ng_netflow and BGP

William Waites wwaites at tardis.ed.ac.uk
Thu Apr 2 08:10:32 UTC 2015 

On Thu, 02 Apr 2015 10:07:29 +0900, "Paul S." <contact at winterei.se> said:

    > [pmacct's] use of 'return' (with no args) on functions that are
    > meant to return an int flat out makes it unable to compile on
    > FreeBSD.

Yes, I found that surprising that any modern C compiler would tolerate
that at all.

    > If you fix those by hand, it compiles, but just seems to
    > segfault -- I didn't get the time to look into it further with
    > GDB.

I also fixed this by hand but it does not segfault for me. I'll try to
make a proper patch for the ports tree and submit it in the next few
days.

One thing that it cannot not do is simply put the required information
into the flow messages and forward them on. This is a bit hard to do
for Netflow V9 because in general it means mangling the templates as
well as the flow messages themselves and according to the author the
main use case in "tee" mode is simply splitting the flow and doing
nothing else which translates to about one order of magnitude of
throughput. So you can either use nfacctd to compute aggregates, or
you can use it to split/copy flow data but you cannot use it to enrich
the data and then do the computations after the fact with standard
tools like nfdump or flow-tools.

It also seems to get confused by multiple BGP sessions (IPv4 and IPv6)
with the same router-id, as you have to do with BIRD because it does
not support a single session with multiple address families. This
causes one or the other protocol to be mis-classified depending on
which session it has decided to use. I may have mis-diagnosed this
problem, but definitely something of the kind appears to happen.

This is all on top of consuming extra RAM for BGP tables on the
collector which is just unnecessary.

    > As to the ng_netflow hook, +1, excellent idea.

Great!

-w
--
William Waites <wwaites at tardis.ed.ac.uk>  |  School of Informatics
   http://tardis.ed.ac.uk/~wwaites/       | University of Edinburgh
       http://www.hubs.net.uk/            |      HUBS AS60241

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20150402/2388d4b9/attachment.sig>

More information about the freebsd-net mailing list