Softflowd , missing fields - where are my out_bytes?

miloman · Mar 31, 2015, 9:15 AM

i'm exporting netflow data from a pfsense 2.1.5 straight into logstash with the "netflow codec".

it seems as if i'm missing the "out_bytes" field (amongst others).

how do I debug this? where can I see the fields that softflowd is outputting? can I define it somewhere?

jimp · Apr 1, 2015, 6:01 PM

softflowd doesn't have any way to set or see those fields. Best thing to do would be to run a packet capture of the flow data and see if wireshark or similar can make sense of it.

Also could be your interface, for example it's a known issue on 2.2.x that some wireless adapters have a problem reporting outbound bandwidth

running softflowd locally exporting to nfsen I seem to have sane traffic counts.

miloman · Apr 13, 2015, 1:44 PM

@jimp:

softflowd doesn't have any way to set or see those fields

what do you mean by that?

i just downloaded the source code for softflowd https://code.google.com/p/softflowd/downloads/detail?name=softflowd-0.9.8.tar.gz&can=2&q=

in the file netflow9.c it says that:

–---------------------------------------------------------------------
/* Flowset record types the we care about /
#define NF9_IN_BYTES 1
#define NF9_IN_PACKETS 2
/ ... /
#define NF9_IN_PROTOCOL 4
/ ... /
#define NF9_TCP_FLAGS 6
#define NF9_L4_SRC_PORT 7
#define NF9_IPV4_SRC_ADDR 8
/ ... /
#define NF9_L4_DST_PORT 11
#define NF9_IPV4_DST_ADDR 12
/ ... /
#define NF9_LAST_SWITCHED 21
#define NF9_FIRST_SWITCHED 22
/ ... /
#define NF9_IPV6_SRC_ADDR 27
#define NF9_IPV6_DST_ADDR 28
/ ... */
#define NF9_IP_PROTOCOL_VERSION 60

so out_bytes isn't processed i guess?

according to cisco the value of out_bytes should be "23", where in_bytes is "1".

i know you just implemented softflowd "as is"... but can you make a guess as to why the out_bytes was left out?

jimp · Apr 13, 2015, 1:46 PM

No idea, the author of the software is likely the only person who can answer that properly.

miloman · Apr 13, 2015, 1:57 PM

mail sent… awaiting damiens reply. :)

miloman · Apr 14, 2015, 7:23 AM

@jimp:

No idea, the author of the software is likely the only person who can answer that properly.

well… i got a response from damien.

softflowd will never fill in out_bytes, instead it sends two flows -
one for each direction. The reason for this is just history, it matches
what Netflow < 9 did.

It probably wouldn't be much work to adjust softflowd to do it differently,
but I don't have time to work on it anymore unfortunately.

-d

Jim> thank you for replying.