ng_netflow

[Eugene M. Zheganin]

Hi.

I'm using ng_netflow along with flow-tools to collect traffic statistics.
What is bothering me, is that I constantly see lost flow. What is even
more weird - is that ng_netflow and flow-capture are on the same host,
and are communication via lo0:

May 26 18:33:16 balancer1 flow-capture[67265]: ftpdu_seq_check():
src_ip=127.0.0.1 dst_ip=49.51.57.55 d_version=5 expect
ing=2033661856 received=2033666446 lost=4590
May 26 18:33:17 balancer1 flow-capture[67265]: ftpdu_seq_check():
src_ip=127.0.0.1 dst_ip=0.0.0.0 d_version=5 expecting=
2033666446 received=2033666476 lost=30
May 26 18:33:17 balancer1 flow-capture[67265]: ftpdu_seq_check():
src_ip=127.0.0.1 dst_ip=49.52.48.48 d_version=5 expect
ing=2033461677 received=2033666926 lost=205249
May 26 18:33:17 balancer1 flow-capture[67265]: ftpdu_seq_check():
src_ip=127.0.0.1 dst_ip=0.0.0.0 d_version=5 expecting=
2033666926 received=2033666956 lost=30

Plus I see weird IPs like "dst_ip=0.0.0.0" or "dst_ip=0.2.0.4".
Can someone point me what m I doing wrong ?

I configure the netflow like this:

/usr/sbin/ngctl -f- <<-SEQ
    mkpeer bge0: netflow lower iface0
    name bge0:lower netflow

    connect bge0: netflow: upper out0

    connect bge1: netflow: lower iface1
    connect bge1: netflow: upper out1

    msg netflow: setconfig { iface=0 conf=63 }
    msg netflow: setconfig { iface=1 conf=63 }

    msg netflow: setmtu { mtu=16384 }

    mkpeer netflow: ksocket export inet/dgram/udp
    msg netflow:export connect inet/127.0.0.1:4444
    name netflow:export ksocket
SEQ

By the way setting MTU to 16384 doesn't change the packet size as
tcpdump sees it on lo0.

Thanks.
Eugene.