Netgate Discussion Forum
    Softflowd - exported netflow is correct?

    Traffic Monitoring
    2 Posts 2 Posters 3.2k Views
    Zoris

      Hello everyone,

      pfsense 2.4.2-RELEASE
      softflowd 1.2.2

      I found an open source tool Graylog which can collect and analyze syslog, netflow and etc.
      So I decided to configure pfsense to send syslog to this tool and everything looks good.
      Next I installed softflowd package to export netflow data. Configured it to export netflow v9.
      Now when I try to analyze the data I would like to see the traffic, and I found the nf_bytes field and nf_in_bytes. To my understanding nf_bytes shows total traffic, nf_in_bytes shows traffic in the in direction, and nf_out_bytes is missing.
      Or maybe the nf_bytes field shows out traffic and nf_in_bytes shows in traffic.
      The most interesting thing is that both fields are equal. After googling about the out_bytes field in softflowd I found this post:

      I think you are using a software probe to export softflowd packets from FreeBSD. Since the flow packets exported from FreeBSD are from a single NIC, you will be seeing all the traffic in one direction. This is a limitation with the software probe flow exporters; you can create IP groups in NetFlow Analyzer based on IP network or IP address to see both-way traffic.

      From this link: https://pitstop.manageengine.com/portal/community/topic/no-outgoing-traffic-for-softflowd

      I still don't understand why FreeBSD can't send IN and OUT flows, but this topic gave me an idea to make new fields nf_src_bytes and nf_dst_bytes; depending on the source and destination IP it should split the data the way I want.
      I created two rules:
      1. If src_address is in 192.168.0.0/16 or 10.0.0.0/8 then copy nf_bytes to nf_dst_bytes
      2. If dst_address is in 192.168.0.0/16 or 10.0.0.0/8 then copy nf_bytes to nf_src_bytes
      I thought it would sort things out, but the results disappointed me.

      Here's the pfsense traffic graph:

      And here's Graylog's data:

      The data is different on pfsense and Graylog.
      Even more interesting is that nf_src_bytes and nf_dst_bytes are almost identical, but comparing with the pfsense traffic graphs they should not be.

      Does anyone know why this is happening and how to fix it?
      If I'm understanding things wrong, can someone explain the situation to me or give me some useful links?

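The following is an added example, not code from the post, from Graylog or from softflowd. It is a Python stand-in for the two Graylog rules described above (inside source address copies nf_bytes to nf_dst_bytes, inside destination address copies it to nf_src_bytes), run over a handful of constructed flow records. The field names nf_src_address and nf_dst_address are assumed; the byte counts and addresses are made up. Going a step beyond the post's rules, it also labels each flow by which rules fired, so flows that hit both rules (inside-to-inside traffic, counted in both derived fields) and flows that hit neither (no inside address on either side, counted in neither) stand out; both cases make the derived totals drift away from an interface traffic graph.

```python
"""Stand-in for the two Graylog rules from the post, applied to constructed records."""
import ipaddress

# The two address ranges the post's rules treat as the inside of the network.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr: str) -> bool:
    """True if addr lies in one of the inside ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def split_bytes(rec: dict) -> dict:
    """Apply the post's two rules to one flow record (a dict of NetFlow fields
    as a collector would present them; field names are assumed).
    Returns a copy with nf_src_bytes / nf_dst_bytes filled in and a
    'direction' label showing which rules fired."""
    out = dict(rec)
    src_in = is_internal(rec["nf_src_address"])
    dst_in = is_internal(rec["nf_dst_address"])
    # Rule 1: inside source  -> bytes leaving the LAN  -> nf_dst_bytes
    out["nf_dst_bytes"] = rec["nf_bytes"] if src_in else 0
    # Rule 2: inside destination -> bytes entering the LAN -> nf_src_bytes
    out["nf_src_bytes"] = rec["nf_bytes"] if dst_in else 0
    if src_in and dst_in:
        out["direction"] = "lan-to-lan"   # both rules fire: bytes land in both fields
    elif src_in:
        out["direction"] = "outbound"
    elif dst_in:
        out["direction"] = "inbound"
    else:
        out["direction"] = "unmatched"    # neither rule fires: bytes land in neither
    return out


def summarize(records) -> dict:
    """Totals of the raw and derived byte fields plus counts of the two
    problem cases (double-counted and uncounted flows)."""
    totals = {"nf_bytes": 0, "nf_src_bytes": 0, "nf_dst_bytes": 0,
              "lan-to-lan": 0, "unmatched": 0}
    for rec in records:
        r = split_bytes(rec)
        totals["nf_bytes"] += r["nf_bytes"]
        totals["nf_src_bytes"] += r["nf_src_bytes"]
        totals["nf_dst_bytes"] += r["nf_dst_bytes"]
        if r["direction"] in ("lan-to-lan", "unmatched"):
            totals[r["direction"]] += 1
    return totals


# Constructed sample flows (not captured data): an HTTPS request and its
# response, an inside-to-inside SMB transfer, and a flow between two public hosts.
SAMPLE_FLOWS = [
    {"nf_src_address": "192.168.1.20", "nf_dst_address": "203.0.113.10",
     "nf_src_port": 51514, "nf_dst_port": 443, "nf_bytes": 1200},
    {"nf_src_address": "203.0.113.10", "nf_dst_address": "192.168.1.20",
     "nf_src_port": 443, "nf_dst_port": 51514, "nf_bytes": 48000},
    {"nf_src_address": "10.0.0.5", "nf_dst_address": "192.168.1.30",
     "nf_src_port": 445, "nf_dst_port": 60000, "nf_bytes": 250000},
    {"nf_src_address": "198.51.100.7", "nf_dst_address": "203.0.113.10",
     "nf_src_port": 33000, "nf_dst_port": 443, "nf_bytes": 900},
]

if __name__ == "__main__":
    for row in SAMPLE_FLOWS:
        r = split_bytes(row)
        print(f"{r['nf_src_address']:>14} -> {r['nf_dst_address']:<14} "
              f"{r['direction']:<11} src_bytes={r['nf_src_bytes']:>7} "
              f"dst_bytes={r['nf_dst_bytes']:>7}")
    print(summarize(SAMPLE_FLOWS))
```

On the constructed input the inside-to-inside flow alone contributes 250000 bytes to both derived fields, which is what makes nf_src_bytes and nf_dst_bytes come out nearly equal while the raw total differs; filtering on the direction label, or excluding flows whose destination is also inside from rule 1 (and vice versa), is the usual correction.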
      mikael.andre

        Hello,

        I'm trying to configure NetFlow on my Graylog too.
        I saw in your graph settings that you set it to "total", but you should set it to "SUM" or "MEAN".
        Could you give feedback on whether this setting solved your issue?

        Many thanks

        Best regards,

        Mikaël ANDRE
