netgraph with ng_netflow and ng_bridge nodes
petru garstea
peter.garshtja at ambient-md.com
Sat Feb 6 16:10:34 UTC 2021
Greetings,
I have come up with a graph with no use of ng_tee, ng_hub or ng_one2many.
Also I validated the flows on a collector.
In case anybody has the same use case, I am sharing the graph:
mkpeer re0: netflow lower iface0
name re0:lower netflow
connect re0: netflow: upper out1
mkpeer netflow: bridge out0 link0
name netflow:out0 re0bridge
connect re0bridge: netflow: link1 iface1
mkpeer re0bridge: eiface link2 ether
name re0bridge:link2 ng0
mkpeer netflow: ksocket export9 inet/dgram/udp
msg re0: setpromisc 1
msg re0: setautosrc 0
msg netflow: setconfig {iface=0 conf=11}
msg netflow: setconfig {iface=1 conf=11}
msg netflow:export9 connect inet/${collector_ip}:${port}
Cheers,
Petru Garstea
On 2/2/21 3:26 PM, Lutz Donnerhacke wrote:
> On Tue, Feb 02, 2021 at 09:16:49PM +0100, Lutz Donnerhacke wrote:
>> fxp0.lower -- iface0.netgraph.out0 -- link1.bridge.link2 -- upper.fxp0
>> \.link3 -- ether.eiface
> The strange thing is, that both fxp0 and eiface provide an interface to the
> kernel IP stack. This is confusing (for the kernel).
>
> I'd like to point you to ng_tee instead of ng_bridge for a read only access
> to the communication (depending on the direction). Even ng_one2many or
> ng_hub might be a better solution.
>
> If you only need the eiface to attach tcpdump, you can omit it completely,
> because tcpdump is able to sniff on the fxp0 even if the netgraph hooks are
> set.
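
Added example, not part of the original message and not the author's code: a small Python replay of the mkpeer/name/connect commands from the graph above that resolves each path and prints the resulting hook-to-hook links, so the wiring can be checked before it is fed to ngctl. The function name build_graph and the "<unnamed ...>" labels are hypothetical, re0 is assumed to exist already as an ng_ether node, and only the single-hook paths used in the message are handled.

```python
# Topology commands copied from the message above (control messages omitted).
SCRIPT = """\
mkpeer re0: netflow lower iface0
name re0:lower netflow
connect re0: netflow: upper out1
mkpeer netflow: bridge out0 link0
name netflow:out0 re0bridge
connect re0bridge: netflow: link1 iface1
mkpeer re0bridge: eiface link2 ether
name re0bridge:link2 ng0
mkpeer netflow: ksocket export9 inet/dgram/udp
"""

def build_graph(script, existing=("re0",)):
    """Replay mkpeer/name/connect; return {(node, hook): (peer, peerhook)}."""
    label = list(existing)                      # node id -> display label
    names = {n: i for i, n in enumerate(label)} # assigned name -> node id
    hooks = {}                                  # (id, hook) -> (id, peerhook)

    def resolve(path):
        # "name:" addresses a node, "name:hook" the node across that hook.
        name, _, hook = path.partition(":")
        return hooks[(names[name], hook)][0] if hook else names[name]

    def link(a, ahook, b, bhook):
        for end in ((a, ahook), (b, bhook)):
            if end in hooks:
                raise ValueError("hook already in use: %s.%s" % (label[end[0]], end[1]))
        hooks[(a, ahook)], hooks[(b, bhook)] = (b, bhook), (a, ahook)

    for line in script.splitlines():
        cmd, *args = line.split()
        if cmd == "mkpeer":                     # mkpeer path type hook peerhook
            label.append("<unnamed %s>" % args[1])
            link(resolve(args[0]), args[2], len(label) - 1, args[3])
        elif cmd == "connect":                  # connect path relpath hook peerhook
            link(resolve(args[0]), args[2], resolve(args[1]), args[3])
        elif cmd == "name":                     # name path newname
            node = resolve(args[0])
            names[args[1]] = node
            label[node] = args[1]
    return {(label[a], h): (label[b], ph) for (a, h), (b, ph) in hooks.items()}

if __name__ == "__main__":
    for (node, hook), (peer, peerhook) in sorted(build_graph(SCRIPT).items()):
        print("%s.%s -- %s.%s" % (node, hook, peer, peerhook))
```

Each link is listed from both ends; a command that reuses an already connected hook raises ValueError instead of silently rewiring the graph.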