Marko Cupać ([email protected]) on 2014.05.29 16:22:40 +0200:
> Hi,
> 
> I am exporting netflow data from OpenBSD 5.5 machine to another
> non-OpenBSD machine with nfsen installed, which is successfully
> receiving netflow data.
> 
> I have the following in pf.conf:
> set state-defaults pflow
> 
> And the following in hostname.pflow0:
> flowsrc IP.ADD.RE.SS flowdst IP.ADD:RE.SS:PORT pflowproto 10
> 
> I would like to parse netflow data with nfdump, in a way that traffic
> is separated by interface and direction.
> 
> The following command gives me interface numbers:
> nfdump -R <profiledir> -n 0 -s if/flows
> 
> With the following output (modified in order to avoid line wraps):
> If    Flows(%)      Packets(%)     Bytes(%)       pps   bps      bpp
> 6     197277(49.9)  5.2 M(47.3)    2.8 G(48.0)    57    243030   532
> 4     195221(49.4)  5.2 M(47.3)    2.8 G(48.0)    57    242976   532
> 5     194677(49.2)  5.4 M(49.1)    2.9 G(50.0)    59    253025   534
> 7     192506(48.7)  5.4 M(49.0)    2.9 G(49.9)    59    252973   534
> 0     4217( 1.1)    14827( 0.1)    1.2 M( 0.0)    2     1428     81
> 11    3232( 0.8)    392170( 3.6)   118.0 M( 2.0)  4     10374    300
> 8     134( 0.0)     3817( 0.0)     1.2 M( 0.0)    0     818      320
> 
> Exporting machine has a bunch of interfaces:
> 3 physical: bnx0 bnx1 em0
> 2 tun (npppd and openvpn): tun0 tun1
> 2 carp: carp1 carp2
> 5 other: enc0 lo0 pflog0 pflow0 pfsync0
> 
> Is there a way to determine which interface is mapped to which if
> number in netflow?

The ifIndex is reported by snmpd in the If-MIB:

$ snmpwalk -v 2c -c public 127.0.0.1
[...]
IF-MIB::ifNumber.0 = INTEGER: 6
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
IF-MIB::ifIndex.6 = INTEGER: 6
IF-MIB::ifDescr.1 = STRING: em0
IF-MIB::ifDescr.2 = STRING: em1
IF-MIB::ifDescr.3 = STRING: enc0
IF-MIB::ifDescr.4 = STRING: lo0
IF-MIB::ifDescr.5 = STRING: pflow0
IF-MIB::ifDescr.6 = STRING: pflog0
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.3 = INTEGER: other(1)
IF-MIB::ifType.4 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.5 = INTEGER: other(1)
IF-MIB::ifType.6 = INTEGER: other(1)
[...]
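
Added example, not part of the original reply: a small Python sketch that joins the IF-MIB::ifDescr lines from an snmpwalk with the rows of an nfdump "-s if/flows" table, so each NetFlow interface number is shown with its interface name. Both sample inputs are constructed in the formats quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the snmpwalk output shown in the reply.
SNMPWALK_SAMPLE = """\
IF-MIB::ifNumber.0 = INTEGER: 6
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifDescr.1 = STRING: em0
IF-MIB::ifDescr.2 = STRING: em1
IF-MIB::ifDescr.3 = STRING: enc0
IF-MIB::ifDescr.4 = STRING: lo0
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
"""

# Constructed sample in the layout of the nfdump "-s if/flows" table.
NFDUMP_SAMPLE = """\
If    Flows(%)      Packets(%)     Bytes(%)       pps   bps      bpp
2     197277(49.9)  5.2 M(47.3)    2.8 G(48.0)    57    243030   532
1     195221(49.4)  5.2 M(47.3)    2.8 G(48.0)    57    242976   532
0     4217( 1.1)    14827( 0.1)    1.2 M( 0.0)    2     1428     81
11    3232( 0.8)    392170( 3.6)   118.0 M( 2.0)  4     10374    300
"""

IFDESCR_RE = re.compile(r"^IF-MIB::ifDescr\.(\d+) = STRING: (\S+)$")
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\(")

def parse_ifdescr(snmp_text):
    """Return {ifIndex: interface name} from IF-MIB::ifDescr lines."""
    names = {}
    for line in snmp_text.splitlines():
        m = IFDESCR_RE.match(line.strip())
        if m:
            names[int(m.group(1))] = m.group(2)
    return names

def label_interfaces(nfdump_text, names):
    """Return [(ifIndex, name, flows)] for each data row of the table."""
    rows = []
    for line in nfdump_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        idx = int(m.group(1))
        # An index absent from the walk is labelled "unknown", never guessed.
        rows.append((idx, names.get(idx, "unknown"), int(m.group(2))))
    return rows

if __name__ == "__main__":
    for row in label_interfaces(NFDUMP_SAMPLE, parse_ifdescr(SNMPWALK_SAMPLE)):
        print("%3d %-8s %d" % row)
```

The walk has to be taken on the exporting machine itself, since the index-to-name mapping is specific to that host.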
