I want to monitor a pfSense router with 3 interfaces: WAN = [bge0], LAN = [em1], Optional = [em0]. Softflowd is installed on the pfSense router with the following configuration:
softflowd -i em1 -v 5 -m 65000 -n 192.168.0.4:9997 -t maxlife=5m
The Optional [em0] interface is a second LAN connecting to another network. How do I set up NetFlow sensors for IPs on LAN [em1] and filter out ALL traffic between em1 and em0, so only traffic between em1 and bge0 is counted?
Article Comments
I've created several NetFlow V9 sensors, UDP port 9996, timeout 6 minutes. Include filter IP[192.168.25.40], and several more with different IPs.
Checking the toplist of any filter, say from 11:00 AM to 11:15 AM, the #1 and #2 items are well over 3,000 KBytes, plus several more above 500 KBytes. This is a 15 minute span in the toplist. If I go to history and choose 10 AM to 11 AM, I see total usage of just over 1,000 KBytes.
Now, if the toplist shows what looks like correct usage, why does it not show up in the history or live data?
Aug, 2011 - Permalink
Instead of playing with include filters on your PRTG sensor, you can use a Berkeley Packet Filter (tcpdump syntax) at the end of your softflowd execution line. Something like this:
If all of the networks on em1 and Bge0 are known:
softflowd -i em1 -v 9 -m 65000 -n 192.168.0.4:9996 -t maxlife=5m "net em1_NET and net Bge0_NET"
If all of the possible subnets are not known on one of the interfaces then, assuming you have only one other interface em0, change the filter to something like:
"not net em0_NET"
Aug, 2011 - Permalink
Thanks for the tip. When I tried it I got an unknown error:
[2.0-RC3][admin@bob.bob.bobs]/root(2): softflowd -i em1 -v 9 -m 65000 -n 192.168.0.4:9996 -t maxlife=5m "not net em0_NET"
pcap_compile("not net em0_NET"): unknown network 'em0_NET'
Aug, 2011 - Permalink
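An added example, not part of the original thread: pcap_compile rejects em0_NET because the BPF `net` primitive expects a real network (for instance in CIDR form), and em0_NET is only a stand-in for the network on em0. The sketch below derives that network from FreeBSD-style ifconfig output and builds the softflowd line from the thread; the function names are hypothetical and the sample address 10.20.30.1 is constructed.

```shell
#!/bin/sh
# Constructed sample of `ifconfig em0` output on FreeBSD/pfSense (made-up address).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.20.30.1 netmask 0xffffff00 broadcast 10.20.30.255'

# Read ifconfig output on stdin, print the first IPv4 network as a.b.c.d/len.
iface_network() {
    # FreeBSD prints "inet <addr> netmask <hex mask> ..."
    set -- $(awk '$1 == "inet" && $3 == "netmask" { print $2, $4; exit }')
    [ $# -eq 2 ] || { echo "no IPv4 address found" >&2; return 1; }
    addr=$1
    mask=$(($2))                      # hex mask -> integer
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    netnum=$(( ip & mask ))           # zero the host bits
    bits=0; m=$mask
    while [ $(( m & 0x80000000 )) -ne 0 ]; do   # count leading one bits
        bits=$(( bits + 1 ))
        m=$(( (m << 1) & 0xffffffff ))
    done
    echo "$(( (netnum >> 24) & 255 )).$(( (netnum >> 16) & 255 )).$(( (netnum >> 8) & 255 )).$(( netnum & 255 ))/$bits"
}

# BPF expression that drops every packet with an endpoint in the given network.
exclude_filter() {
    echo "not net $1"
}

# The softflowd invocation from the thread with a concrete filter appended.
softflowd_cmd() {
    printf 'softflowd -i em1 -v 9 -m 65000 -n 192.168.0.4:9996 -t maxlife=5m "%s"\n' \
        "$(exclude_filter "$1")"
}

# Demo on the constructed sample; on the router use: ifconfig em0 | iface_network
cidr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_network) && softflowd_cmd "$cidr"
```

The generated expression can be checked before restarting softflowd by compiling it with `tcpdump -d -i em1 "<filter>"`, which reports the same pcap_compile error if the expression is invalid.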
I have since changed the Softflowd config to:
softflowd -i em1 -v 9 -m 65000 -n 192.168.0.4:9996 -t maxlife=5m
Aug, 2011 - Permalink