfect.

--
Regards,

Pierre BARDOU

-----Original message-----
From: Andy [mailto:a...@brandwatch.com]
Sent: Monday, 2 June 2014 18:01
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: Pflow granularity

I think you might have to try softflowd instead of the built-in sflowd..

These guys had the same problem and moved to softflowd to allow them to analyse DDoS traffic with netflow..

https://ripe68.ripe.net/presentations/276-DDoS.pdf

Cheers, Andy.

On Mon 02 Jun 2014 14:38:33 BST, BARDOU Pierre wrote:
> Hello,
>
> I set up NetFlow reporting on a PF firewall, but there seems to be a flaw in
> the implementation: only global statistics about the flow are given (start
> time, end time, IP/port source, IP/port dest, bits in both ways, ...). So as
> an example if somebody establishes an sftp connection, downloads a file @10
> Mbps for 2 mins, then waits 2 min and ends the connection, all I will see in
> the netflow report is a 5 Mbps flow, and I will never know that my 10 Mbps
> link was saturated.
>
> I saw questions about this were already posted on misc@:
> http://openbsd.7691.n7.nabble.com/pflow-packets-before-state-expires-td233952.html
>
> Some diffs were even posted:
> http://marc.info/?l=openbsd-misc&m=124661838923498&w=2
>
> But it seems they never made their way to the base system.
>
> Is there any way to break up long flows into fragments, like the Cisco command
> "ip flow-cache timeout active" does?
>
> --
> Regards,
>
> Pierre BARDOU
> Network engineer - P2I Infrastructure
> 05 67 69 71 84
>
> MiPih
> 12, rue Michel Labrousse - BP93668
> 31036 TOULOUSE Cedex 1
> www.mipih.fr
>
> Before printing this e-mail, think of the environment
Re: Pflow granularity
I think you might have to try softflowd instead of the built-in sflowd..

These guys had the same problem and moved to softflowd to allow them to analyse DDoS traffic with netflow..

https://ripe68.ripe.net/presentations/276-DDoS.pdf

Cheers, Andy.

On Mon 02 Jun 2014 14:38:33 BST, BARDOU Pierre wrote:
> Hello,
>
> I set up NetFlow reporting on a PF firewall, but there seems to be a flaw in
> the implementation: only global statistics about the flow are given (start
> time, end time, IP/port source, IP/port dest, bits in both ways, ...). So as
> an example if somebody establishes an sftp connection, downloads a file @10
> Mbps for 2 mins, then waits 2 min and ends the connection, all I will see in
> the netflow report is a 5 Mbps flow, and I will never know that my 10 Mbps
> link was saturated.
>
> I saw questions about this were already posted on misc@:
> http://openbsd.7691.n7.nabble.com/pflow-packets-before-state-expires-td233952.html
>
> Some diffs were even posted:
> http://marc.info/?l=openbsd-misc&m=124661838923498&w=2
>
> But it seems they never made their way to the base system.
>
> Is there any way to break up long flows into fragments, like the Cisco command
> "ip flow-cache timeout active" does?
>
> --
> Regards,
>
> Pierre BARDOU
> Network engineer - P2I Infrastructure
> 05 67 69 71 84
>
> MiPih
> 12, rue Michel Labrousse - BP93668
> 31036 TOULOUSE Cedex 1
> www.mipih.fr
>
> Before printing this e-mail, think of the environment
Pflow granularity
Hello,

I set up NetFlow reporting on a PF firewall, but there seems to be a flaw in the implementation: only global statistics about the flow are given (start time, end time, IP/port source, IP/port dest, bits in both ways, ...). So as an example if somebody establishes an sftp connection, downloads a file @10 Mbps for 2 mins, then waits 2 min and ends the connection, all I will see in the netflow report is a 5 Mbps flow, and I will never know that my 10 Mbps link was saturated.

I saw questions about this were already posted on misc@:
http://openbsd.7691.n7.nabble.com/pflow-packets-before-state-expires-td233952.html

Some diffs were even posted:
http://marc.info/?l=openbsd-misc&m=124661838923498&w=2

But it seems they never made their way to the base system.

Is there any way to break up long flows into fragments, like the Cisco command "ip flow-cache timeout active" does?

--
Regards,

Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84

MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr

Before printing this e-mail, think of the environment
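The scenario in the question above, modelled as an added example (not code from the thread, from OpenBSD's pflow, or from softflowd): a small flow cache that exports one record per state when the state closes, which is how the thread describes pflow behaving, next to the same cache with a 60 s active timeout, the behaviour the quoted patch's "set timeout pflowexport 60", softflowd's -t maxlife=60 and Cisco's "ip flow-cache timeout active" are asked for. Without the active timeout the collector derives 5 Mbit/s over four minutes; with it, the two 60 s records show the 10 Mbit/s saturation and the idle period shows as no traffic. The traffic, addresses and ports, and the one-second floor used to rate single-packet records are constructed assumptions; timestamps are integer microseconds so the record boundaries are exact.

```python
"""Flow-cache model: export on state close (as the thread describes pflow)
versus export with an active timeout. Added example, not code from OpenBSD,
pflow or softflowd. All timestamps are integer microseconds."""
from dataclasses import dataclass
from typing import Optional

US = 1_000_000  # microseconds per second


@dataclass
class FlowRecord:
    key: tuple          # (src, sport, dst, dport, proto)
    first: int          # time of first packet in this record, us
    last: int           # time of last packet in this record, us
    octets: int = 0
    packets: int = 0

    def mbps(self) -> float:
        """Average rate a collector derives from this record alone.
        Assumption: records shorter than one second are rated over one
        second, so a lone FIN does not show up as an infinite rate."""
        duration = max(self.last - self.first, US) / US
        return self.octets * 8 / duration / 1e6


class FlowCache:
    """Timeouts in microseconds; None disables that check.
    FlowCache(None, None) only exports in close(), i.e. one record per
    state, the behaviour the thread complains about."""

    def __init__(self, active_timeout: Optional[int], inactive_timeout: Optional[int]):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.cache: dict = {}
        self.exported: list = []

    def _export(self, key: tuple) -> None:
        self.exported.append(self.cache.pop(key))

    def _expire_idle(self, now: int) -> None:
        if self.inactive_timeout is None:
            return
        for key, rec in list(self.cache.items()):
            if now - rec.last >= self.inactive_timeout:
                self._export(key)

    def packet(self, ts: int, key: tuple, octets: int) -> None:
        self._expire_idle(ts)
        rec = self.cache.get(key)
        # Active timeout: the state is still alive, but the record is cut
        # here so the collector sees the flow in time slices.
        if rec is not None and self.active_timeout is not None \
                and ts - rec.first >= self.active_timeout:
            self._export(key)
            rec = None
        if rec is None:
            rec = FlowRecord(key, ts, ts)
            self.cache[key] = rec
        rec.last = ts
        rec.octets += octets
        rec.packets += 1

    def close(self, key: tuple) -> None:
        """State torn down (FIN/RST seen): export whatever is left."""
        if key in self.cache:
            self._export(key)


def sftp_scenario():
    """Constructed traffic matching the question: 1500-byte packets at
    10 Mbit/s for 120 s, 120 s of silence, then a 60-byte FIN at t=240 s."""
    key = ("10.0.0.5", 52000, "192.0.2.10", 22, 6)   # constructed 5-tuple
    size = 1500
    interval = size * 8 * US // 10_000_000           # 1200 us between packets
    pkts = [(i * interval, size) for i in range(120 * US // interval)]
    pkts.append((240 * US, 60))
    return key, pkts


def export_records(active_timeout: Optional[int], inactive_timeout: Optional[int]):
    key, pkts = sftp_scenario()
    fc = FlowCache(active_timeout, inactive_timeout)
    for ts, size in pkts:
        fc.packet(ts, key, size)
    fc.close(key)
    return fc.exported


def peak_mbps(records) -> float:
    """Highest rate any single record reveals to the collector."""
    return max(r.mbps() for r in records)


if __name__ == "__main__":
    for label, recs in (("export on state close", export_records(None, None)),
                        ("60 s active / 60 s inactive", export_records(60 * US, 60 * US))):
        print(label)
        for r in recs:
            print(f"  {r.first / US:6.1f}s -> {r.last / US:6.1f}s  "
                  f"{r.octets:>10} bytes  {r.mbps():6.2f} Mbit/s")
```

The inactive timeout is what makes the idle two minutes visible as a gap between records rather than as trailing time that dilutes the average; the active timeout alone already splits the download into 60 s slices. A collector that alerts on link saturation has to be fed records from the second configuration; the first can only ever report the average over the life of the state.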