Softflowd, missing fields - where are my out_bytes?
-
I'm exporting NetFlow data from a pfSense 2.1.5 straight into Logstash with the "netflow codec".
It seems as if I'm missing the "out_bytes" field (amongst others).
How do I debug this? Where can I see the fields that softflowd is outputting? Can I define it somewhere?
-
softflowd doesn't have any way to set or see those fields. The best thing to do would be to run a packet capture of the flow data and see if Wireshark or similar can make sense of it.
It could also be your interface; for example, it's a known issue on 2.2.x that some wireless adapters have a problem reporting outbound bandwidth.
Running softflowd locally, exporting to nfsen, I seem to have sane traffic counts.
-
softflowd doesn't have any way to set or see those fields
What do you mean by that?
I just downloaded the source code for softflowd: https://code.google.com/p/softflowd/downloads/detail?name=softflowd-0.9.8.tar.gz&can=2&q=
In the file netflow9.c it says that:
----------------------------------------------------------------------
/* Flowset record types that we care about */
#define NF9_IN_BYTES            1
#define NF9_IN_PACKETS          2
/* ... */
#define NF9_IN_PROTOCOL         4
/* ... */
#define NF9_TCP_FLAGS           6
#define NF9_L4_SRC_PORT         7
#define NF9_IPV4_SRC_ADDR       8
/* ... */
#define NF9_L4_DST_PORT         11
#define NF9_IPV4_DST_ADDR       12
/* ... */
#define NF9_LAST_SWITCHED       21
#define NF9_FIRST_SWITCHED      22
/* ... */
#define NF9_IPV6_SRC_ADDR       27
#define NF9_IPV6_DST_ADDR       28
/* ... */
#define NF9_IP_PROTOCOL_VERSION 60
----------------------------------------------------------------------
So out_bytes isn't processed, I guess?
According to Cisco, the value of out_bytes should be "23", where in_bytes is "1".
I know you just implemented softflowd "as is"... but can you make a guess as to why out_bytes was left out?
-
No idea, the author of the software is likely the only person who can answer that properly.
-
Mail sent… awaiting Damien's reply. :)
-
No idea, the author of the software is likely the only person who can answer that properly.
Well… I got a response from Damien:
softflowd will never fill in out_bytes; instead it sends two flows,
one for each direction. The reason for this is just history: it matches
what NetFlow < 9 did. It probably wouldn't be much work to adjust softflowd to do it differently,
but I don't have time to work on it anymore, unfortunately.
-d
Jim> Thank you for replying.
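To make the two points in this thread concrete (the debugging advice to look at the raw export, and Damien's explanation that softflowd emits one unidirectional flow per direction rather than filling in OUT_BYTES), here is an added example that is not softflowd's, pfSense's or Logstash's code. It decodes a NetFlow v9 export packet, lists which field IDs the template actually carries, and then pairs the two unidirectional records by reversed 5-tuple so that a collector can derive out_bytes itself. The packet bytes are constructed inline in the shape softflowd's template implies (IN_BYTES=1, IN_PKTS=2 and no field 23); the template ID 1024, the addresses and the byte counts are made-up sample values, and the pairing logic is this example's own, not a softflowd feature.

```python
import socket
import struct

# NetFlow v9 field type IDs (RFC 3954 / Cisco). softflowd's netflow9.c only
# defines the ones it emits; OUT_BYTES (23) and OUT_PKTS (24) are not among them.
NF9_IN_BYTES, NF9_IN_PKTS, NF9_PROTOCOL = 1, 2, 4
NF9_L4_SRC_PORT, NF9_IPV4_SRC_ADDR = 7, 8
NF9_L4_DST_PORT, NF9_IPV4_DST_ADDR = 11, 12
NF9_OUT_BYTES, NF9_OUT_PKTS = 23, 24

FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
               23: "out_bytes", 24: "out_pkts"}


def decode_field(ftype, raw):
    """IPv4 fields become dotted quads; everything else is a big-endian integer."""
    if ftype in (NF9_IPV4_SRC_ADDR, NF9_IPV4_DST_ADDR):
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_nf9(packet, templates=None):
    """Parse one NetFlow v9 export packet: 20-byte header, then flowsets.
    Returns (templates, records); templates can be carried over between packets."""
    templates = dict(templates or {})
    version, _count, _uptime, _secs, _seq, _src_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: (template_id, field_count, (type, len)*)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256:  # data flowset, laid out according to template fs_id
            fields = templates.get(fs_id)
            if fields is not None:  # a real collector buffers/drops data seen before its template
                rec_len = sum(flen for _, flen in fields)
                p = 0
                while p + rec_len <= len(body):  # trailing padding (< 4 bytes) is skipped
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off += fs_len  # fs_id 1 (options template) is ignored here
    return templates, records


def exported_field_ids(templates):
    """All field type IDs announced by the exporter's templates."""
    return {ftype for fields in templates.values() for ftype, _ in fields}


def pair_directions(records):
    """Merge softflowd-style unidirectional flows into bidirectional ones by matching
    a record's 5-tuple against the reverse 5-tuple of one already seen (example logic)."""
    merged = {}
    for r in records:
        fwd = (r["ipv4_src_addr"], r["l4_src_port"], r["ipv4_dst_addr"], r["l4_dst_port"], r["protocol"])
        rev = (fwd[2], fwd[3], fwd[0], fwd[1], fwd[4])
        if rev in merged:  # the other direction: its IN_BYTES are our OUT_BYTES
            m = merged[rev]
            m["out_bytes"] += r.get("in_bytes", 0)
            m["out_pkts"] += r.get("in_pkts", 0)
        else:
            m = merged.setdefault(fwd, {"src": fwd[0], "src_port": fwd[1], "dst": fwd[2], "dst_port": fwd[3],
                                        "protocol": fwd[4], "in_bytes": 0, "in_pkts": 0,
                                        "out_bytes": 0, "out_pkts": 0})
            m["in_bytes"] += r.get("in_bytes", 0)
            m["in_pkts"] += r.get("in_pkts", 0)
            m["out_bytes"] += r.get("out_bytes", 0)  # honoured if an exporter does send field 23
            m["out_pkts"] += r.get("out_pkts", 0)
    return list(merged.values())


def build_sample_packet():
    """Constructed sample: one template (no OUT_BYTES) and two data records, one per direction."""
    fields = [(NF9_IN_BYTES, 4), (NF9_IN_PKTS, 4), (NF9_PROTOCOL, 1), (NF9_L4_SRC_PORT, 2),
              (NF9_IPV4_SRC_ADDR, 4), (NF9_L4_DST_PORT, 2), (NF9_IPV4_DST_ADDR, 4)]
    tid = 1024  # assumed template ID
    tmpl = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(in_bytes, in_pkts, proto, sport, saddr, dport, daddr):
        return (struct.pack("!IIBH", in_bytes, in_pkts, proto, sport) + socket.inet_aton(saddr)
                + struct.pack("!H", dport) + socket.inet_aton(daddr))

    data = (rec(1500, 10, 6, 51234, "192.0.2.10", 443, "198.51.100.5")
            + rec(64000, 48, 6, 443, "198.51.100.5", 51234, "192.0.2.10"))
    pad = (-len(data)) % 4
    data_fs = struct.pack("!HH", tid, 4 + len(data) + pad) + data + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 3, 123456, 1420070400, 1, 0)
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    templates, records = parse_nf9(build_sample_packet())
    print("fields announced by exporter:", sorted(exported_field_ids(templates)))
    print("merged flows:", pair_directions(records))
```

Run against a real capture, the field-ID set printed by `exported_field_ids` answers the original question directly: if 23 never appears in any template, the exporter is not sending out_bytes and no codec setting will conjure it. The pairing step assumes both directions are exported and arrive in the same collection window; a production collector would also have to expire unmatched halves and respect sequence numbers, which this example leaves out.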