[Nfdump-discuss] Double counting with pfsense and softflowd
netflow collecting and processing tools
Brought to you by:
phaag
From: Garrett B. <gb...@eg...> - 2015-11-20 18:12:46
|
All, I'm using pfSense 2.2.4 with softflowd 1.2.1 exporting Netflow v5 packets to nfsen with nfdump: Version: NSEL-NEL1.6.11 and I'm seeing double counting of the bps. If I generate a 10Mbps flow through the pfSense firewall with iperf, it's being displayed as 20Mbps. The pfSense counters show it correctly as 10Mbps. It looks like softflowd is sending the records twice, as I see the following in the nfcapd files: # nfdump -r nfcapd.201511201555 Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte 2015-11-20 15:50:22.588 IGNORE Ignore UDP 172.22.37.250:55138 -> 128.18.1.1:5001 0.0.0.0:0 -> 0.0.0.0:0 382.7 M 0 2015-11-20 15:50:29.099 IGNORE Ignore UDP 172.22.37.250:55138 -> 128.18.1.1:5001 0.0.0.0:0 -> 0.0.0.0:0 386.5 M 0 Has anyone else seen this? Is there a way to get nfsen/nfdump to ignore the duplicates (if that is what they are)? Thks, GB -- Garrett Burke VP Engineering Egenera Inc. | Converge. Unify. Simplify. 00-353-1-9022868 (office) http://www.egenera.com http://blog.egenera.com http://www.facebook.com/#!/pages/Egenera/74312707811 http://twitter.com/#!/Egenera http://www.linkedin.com/company/7909?trk=tyah |