Re: dup-to problem with specific packets
On Wed, Apr 13, 2005 at 07:55:22PM +0100, Kimi Ostro wrote:
> On 4/11/05, Michael W. Lucas [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I'm trying to duplicate packets matching one particular rule.
> >
> > Background: I have softflowd running on OpenBSD 3.5 i386. This is exporting flows to a logging host. Works beautifully.
> >
> > The old logging host is being replaced. I would like to run the two logging hosts in parallel temporarily, until I'm sure all the bugs are out of the new one.
> >
> > While I could fire up a second instance of softflowd, it seems like this would be a good application of dup-to. I don't want to duplicate the entire mass of traffic going through this box, just the netflow packets.
> >
> > pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)
>
> Should probably read:
>
> pass out on $int_if proto udp from any to a.b.c.251 port 8641 (dup-to a.b.c.252)

Thanks, but that doesn't do it either. :-(

Any other suggestions? The rule parses perfectly if I put a # sign right before the dup-to, so I know the rest of it is correct.

I'm sending this duplicate out via the same interface as the original packet, could that be the problem? The samples tend to show people dumping traffic over a different NIC, but that won't work in this case.

Since netflow transmission is stateless I wasn't expecting any sort of trouble, but I freely admit that lots of people here know more than I do. :-)

==ml

--
Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com
Re: dup-to problem with specific packets
On Sun, Apr 10, 2005 at 11:18:58PM -0400, Michael W. Lucas wrote:
> Hi,
>
> I'm trying to duplicate packets matching one particular rule.
>
> Background: I have softflowd running on OpenBSD 3.5 i386. This is exporting flows to a logging host. Works beautifully.
>
> The old logging host is being replaced. I would like to run the two logging hosts in parallel temporarily, until I'm sure all the bugs are out of the new one.
>
> While I could fire up a second instance of softflowd, it seems like this would be a good application of dup-to. I don't want to duplicate the entire mass of traffic going through this box, just the netflow packets.
>
> pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)
>
> (port number changed to protect the guilty, of course)
>
> pfctl -nf gives me a syntax error on line 80, but won't be specific on what the problem is.
>
> Any suggestions? Or am I just outright misunderstanding dup-to?

dup-to goes in the same spot as route-to and reply-to, so:

pass out on $int_if dup-to ($int_if a.b.c.252) inet proto udp \
    from any to a.b.c.251 port = 8641

appears to be the correct syntax here (3.6 GENERIC#0 sparc64)

-j

--
Contestant: I'll take the dying boy to block.
Tom Bergeron: Ok, Jeremy... is there anything lower than absolute zero?
Jeremy: Uhh, yeah... my white cell count.
--Family Guy
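
Added example (not part of the thread, and not OpenBSD project code): a small lint for the placement rule described in the reply above, run over the three rules quoted in this thread. It assumes the OpenBSD 3.5/3.6-era rule layout in which the routing option sits between `on <interface>` and the address family, protocol and host part; `lint_pf_route_pos` and `sample_rules` are hypothetical names.

```shell
#!/bin/sh
# Assumed rule layout (OpenBSD 3.5/3.6-era pf.conf grammar, per the reply above):
#   action [in|out] [log] [quick] [on ifspec] [route] [af] [protospec] hosts ...
# lint_pf_route_pos is a hypothetical helper: it reads pf rules on stdin and
# prints "LINE: KEYWORD after TOKEN" when route-to/reply-to/dup-to is misplaced.
lint_pf_route_pos() {
    awk '
    {
        sub(/[#].*/, "")                  # drop comments
        if (start == 0) start = NR        # first physical line of this rule
        if (sub(/\\[ \t]*$/, "")) {       # trailing backslash: rule continues
            buf = buf " " $0
            next
        }
        rule = buf " " $0; first = start
        buf = ""; start = 0
        gsub(/[()]/, " ", rule)           # so that "(dup-to" still tokenises
        n = split(rule, tok, /[ \t]+/)
        late = ""                         # first af/proto/host keyword seen
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^(inet|inet6|proto|from|to|all)$/ && late == "") {
                late = tok[i]
            } else if (tok[i] ~ /^(route-to|reply-to|dup-to)$/) {
                if (late != "")
                    printf "%d: %s after %s\n", first, tok[i], late
                break
            }
        }
    }'
}

# Sample input: the three rules quoted in the thread.
sample_rules() {
    cat <<'EOF'
pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)
pass out on $int_if proto udp from any to a.b.c.251 port 8641 (dup-to a.b.c.252)
pass out on $int_if dup-to ($int_if a.b.c.252) inet proto udp \
    from any to a.b.c.251 port = 8641
EOF
}

sample_rules | lint_pf_route_pos
```

The lint only checks keyword order; `pfctl -nf` remains the authoritative parse check for the ruleset.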
Re: dup-to problem with specific packets
On 4/14/05, Michael W. Lucas [EMAIL PROTECTED] wrote:
> On Wed, Apr 13, 2005 at 07:55:22PM +0100, Kimi Ostro wrote:
> > On 4/11/05, Michael W. Lucas [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > I'm trying to duplicate packets matching one particular rule.
> > >
> > > Background: I have softflowd running on OpenBSD 3.5 i386. This is exporting flows to a logging host. Works beautifully.
> > >
> > > The old logging host is being replaced. I would like to run the two logging hosts in parallel temporarily, until I'm sure all the bugs are out of the new one.
> > >
> > > While I could fire up a second instance of softflowd, it seems like this would be a good application of dup-to. I don't want to duplicate the entire mass of traffic going through this box, just the netflow packets.
> > >
> > > pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)
> >
> > Should probably read:
> >
> > pass out on $int_if proto udp from any to a.b.c.251 port 8641 (dup-to a.b.c.252)
>
> Thanks, but that doesn't do it either. :-(
>
> Any other suggestions? The rule parses perfectly if I put a # sign right before the dup-to, so I know the rest of it is correct.
>
> I'm sending this duplicate out via the same interface as the original packet, could that be the problem? The samples tend to show people dumping traffic over a different NIC, but that won't work in this case.
>
> Since netflow transmission is stateless I wasn't expecting any sort of trouble, but I freely admit that lots of people here know more than I do. :-)
>
> ==ml
>
> --
> Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
> http://www.BlackHelicopters.org/~mwlucas/
> Latest book: Cisco Routers for the Desperate
> http://www.CiscoRoutersForTheDesperate.com

After doing a little more reading, the syntax is wrong on our parts, try:

pass out on $int_if dup-to ($int_if a.b.c.252) proto udp from any to a.b.c.251 port 8641

Kimi

--
spamassassinexception
Re: dup-to problem with specific packets
On 4/11/05, Michael W. Lucas [EMAIL PROTECTED] wrote:
> Hi,
>
> I'm trying to duplicate packets matching one particular rule.
>
> Background: I have softflowd running on OpenBSD 3.5 i386. This is exporting flows to a logging host. Works beautifully.
>
> The old logging host is being replaced. I would like to run the two logging hosts in parallel temporarily, until I'm sure all the bugs are out of the new one.
>
> While I could fire up a second instance of softflowd, it seems like this would be a good application of dup-to. I don't want to duplicate the entire mass of traffic going through this box, just the netflow packets.
>
> pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)

Should probably read:

pass out on $int_if proto udp from any to a.b.c.251 port 8641 (dup-to a.b.c.252)

> (port number changed to protect the guilty, of course)
>
> pfctl -nf gives me a syntax error on line 80, but won't be specific on what the problem is.
>
> Any suggestions? Or am I just outright misunderstanding dup-to?
>
> Thanks,

With regards

> ==ml
>
> --
> Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
> http://www.BlackHelicopters.org/~mwlucas/
> Latest book: Cisco Routers for the Desperate
> http://www.CiscoRoutersForTheDesperate.com

Kimi

PS. Still awaiting this NetBSD book ;o)

--
spamassassinexception
dup-to problem with specific packets
Hi,

I'm trying to duplicate packets matching one particular rule.

Background: I have softflowd running on OpenBSD 3.5 i386. This is exporting flows to a logging host. Works beautifully.

The old logging host is being replaced. I would like to run the two logging hosts in parallel temporarily, until I'm sure all the bugs are out of the new one.

While I could fire up a second instance of softflowd, it seems like this would be a good application of dup-to. I don't want to duplicate the entire mass of traffic going through this box, just the netflow packets.

pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)

(port number changed to protect the guilty, of course)

pfctl -nf gives me a syntax error on line 80, but won't be specific on what the problem is.

Any suggestions? Or am I just outright misunderstanding dup-to?

Thanks,
==ml

--
Michael W. Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com