Pfflowd - How to specify interface to monitor?


  • I have been struggling with a solution I am trying to use to do traffic analysis on customer networks without having to make changes to their networks. What I have found is that I can use a transparent firewall between the customer's firewall and their network and allow all traffic to pass from WAN to LAN. Then I tell pfflowd to capture traffic to a netflow collector on the network. Throw this on a 2-port alix box and it becomes a very useful tool for under $200. The problem is I think pfflowd is set to monitor the LAN and since it is bridged, it doubles the utilization. nTop would also do this when I chose the LAN, but when choosing WAN it was ok. What I am hoping for is to find a way to tell pfflowd to monitor the WAN interface instead of the LAN. Also pfTop on Bridge (Transparent firewall) shows 8 mbit RATE when my firewall shows the correct 4 mbit RATE.

    Thanks


  • Found a post regarding Bandwidthd with a similar issue.  Is there a similar solution for my problem with pfflowd?

    Hi, thanks for this great package, I have it up and running just fine but have a little problem.

    I got 2 WANs and a wired LAN and a wireless LAN that is bridged to the wired and as such with monitoring on the LAN I am seeing the local traffic between the wired and wireless. I see that there is a field to enter in filter rules but I got no idea how to format them to ignore local traffic. Googling hasn't turned up anything that I can follow, so has anyone got a link to a page that shows all the options and how to use them or can even just give me the command needed to filter local traffic?

    Thanks,
    Dan.

    Solution:

    SPECIFYING THE LIBPCAP FILTER

    If you'd like more control over what traffic is counted, you can specify a manual
    filter to be passed to libpcap.  You can use this to remove certain IPs or only
    graph certain IPs, or limit the graphs to certain kinds of traffic.  You should
    always specify "ip" in the filter.  For example:

    filter "ip and host 64.215.40.1"